Posted to commits@trafficserver.apache.org by bc...@apache.org on 2014/08/01 19:58:03 UTC
git commit: TS-2367: Add OCSP (Online Certificate Status Protocol)
Stapling Support
Repository: trafficserver
Updated Branches:
refs/heads/master c0e5dc6f1 -> 562179c50
TS-2367: Add OCSP (Online Certificate Status Protocol) Stapling Support
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/562179c5
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/562179c5
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/562179c5
Branch: refs/heads/master
Commit: 562179c50eae3422ac9b4fe50a1b41ea09712ad1
Parents: c0e5dc6
Author: Feifei Cai <ff...@yahoo-inc.com>
Authored: Fri Aug 1 10:57:45 2014 -0700
Committer: Bryan Call <bc...@apache.org>
Committed: Fri Aug 1 10:57:45 2014 -0700
----------------------------------------------------------------------
iocore/net/Makefile.am | 2 ++
iocore/net/P_SSLConfig.h | 5 +++++
iocore/net/SSLConfig.cc | 10 ++++++++++
iocore/net/SSLNetProcessor.cc | 33 ++++++++++++++++++++++++++++++---
iocore/net/SSLUtils.cc | 21 +++++++++++++++++++++
mgmt/RecordsConfig.cc | 17 +++++++++++++++++
6 files changed, 85 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/562179c5/iocore/net/Makefile.am
----------------------------------------------------------------------
diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am
index 9ce103f..cfbdb4b 100644
--- a/iocore/net/Makefile.am
+++ b/iocore/net/Makefile.am
@@ -72,6 +72,7 @@ libinknet_a_SOURCES = \
P_SSLNextProtocolAccept.h \
P_SSLNextProtocolSet.h \
P_SSLUtils.h \
+ P_OCSPStapling.h \
P_Socks.h \
P_UDPConnection.h \
P_UDPIOEvent.h \
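Review bot: The sources added to the build here, P_OCSPStapling.h in this hunk and OCSPStapling.cc in the next, are not part of this commit: the diffstat lists six files and neither of them is among them, so as committed the build references files that do not exist unless they arrive in a separate change. The same gap covers the `#include "P_OCSPStapling.h"` lines added to SSLNetProcessor.cc and SSLUtils.cc and the `ocsp_update`, `ssl_stapling_ex_init`, `ssl_stapling_init_cert` and `ssl_callback_ocsp_stapling` symbols they call. If the files were left out by mistake they belong in this change; if they land separately, the commit message should say so.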
@@ -93,6 +94,7 @@ libinknet_a_SOURCES = \
SSLNextProtocolAccept.cc \
SSLNextProtocolSet.cc \
SSLUtils.cc \
+ OCSPStapling.cc \
Socks.cc \
UDPIOEvent.cc \
UnixConnection.cc \
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/562179c5/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 31a6242..aa4926f 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -83,6 +83,11 @@ struct SSLConfigParams : public ConfigInfo
static int ssl_maxrecord;
static bool ssl_allow_client_renegotiation;
+ static bool ssl_ocsp_enabled;
+ static int ssl_ocsp_cache_timeout;
+ static int ssl_ocsp_request_timeout;
+ static int ssl_ocsp_update_period;
+
static init_ssl_ctx_func init_ssl_ctx_cb;
void initialize();
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/562179c5/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 25c2875..402664a 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -43,6 +43,10 @@ int SSLConfig::configid = 0;
int SSLCertificateConfig::configid = 0;
int SSLConfigParams::ssl_maxrecord = 0;
bool SSLConfigParams::ssl_allow_client_renegotiation = false;
+bool SSLConfigParams::ssl_ocsp_enabled = false;
+int SSLConfigParams::ssl_ocsp_cache_timeout = 3600;
+int SSLConfigParams::ssl_ocsp_request_timeout = 10;
+int SSLConfigParams::ssl_ocsp_update_period = 60;
init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb = NULL;
static ConfigUpdateHandler<SSLCertificateConfig> * sslCertUpdate;
@@ -249,6 +253,12 @@ SSLConfigParams::initialize()
// SSL record size
REC_EstablishStaticConfigInt32(ssl_maxrecord, "proxy.config.ssl.max_record_size");
+ // SSL OCSP Stapling configurations
+ REC_ReadConfigInt32(ssl_ocsp_enabled, "proxy.config.ssl.ocsp.enabled");
+ REC_EstablishStaticConfigInt32(ssl_ocsp_cache_timeout, "proxy.config.ssl.ocsp.cache_timeout");
+ REC_EstablishStaticConfigInt32(ssl_ocsp_request_timeout, "proxy.config.ssl.ocsp.request_timeout");
+ REC_EstablishStaticConfigInt32(ssl_ocsp_update_period, "proxy.config.ssl.ocsp.update_period");
+
// ++++++++++++++++++++++++ Client part ++++++++++++++++++++
client_verify_depth = 7;
REC_ReadConfigInt32(clientVerify, "proxy.config.ssl.client.verify.server");
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/562179c5/iocore/net/SSLNetProcessor.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc
index 47bdb59..5c2d8cc 100644
--- a/iocore/net/SSLNetProcessor.cc
+++ b/iocore/net/SSLNetProcessor.cc
@@ -25,6 +25,7 @@
#include "I_Layout.h"
#include "I_RecHttp.h"
#include "P_SSLUtils.h"
+#include "P_OCSPStapling.h"
//
// Global Data
@@ -34,6 +35,21 @@ SSLNetProcessor ssl_NetProcessor;
NetProcessor& sslNetProcessor = ssl_NetProcessor;
EventType SSLNetProcessor::ET_SSL;
+struct OCSPContinuation:public Continuation
+{
+ int mainEvent(int /* event ATS_UNUSED */, Event *e)
+ {
+ ocsp_update();
+
+ return EVENT_CONT;
+ }
+
+ OCSPContinuation():Continuation(new_ProxyMutex())
+ {
+ SET_HANDLER(&OCSPContinuation::mainEvent);
+ }
+};
+
void
SSLNetProcessor::cleanup(void)
{
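Review bot: `OCSPContinuation` is defined unconditionally, while its only use later in this file sits under `#ifdef HAVE_OPENSSL_OCSP_STAPLING`; if `ocsp_update()` is likewise declared only when that macro is set, builds without stapling support fail to compile on the call in `mainEvent`. Wrapping the struct in the same `#ifdef HAVE_OPENSSL_OCSP_STAPLING` / `#endif` pair keeps the definition and its use in step. The unused `Event *e` parameter should also be marked the way the first parameter on the same line is, `Event * /* e ATS_UNUSED */`.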
@@ -55,7 +71,7 @@ SSLNetProcessor::start(int number_of_ssl_threads, size_t stacksize)
// Acquire a SSLConfigParams instance *after* we start SSL up.
SSLConfig::scoped_config params;
- // Enable client regardless of config file setttings as remap file
+ // Enable client regardless of config file settings as remap file
// can cause HTTP layer to connect using SSL. But only if SSL
// initialization hasn't failed already.
client_ctx = SSLInitClientContext(params);
@@ -66,14 +82,25 @@ SSLNetProcessor::start(int number_of_ssl_threads, size_t stacksize)
// Initialize SSL statistics. This depends on an initial set of certificates being loaded above.
SSLInitializeStatistics();
+ // Shouldn't this be handled the same as -1?
+ if (number_of_ssl_threads == 0) {
+ return -1;
+ }
+
+#ifdef HAVE_OPENSSL_OCSP_STAPLING
+ if (SSLConfigParams::ssl_ocsp_enabled) {
+ EventType ET_OCSP = eventProcessor.spawn_event_threads(1, "ET_OCSP", stacksize);
+ eventProcessor.schedule_every(new OCSPContinuation(), HRTIME_SECONDS(SSLConfigParams::ssl_ocsp_update_period), ET_OCSP);
+ }
+#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+
+
if (number_of_ssl_threads == -1) {
// We've disabled ET_SSL threads, so we will mark all ET_NET threads as having
// ET_SSL thread capabilities and just keep on chugging.
SSLDebug("Disabling ET_SSL threads (config is set to -1), using thread group ET_NET=%d", ET_NET);
SSLNetProcessor::ET_SSL = ET_NET; // Set the event type for ET_SSL to be ET_NET.
return 0;
- } else if (number_of_ssl_threads < 1) {
- return -1;
}
SSLNetProcessor::ET_SSL = eventProcessor.spawn_event_threads(number_of_ssl_threads, "ET_SSL", stacksize);
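Review bot: The early return added at the top of the hunk narrows the old guard: the removed `else if (number_of_ssl_threads < 1)` rejected every value below 1 other than the -1 case, while the new `== 0` check lets -2 and below fall through to `spawn_event_threads(number_of_ssl_threads, ...)` on the last line. Keeping the original rejection, `if (number_of_ssl_threads == 0 || number_of_ssl_threads < -1) { return -1; }`, preserves that behaviour. Separately, the `schedule_every` period is taken from `SSLConfigParams::ssl_ocsp_update_period` once here, so a later change to the RECU_DYNAMIC record `proxy.config.ssl.ocsp.update_period` does not reschedule the continuation, and a period of 0 (which the record's check admits) reaches `schedule_every` unchecked; a comment stating that the period is fixed at start-up, or a lower bound on the record, would make this explicit. `SSLNetProcessor::start` begins and ends outside the hunk.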
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/562179c5/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index db141e3..1576c6d 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -24,6 +24,7 @@
#include "I_Layout.h"
#include "P_Net.h"
#include "ink_cap.h"
+#include "P_OCSPStapling.h"
#include <string>
#include <openssl/err.h>
@@ -550,6 +551,10 @@ SSLInitializeLibrary()
}
ssl_session_ticket_index = (iRet == -1 ? 0 : iRet);
+#ifdef HAVE_OPENSSL_OCSP_STAPLING
+ ssl_stapling_ex_init();
+#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+
open_ssl_initialized = true;
}
@@ -1334,6 +1339,22 @@ ssl_store_ssl_context(
ssl_context_enable_tickets(ctx, ticket_key_path);
}
+#ifdef HAVE_OPENSSL_OCSP_STAPLING
+ if (SSLConfigParams::ssl_ocsp_enabled) {
+ Debug("ssl", "ssl ocsp stapling is enabled");
+ SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
+ if (!ssl_stapling_init_cert(ctx, (const char *)certpath)) {
+ Error("fail to configure SSL_CTX for OCSP Stapling info");
+ }
+ } else {
+ Debug("ssl", "ssl ocsp stapling is disabled");
+ }
+#else
+ if (SSLConfigParams::ssl_ocsp_enabled) {
+ Error("fail to enable ssl ocsp stapling, this openssl version does not support it");
+ }
+#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+
// Insert additional mappings. Note that this maps multiple keys to the same value, so when
// this code is updated to reconfigure the SSL certificates, it will need some sort of
// refcounting or alternate way of avoiding double frees.
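Review bot: When `ssl_stapling_init_cert` fails, the status callback has already been installed on `ctx` by the preceding `SSL_CTX_set_tlsext_status_cb` line, so the context keeps handling status requests without having been configured for them; whether `ssl_callback_ocsp_stapling` copes with that is not visible here. Installing the callback only after a successful init removes the question, and naming the certificate in the error makes the failure traceable: `if (ssl_stapling_init_cert(ctx, (const char *)certpath)) { SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling); } else { Error("failed to configure SSL_CTX for OCSP stapling, cert %s", (const char *)certpath); }`. The C-style `(const char *)certpath` cast suggests `certpath` is not a plain `const char *`; if it is a string wrapper, passing it through its own accessor is clearer than the cast. `ssl_store_ssl_context` begins outside the hunk.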
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/562179c5/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 245ddba..31890d3 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1302,6 +1302,23 @@ RecordElement RecordsConfig[] = {
{RECT_CONFIG, "proxy.config.ssl.allow_client_renegotiation", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
//##############################################################################
+ //#
+ //# OCSP (Online Certificate Status Protocol) Stapling Configuration
+ //#
+ //##############################################################################
+ // # Enable OCSP stapling. Disabled by default.
+ {RECT_CONFIG, "proxy.config.ssl.ocsp.enabled", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
+ // # Number of seconds before an OCSP response expires in the stapling cache. 3600s (1 hour) by default.
+ {RECT_CONFIG, "proxy.config.ssl.ocsp.cache_timeout", RECD_INT, "3600", RECU_DYNAMIC, RR_NULL, RECC_NULL, "^[0-9]+$", RECA_NULL}
+ ,
+ // # Timeout for queries to OCSP responders. 10s by default.
+ {RECT_CONFIG, "proxy.config.ssl.ocsp.request_timeout", RECD_INT, "10", RECU_DYNAMIC, RR_NULL, RECC_NULL, "^[0-9]+$", RECA_NULL}
+ ,
+ // # Update period for stapling caches. 60s (1 min) by default.
+ {RECT_CONFIG, "proxy.config.ssl.ocsp.update_period", RECD_INT, "60", RECU_DYNAMIC, RR_NULL, RECC_NULL, "^[0-9]+$", RECA_NULL}
+ ,
+ //##############################################################################
//# ICP Configuration
//##############################################################################
//# enabled=0 ICP disabled
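Review bot: The three `cache_timeout`, `request_timeout` and `update_period` records pair `RECC_NULL` with the pattern `"^[0-9]+$"`; as far as the record check types go, `RECC_NULL` means no check is applied, so the pattern is inert and the records accept any value, including negative ones and 0. The line above this hunk and the new `ocsp.enabled` record use `RECC_INT` with a range; either `RECC_STR, "^[0-9]+$"` to make the regex effective, or `RECC_INT, "[1-2147483647]"` (constructed example range), would enforce the intent, and a lower bound of 1 would also keep a zero update period from being handed to the scheduler.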