Posted to commits@trafficserver.apache.org by so...@apache.org on 2015/04/22 18:55:27 UTC

[08/12] trafficserver git commit: TS-3529: Add a config to allow ATS to start up even if some certificates are bad.

TS-3529:  Add a config to allow ATS to start up even if some certificates are bad.

(cherry picked from commit ef36a509c0a3cf0309ad563e980d7e002f9b2d9c)

Conflicts:
	CHANGES


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/bf4ba0cf
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/bf4ba0cf
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/bf4ba0cf

Branch: refs/heads/5.3.x
Commit: bf4ba0cf2741d7d189deba608154b07aa61dce46
Parents: efd2db2
Author: shinrich <sh...@yahoo-inc.com>
Authored: Tue Apr 21 14:47:51 2015 -0500
Committer: Phil Sorber <so...@apache.org>
Committed: Tue Apr 21 14:50:42 2015 -0600

----------------------------------------------------------------------
 CHANGES                  |  2 ++
 iocore/net/P_SSLConfig.h |  1 +
 iocore/net/SSLConfig.cc  | 14 +++++++++-----
 mgmt/RecordsConfig.cc    |  2 ++
 4 files changed, 14 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/bf4ba0cf/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 280d95f..0df57b1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 5.3.0
 
+  *) [TS-3529] Add config option to allow ATS to start even if certificate files are bad.
+
   *) [TS-3522] Segfault due to inactivity_cop.
 
   *) [TS-3530] HTTP/2 memory leak with headers and more...

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/bf4ba0cf/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 549aa28..68dd50f 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -66,6 +66,7 @@ struct SSLConfigParams : public ConfigInfo {
   char *dhparamsFile;
   char *cipherSuite;
   char *client_cipherSuite;
+  int configExitOnLoadError;
   int clientCertLevel;
   int verify_depth;
   int ssl_session_cache; // SSL_SESSION_CACHE_MODE
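Review bot: The new member carries no comment tying it to the record it mirrors, so a reader of the struct cannot tell what the int means or where it is consulted; I would annotate it as `int configExitOnLoadError; // proxy.config.ssl.server.multicert.exit_on_load_fail: non-zero => _exit(1) when the multicert file fails to load at startup`. Whether the field is zero-initialised before SSLConfigParams::initialize() reads it depends on the constructor, which is outside this hunk — worth confirming, since the value gates a process exit. The enclosing struct starts and ends outside the hunk.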

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/bf4ba0cf/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index acd8c19..669e1c1 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -231,6 +231,7 @@ SSLConfigParams::initialize()
   ats_free(serverCertRelativePath);
 
   configFilePath = RecConfigReadConfigPath("proxy.config.ssl.server.multicert.filename");
+  REC_ReadConfigInteger(configExitOnLoadError, "proxy.config.ssl.server.multicert.exit_on_load_fail");
 
   REC_ReadConfigStringAlloc(ssl_server_private_key_path, "proxy.config.ssl.server.private_key.path");
   set_paths_helper(ssl_server_private_key_path, NULL, &serverKeyPathOnly, NULL);
@@ -324,12 +325,17 @@ SSLCertificateConfig::startup()
 {
   sslCertUpdate = new ConfigUpdateHandler<SSLCertificateConfig>();
   sslCertUpdate->attach("proxy.config.ssl.server.multicert.filename");
+  sslCertUpdate->attach("proxy.config.ssl.server.multicert.exit_on_load_fail");
   sslCertUpdate->attach("proxy.config.ssl.server.ticket_key.filename");
   sslCertUpdate->attach("proxy.config.ssl.server.cert.path");
   sslCertUpdate->attach("proxy.config.ssl.server.private_key.path");
   sslCertUpdate->attach("proxy.config.ssl.server.cert_chain.filename");
 
-  if (!reconfigure()) {
+  // Exit if there are problems on the certificate loading and the
+  // proxy.config.ssl.server.multicert.exit_on_load_fail is true
+  SSLConfigParams *params = SSLConfig::acquire();
+  if (!reconfigure() && params->configExitOnLoadError) {
+    Error("Problems loading ssl certificate file, %s.  Exiting.", params->configFilePath);
     _exit(1);
   }
   return true;
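Review bot: The new `SSLConfig::acquire()` in startup() has no matching `SSLConfig::release(params)`, so if acquire() takes a reference the way the other acquire/release pairs in this code do, every startup holds one extra reference on the params object; I would add `SSLConfig::release(params);` after the check (or use a scoped accessor if the class provides one). Separately, with the record defaulting to "0" in mgmt/RecordsConfig.cc, the default behaviour flips from failing closed (the old unconditional `_exit(1)` on a bad certificate file) to starting with a partially loaded certificate table, and the commit message does not state this; if the old behaviour is meant to remain the default, the record should default to "1" and the comment above the check should say which way the default goes. The `attach()` for the new record also looks unnecessary, since the record is RECU_RESTART_TS and the value is only consulted here at startup. startup()'s signature and closing brace are outside the hunk.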
@@ -351,11 +357,9 @@ SSLCertificateConfig::reconfigure()
   }
 
   SSLParseCertificateConfiguration(params, lookup);
-  if (lookup->is_valid) {
-    configid = configProcessor.set(configid, lookup);
-  } else {
+  configid = configProcessor.set(configid, lookup);
+  if (!lookup->is_valid) {
     retStatus = false;
-    delete lookup;
   }
 
   return retStatus;
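Review bot: `configid = configProcessor.set(configid, lookup);` now installs the lookup before `is_valid` is checked, so on a runtime reload a partially parsed table replaces a previously complete one regardless of exit_on_load_fail; the new setting only guards the startup path in SSLCertificateConfig::startup(). If the intent is to tolerate bad entries only when the operator has opted in, keep the old rejecting branch when the flag is set, e.g. `if (!lookup->is_valid && params->configExitOnLoadError) { retStatus = false; delete lookup; } else { configid = configProcessor.set(configid, lookup); retStatus = lookup->is_valid; }`, which also preserves the `delete lookup` for the case where set() never takes ownership. Dropping the delete on the installed path is correct if set() owns the lookup from then on; the hunk does not show that, so I would confirm it. reconfigure()'s signature, the declaration of `retStatus` and the acquisition of `params` are all outside the hunk.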

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/bf4ba0cf/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 51eb607..d237508 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1282,6 +1282,8 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.ssl.server.multicert.filename", RECD_STRING, "ssl_multicert.config", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.server.multicert.exit_on_load_fail", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, "[0-1]", RECA_NULL}
+  ,
   {RECT_CONFIG, "proxy.config.ssl.server.ticket_key.filename", RECD_STRING, "ssl_ticket.key", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.server.private_key.path", RECD_STRING, TS_BUILD_SYSCONFDIR, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}