Posted to notifications@apisix.apache.org by me...@apache.org on 2020/08/04 15:20:46 UTC
[apisix] branch master updated: bugfix: fail to handshake if there
is no certificate matched by host. (#1980)
This is an automated email from the ASF dual-hosted git repository.
membphis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new c67e998 bugfix: fail to handshake if there is no certificate matched by host. (#1980)
c67e998 is described below
commit c67e998dad394a70d2a1d922c1956d5098509424
Author: YuanSheng Wang <me...@gmail.com>
AuthorDate: Tue Aug 4 23:20:34 2020 +0800
bugfix: fail to handshake if there is no certificate matched by host. (#1980)
* bugfix: fail to handshake if there is no certificate matched by host.
* fix: grpc proxy test case
---
apisix/http/router/radixtree_sni.lua | 2 +-
apisix/init.lua | 3 ++-
t/grpc-proxy-test.sh | 17 ++++++++++++++++-
t/router/radixtree-sni.t | 11 ++++-------
4 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/apisix/http/router/radixtree_sni.lua b/apisix/http/router/radixtree_sni.lua
index 07c689f..4c7843b 100644
--- a/apisix/http/router/radixtree_sni.lua
+++ b/apisix/http/router/radixtree_sni.lua
@@ -163,7 +163,7 @@ function _M.match_and_set(api_ctx)
local sni_rev = sni:reverse()
local ok = radixtree_router:dispatch(sni_rev, nil, api_ctx)
if not ok then
- core.log.warn("failed to find any SSL certificate by SNI: ", sni)
+ core.log.error("failed to find any SSL certificate by SNI: ", sni)
return false
end
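Review bot: The SNI logged in the `if not ok then` branch is chosen by the client before any authentication, so at `error` level every connection with an unknown server name now writes an error entry. Internet scanners routinely send arbitrary names, which will raise error-log volume and make single-entry `[error]` alerts noisy. If the level stays at error, a comment such as `-- client-controlled SNI: alert on rate, not on single entries` above the call would record that. `match_and_set` starts and continues outside this hunk, so any earlier validation of `sni` is not visible here.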
diff --git a/apisix/init.lua b/apisix/init.lua
index da2df14..29536de 100644
--- a/apisix/init.lua
+++ b/apisix/init.lua
@@ -159,8 +159,9 @@ function _M.http_ssl_phase()
local ok, err = router.router_ssl.match_and_set(api_ctx)
if not ok then
if err then
- core.log.warn("failed to fetch ssl config: ", err)
+ core.log.error("failed to fetch ssl config: ", err)
end
+ ngx_exit(-1)
end
end
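Review bot: The bare `-1` passed to `ngx_exit` hides the intent of the new line; `ngx_exit(ngx.ERROR)` with a preceding `-- no certificate matched the SNI: abort the handshake rather than serve a non-matching certificate` would state the fail-closed behaviour. The abort also runs when `match_and_set` returns false without an `err`, which is the no-match case this commit targets, so the comment should cover both paths. `ngx_exit` is presumably a file-level local defined outside the hunk, and `http_ssl_phase` itself starts and ends outside it.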
diff --git a/t/grpc-proxy-test.sh b/t/grpc-proxy-test.sh
index 6f8f2d1..5ca3234 100755
--- a/t/grpc-proxy-test.sh
+++ b/t/grpc-proxy-test.sh
@@ -18,6 +18,14 @@
set -ex
+#set ssl
+curl http://127.0.0.1:9080/apisix/admin/ssl/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "cert": "-----BEGIN CERTIFICATE-----\nMIIEojCCAwqgAwIBAgIJAK253pMhgCkxMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV\nBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxDzANBgNVBAcMBlpodUhhaTEPMA0G\nA1UECgwGaXJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTAgFw0xOTA2MjQyMjE4MDVa\nGA8yMTE5MDUzMTIyMTgwNVowVjELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5n\nRG9uZzEPMA0GA1UEBwwGWmh1SGFpMQ8wDQYDVQQKDAZpcmVzdHkxETAPBgNVBAMM\nCHRlc3QuY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyCM0rqJe\ncvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5jhZB3W6BkWUWR4 [...]
+ "key": "-----BEGIN RSA PRIVATE KEY-----\nMIIG5AIBAAKCAYEAyCM0rqJecvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5\njhZB3W6BkWUWR4oNFLLSqcVbVDPitz/Mt46Mo8amuS6zTbQetGnBARzPLtmVhJfo\neLj0efMiOepOSZflj9Ob4yKR2bGdEFOdHPjm+4ggXU9jMKeLqdVvxll/JiVFBW5s\nmPtW1Oc/BV5terhscJdOgmRrabf9xiIis9/qVYfyGn52u9452V0owUuwP7nZ01jt\n6iMWEGeQU6mwPENgvj1olji2WjdG2UwpUVp3jp3l7j1ekQ6mI0F7yI+LeHzfUwiy\nVt1TmtMWn1ztk6FfLRqwJWR/Evm95vnfS3Le4S2ky3XAgn2UnCMyej3wDN6qHR1o\nnpRVeXhrBajbCRDRBMwaNw/1/3Uvza8QKK10PzQR6OcQ0xo9psM [...]
+ "sni": "test.com"
+}'
+
#test grpc proxy
curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
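Review bot: The added `curl ... /apisix/admin/ssl/1 ... -X PUT` has no `-f`, so a rejected upload still exits 0 and `set -e` does not stop the script. The failure would only surface later as an unexplained TLS handshake error from grpcurl. Using `curl -f http://127.0.0.1:9080/apisix/admin/ssl/1 ...` here, and on the existing routes call, would fail at the real cause. Because the script runs under `set -x`, the full PEM private key and the admin key are also echoed into the job log, so this key pair must remain a test-only fixture.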
@@ -32,4 +40,11 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f1
}
}'
-./build-cache/grpcurl -insecure -import-path ./build-cache/proto -proto helloworld.proto -d '{"name":"apisix"}' 127.0.0.1:9443 helloworld.Greeter.SayHello
+echo "127.0.0.1 test.com" | sudo tee -a /etc/hosts
+
+./build-cache/grpcurl -insecure -import-path ./build-cache/proto -proto helloworld.proto -d '{"name":"apisix"}' test.com:9443 helloworld.Greeter.SayHello
+
+
+#delete test data
+curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X DELETE
+curl http://127.0.0.1:9080/apisix/admin/ssl/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X DELETE
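Review bot: The `echo "127.0.0.1 test.com" | sudo tee -a /etc/hosts` line permanently changes name resolution on the machine running the test. It needs root, appends a duplicate entry on every run, and is not undone by the "delete test data" step. If the bundled grpcurl supports it, passing the name explicitly and keeping the loopback address avoids touching system state, for example `grpcurl -insecure -servername test.com ... 127.0.0.1:9443 helloworld.Greeter.SayHello`. This assumes `-servername` also sets the SNI when `-insecure` is given, which should be confirmed. Under `set -e` the two DELETE calls are also skipped when grpcurl fails, so registering the cleanup with `trap` near the top of the script would keep the SSL object and route from leaking into later tests.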
diff --git a/t/router/radixtree-sni.t b/t/router/radixtree-sni.t
index 06388a7..5fe1ccd 100644
--- a/t/router/radixtree-sni.t
+++ b/t/router/radixtree-sni.t
@@ -205,7 +205,7 @@ location /t {
GET /t
--- response_body
connected: 1
-failed to do SSL handshake: certificate host mismatch
+failed to do SSL handshake: handshake failed
--- error_log
failed to find any SSL certificate by SNI
@@ -558,12 +558,11 @@ location /t {
GET /t
--- response_body
connected: 1
-failed to do SSL handshake: certificate host mismatch
+failed to do SSL handshake: handshake failed
--- error_log
lua ssl server name: "aa.bb.test2.com"
failed to find any SSL certificate by SNI: aa.bb.test2.com matched SNI: *.test2.com
--- no_error_log
-[error]
[alert]
@@ -641,11 +640,10 @@ location /t {
GET /t
--- response_body
connected: 1
-failed to do SSL handshake: certificate host mismatch
+failed to do SSL handshake: handshake failed
--- error_log
lua ssl server name: "www.test2.com"
--- no_error_log
-[error]
[alert]
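Review bot: With `[error]` dropped from `--- no_error_log`, this block no longer pins why the handshake failed: the only remaining `--- error_log` expectation is `lua ssl server name: "www.test2.com"`. Any error-level failure that ends in "handshake failed" would therefore pass. Adding `failed to find any SSL certificate by SNI` under `--- error_log`, as the blocks at -558 and -853 already do, would tie the test to the no-matching-certificate path. The rest of the test block lies outside the hunk, so this assumes no such expectation exists further up.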
@@ -853,12 +851,11 @@ location /t {
GET /t
--- response_body
connected: 1
-failed to do SSL handshake: certificate host mismatch
+failed to do SSL handshake: handshake failed
--- error_log
lua ssl server name: "aa.bb.test2.com"
failed to find any SSL certificate by SNI: aa.bb.test2.com matched SNIs: ["*.test2.com","test2.com"]
--- no_error_log
-[error]
[alert]