Posted to commits@trafficserver.apache.org by bn...@apache.org on 2021/10/01 23:39:27 UTC

[trafficserver] 01/01: Revert "TSSslSecretSet: Update SSL_CTX TLS Secrets (#8368)"

This is an automated email from the ASF dual-hosted git repository.

bneradt pushed a commit to branch revert-8368-fix_TSSslSecretSet_for_stored_ssl_contexts
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit d4c99a0687fffeb101e84dd4db0753fd217275af
Author: Brian Neradt <br...@verizonmedia.com>
AuthorDate: Fri Oct 1 18:39:18 2021 -0500

    Revert "TSSslSecretSet: Update SSL_CTX TLS Secrets (#8368)"
    
    This reverts commit 1ae919a734f5db707ae14fc0f7abb7ca091be123.
---
 iocore/net/SSLConfig.cc      | 3 ---
 iocore/net/SSLSecret.cc      | 8 +++-----
 iocore/net/SSLUtils.cc       | 7 -------
 src/traffic_server/InkAPI.cc | 6 +-----
 4 files changed, 4 insertions(+), 20 deletions(-)

diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 152d9fe..cecbb45 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -573,9 +573,6 @@ SSLCertificateConfig::acquire()
 void
 SSLCertificateConfig::release(SSLCertLookup *lookup)
 {
-  if (lookup == nullptr) {
-    return;
-  }
   configProcessor.release(configid, lookup);
 }
 
diff --git a/iocore/net/SSLSecret.cc b/iocore/net/SSLSecret.cc
index 3135d56..945e444 100644
--- a/iocore/net/SSLSecret.cc
+++ b/iocore/net/SSLSecret.cc
@@ -82,7 +82,7 @@ SSLSecret::setSecret(const std::string &name, const char *data, int data_len)
     return false;
   }
   iter->second.assign(data, data_len);
-  Debug("ssl_secret", "Set secret for %s to %.*s", name.c_str(), static_cast<int>(iter->second.size()), iter->second.data());
+  Debug("secret_ssl", "Set secret=%10.s... to %*.s", name.c_str(), static_cast<int>(iter->second.size()), iter->second.data());
   return true;
 }
 
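Review bot: The restored format string in setSecret uses `%10.s` and `%*.s`, where a bare `.` means precision zero under printf rules, so (assuming Debug follows them) neither the name nor the data is printed, only padding whose width equals the secret's size. Rather than repairing the specifiers into something that prints the value, I would log the name and the length only: `Debug("secret_ssl", "Set secret for %s (%zu bytes)", name.c_str(), iter->second.size());`. The same `%10.s` for the name recurs in the getSecret hunk below. setSecret begins outside this hunk.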
@@ -102,10 +102,9 @@ SSLSecret::getSecret(const std::string &name, std::string_view &data) const
 {
   const std::string *data_item = this->getSecretItem(name);
   if (data_item) {
-    Debug("ssl_secret", "Get secret for %s: %.*s", name.c_str(), static_cast<int>(data_item->length()), data_item->data());
+    Debug("secret_ssl", "Get secret=%10.s...  %s(%zd)", name.c_str(), data_item->data(), data_item->length());
     data = *data_item;
   } else {
-    Debug("ssl_secret", "Get secret for %s: not found", name.c_str());
     data = std::string_view{};
   }
   return data_item != nullptr;
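Review bot: The restored Debug call in getSecret passes `data_item->data()` to a plain `%s`, which writes the stored secret itself into the debug log whenever the `secret_ssl` tag is enabled; if these entries hold certificate or private-key contents, as the TSSslSecretSet API name suggests, that is key material in a log file. `%s` also stops at the first NUL byte, and `%zd` is paired with an unsigned `length()`. Logging only metadata avoids all three: `Debug("secret_ssl", "Get secret for %s: %zu bytes", name.c_str(), data_item->length());`. The not-found branch now logs nothing, which makes a lookup miss harder to trace.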
@@ -114,12 +113,11 @@ SSLSecret::getSecret(const std::string &name, std::string_view &data) const
 bool
 SSLSecret::getOrLoadSecret(const std::string &name1, const std::string &name2, std::string_view &data1, std::string_view &data2)
 {
-  Debug("ssl_secret", "lookup up secrets for %s and %s", name1.c_str(), name2.c_str());
   std::scoped_lock lock(secret_map_mutex);
   bool found_secret1 = this->getSecret(name1, data1);
   bool found_secret2 = name2.empty() || this->getSecret(name2, data2);
 
-  // If we can't find either secret, load them both again
+  // If we can't find either secret, load the both again
   if (!found_secret1 || !found_secret2) {
     // Make sure each name has an entry
     if (!found_secret1) {
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index d6b87e3..43b4635 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1747,13 +1747,6 @@ SSLMultiCertConfigLoader::update_ssl_ctx(const std::string &secret_name)
   bool retval = true;
 
   SSLCertificateConfig::scoped_config lookup;
-  if (!lookup) {
-    // SSLCertificateConfig is still being configured, thus there are no SSL
-    // contexts to update. This situation can happen during startup if a
-    // registered hook updates certs before SSLCertContext configuration is
-    // complete.
-    return retval;
-  }
   std::set<shared_SSLMultiCertConfigParams> policies;
   lookup->getPolicies(secret_name, policies);
 
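Review bot: `lookup->getPolicies(secret_name, policies)` is now reached with no check that the scoped_config holds a configuration. The removed comment describes a startup case where a registered hook updates certs before SSLCertContext configuration is complete; in that case `lookup` would be null and this line dereferences it. Unless another change guarantees the ordering, keep the guard `if (!lookup) { return retval; }` ahead of the call, and keep the matching null check in SSLCertificateConfig::release (SSLConfig.cc hunk), since whether configProcessor.release accepts a null pointer is not visible here. update_ssl_ctx continues outside this hunk.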
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index c3f0cd7..9f4b1dd 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
@@ -9511,19 +9511,15 @@ TSSslSecretSet(const char *secret_name, int secret_name_length, const char *secr
   SSLConfigParams *load_params = SSLConfig::load_acquire();
   SSLConfigParams *params      = SSLConfig::acquire();
   if (load_params != nullptr) { // Update the current data structure
-    Debug("ssl.cert_update", "Setting secrets in SSLConfig load for: %.*s", secret_name_length, secret_name);
     if (!load_params->secrets.setSecret(std::string(secret_name, secret_name_length), secret_data, secret_data_len)) {
       retval = TS_ERROR;
     }
-    load_params->updateCTX(std::string(secret_name, secret_name_length));
-    SSLConfig::load_release(load_params);
+    SSLConfig::load_release(params);
   }
   if (params != nullptr) {
-    Debug("ssl.cert_update", "Setting secrets in SSLConfig for: %.*s", secret_name_length, secret_name);
     if (!params->secrets.setSecret(std::string(secret_name, secret_name_length), secret_data, secret_data_len)) {
       retval = TS_ERROR;
     }
-    params->updateCTX(std::string(secret_name, secret_name_length));
     SSLConfig::release(params);
   }
   return retval;
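Review bot: `SSLConfig::load_release(params);` inside the `load_params != nullptr` branch releases the wrong object: `load_params` came from `load_acquire()` and is never released, while `params` is handed to `load_release` here and is then still used and released again in the next branch. It should read `SSLConfig::load_release(load_params);`. `params` may also be null at that point, since it is only checked afterwards. The function starts outside this hunk.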