Posted to commits@trafficserver.apache.org by rr...@apache.org on 2019/06/14 18:47:48 UTC
[trafficserver] branch master updated: Move sni config (formerly
ssl_server_name) under toplevel YAML tag 'sni'
This is an automated email from the ASF dual-hosted git repository.
rrm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new a8d0c5a Move sni config (formerly ssl_server_name) under toplevel YAML tag 'sni'
a8d0c5a is described below
commit a8d0c5aec41c279afcf3d149fcbc08b3ae2a2bbb
Author: Randall Meyer <rr...@apache.org>
AuthorDate: Tue May 21 11:21:44 2019 -0700
Move sni config (formerly ssl_server_name) under toplevel YAML tag 'sni'
This is for the work in issue #5245
---
configs/sni.yaml.default | 18 +++++++++---------
doc/admin-guide/files/sni.yaml.en.rst | 3 +++
doc/admin-guide/layer-4-routing.en.rst | 1 +
iocore/net/YamlSNIConfig.cc | 5 +++++
tests/gold_tests/h2/h2disable.test.py | 1 +
.../pluginTest/cert_update/cert_update.test.py | 1 +
.../client_context_dump/client_context_dump.test.py | 1 +
.../pluginTest/sslheaders/sslheaders.test.py | 1 +
tests/gold_tests/tls/tls_client_cert.test.py | 4 ++++
tests/gold_tests/tls/tls_client_cert2.test.py | 1 +
tests/gold_tests/tls/tls_client_verify.test.py | 1 +
tests/gold_tests/tls/tls_client_verify2.test.py | 1 +
tests/gold_tests/tls/tls_client_versions.test.py | 1 +
tests/gold_tests/tls/tls_forward_nonhttp.test.py | 1 +
tests/gold_tests/tls/tls_hooks_client_verify.test.py | 1 +
tests/gold_tests/tls/tls_hooks_verify.test.py | 2 ++
tests/gold_tests/tls/tls_tunnel.test.py | 4 +++-
tests/gold_tests/tls/tls_tunnel_forward.test.py | 1 +
tests/gold_tests/tls/tls_tunnel_plugin_rename.test.py | 1 +
tests/gold_tests/tls/tls_verify.test.py | 1 +
tests/gold_tests/tls/tls_verify2.test.py | 2 ++
tests/gold_tests/tls/tls_verify3.test.py | 1 +
tests/gold_tests/tls/tls_verify_base.test.py | 1 +
23 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/configs/sni.yaml.default b/configs/sni.yaml.default
index 7431229..6b9080c 100644
--- a/configs/sni.yaml.default
+++ b/configs/sni.yaml.default
@@ -17,12 +17,12 @@
# for subnet specification.
#
# Example:
-#
-# - fqdn: one.com
-# disable_h2: true
-# verify_origin_server: STRICT
-# client_cert: somepem.pem
-# verify_client: MODERATE
-# - fqdn: two.com
-# tunnel_route: two.com
-# ip_allow = '10.0.0.1-10.0.0.255'
+# sni:
+# - fqdn: one.com
+# disable_h2: true
+# verify_origin_server: STRICT
+# client_cert: somepem.pem
+# verify_client: MODERATE
+# - fqdn: two.com
+# tunnel_route: two.com
+# ip_allow = '10.0.0.1-10.0.0.255'
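Review bot: The last example line, `ip_allow = '10.0.0.1-10.0.0.255'`, is re-indented under the new `sni:` root but still separates key and value with `=`, which is not YAML mapping syntax and is inconsistent with every other key in the example (`tunnel_route: two.com` on the line above it). An operator who copies the example as written gets a parse failure instead of a working entry, and this is the only place in the commit where the old-format text was carried over unchanged rather than just re-nested. It should read `ip_allow: '10.0.0.1-10.0.0.255'` at the same indent as `tunnel_route`; the mail rendering has collapsed leading whitespace, so the exact column has to be taken from the file itself.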
diff --git a/doc/admin-guide/files/sni.yaml.en.rst b/doc/admin-guide/files/sni.yaml.en.rst
index 7c490b8..98f2dff 100644
--- a/doc/admin-guide/files/sni.yaml.en.rst
+++ b/doc/admin-guide/files/sni.yaml.en.rst
@@ -173,6 +173,7 @@ Disable HTTP/2 for ``no-http2.example.com``.
.. code-block:: yaml
+ sni:
- fqdn: no-http2.example.com
disable_h2: true
@@ -180,6 +181,7 @@ Require client certificate verification for ``example.com`` and any server name
.. code-block:: yaml
+ sni:
- fqdn: example.com
verify_client: MODERATE
- fqdn: '*.yahoo.com'
@@ -190,6 +192,7 @@ client certificate.
.. code-block:: yaml
+ sni:
- fqdn: trusted.example.com
verify_server_policy: DISABLED
verify_client: STRICT
diff --git a/doc/admin-guide/layer-4-routing.en.rst b/doc/admin-guide/layer-4-routing.en.rst
index 69042a9..188eafa 100644
--- a/doc/admin-guide/layer-4-routing.en.rst
+++ b/doc/admin-guide/layer-4-routing.en.rst
@@ -101,6 +101,7 @@ The :file:`sni.yaml` contents would be
.. code:: yaml
+ sni:
- tunnel_route: app-server-29:443
fqdn: service-1.example.com
diff --git a/iocore/net/YamlSNIConfig.cc b/iocore/net/YamlSNIConfig.cc
index 8a07c11..d2f6f9d 100644
--- a/iocore/net/YamlSNIConfig.cc
+++ b/iocore/net/YamlSNIConfig.cc
@@ -42,6 +42,11 @@ YamlSNIConfig::loader(const char *cfgFilename)
return ts::Errata();
}
+ if (!config["sni"]) {
+ return ts::Errata::Message(1, 1, "malformed ssl_server_name.yaml file; expected a toplevel 'sni' node");
+ }
+
+ config = config["sni"];
if (!config.IsSequence()) {
return ts::Errata::Message(1, 1, "expected sequence");
}
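Review bot: The error text returned when the `sni` node is missing names `ssl_server_name.yaml`, but this commit's own title says the file is now sni.yaml, so the one message an operator sees on a malformed file points them at the wrong file. The literal should become `"malformed sni.yaml file; expected a toplevel 'sni' node"`, or be built from the `cfgFilename` parameter visible in the hunk header if `ts::Errata::Message` accepts a `std::string` (I cannot see its signature here). Separately, `config["sni"]` is evaluated before anything confirms the document root is a map; with yaml-cpp, subscripting a scalar root with a string key can throw rather than yield an undefined node, and the hunk does not show whether `loader` catches YAML exceptions, so guarding with `if (!config.IsMap() || !config["sni"])` keeps that case on the Errata path like the other malformed-input checks. Rejecting the old top-level-sequence layout outright rather than loading an empty config is the right fail-closed behaviour for a file that carries `verify_client` and `verify_server_policy` settings. `YamlSNIConfig::loader` begins before this hunk, so the surrounding parse and error handling are not visible.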
diff --git a/tests/gold_tests/h2/h2disable.test.py b/tests/gold_tests/h2/h2disable.test.py
index 17438d3..23ba022 100644
--- a/tests/gold_tests/h2/h2disable.test.py
+++ b/tests/gold_tests/h2/h2disable.test.py
@@ -60,6 +60,7 @@ ts.Disk.records_config.update({
})
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: bar.com',
' disable_h2: true',
'- fqdn: bob.*.com',
diff --git a/tests/gold_tests/pluginTest/cert_update/cert_update.test.py b/tests/gold_tests/pluginTest/cert_update/cert_update.test.py
index efabbc3..349d18a 100644
--- a/tests/gold_tests/pluginTest/cert_update/cert_update.test.py
+++ b/tests/gold_tests/pluginTest/cert_update/cert_update.test.py
@@ -67,6 +67,7 @@ ts.Disk.remap_config.AddLines([
])
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: "*foo.com"',
' client_cert: "client1.pem"',
])
diff --git a/tests/gold_tests/pluginTest/client_context_dump/client_context_dump.test.py b/tests/gold_tests/pluginTest/client_context_dump/client_context_dump.test.py
index 366bf8f..5306c89 100644
--- a/tests/gold_tests/pluginTest/client_context_dump/client_context_dump.test.py
+++ b/tests/gold_tests/pluginTest/client_context_dump/client_context_dump.test.py
@@ -48,6 +48,7 @@ ts.Disk.ssl_multicert_config.AddLine(
)
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: "*one.com"',
' client_cert: "one.com.pem"',
'- fqdn: "*two.com"',
diff --git a/tests/gold_tests/pluginTest/sslheaders/sslheaders.test.py b/tests/gold_tests/pluginTest/sslheaders/sslheaders.test.py
index fdfb5c8..7a7a552 100644
--- a/tests/gold_tests/pluginTest/sslheaders/sslheaders.test.py
+++ b/tests/gold_tests/pluginTest/sslheaders/sslheaders.test.py
@@ -72,6 +72,7 @@ ts.Disk.remap_config.AddLine(
)
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: "*bar.com"',
' verify_client: STRICT',
])
diff --git a/tests/gold_tests/tls/tls_client_cert.test.py b/tests/gold_tests/tls/tls_client_cert.test.py
index 7c57ca5..a9ae020 100644
--- a/tests/gold_tests/tls/tls_client_cert.test.py
+++ b/tests/gold_tests/tls/tls_client_cert.test.py
@@ -92,6 +92,8 @@ ts.Disk.remap_config.AddLine(
)
ts.Disk.sni_yaml.AddLine(
+ 'sni:')
+ts.Disk.sni_yaml.AddLine(
'- fqdn: bar.com')
ts.Disk.sni_yaml.AddLine(
' client_cert: {0}/signed2-bar.pem'.format(ts.Variables.SSLDir))
@@ -144,6 +146,8 @@ snipath = ts.Disk.sni_yaml.AbsPath
recordspath = ts.Disk.records_config.AbsPath
tr2.Disk.File(snipath, id = "sni_yaml", typename="ats:config"),
tr2.Disk.sni_yaml.AddLine(
+ 'sni:')
+tr2.Disk.sni_yaml.AddLine(
'- fqdn: bar.com')
tr2.Disk.sni_yaml.AddLine(
' client_cert: {0}/signed-bar.pem'.format(ts.Variables.SSLDir))
diff --git a/tests/gold_tests/tls/tls_client_cert2.test.py b/tests/gold_tests/tls/tls_client_cert2.test.py
index 02ff1a2..e19bd7c 100644
--- a/tests/gold_tests/tls/tls_client_cert2.test.py
+++ b/tests/gold_tests/tls/tls_client_cert2.test.py
@@ -86,6 +86,7 @@ ts.Disk.remap_config.AddLine(
)
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: bob.bar.com',
' client_cert: signed-bar.pem',
' client_key: signed-bar.key',
diff --git a/tests/gold_tests/tls/tls_client_verify.test.py b/tests/gold_tests/tls/tls_client_verify.test.py
index f878a84..944a829 100644
--- a/tests/gold_tests/tls/tls_client_verify.test.py
+++ b/tests/gold_tests/tls/tls_client_verify.test.py
@@ -65,6 +65,7 @@ ts.Disk.remap_config.AddLine(
# Scenario 1: Default no client cert required. cert required for bar.com
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: bob.bar.com',
' verify_client: NONE',
'- fqdn: bob.*.com',
diff --git a/tests/gold_tests/tls/tls_client_verify2.test.py b/tests/gold_tests/tls/tls_client_verify2.test.py
index 304a33b..544e40e 100644
--- a/tests/gold_tests/tls/tls_client_verify2.test.py
+++ b/tests/gold_tests/tls/tls_client_verify2.test.py
@@ -65,6 +65,7 @@ ts.Disk.remap_config.AddLine(
# Scenario 1: Default no client cert required. cert required for bar.com
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: bob.bar.com',
' verify_client: STRICT',
'- fqdn: bob.*.com',
diff --git a/tests/gold_tests/tls/tls_client_versions.test.py b/tests/gold_tests/tls/tls_client_versions.test.py
index 2a3dbd2..88b00cb 100644
--- a/tests/gold_tests/tls/tls_client_versions.test.py
+++ b/tests/gold_tests/tls/tls_client_versions.test.py
@@ -68,6 +68,7 @@ ts.Disk.records_config.update({
# bar.com should terminate.
# empty SNI should tunnel to server_bar
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: foo.com',
' valid_tls_versions_in: [ TLSv1, TLSv1_1 ]'
])
diff --git a/tests/gold_tests/tls/tls_forward_nonhttp.test.py b/tests/gold_tests/tls/tls_forward_nonhttp.test.py
index 4b3c22c..eb49a2b 100644
--- a/tests/gold_tests/tls/tls_forward_nonhttp.test.py
+++ b/tests/gold_tests/tls/tls_forward_nonhttp.test.py
@@ -53,6 +53,7 @@ ts.Disk.records_config.update({
# foo.com should not terminate. Just tunnel to server_foo
# bar.com should terminate. Forward its tcp stream to server_bar
ts.Disk.sni_yaml.AddLines([
+ "sni:",
"- fqdn: bar.com",
" forward_route: localhost:4444"
])
diff --git a/tests/gold_tests/tls/tls_hooks_client_verify.test.py b/tests/gold_tests/tls/tls_hooks_client_verify.test.py
index a166d46..a7dc38e 100644
--- a/tests/gold_tests/tls/tls_hooks_client_verify.test.py
+++ b/tests/gold_tests/tls/tls_hooks_client_verify.test.py
@@ -67,6 +67,7 @@ ts.Disk.remap_config.AddLine(
)
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: bar.com',
' verify_client: STRICT',
'- fqdn: foo.com',
diff --git a/tests/gold_tests/tls/tls_hooks_verify.test.py b/tests/gold_tests/tls/tls_hooks_verify.test.py
index 0c99d7f..6d7a091 100644
--- a/tests/gold_tests/tls/tls_hooks_verify.test.py
+++ b/tests/gold_tests/tls/tls_hooks_verify.test.py
@@ -65,6 +65,8 @@ ts.Disk.remap_config.AddLine(
)
ts.Disk.sni_yaml.AddLine(
+ 'sni:')
+ts.Disk.sni_yaml.AddLine(
'- fqdn: bar.com')
ts.Disk.sni_yaml.AddLine(
' verify_server_policy: PERMISSIVE')
diff --git a/tests/gold_tests/tls/tls_tunnel.test.py b/tests/gold_tests/tls/tls_tunnel.test.py
index b689bbc..365d265 100644
--- a/tests/gold_tests/tls/tls_tunnel.test.py
+++ b/tests/gold_tests/tls/tls_tunnel.test.py
@@ -73,6 +73,7 @@ ts.Disk.records_config.update({
# bar.com should terminate.
# empty SNI should tunnel to server_bar
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: foo.com',
" tunnel_route: localhost:{0}".format(server_foo.Variables.SSL_Port),
"- fqdn: bob.*.com",
@@ -131,8 +132,9 @@ snipath = ts.Disk.sni_yaml.AbsPath
recordspath = ts.Disk.records_config.AbsPath
tr.Disk.File(snipath, id = "sni_yaml", typename="ats:config"),
tr.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: bar.com',
- " tunnel_route: localhost:{0}".format(server_bar.Variables.SSL_Port),
+ ' tunnel_route: localhost:{0}'.format(server_bar.Variables.SSL_Port),
])
tr.StillRunningAfter = ts
tr.StillRunningAfter = server_foo
diff --git a/tests/gold_tests/tls/tls_tunnel_forward.test.py b/tests/gold_tests/tls/tls_tunnel_forward.test.py
index c7bb6d6..af20407 100644
--- a/tests/gold_tests/tls/tls_tunnel_forward.test.py
+++ b/tests/gold_tests/tls/tls_tunnel_forward.test.py
@@ -74,6 +74,7 @@ ts.Disk.records_config.update({
# foo.com should not terminate. Just tunnel to server_foo
# bar.com should terminate. Forward its tcp stream to server_bar
ts.Disk.sni_yaml.AddLines([
+ "sni:",
"- fqdn: 'foo.com'",
" tunnel_route: 'localhost:{0}'".format(server_foo.Variables.SSL_Port),
"- fqdn: 'bar.com'",
diff --git a/tests/gold_tests/tls/tls_tunnel_plugin_rename.test.py b/tests/gold_tests/tls/tls_tunnel_plugin_rename.test.py
index fa5640b..4889355 100644
--- a/tests/gold_tests/tls/tls_tunnel_plugin_rename.test.py
+++ b/tests/gold_tests/tls/tls_tunnel_plugin_rename.test.py
@@ -73,6 +73,7 @@ ts.Disk.records_config.update({
# empty should tunnel to server_random (should not happen)
# newname should tunnel to server_bar
ts.Disk.sni_yaml.AddLines([
+ "sni:",
"- fqdn: newname",
" tunnel_route: localhost:{0}".format(server_bar.Variables.SSL_Port),
"- fqdn: ''", #default case
diff --git a/tests/gold_tests/tls/tls_verify.test.py b/tests/gold_tests/tls/tls_verify.test.py
index ba2f3ed..9e7d9ff 100644
--- a/tests/gold_tests/tls/tls_verify.test.py
+++ b/tests/gold_tests/tls/tls_verify.test.py
@@ -89,6 +89,7 @@ ts.Disk.records_config.update({
})
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: bar.com',
' verify_server_policy: ENFORCED',
' verify_server_properties: ALL',
diff --git a/tests/gold_tests/tls/tls_verify2.test.py b/tests/gold_tests/tls/tls_verify2.test.py
index 1752f63..fc67a72 100644
--- a/tests/gold_tests/tls/tls_verify2.test.py
+++ b/tests/gold_tests/tls/tls_verify2.test.py
@@ -81,6 +81,8 @@ ts.Disk.records_config.update({
})
ts.Disk.sni_yaml.AddLine(
+ 'sni:')
+ts.Disk.sni_yaml.AddLine(
'- fqdn: bar.com')
ts.Disk.sni_yaml.AddLine(
' verify_server_policy: PERMISSIVE')
diff --git a/tests/gold_tests/tls/tls_verify3.test.py b/tests/gold_tests/tls/tls_verify3.test.py
index ec7df52..cb27394 100644
--- a/tests/gold_tests/tls/tls_verify3.test.py
+++ b/tests/gold_tests/tls/tls_verify3.test.py
@@ -81,6 +81,7 @@ ts.Disk.records_config.update({
})
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: bob.bar.com',
' verify_server_policy: ENFORCED',
' verify_server_properties: ALL',
diff --git a/tests/gold_tests/tls/tls_verify_base.test.py b/tests/gold_tests/tls/tls_verify_base.test.py
index 3bdfdd1..6ca301f 100644
--- a/tests/gold_tests/tls/tls_verify_base.test.py
+++ b/tests/gold_tests/tls/tls_verify_base.test.py
@@ -81,6 +81,7 @@ ts.Disk.records_config.update({
})
ts.Disk.sni_yaml.AddLines([
+ 'sni:',
'- fqdn: bar.com',
' verify_server_policy: ENFORCED',
' verify_server_properties: ALL',