[trafficserver] branch master updated: TS-3746: make
proxy.config.ssl.client.verify.server overridable
This is an automated email from the ASF dual-hosted git repository.
paziz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new b8c6592 TS-3746: make proxy.config.ssl.client.verify.server overridable
b8c6592 is described below
commit b8c6592a8097b457a71d914a412f8e0e6a750537
Author: Persia Aziz <pe...@yahoo-inc.com>
AuthorDate: Tue Apr 11 14:22:59 2017 -0500
TS-3746: make proxy.config.ssl.client.verify.server overridable
---
doc/admin-guide/files/records.config.en.rst | 2 ++
iocore/net/I_NetVConnection.h | 2 ++
iocore/net/P_SSLClientUtils.h | 2 ++
iocore/net/SSLConfig.cc | 1 -
iocore/net/SSLNetVConnection.cc | 7 ++++++-
lib/ts/apidefs.h.in | 1 +
mgmt/RecordsConfig.cc | 2 +-
plugins/experimental/ts_lua/ts_lua_http_config.c | 2 ++
proxy/InkAPI.cc | 5 +++++
proxy/InkAPITest.cc | 2 +-
proxy/http/HttpConfig.cc | 2 ++
proxy/http/HttpConfig.h | 6 ++++++
proxy/http/HttpSM.cc | 19 +++++++++++++------
13 files changed, 43 insertions(+), 10 deletions(-)
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index 6fea643..706dc64 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3271,6 +3271,8 @@ Client-Related Configuration
----------------------------
.. ts:cv:: CONFIG proxy.config.ssl.client.verify.server INT 0
+ :reloadable:
+ :overridable:
Configures Traffic Server to verify the origin server certificate
with the Certificate Authority (CA).
diff --git a/iocore/net/I_NetVConnection.h b/iocore/net/I_NetVConnection.h
index a815cf3..da460d5 100644
--- a/iocore/net/I_NetVConnection.h
+++ b/iocore/net/I_NetVConnection.h
@@ -184,6 +184,8 @@ struct NetVCOptions {
*/
ats_scoped_str clientCertificate;
/// Reset all values to defaults.
+
+ uint8_t clientVerificationFlag = 0;
void reset();
void set_sock_param(int _recv_bufsize, int _send_bufsize, unsigned long _opt_flags, unsigned long _packet_mark = 0,
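Review bot: The new `uint8_t clientVerificationFlag = 0;` is inserted between the `/// Reset all values to defaults.` doc comment and `void reset();`, so that comment now hangs over a blank line and the field, and the field itself is undocumented. Move the field above the comment and give it its own one, e.g. `/// Origin certificate verification for client-side TLS: bit 0 set = SSL_VERIFY_PEER, clear = SSL_VERIFY_NONE (consumed in SSLNetVConnection::sslStartHandShake).` Since `reset()` is documented as restoring defaults, its body (outside this diff) should also clear this field, otherwise a reused options object keeps a stale verification setting. The `NetVCOptions` struct begins before the hunk.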
diff --git a/iocore/net/P_SSLClientUtils.h b/iocore/net/P_SSLClientUtils.h
index 6410af3..32d2a1d 100644
--- a/iocore/net/P_SSLClientUtils.h
+++ b/iocore/net/P_SSLClientUtils.h
@@ -37,4 +37,6 @@
// Create and initialize a SSL client context.
SSL_CTX *SSLInitClientContext(const struct SSLConfigParams *param);
+int verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
+
#endif /* IOCORE_NET_P_SSLCLIENTUTILS_H_ */
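Review bot: `verify_callback` is now exported from this header with no comment on its contract, which matters because SSLNetVConnection.cc installs it with `SSL_set_verify` in this same commit and its return value decides whether a failed chain verification aborts the handshake. A one-line doc comment would help: `/// OpenSSL verify callback for origin (client-side) TLS connections; installed per SSL via SSL_set_verify(). Returns non-zero to accept the certificate.` The function's definition is not in this diff, so whether it also matches the origin hostname cannot be confirmed here and should be stated in that comment by whoever owns it.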
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 0fbe4c2..dd6ef4b 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -302,7 +302,6 @@ SSLConfigParams::initialize()
// ++++++++++++++++++++++++ Client part ++++++++++++++++++++
client_verify_depth = 7;
- REC_ReadConfigInt32(clientVerify, "proxy.config.ssl.client.verify.server");
ssl_client_cert_filename = nullptr;
ssl_client_cert_path = nullptr;
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index dca0f3b..ddb3424 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -30,6 +30,7 @@
#include "P_SSLConfig.h"
#include "BIO_fastopen.h"
#include "Log.h"
+#include "P_SSLClientUtils.h"
#include <climits>
#include <string>
@@ -897,7 +898,6 @@ SSLNetVConnection::free(EThread *t)
THREAD_FREE(this, sslNetVCAllocator, t);
}
}
-
int
SSLNetVConnection::sslStartHandShake(int event, int &err)
{
@@ -976,6 +976,11 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
clientCTX = params->client_ctx;
}
this->ssl = make_ssl_connection(clientCTX, this);
+ if (this->ssl != nullptr) {
+ uint8_t clientVerify = this->options.clientVerificationFlag;
+ int verifyValue = clientVerify & 1 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE;
+ SSL_set_verify(this->ssl, verifyValue, verify_callback);
+ }
if (this->ssl == nullptr) {
SSLErrorVC(this, "failed to create SSL client session");
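Review bot: The mode chosen at `int verifyValue = clientVerify & 1 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE;` forces `SSL_VERIFY_NONE` whenever bit 0 of `options.clientVerificationFlag` is clear, and `SSL_set_verify` then overrides any mode `clientCTX` carried, so every client-side SSL connection whose options were not filled in by HttpSM (the field defaults to 0) is verification-off regardless of how the context was configured. Falling back to the context's mode avoids that fail-open default: `int verifyValue = (clientVerify & 1) ? SSL_VERIFY_PEER : SSL_CTX_get_verify_mode(clientCTX);`. Note too that this commit stops reading the record into `SSLConfigParams` in SSLConfig.cc, so anything that still consults `clientVerify` there (not visible here) now sees the default. `SSL_VERIFY_PEER` only validates the chain against the configured CA; whether the hostname is matched depends on `verify_callback`, whose body is not in the diff, and that is worth a comment above the call. The `if (this->ssl != nullptr)` block immediately followed by `if (this->ssl == nullptr)` reads better as one if/else; sslStartHandShake continues outside the hunk.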
diff --git a/lib/ts/apidefs.h.in b/lib/ts/apidefs.h.in
index a06b6cd..ac0a802 100644
--- a/lib/ts/apidefs.h.in
+++ b/lib/ts/apidefs.h.in
@@ -742,6 +742,7 @@ typedef enum {
TS_CONFIG_SSL_CERT_FILENAME,
TS_CONFIG_SSL_CERT_FILEPATH,
TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB,
+ TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER,
TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT,
TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES,
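Review bot: Inserting `TS_CONFIG_SSL_CLIENT_VERIFY_SERVER` in the middle of the `TSOverridableConfigKey` enum renumbers every entry after it (from `TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER` on), so a plugin compiled against the previous header will silently read or write the wrong override key until it is rebuilt. Unless the project already treats this enum as unstable between releases, append the new key at the end, immediately before `TS_CONFIG_LAST_ENTRY`, and move the matching entries in `SDK_Overridable_Configs` and the ts_lua alias table to the same position. The enum's opening and its last entry are outside the hunk.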
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 9e4b86f..d1d9b36 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1158,7 +1158,7 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.ssl.CA.cert.path", RECD_STRING, TS_BUILD_SYSCONFDIR, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
,
- {RECT_CONFIG, "proxy.config.ssl.client.verify.server", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ {RECT_CONFIG, "proxy.config.ssl.client.verify.server", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.client.cert.filename", RECD_STRING, nullptr, RECU_RESTART_TS, RR_NULL, RECC_STR, "^[^[:space:]]*$", RECA_NULL}
,
diff --git a/plugins/experimental/ts_lua/ts_lua_http_config.c b/plugins/experimental/ts_lua/ts_lua_http_config.c
index 16b0f7e..00d1e04 100644
--- a/plugins/experimental/ts_lua/ts_lua_http_config.c
+++ b/plugins/experimental/ts_lua/ts_lua_http_config.c
@@ -119,6 +119,7 @@ typedef enum {
TS_LUA_CONFIG_SSL_CERT_FILENAME = TS_CONFIG_SSL_CERT_FILENAME,
TS_LUA_CONFIG_SSL_CERT_FILEPATH = TS_CONFIG_SSL_CERT_FILEPATH,
TS_LUA_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB = TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB,
+ TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
TS_LUA_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER = TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER,
TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT = TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT,
TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES = TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES,
@@ -238,6 +239,7 @@ ts_lua_var_item ts_lua_http_config_vars[] = {
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_SSL_CERT_FILENAME),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_SSL_CERT_FILEPATH),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB),
+ TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES),
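Review bot: The new table entry uses the raw key `TS_CONFIG_SSL_CLIENT_VERIFY_SERVER` while every neighbouring entry uses its `TS_LUA_CONFIG_*` alias, and the alias `TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER` was added in the first hunk for exactly this table. If `TS_LUA_MAKE_VAR_ITEM` stringifies its argument to form the Lua-visible name (its definition is outside the hunk), scripts would have to spell this one config `TS_CONFIG_SSL_CLIENT_VERIFY_SERVER` instead of the conventional `TS_LUA_CONFIG_...` name. Change it to `TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER),`.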
diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc
index 67dbb40..5e23d2a 100644
--- a/proxy/InkAPI.cc
+++ b/proxy/InkAPI.cc
@@ -8079,6 +8079,9 @@ _conf_to_memberp(TSOverridableConfigKey conf, OverridableHttpConfigParams *overr
case TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB:
ret = _memberp_to_generic(&overridableHttpConfig->parent_failures_update_hostdb, typep);
break;
+ case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER:
+ ret = _memberp_to_generic(&overridableHttpConfig->ssl_client_verify_server, typep);
+ break;
case TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER:
ret = _memberp_to_generic(&overridableHttpConfig->cache_enable_default_vary_headers, typep);
break;
@@ -8403,6 +8406,8 @@ TSHttpTxnConfigFind(const char *name, int length, TSOverridableConfigKey *conf,
if (!strncmp(name, "proxy.config.http.response_server_str", length)) {
cnf = TS_CONFIG_HTTP_RESPONSE_SERVER_STR;
typ = TS_RECORDDATATYPE_STRING;
+ } else if (!strncmp(name, "proxy.config.ssl.client.verify.server", length)) {
+ cnf = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER;
}
break;
case 't':
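Review bot: The new `else if` branch in `TSHttpTxnConfigFind` sets `cnf` but leaves `typ` untouched, unlike the sibling branch for `proxy.config.http.response_server_str` which assigns it explicitly. That is correct only if `typ` is initialised to `TS_RECORDDATATYPE_INT` at the top of the function, which is outside the hunk; adding `typ = TS_RECORDDATATYPE_INT;` inside the branch makes the intent explicit and keeps the byte-typed override safe if that default ever changes. The function's `switch` and its initialisers are outside the hunk.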
diff --git a/proxy/InkAPITest.cc b/proxy/InkAPITest.cc
index e0b0a56..90ef84d 100644
--- a/proxy/InkAPITest.cc
+++ b/proxy/InkAPITest.cc
@@ -7617,6 +7617,7 @@ const char *SDK_Overridable_Configs[TS_CONFIG_LAST_ENTRY] = {
"proxy.config.ssl.client.cert.filename",
"proxy.config.ssl.client.cert.path",
"proxy.config.http.parent_proxy.mark_down_hostdb",
+ "proxy.config.ssl.client.verify.server",
"proxy.config.http.cache.enable_default_vary_headers",
"proxy.config.http.cache.vary_default_text",
"proxy.config.http.cache.vary_default_images",
@@ -7626,7 +7627,6 @@ const char *SDK_Overridable_Configs[TS_CONFIG_LAST_ENTRY] = {
"proxy.config.http.cache.ignore_accept_encoding_mismatch",
"proxy.config.http.cache.ignore_accept_charset_mismatch",
};
-
REGRESSION_TEST(SDK_API_OVERRIDABLE_CONFIGS)(RegressionTest *test, int /* atype ATS_UNUSED */, int *pstatus)
{
const char *conf;
diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc
index 062bdd4..52b8674 100644
--- a/proxy/http/HttpConfig.cc
+++ b/proxy/http/HttpConfig.cc
@@ -1072,6 +1072,7 @@ HttpConfig::startup()
HttpEstablishStaticConfigByte(c.errors_log_error_pages, "proxy.config.http.errors.log_error_pages");
HttpEstablishStaticConfigLongLong(c.oride.slow_log_threshold, "proxy.config.http.slow.log.threshold");
+ HttpEstablishStaticConfigByte(c.oride.ssl_client_verify_server, "proxy.config.ssl.client.verify.server");
HttpEstablishStaticConfigByte(c.record_cop_page, "proxy.config.http.record_heartbeat");
@@ -1344,6 +1345,7 @@ HttpConfig::reconfigure()
params->errors_log_error_pages = INT_TO_BOOL(m_master.errors_log_error_pages);
params->oride.slow_log_threshold = m_master.oride.slow_log_threshold;
params->record_cop_page = INT_TO_BOOL(m_master.record_cop_page);
+ params->oride.ssl_client_verify_server = INT_TO_BOOL(m_master.oride.ssl_client_verify_server);
params->oride.send_http11_requests = m_master.oride.send_http11_requests;
params->oride.doc_in_cache_skip_dns = INT_TO_BOOL(m_master.oride.doc_in_cache_skip_dns);
params->oride.default_buffer_size_index = m_master.oride.default_buffer_size_index;
diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h
index 85ccca2..303db6a 100644
--- a/proxy/http/HttpConfig.h
+++ b/proxy/http/HttpConfig.h
@@ -414,6 +414,7 @@ struct OverridableHttpConfigParams {
parent_failures_update_hostdb(0),
cache_open_write_fail_action(0),
post_check_content_length_enabled(1),
+ ssl_client_verify_server(0),
redirection_enabled(0),
redirect_use_orig_cache_key(0),
number_of_redirections(1),
@@ -578,6 +579,11 @@ struct OverridableHttpConfigParams {
////////////////////////
MgmtByte post_check_content_length_enabled;
+ /////////////////////////////
+ // server verification mode//
+ /////////////////////////////
+ MgmtByte ssl_client_verify_server;
+
//##############################################################################
//#
//# Redirection
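Review bot: The comment on the new member, `// server verification mode//`, says neither what the values mean nor which record it mirrors, so readers of `OverridableHttpConfigParams` have to trace through HttpSM.cc and SSLNetVConnection.cc to learn that it drives `SSL_set_verify`. Suggest `// proxy.config.ssl.client.verify.server: 1 = verify the origin server certificate (SSL_VERIFY_PEER), 0 = no verification`. The initialiser added in the first hunk keeps the field in declaration order after `post_check_content_length_enabled`, which is correct.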
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index aae2961..e24ea4a 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -5282,12 +5282,19 @@ HttpSM::handle_http_server_open()
// server session's first transaction.
if (nullptr != server_session) {
NetVConnection *vc = server_session->get_netvc();
- if (vc != nullptr && (vc->options.sockopt_flags != t_state.txn_conf->sock_option_flag_out ||
- vc->options.packet_mark != t_state.txn_conf->sock_packet_mark_out ||
- vc->options.packet_tos != t_state.txn_conf->sock_packet_tos_out)) {
- vc->options.sockopt_flags = t_state.txn_conf->sock_option_flag_out;
- vc->options.packet_mark = t_state.txn_conf->sock_packet_mark_out;
- vc->options.packet_tos = t_state.txn_conf->sock_packet_tos_out;
+
+ // SSLNetVConnection *ssl_vc = dynamic_cast<SSLNetVConnection *>(vc);
+ // if (ssl_vc) {
+ // ssl_vc->setClientVerifyEnable(t_state.txn_conf->ssl_client_verify_server);
+ // }
+ if (vc != NULL && (vc->options.sockopt_flags != t_state.txn_conf->sock_option_flag_out ||
+ vc->options.packet_mark != t_state.txn_conf->sock_packet_mark_out ||
+ vc->options.packet_tos != t_state.txn_conf->sock_packet_tos_out ||
+ vc->options.clientVerificationFlag != t_state.txn_conf->ssl_client_verify_server)) {
+ vc->options.sockopt_flags = t_state.txn_conf->sock_option_flag_out;
+ vc->options.packet_mark = t_state.txn_conf->sock_packet_mark_out;
+ vc->options.packet_tos = t_state.txn_conf->sock_packet_tos_out;
+ vc->options.clientVerificationFlag = t_state.txn_conf->ssl_client_verify_server;
vc->apply_options();
}
}
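Review bot: The verify flag is copied into `vc->options` only on the path the comment at the top of the hunk describes as the server session's first transaction, so the per-transaction override can only influence an origin connection whose TLS handshake has not yet run; as far as this hunk shows, a pooled connection established with verification off could later be reused by a transaction whose override asks for verification, and the session-pool matching (outside the diff) should take `ssl_client_verify_server` into account. The hunk also ships a commented-out `dynamic_cast<SSLNetVConnection *>` block that should be deleted rather than left as dead code, and the rewritten condition regresses `vc != nullptr` to `vc != NULL`; restore `if (vc != nullptr && (vc->options.sockopt_flags != t_state.txn_conf->sock_option_flag_out ||`. handle_http_server_open starts and ends outside the hunk.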
--