Posted to commits@trafficserver.apache.org by jp...@apache.org on 2013/12/04 23:06:06 UTC

[1/2] git commit: TS-2372: update default SSL context options

Updated Branches:
  refs/heads/master 581282d8b -> d75e933a1


TS-2372: update default SSL context options


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/d7bb4cd3
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/d7bb4cd3
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/d7bb4cd3

Branch: refs/heads/master
Commit: d7bb4cd3c6ec6c1fc5e70251257e2e10e450c92f
Parents: 581282d
Author: James Peach <jp...@apache.org>
Authored: Tue Nov 26 09:37:15 2013 -0800
Committer: James Peach <jp...@apache.org>
Committed: Wed Dec 4 14:05:09 2013 -0800

----------------------------------------------------------------------
 iocore/net/SSLConfig.cc         | 18 ++++++++++++++++++
 iocore/net/SSLNetVConnection.cc |  1 +
 2 files changed, 19 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d7bb4cd3/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 72b7c42..d4e0b9e 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -164,6 +164,24 @@ SSLConfigParams::initialize()
 #endif
   }
 
+  // Enable ephemeral DH parameters for the case where we use a cipher with DH forward security.
+#ifdef SSL_OP_SINGLE_DH_USE
+  ssl_ctx_options |= SSL_OP_SINGLE_DH_USE;
+#endif
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+  ssl_ctx_options |= SSL_OP_SINGLE_ECDH_USE;
+#endif
+
+  // Enable all SSL compatibility workarounds.
+  ssl_ctx_options |= SSL_OP_ALL;
+
+  // According to OpenSSL source, applications must enable this if they support the Server Name extension. Since
+  // we do, then we ought to enable this. Httpd also enables this unconditionally.
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+  ssl_ctx_options |= SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
+#endif
+
   REC_ReadConfigStringAlloc(serverCertChainFilename, "proxy.config.ssl.server.cert_chain.filename");
   REC_ReadConfigStringAlloc(serverCertRelativePath, "proxy.config.ssl.server.cert.path");
   set_paths_helper(serverCertRelativePath, NULL, &serverCertPathOnly, NULL);
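Review bot: `ssl_ctx_options |= SSL_OP_ALL;` in the middle of the hunk also sets `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, which turns off OpenSSL's empty-fragment countermeasure for CBC cipher suites; unless a specific broken client needs that workaround, mask it out with `ssl_ctx_options |= SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;`. The comment on the first added line overstates `SSL_OP_SINGLE_DH_USE`: it only forces a fresh DH key per handshake and does not itself supply DH parameters, which still need `SSL_CTX_set_tmp_dh` or a callback that this hunk does not add; suggest `// Use a fresh DH/ECDH key per handshake when a DHE/ECDHE cipher is negotiated; the DH parameters themselves are installed elsewhere.` Whether temporary DH parameters are installed anywhere in this file is not visible here. SSLConfigParams::initialize() begins before and continues after the hunk.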

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d7bb4cd3/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 9e477da..6bdb0da 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -466,6 +466,7 @@ SSLNetVConnection::free(EThread * t) {
   sslHandShakeComplete = false;
   sslClientConnection = false;
   npnSet = NULL;
+  npnEndPoint= NULL;
 
   if (from_accept_thread) {
     sslNetVCAllocator.free(this);  
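Review bot: `npnEndPoint= NULL;` is missing the space before `=` that the three assignments above it use; write `npnEndPoint = NULL;`. Clearing this pointer in free() also looks unrelated to the SSL context options named in the commit message, so it may deserve its own commit or at least a mention there, though how npnEndPoint is set is not visible here. SSLNetVConnection::free() continues past the end of the hunk.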


[2/2] git commit: TS-2372: enable ECDHE forward security

Posted by jp...@apache.org.
TS-2372: enable ECDHE forward security


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/d75e933a
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/d75e933a
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/d75e933a

Branch: refs/heads/master
Commit: d75e933a1c1b05700ca79dcbe53f6261d39e8c13
Parents: d7bb4cd
Author: James Peach <jp...@apache.org>
Authored: Tue Nov 26 09:37:47 2013 -0800
Committer: James Peach <jp...@apache.org>
Committed: Wed Dec 4 14:05:10 2013 -0800

----------------------------------------------------------------------
 CHANGES                |  2 ++
 iocore/net/SSLUtils.cc | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d75e933a/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 504e1a0..363b915 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,8 @@
 Changes with Apache Traffic Server 4.2.0
 
 
+  *) [TS-2372] Enable TLS perfect forward security with ECDHE.
+
   *) [TS-2416] Make TLS the session timeout threshold configurable.
    Author: Wei Sun <su...@yahoo-inc.com>
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d75e933a/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 228870a..33d1bd5 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -185,6 +185,21 @@ ssl_context_enable_sni(SSL_CTX * ctx, SSLCertLookup * lookup)
   return ctx;
 }
 
+static void
+ssl_enable_ecdh(SSL_CTX * ctx)
+{
+#if defined(SSL_CTRL_SET_ECDH_AUTO)
+  SSL_CTX_set_ecdh_auto(ctx, 1);
+#elif defined(NID_X9_62_prime256v1)
+  EC_KEY * ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+
+  if (ecdh) {
+    SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+    EC_KEY_free(ecdh);
+  }
+#endif
+}
+
 void
 SSLInitializeLibrary()
 {
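Review bot: ssl_enable_ecdh() hides every failure: in the `#elif` branch a NULL from `EC_KEY_new_by_curve_name` is skipped silently, and the results of `SSL_CTX_set_tmp_ecdh` and `SSL_CTX_set_ecdh_auto` are discarded, so a context that quietly falls back to non-ECDHE ciphers is never reported. Returning a status lets the call site added in the second hunk of this file, in SSLInitServerContext, log the degradation instead of returning a context that silently lacks forward secrecy. The new function also has no header comment; suggest `// Enable ephemeral ECDH for ctx: automatic curve selection when OpenSSL offers it, otherwise a fixed prime256v1 key. A failure leaves ctx without ECDHE cipher suites.` On builds where neither macro is defined the function compiles to a no-op, which is worth noting in that comment as well.
```cpp
static bool
ssl_enable_ecdh(SSL_CTX * ctx)
{
#if defined(SSL_CTRL_SET_ECDH_AUTO)
  return SSL_CTX_set_ecdh_auto(ctx, 1) == 1;
#elif defined(NID_X9_62_prime256v1)
  EC_KEY * ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
  bool ok = false;

  if (ecdh) {
    ok = SSL_CTX_set_tmp_ecdh(ctx, ecdh) == 1;
    EC_KEY_free(ecdh);
  }
  return ok;
#else
  return false;
#endif
}
```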
@@ -407,6 +422,8 @@ SSLInitServerContext(
     }
   }
 
+  ssl_enable_ecdh(ctx);
+
   return ctx;
 
 fail: