Posted to notifications@apisix.apache.org by me...@apache.org on 2020/08/04 15:20:46 UTC

[apisix] branch master updated: bugfix: fail to handshake if there is no certificate matched by host. (#1980)

This is an automated email from the ASF dual-hosted git repository.

membphis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new c67e998  bugfix: fail to handshake if there is no certificate matched by host. (#1980)
c67e998 is described below

commit c67e998dad394a70d2a1d922c1956d5098509424
Author: YuanSheng Wang <me...@gmail.com>
AuthorDate: Tue Aug 4 23:20:34 2020 +0800

    bugfix: fail to handshake if there is no certificate matched by host. (#1980)
    
    * bugfix: fail the TLS handshake when no certificate matches the requested host.
    * fix:  grpc proxy test case
---
 apisix/http/router/radixtree_sni.lua |  2 +-
 apisix/init.lua                      |  3 ++-
 t/grpc-proxy-test.sh                 | 17 ++++++++++++++++-
 t/router/radixtree-sni.t             | 11 ++++-------
 4 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/apisix/http/router/radixtree_sni.lua b/apisix/http/router/radixtree_sni.lua
index 07c689f..4c7843b 100644
--- a/apisix/http/router/radixtree_sni.lua
+++ b/apisix/http/router/radixtree_sni.lua
@@ -163,7 +163,7 @@ function _M.match_and_set(api_ctx)
     local sni_rev = sni:reverse()
     local ok = radixtree_router:dispatch(sni_rev, nil, api_ctx)
     if not ok then
-        core.log.warn("failed to find any SSL certificate by SNI: ", sni)
+        core.log.error("failed to find any SSL certificate by SNI: ", sni)
         return false
     end
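Review bot: The value written on the new error-level line is the client-supplied SNI taken from the ClientHello, so after this change any remote client can place an error-level entry of its own choosing into the error log just by connecting with an unknown server name — a cheap log-flooding vector, and the bytes are untrusted wire input. Raising the level is defensible if an unmatched SNI is now an aborted handshake rather than a recoverable condition, which this commit's init.lua change suggests, but the reason should be stated next to the line: `-- sni is client-controlled; error level because the caller now aborts the handshake on a miss`. Deployments exposed to scanners may still prefer warn or a rate-limited log here; that is a judgement call, not a defect. match_and_set starts before this hunk.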
 
diff --git a/apisix/init.lua b/apisix/init.lua
index da2df14..29536de 100644
--- a/apisix/init.lua
+++ b/apisix/init.lua
@@ -159,8 +159,9 @@ function _M.http_ssl_phase()
     local ok, err = router.router_ssl.match_and_set(api_ctx)
     if not ok then
         if err then
-            core.log.warn("failed to fetch ssl config: ", err)
+            core.log.error("failed to fetch ssl config: ", err)
         end
+        ngx_exit(-1)
     end
 end
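Review bot: The added `ngx_exit(-1)` makes the SNI miss fail closed, which is the right outcome, but the magic `-1` and the reason go unexplained; the old test expectation (`certificate host mismatch`) suggests the handshake previously fell through and served whatever default certificate the server had, though that is inferred rather than visible here. A comment such as `-- no certificate for this SNI: abort the handshake instead of falling through to the server default cert` would capture it, and `ngx_exit(ngx.ERROR)` would name the intent, assuming `ngx_exit` is the file's local alias for `ngx.exit` (its definition is outside the hunk). Note that both the `err` path and the err-less dispatch miss (logged inside match_and_set) now abort; that is presumably intended but is not obvious from the code. `http_ssl_phase` starts before this hunk.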
 
diff --git a/t/grpc-proxy-test.sh b/t/grpc-proxy-test.sh
index 6f8f2d1..5ca3234 100755
--- a/t/grpc-proxy-test.sh
+++ b/t/grpc-proxy-test.sh
@@ -18,6 +18,14 @@
 
 set -ex
 
+#set ssl
+curl http://127.0.0.1:9080/apisix/admin/ssl/1  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "cert": "-----BEGIN CERTIFICATE-----\nMIIEojCCAwqgAwIBAgIJAK253pMhgCkxMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV\nBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxDzANBgNVBAcMBlpodUhhaTEPMA0G\nA1UECgwGaXJlc3R5MREwDwYDVQQDDAh0ZXN0LmNvbTAgFw0xOTA2MjQyMjE4MDVa\nGA8yMTE5MDUzMTIyMTgwNVowVjELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5n\nRG9uZzEPMA0GA1UEBwwGWmh1SGFpMQ8wDQYDVQQKDAZpcmVzdHkxETAPBgNVBAMM\nCHRlc3QuY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyCM0rqJe\ncvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5jhZB3W6BkWUWR4 [...]
+    "key": "-----BEGIN RSA PRIVATE KEY-----\nMIIG5AIBAAKCAYEAyCM0rqJecvgnCfOw4fATotPwk5Ba0gC2YvIrO+gSbQkyxXF5\njhZB3W6BkWUWR4oNFLLSqcVbVDPitz/Mt46Mo8amuS6zTbQetGnBARzPLtmVhJfo\neLj0efMiOepOSZflj9Ob4yKR2bGdEFOdHPjm+4ggXU9jMKeLqdVvxll/JiVFBW5s\nmPtW1Oc/BV5terhscJdOgmRrabf9xiIis9/qVYfyGn52u9452V0owUuwP7nZ01jt\n6iMWEGeQU6mwPENgvj1olji2WjdG2UwpUVp3jp3l7j1ekQ6mI0F7yI+LeHzfUwiy\nVt1TmtMWn1ztk6FfLRqwJWR/Evm95vnfS3Le4S2ky3XAgn2UnCMyej3wDN6qHR1o\nnpRVeXhrBajbCRDRBMwaNw/1/3Uvza8QKK10PzQR6OcQ0xo9psM [...]
+    "sni": "test.com"
+}'
+
 #test grpc proxy
 curl http://127.0.0.1:9080/apisix/admin/routes/1  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
 {
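Review bot: The `curl ... -X PUT` that creates the SSL object runs under `set -e` but without `--fail`, so an Admin API rejection (an HTTP 4xx such as a schema error on the cert, key or sni field) leaves curl's exit status at 0 and the script carries on; the problem then surfaces only later as an opaque gRPC handshake failure. Adding `-sf` (or `--fail`) to this curl, and to the existing route PUT below it, makes the setup fail at the step that actually broke. The private key is committed in clear inside the script, which is acceptable only because this is a throwaway self-signed test pair, and the hunk should say so: `# throwaway self-signed cert/key for test.com — test use only, never deploy`.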
@@ -32,4 +40,11 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1  -H 'X-API-KEY: edd1c9f034335f1
     }
 }'
 
-./build-cache/grpcurl -insecure -import-path ./build-cache/proto -proto helloworld.proto -d '{"name":"apisix"}' 127.0.0.1:9443 helloworld.Greeter.SayHello
+echo "127.0.0.1 test.com" | sudo tee -a /etc/hosts
+
+./build-cache/grpcurl -insecure -import-path ./build-cache/proto -proto helloworld.proto -d '{"name":"apisix"}' test.com:9443 helloworld.Greeter.SayHello
+
+
+#delete test data
+curl http://127.0.0.1:9080/apisix/admin/routes/1  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X DELETE
+curl http://127.0.0.1:9080/apisix/admin/ssl/1  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X DELETE
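Review bot: `grpcurl -insecure` disables certificate verification, so this call proves only that some handshake completed, not that the `test.com` certificate configured above is the one actually served — and certificate selection by SNI is exactly what the commit fixes. Verifying against the test certificate instead (for example `-cacert` pointing at the same PEM written to a temp file) would exercise that, with the caveat that whether grpcurl accepts this self-signed cert for `test.com` depends on its CN/SAN, which is not visible here. Separately, `sudo tee -a /etc/hosts` appends a new line on every run and the cleanup block never removes it, and because of `set -e` the two DELETE calls are skipped whenever grpcurl fails, leaving the route and SSL object behind for the next test; registering the cleanup with `trap '...' EXIT` before the grpcurl call covers both cases.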
diff --git a/t/router/radixtree-sni.t b/t/router/radixtree-sni.t
index 06388a7..5fe1ccd 100644
--- a/t/router/radixtree-sni.t
+++ b/t/router/radixtree-sni.t
@@ -205,7 +205,7 @@ location /t {
 GET /t
 --- response_body
 connected: 1
-failed to do SSL handshake: certificate host mismatch
+failed to do SSL handshake: handshake failed
 --- error_log
 failed to find any SSL certificate by SNI
 
@@ -558,12 +558,11 @@ location /t {
 GET /t
 --- response_body
 connected: 1
-failed to do SSL handshake: certificate host mismatch
+failed to do SSL handshake: handshake failed
 --- error_log
 lua ssl server name: "aa.bb.test2.com"
 failed to find any SSL certificate by SNI: aa.bb.test2.com matched SNI: *.test2.com
 --- no_error_log
-[error]
 [alert]
 
 
@@ -641,11 +640,10 @@ location /t {
 GET /t
 --- response_body
 connected: 1
-failed to do SSL handshake: certificate host mismatch
+failed to do SSL handshake: handshake failed
 --- error_log
 lua ssl server name: "www.test2.com"
 --- no_error_log
-[error]
 [alert]
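Review bot: Dropping `[error]` from `--- no_error_log` loosens this www.test2.com case more than the sibling cases: the aa.bb.test2.com tests still pin the specific `failed to find any SSL certificate by SNI ...` line under `--- error_log`, whereas this one only checks `lua ssl server name: "www.test2.com"`, so any error-level line at all now passes. Adding `failed to find any SSL certificate by SNI` to this block's `--- error_log` keeps the assertion meaningful; only the common prefix is suggested because the exact message for a non-wildcard miss is not visible in this hunk.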
 
 
@@ -853,12 +851,11 @@ location /t {
 GET /t
 --- response_body
 connected: 1
-failed to do SSL handshake: certificate host mismatch
+failed to do SSL handshake: handshake failed
 --- error_log
 lua ssl server name: "aa.bb.test2.com"
 failed to find any SSL certificate by SNI: aa.bb.test2.com matched SNIs: ["*.test2.com","test2.com"]
 --- no_error_log
-[error]
 [alert]