Posted to commits@trafficserver.apache.org by sh...@apache.org on 2015/04/21 21:49:31 UTC
trafficserver git commit: TS-3529: Add a config to allow ATS to start
up even if some certificates are bad.
Repository: trafficserver
Updated Branches:
refs/heads/master f158ebced -> ef36a509c
TS-3529: Add a config to allow ATS to start up even if some certificates are bad.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/ef36a509
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/ef36a509
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/ef36a509
Branch: refs/heads/master
Commit: ef36a509c0a3cf0309ad563e980d7e002f9b2d9c
Parents: f158ebc
Author: shinrich <sh...@yahoo-inc.com>
Authored: Tue Apr 21 14:47:51 2015 -0500
Committer: shinrich <sh...@yahoo-inc.com>
Committed: Tue Apr 21 14:47:51 2015 -0500
----------------------------------------------------------------------
CHANGES | 2 ++
iocore/net/P_SSLConfig.h | 1 +
iocore/net/SSLConfig.cc | 14 +++++++++-----
mgmt/RecordsConfig.cc | 2 ++
4 files changed, 14 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/ef36a509/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index c8d3e2a..8b19edb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 6.0.0
+ *) [TS-3529] Add config option to allow ATS to start even if certificate files are bad.
+
*) [TS-3523]: Proxy urls with no matching remap rules, when remap_required
is disabled, regardless of reverse_proxy_enabled setting
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/ef36a509/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 549aa28..68dd50f 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -66,6 +66,7 @@ struct SSLConfigParams : public ConfigInfo {
char *dhparamsFile;
char *cipherSuite;
char *client_cipherSuite;
+ int configExitOnLoadError;
int clientCertLevel;
int verify_depth;
int ssl_session_cache; // SSL_SESSION_CACHE_MODE
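Review bot: configExitOnLoadError is declared here but nothing in this commit gives it a value before SSLConfigParams::initialize() reads it from the record, and its value decides whether the process exits on a bad certificate load. If the struct's constructor or reset() assigns each member individually (that code is not in this diff), the new member should be added there too, e.g. `configExitOnLoadError = 0;`, so the exit decision in SSLCertificateConfig::startup() can never rest on an indeterminate int. The enclosing struct starts before this hunk.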
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/ef36a509/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index acd8c19..669e1c1 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -231,6 +231,7 @@ SSLConfigParams::initialize()
ats_free(serverCertRelativePath);
configFilePath = RecConfigReadConfigPath("proxy.config.ssl.server.multicert.filename");
+ REC_ReadConfigInteger(configExitOnLoadError, "proxy.config.ssl.server.multicert.exit_on_load_fail");
REC_ReadConfigStringAlloc(ssl_server_private_key_path, "proxy.config.ssl.server.private_key.path");
set_paths_helper(ssl_server_private_key_path, NULL, &serverKeyPathOnly, NULL);
@@ -324,12 +325,17 @@ SSLCertificateConfig::startup()
{
sslCertUpdate = new ConfigUpdateHandler<SSLCertificateConfig>();
sslCertUpdate->attach("proxy.config.ssl.server.multicert.filename");
+ sslCertUpdate->attach("proxy.config.ssl.server.multicert.exit_on_load_fail");
sslCertUpdate->attach("proxy.config.ssl.server.ticket_key.filename");
sslCertUpdate->attach("proxy.config.ssl.server.cert.path");
sslCertUpdate->attach("proxy.config.ssl.server.private_key.path");
sslCertUpdate->attach("proxy.config.ssl.server.cert_chain.filename");
- if (!reconfigure()) {
+ // Exit if there are problems on the certificate loading and the
+ // proxy.config.ssl.server.multicert.exit_on_load_fail is true
+ SSLConfigParams *params = SSLConfig::acquire();
+ if (!reconfigure() && params->configExitOnLoadError) {
+ Error("Problems loading ssl certificate file, %s. Exiting.", params->configFilePath);
_exit(1);
}
return true;
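Review bot: The SSLConfigParams acquired on the new `SSLConfigParams *params = SSLConfig::acquire();` line is never released: both the `_exit(1)` path and the `return true;` path keep the reference, and the return path is now the one taken whenever reconfigure() fails with exit_on_load_fail unset. If acquire() pairs with SSLConfig::release() as elsewhere in this file, add `SSLConfig::release(params);` before `return true;`. When reconfigure() fails and the flag is off, startup() also returns true without any message of its own, so a `Warning("Problems loading ssl certificate file, %s. Continuing.", params->configFilePath);` in that branch would make a degraded certificate set visible in the logs instead of depending on whatever reconfigure() logged. The added attach of proxy.config.ssl.server.multicert.exit_on_load_fail to sslCertUpdate appears to have no effect, since RecordsConfig.cc registers that record as RECU_RESTART_TS.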
@@ -351,11 +357,9 @@ SSLCertificateConfig::reconfigure()
}
SSLParseCertificateConfiguration(params, lookup);
- if (lookup->is_valid) {
- configid = configProcessor.set(configid, lookup);
- } else {
+ configid = configProcessor.set(configid, lookup);
+ if (!lookup->is_valid) {
retStatus = false;
- delete lookup;
}
return retStatus;
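Review bot: Installing the lookup unconditionally on the new `configid = configProcessor.set(configid, lookup);` line means a failed reload at runtime now replaces a previously working certificate set with a partially loaded one, whereas the removed branch left the old config in place; the startup case that TS-3529 targets does not need this, because there is no earlier config to keep. I would install an invalid lookup only when nothing is installed yet and otherwise keep the previous behaviour, with the is_valid check moved ahead of the delete so the pointer is not read after it is freed. This assumes configid is zero until the first successful set() and that set() takes ownership of lookup (which is what dropping the delete implies); both are established outside this hunk. reconfigure() begins before this hunk.
```cpp
  SSLParseCertificateConfiguration(params, lookup);
  if (!lookup->is_valid) {
    retStatus = false; // startup() uses this to decide whether exit_on_load_fail applies
  }
  // At startup there is nothing better to keep, so even a partial lookup is
  // installed; on a reload only a valid lookup may replace the current one.
  if (lookup->is_valid || configid == 0) {
    configid = configProcessor.set(configid, lookup);
  } else {
    delete lookup;
  }
  return retStatus;
```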
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/ef36a509/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index cf5f4c1..1826427 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1282,6 +1282,8 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.ssl.server.multicert.filename", RECD_STRING, "ssl_multicert.config", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
,
+ {RECT_CONFIG, "proxy.config.ssl.server.multicert.exit_on_load_fail", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, "[0-1]", RECA_NULL}
+ ,
{RECT_CONFIG, "proxy.config.ssl.server.ticket_key.filename", RECD_STRING, "ssl_ticket.key", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.server.private_key.path", RECD_STRING, TS_BUILD_SYSCONFDIR, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
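Review bot: The default of "0" on the added record changes shipped behaviour rather than only adding an option: before this commit startup() always exited when reconfigure() failed (the removed `if (!reconfigure()) {` line in SSLConfig.cc), and with exit_on_load_fail defaulting to 0 a fresh install now starts serving with whatever subset of certificates loaded. Since the CHANGES entry describes this as allowing start-up on bad certificates, a default of "1" would keep existing deployments fail-closed and let operators opt into the lenient mode; if "0" is intended, the record's documentation should say plainly that a bad ssl_multicert.config no longer stops the server by default. The value is read once in SSLConfigParams::initialize() and the record is RECU_RESTART_TS, so a change to it only applies on restart.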