Posted to commits@trafficserver.apache.org by so...@apache.org on 2015/04/22 18:55:27 UTC
[08/12] trafficserver git commit: TS-3529: Add a config to allow ATS
to start up even if some certificates are bad.
TS-3529: Add a config to allow ATS to start up even if some certificates are bad.
(cherry picked from commit ef36a509c0a3cf0309ad563e980d7e002f9b2d9c)
Conflicts:
CHANGES
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/bf4ba0cf
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/bf4ba0cf
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/bf4ba0cf
Branch: refs/heads/5.3.x
Commit: bf4ba0cf2741d7d189deba608154b07aa61dce46
Parents: efd2db2
Author: shinrich <sh...@yahoo-inc.com>
Authored: Tue Apr 21 14:47:51 2015 -0500
Committer: Phil Sorber <so...@apache.org>
Committed: Tue Apr 21 14:50:42 2015 -0600
----------------------------------------------------------------------
CHANGES | 2 ++
iocore/net/P_SSLConfig.h | 1 +
iocore/net/SSLConfig.cc | 14 +++++++++-----
mgmt/RecordsConfig.cc | 2 ++
4 files changed, 14 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/bf4ba0cf/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 280d95f..0df57b1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 5.3.0
+ *) [TS-3529] Add config option to allow ATS to start even if certificate files are bad.
+
*) [TS-3522] Segfault due to inactivity_cop.
*) [TS-3530] HTTP/2 memory leak with headers and more...
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/bf4ba0cf/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 549aa28..68dd50f 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -66,6 +66,7 @@ struct SSLConfigParams : public ConfigInfo {
char *dhparamsFile;
char *cipherSuite;
char *client_cipherSuite;
+ int configExitOnLoadError;
int clientCertLevel;
int verify_depth;
int ssl_session_cache; // SSL_SESSION_CACHE_MODE
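Review bot: The new member `configExitOnLoadError` has no comment tying it to the record it mirrors, and the name alone does not say it is a 0/1 flag that decides whether startup aborts; suggest `int configExitOnLoadError; // proxy.config.ssl.server.multicert.exit_on_load_fail: non-zero => startup() _exit(1)s when the multicert file fails to load`. Whether the SSLConfigParams constructor zero-initialises this field before SSLConfigParams::initialize() reads the record is outside the hunk and worth confirming, since SSLCertificateConfig::startup() tests it directly. struct SSLConfigParams starts and ends outside this hunk.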
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/bf4ba0cf/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index acd8c19..669e1c1 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -231,6 +231,7 @@ SSLConfigParams::initialize()
ats_free(serverCertRelativePath);
configFilePath = RecConfigReadConfigPath("proxy.config.ssl.server.multicert.filename");
+ REC_ReadConfigInteger(configExitOnLoadError, "proxy.config.ssl.server.multicert.exit_on_load_fail");
REC_ReadConfigStringAlloc(ssl_server_private_key_path, "proxy.config.ssl.server.private_key.path");
set_paths_helper(ssl_server_private_key_path, NULL, &serverKeyPathOnly, NULL);
@@ -324,12 +325,17 @@ SSLCertificateConfig::startup()
{
sslCertUpdate = new ConfigUpdateHandler<SSLCertificateConfig>();
sslCertUpdate->attach("proxy.config.ssl.server.multicert.filename");
+ sslCertUpdate->attach("proxy.config.ssl.server.multicert.exit_on_load_fail");
sslCertUpdate->attach("proxy.config.ssl.server.ticket_key.filename");
sslCertUpdate->attach("proxy.config.ssl.server.cert.path");
sslCertUpdate->attach("proxy.config.ssl.server.private_key.path");
sslCertUpdate->attach("proxy.config.ssl.server.cert_chain.filename");
- if (!reconfigure()) {
+ // Exit if there are problems on the certificate loading and the
+ // proxy.config.ssl.server.multicert.exit_on_load_fail is true
+ SSLConfigParams *params = SSLConfig::acquire();
+ if (!reconfigure() && params->configExitOnLoadError) {
+ Error("Problems loading ssl certificate file, %s. Exiting.", params->configFilePath);
_exit(1);
}
return true;
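Review bot: The `SSLConfig::acquire()` added on the new lines is never paired with a `SSLConfig::release(params)`, so on the success path every startup() call keeps one reference to the SSLConfigParams alive; as far as the hunk shows, params is needed only for the flag and the file name, so it can be released before returning. When reconfigure() fails and configExitOnLoadError is 0 the function now returns true without emitting anything here, so a broken certificate bundle is reported only if reconfigure() logs it itself — the Error() belongs on both branches, with the exit decision taken afterwards. Because the removed lines exited unconditionally and the record in the mgmt/RecordsConfig.cc hunk defaults to "0", the commit also flips the default from fail-closed to fail-open; a default of "1" would keep existing deployments' behaviour and make the relaxation opt-in. startup()'s signature is in the hunk header and its closing brace is outside the hunk.
```cpp
  SSLConfigParams *params = SSLConfig::acquire();
  const bool loaded = reconfigure();
  const bool exit_on_fail = params->configExitOnLoadError != 0;
  if (!loaded) {
    Error("Problems loading ssl certificate file, %s.%s", params->configFilePath,
          exit_on_fail ? " Exiting." : " Continuing without a valid certificate configuration.");
  }
  SSLConfig::release(params);
  if (!loaded && exit_on_fail) {
    _exit(1);
  }
  return true;
```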
@@ -351,11 +357,9 @@ SSLCertificateConfig::reconfigure()
}
SSLParseCertificateConfiguration(params, lookup);
- if (lookup->is_valid) {
- configid = configProcessor.set(configid, lookup);
- } else {
+ configid = configProcessor.set(configid, lookup);
+ if (!lookup->is_valid) {
retStatus = false;
- delete lookup;
}
return retStatus;
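Review bot: The new code installs `lookup` into configProcessor even when `lookup->is_valid` is false, where the removed lines deleted it and left the previous configuration in place; since reconfigure() is also the update handler attached in startup(), a reload with a broken ssl_multicert.config now appears to replace a working certificate set with an invalid or partially loaded one instead of keeping the last good one. If the intent is only to give the fail-open startup path a non-NULL lookup, limiting the unconditional install to the first load preserves the reload semantics, e.g. `if (lookup->is_valid || configid == 0) { configid = configProcessor.set(configid, lookup); } else { retStatus = false; delete lookup; }` — assuming configid is 0 before the first set, which is outside the hunk. A comment stating why an invalid lookup is deliberately published would also help the next reader. reconfigure() begins before this hunk and the `lookup` and `params` locals are declared outside it.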
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/bf4ba0cf/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 51eb607..d237508 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1282,6 +1282,8 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.ssl.server.multicert.filename", RECD_STRING, "ssl_multicert.config", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
,
+ {RECT_CONFIG, "proxy.config.ssl.server.multicert.exit_on_load_fail", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, "[0-1]", RECA_NULL}
+ ,
{RECT_CONFIG, "proxy.config.ssl.server.ticket_key.filename", RECD_STRING, "ssl_ticket.key", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.server.private_key.path", RECD_STRING, TS_BUILD_SYSCONFDIR, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
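Review bot: The new record is declared `RECU_RESTART_TS`, yet the iocore/net/SSLConfig.cc hunk attaches a ConfigUpdateHandler to it in SSLCertificateConfig::startup(); the flag is read only in SSLConfigParams::initialize() and consulted only in startup(), so a runtime change is never observed but still triggers a full certificate reconfigure(). Either drop the `sslCertUpdate->attach("proxy.config.ssl.server.multicert.exit_on_load_fail");` line or, if dynamic updates are wanted, mark the record RECU_DYNAMIC and make the reload path honour it. The RecordsConfig[] array begins and ends outside this hunk.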