Posted to commits@trafficserver.apache.org by bc...@apache.org on 2019/04/11 18:09:00 UTC
[trafficserver] branch 8.1.x updated: Update documentation for SSL
VERIFY hooks.
This is an automated email from the ASF dual-hosted git repository.
bcall pushed a commit to branch 8.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/8.1.x by this push:
new 4734a95 Update documentation for SSL VERIFY hooks.
4734a95 is described below
commit 4734a95426243bc18e48fe42077ef441de30dc0f
Author: Susan Hinrichs <sh...@apache.org>
AuthorDate: Wed Oct 10 16:13:51 2018 -0500
Update documentation for SSL VERIFY hooks.
(cherry picked from commit 458bb1f2c4c2917e103701acddf9ea1aab462105)
---
doc/developer-guide/api/types/TSHttpHookID.en.rst | 2 ++
.../hooks-and-transactions/ssl-hooks.en.rst | 27 ++++++++++++++++++++++
include/ts/apidefs.h.in | 2 ++
iocore/net/SSLClientUtils.cc | 2 +-
iocore/net/SSLNetVConnection.cc | 6 ++---
proxy/InkAPIInternal.h | 2 +-
proxy/http/HttpDebugNames.cc | 4 ++--
src/traffic_server/InkAPITest.cc | 2 +-
8 files changed, 39 insertions(+), 8 deletions(-)
diff --git a/doc/developer-guide/api/types/TSHttpHookID.en.rst b/doc/developer-guide/api/types/TSHttpHookID.en.rst
index f03444a..852b672 100644
--- a/doc/developer-guide/api/types/TSHttpHookID.en.rst
+++ b/doc/developer-guide/api/types/TSHttpHookID.en.rst
@@ -82,6 +82,8 @@ Enumeration Members
.. c:macro:: TSHttpHookID TS_SSL_VERIFY_CLIENT_HOOK
+.. c:macro:: TSHttpHookID TS_SSL_VERIFY_SERVER_HOOK
+
.. c:macro:: TSHttpHookID TS_SSL_LAST_HOOK
.. c:macro:: TSHttpHookID TS_HTTP_LAST_HOOK
diff --git a/doc/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.rst b/doc/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.rst
index 518d0e8..1fa1a20 100644
--- a/doc/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.rst
+++ b/doc/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.rst
@@ -84,6 +84,29 @@ handshake processing will not proceed until :c:func:`TSSslVConnReenable()` is ca
It may be useful to delay the TLS handshake processing if other resources must be consulted to select or create
a certificate.
+TS_SSL_VERIFY_CLIENT_HOOK
+-------------------------
+
+This hook is called when a client connects to Traffic Server and presents a
+client certificate in the case of a mutual TLS handshake. The callback can
+get the SSL object from the TSVConn argument and use that to access the client
+certificate and make any additional checks.
+
+Processing will continue regardless of whether the hook callback executes
+:c:func:`TSSslVConnReenable()` since the openssl implementation does not allow
+for pausing processing during the certificate verify callback.
+
+TS_SSL_VERIFY_SERVER_HOOK
+-------------------------
+
+This hooks is called when a Traffic Server connects to an origin and the origin
+presents a certificate. The callback can get the SSL object from the TSVConn
+argument and use that to access the origin certificate and make any additional checks.
+
+Processing will continue regardless of whether the hook callback executes
+:c:func:`TSSslVConnReenable()` since the openssl implementation does not allow
+for pausing processing during the certificate verify callback.
+
TLS Hook State Diagram
----------------------
@@ -92,9 +115,11 @@ TLS Hook State Diagram
digraph tls_hook_state_diagram{
HANDSHAKE_HOOKS_PRE -> TS_VCONN_START_HOOK;
+ HANDSHAKE_HOOKS_PRE -> TS_SSL_VERIFY_CLIENT_HOOK;
HANDSHAKE_HOOKS_PRE -> TS_SSL_CERT_HOOK;
HANDSHAKE_HOOKS_PRE -> TS_SSL_SERVERNAME_HOOK;
HANDSHAKE_HOOKS_PRE -> HANDSHAKE_HOOKS_DONE;
+ TS_SSL_VERIFY_CLIENT_HOOK -> HANDSHAKE_HOOKS_PRE;
TS_VCONN_START_HOOK -> HANDSHAKE_HOOKS_PRE_INVOKE;
HANDSHAKE_HOOKS_PRE_INVOKE -> TSSslVConnReenable;
TSSslVConnReenable -> HANDSHAKE_HOOKS_PRE;
@@ -110,6 +135,8 @@ TLS Hook State Diagram
HANDSHAKE_HOOKS_DONE -> TS_VCONN_CLOSE_HOOK;
HANDSHAKE_HOOKS_PRE [shape=box];
+ TS_VCONN_START_HOOK [shape=box];
+ TS_SSL_VERIFY_CLIENT_HOOK [shape=box];
HANDSHAKE_HOOKS_PRE_INVOKE [shape=box];
HANDSHAKE_HOOKS_SNI [shape=box];
HANDSHAKE_HOOKS_CERT [shape=box];
diff --git a/include/ts/apidefs.h.in b/include/ts/apidefs.h.in
index 758b48d..862ac31 100644
--- a/include/ts/apidefs.h.in
+++ b/include/ts/apidefs.h.in
@@ -290,6 +290,7 @@ typedef enum {
TS_SSL_CERT_HOOK = TS_SSL_SNI_HOOK,
TS_SSL_SERVERNAME_HOOK,
TS_SSL_SERVER_VERIFY_HOOK,
+ TS_SSL_VERIFY_SERVER_HOOK = TS_SSL_SERVER_VERIFY_HOOK,
TS_SSL_VERIFY_CLIENT_HOOK,
TS_SSL_SESSION_HOOK,
TS_SSL_LAST_HOOK = TS_SSL_SESSION_HOOK,
@@ -462,6 +463,7 @@ typedef enum {
TS_EVENT_SSL_CERT = 60203,
TS_EVENT_SSL_SERVERNAME = 60204,
TS_EVENT_SSL_SERVER_VERIFY_HOOK = 60205,
+ TS_EVENT_SSL_VERIFY_SERVER = 60205,
TS_EVENT_SSL_VERIFY_CLIENT = 60206
} TSEvent;
#define TS_EVENT_HTTP_READ_REQUEST_PRE_REMAP TS_EVENT_HTTP_PRE_REMAP /* backwards compat */
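Review bot: The new event alias is pinned to the literal `60205` instead of to the symbol it duplicates, so `TS_EVENT_SSL_VERIFY_SERVER` and `TS_EVENT_SSL_SERVER_VERIFY_HOOK` can silently diverge if either is ever renumbered, whereas the hook alias in the first hunk of this file already uses the symbolic form `TS_SSL_VERIFY_SERVER_HOOK = TS_SSL_SERVER_VERIFY_HOOK`. Prefer `TS_EVENT_SSL_VERIFY_SERVER = TS_EVENT_SSL_SERVER_VERIFY_HOOK,` here as well. Neither alias pair says which spelling plugin authors should use, and this header marks such pairs with a trailing comment (see the `/* backwards compat */` on the `#define` below); since the rest of the commit switches every internal use to the VERIFY_SERVER spelling, a comment such as `/* TS_EVENT_SSL_SERVER_VERIFY_HOOK kept for backwards compat; prefer TS_EVENT_SSL_VERIFY_SERVER */` on the old name (and the equivalent on the hook-ID pair) would make the intent explicit.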
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index 2adb62b..5163153 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
@@ -79,7 +79,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
}
if (netvc != nullptr) {
- netvc->callHooks(TS_EVENT_SSL_SERVER_VERIFY_HOOK);
+ netvc->callHooks(TS_EVENT_SSL_VERIFY_SERVER);
char *matched_name = nullptr;
unsigned char *sni_name;
char buff[INET6_ADDRSTRLEN];
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 3b61a8e..d801550 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1599,7 +1599,7 @@ bool
SSLNetVConnection::callHooks(TSEvent eventId)
{
// Only dealing with the SNI/CERT hook so far.
- ink_assert(eventId == TS_EVENT_SSL_CERT || eventId == TS_EVENT_SSL_SERVERNAME || eventId == TS_EVENT_SSL_SERVER_VERIFY_HOOK ||
+ ink_assert(eventId == TS_EVENT_SSL_CERT || eventId == TS_EVENT_SSL_SERVERNAME || eventId == TS_EVENT_SSL_VERIFY_SERVER ||
eventId == TS_EVENT_SSL_VERIFY_CLIENT || eventId == TS_EVENT_VCONN_CLOSE);
Debug("ssl", "callHooks sslHandshakeHookState=%d", this->sslHandshakeHookState);
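Review bot: The comment `// Only dealing with the SNI/CERT hook so far.` above the assertion is stale: the assertion it introduces now admits `TS_EVENT_SSL_VERIFY_SERVER`, `TS_EVENT_SSL_VERIFY_CLIENT` and `TS_EVENT_VCONN_CLOSE` too, and the commit rewrites that line without touching the comment. Suggest `// Accepts the TLS handshake hook events (cert, servername, verify server/client) plus VCONN_CLOSE; any other event is a caller bug.` The second hunk of this file notes that the server-verify event belongs to the ATS-to-origin handshake while the others are client-to-ATS; a word of that here would help, since this single assertion mixes both directions. The body of callHooks continues outside the hunk.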
@@ -1626,9 +1626,9 @@ SSLNetVConnection::callHooks(TSEvent eventId)
case HANDSHAKE_HOOKS_SNI:
// The server verify event addresses ATS to origin handshake
// All the other events are for client to ATS
- if (eventId == TS_EVENT_SSL_SERVER_VERIFY_HOOK) {
+ if (eventId == TS_EVENT_SSL_VERIFY_SERVER) {
if (!curHook) {
- curHook = ssl_hooks->get(TS_SSL_SERVER_VERIFY_INTERNAL_HOOK);
+ curHook = ssl_hooks->get(TS_SSL_VERIFY_SERVER_INTERNAL_HOOK);
}
} else {
if (!curHook) {
diff --git a/proxy/InkAPIInternal.h b/proxy/InkAPIInternal.h
index 99aaec2..0ed5672 100644
--- a/proxy/InkAPIInternal.h
+++ b/proxy/InkAPIInternal.h
@@ -279,7 +279,7 @@ typedef enum {
TS_VCONN_CLOSE_INTERNAL_HOOK,
TS_SSL_CERT_INTERNAL_HOOK,
TS_SSL_SERVERNAME_INTERNAL_HOOK,
- TS_SSL_SERVER_VERIFY_INTERNAL_HOOK,
+ TS_SSL_VERIFY_SERVER_INTERNAL_HOOK,
TS_SSL_VERIFY_CLIENT_INTERNAL_HOOK,
TS_SSL_SESSION_INTERNAL_HOOK,
TS_SSL_INTERNAL_LAST_HOOK
diff --git a/proxy/http/HttpDebugNames.cc b/proxy/http/HttpDebugNames.cc
index 8f270a8..e460f82 100644
--- a/proxy/http/HttpDebugNames.cc
+++ b/proxy/http/HttpDebugNames.cc
@@ -464,8 +464,8 @@ HttpDebugNames::get_api_hook_name(TSHttpHookID t)
return "TS_SSL_CERT_HOOK";
case TS_SSL_SERVERNAME_HOOK:
return "TS_SSL_SERVERNAME_HOOK";
- case TS_SSL_SERVER_VERIFY_HOOK:
- return "TS_SSL_SERVER_VERIFY_HOOK";
+ case TS_SSL_VERIFY_SERVER_HOOK:
+ return "TS_SSL_VERIFY_SERVER_HOOK";
case TS_SSL_VERIFY_CLIENT_HOOK:
return "TS_SSL_VERIFY_CLIENT_HOOK";
case TS_SSL_SESSION_HOOK:
diff --git a/src/traffic_server/InkAPITest.cc b/src/traffic_server/InkAPITest.cc
index bbe5144..2769d49 100644
--- a/src/traffic_server/InkAPITest.cc
+++ b/src/traffic_server/InkAPITest.cc
@@ -6622,7 +6622,7 @@ typedef enum {
ORIG_TS_VCONN_CLOSE_HOOK,
ORIG_TS_SSL_SNI_HOOK,
ORIG_TS_SSL_SERVERNAME_HOOK,
- ORIG_TS_SSL_SERVER_VERIFY_HOOK,
+ ORIG_TS_SSL_VERIFY_SERVER_HOOK,
ORIG_TS_SSL_VERIFY_CLIENT_HOOK,
ORIG_TS_SSL_SESSION_HOOK,
ORIG_TS_SSL_LAST_HOOK = ORIG_TS_SSL_SESSION_HOOK,
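Review bot: The ORIG_ mirror enum gains no counterpart for the alias this commit adds in apidefs.h.in (`TS_SSL_VERIFY_SERVER_HOOK = TS_SSL_SERVER_VERIFY_HOOK`), so whatever this test asserts about the public hook IDs (the comparison is outside the hunk) no longer covers the old spelling that already-built plugins still use. If the test compares each ORIG_ member to its TS_ counterpart, add `ORIG_TS_SSL_SERVER_VERIFY_HOOK = ORIG_TS_SSL_VERIFY_SERVER_HOOK,` beside the renamed member and include it in that comparison, so a later renumbering that breaks the alias is caught here rather than in a deployed plugin. The enclosing typedef starts and ends outside the hunk.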