From pa...@apache.org
Subject [trafficserver] branch master updated: Isolate client ctx options from server options
Date Wed, 28 Feb 2018 20:35:09 GMT
This is an automated email from the ASF dual-hosted git repository.

paziz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 2075a92  Isolate client ctx options from server options
2075a92 is described below

commit 2075a921ec27d2bb3f6310fa0a427429d0d15893
Author: Persia Aziz <persia@yahoo-inc.com>
AuthorDate: Wed Feb 28 11:42:05 2018 -0600

    Isolate client ctx options from server options
---
 iocore/net/P_SSLConfig.h     |  2 +-
 iocore/net/SSLClientUtils.cc |  6 +-----
 iocore/net/SSLConfig.cc      | 15 ++++++++++-----
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 6fa438f..8dee6c8 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -86,7 +86,7 @@ struct SSLConfigParams : public ConfigInfo {
   int8_t clientVerify;
   int client_verify_depth;
   long ssl_ctx_options;
-  long ssl_client_ctx_protocols;
+  long ssl_client_ctx_options;
 
   static int ssl_maxrecord;
   static bool ssl_allow_client_renegotiation;
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index 40dbfda..0f0f60c 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
@@ -124,16 +124,12 @@ SSLInitClientContext(const SSLConfigParams *params)
   meth       = SSLv23_client_method();
   client_ctx = SSL_CTX_new(meth);
 
-  // disable selected protocols
-  SSL_CTX_set_options(client_ctx, params->ssl_ctx_options);
   if (!client_ctx) {
     SSLError("cannot create new client context");
     ::exit(1);
   }
 
-  if (params->ssl_client_ctx_protocols) {
-    SSL_CTX_set_options(client_ctx, params->ssl_client_ctx_protocols);
-  }
+  SSL_CTX_set_options(client_ctx, params->ssl_client_ctx_options);
   if (params->client_cipherSuite != nullptr) {
     if (!SSL_CTX_set_cipher_list(client_ctx, params->client_cipherSuite)) {
       SSLError("invalid client cipher suite in records.config");
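Review bot: The SSL_CTX_set_options call added here is left uncommented now that `// disable selected protocols` went away with the old call, and the mask it applies is no longer only protocol disables: in the SSLConfig.cc hunks of this same commit ssl_client_ctx_options also picks up SSL_OP_NO_COMPRESSION, the SINGLE_(EC)DH_USE bits and SSL_OP_ALL. Suggest `// Apply the client-only option mask built in SSLConfigParams::initialize() (protocol disables plus hardening bits); deliberately not ssl_ctx_options, which is the server mask.` above the call. Moving the call below the null check also removes the dereference of a null client_ctx the old code performed when SSL_CTX_new failed, which is worth stating explicitly since the commit title does not mention it. SSLInitClientContext begins before this hunk and continues after it.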
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index d32df4a..6918c8e 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -95,7 +95,7 @@ SSLConfigParams::reset()
   client_ctx      = nullptr;
   clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
   ssl_ctx_options                                                     = SSL_OP_NO_SSLv2 |
SSL_OP_NO_SSLv3;
-  ssl_client_ctx_protocols                                            = SSL_OP_NO_SSLv2 |
SSL_OP_NO_SSLv3;
+  ssl_client_ctx_options                                              = SSL_OP_NO_SSLv2 |
SSL_OP_NO_SSLv3;
   ssl_session_cache                                                   = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL;
   ssl_session_cache_size                                              = 1024 * 100;
   ssl_session_cache_num_buckets = 1024; // Sessions per bucket is ceil(ssl_session_cache_size
/ ssl_session_cache_num_buckets)
@@ -188,11 +188,11 @@ SSLConfigParams::initialize()
 #if TS_USE_SSLV3_CLIENT
   REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.SSLv3");
   if (client_ssl_options)
-    ssl_client_ctx_protocols &= ~SSL_OP_NO_SSLv3;
+    ssl_client_ctx_options &= ~SSL_OP_NO_SSLv3;
 #endif
   REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1");
   if (!client_ssl_options) {
-    ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1;
+    ssl_client_ctx_options |= SSL_OP_NO_TLSv1;
   }
 
 // These are not available in all versions of OpenSSL (e.g. CentOS6). Also see http://s.apache.org/TS-2355.
@@ -204,7 +204,7 @@ SSLConfigParams::initialize()
 
   REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1_1");
   if (!client_ssl_options) {
-    ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1_1;
+    ssl_client_ctx_options |= SSL_OP_NO_TLSv1_1;
   }
 #endif
 #ifdef SSL_OP_NO_TLSv1_2
@@ -215,7 +215,7 @@ SSLConfigParams::initialize()
 
   REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1_2");
   if (!client_ssl_options) {
-    ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1_2;
+    ssl_client_ctx_options |= SSL_OP_NO_TLSv1_2;
   }
 #endif
 
@@ -229,6 +229,7 @@ SSLConfigParams::initialize()
 #ifdef SSL_OP_NO_COMPRESSION
   /* OpenSSL >= 1.0 only */
   ssl_ctx_options |= SSL_OP_NO_COMPRESSION;
+  ssl_client_ctx_options |= SSL_OP_NO_COMPRESSION;
 #elif OPENSSL_VERSION_NUMBER >= 0x00908000L
   sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
 #endif
@@ -236,19 +237,23 @@ SSLConfigParams::initialize()
 // Enable ephemeral DH parameters for the case where we use a cipher with DH forward security.
 #ifdef SSL_OP_SINGLE_DH_USE
   ssl_ctx_options |= SSL_OP_SINGLE_DH_USE;
+  ssl_client_ctx_options |= SSL_OP_SINGLE_DH_USE;
 #endif
 
 #ifdef SSL_OP_SINGLE_ECDH_USE
   ssl_ctx_options |= SSL_OP_SINGLE_ECDH_USE;
+  ssl_client_ctx_options |= SSL_OP_SINGLE_ECDH_USE;
 #endif
 
   // Enable all SSL compatibility workarounds.
   ssl_ctx_options |= SSL_OP_ALL;
+  ssl_client_ctx_options |= SSL_OP_ALL;
 
 // According to OpenSSL source, applications must enable this if they support the Server
Name extension. Since
 // we do, then we ought to enable this. Httpd also enables this unconditionally.
 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
   ssl_ctx_options |= SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
+  ssl_client_ctx_options |= SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
 #endif
 
   REC_ReadConfigStringAlloc(serverCertChainFilename, "proxy.config.ssl.server.cert_chain.filename");
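Review bot: SSL_OP_ALL is now set on the client mask without a caveat; as far as I know every OpenSSL release this code targets includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in SSL_OP_ALL, which disables the CBC empty-fragment countermeasure on the sending side, so the client line should probably read `ssl_client_ctx_options |= SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;` unless the cipher configuration makes CBC suites unreachable. This is not a regression, since before this commit the server mask (SSL_OP_ALL included) was applied to the client context as well, but the split is the natural moment to decide it deliberately. The SINGLE_DH_USE, SINGLE_ECDH_USE and NO_SESSION_RESUMPTION_ON_RENEGOTIATION bits are documented by OpenSSL as affecting server-side handshakes (ephemeral key generation, renegotiation as a server), so the existing comments above them describe behaviour the new client lines do not produce; a one-liner such as `// Mirrored on the client mask for parity; these bits only change server-side handshakes.` would save the next reader from hunting for a client effect. SSLConfigParams::initialize() continues past the end of this hunk.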

