
From zw...@apache.org
Subject [trafficserver] branch 7.1.x updated: set verify locations in the initializer function only
Date Wed, 20 Jun 2018 17:24:00 GMT
This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/7.1.x by this push:
     new 97695f2  set verify locations in the initializer function only
97695f2 is described below

commit 97695f2677c59bf4d2fe56e32477661029dae4d6
Author: Syeda Persia Aziz <persia.aziz@yahoo.com>
AuthorDate: Thu Jun 14 13:39:26 2018 -0500

    set verify locations in the initializer function only
    
    (cherry picked from commit 7fb12c035957bd0c58bc30a3f99a50f67ac55a9d)
    
     Conflicts:
    	iocore/net/SSLNetVConnection.cc
---
 iocore/net/SSLClientUtils.cc    | 18 ++++++++----------
 iocore/net/SSLNetVConnection.cc | 10 ++++------
 2 files changed, 12 insertions(+), 16 deletions(-)

diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index 37f0659..44c2835 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
@@ -145,19 +145,17 @@ SSLInitClientContext(const SSLConfigParams *params)
   if (params->clientVerify) {
     SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback);
     SSL_CTX_set_verify_depth(client_ctx, params->client_verify_depth);
+  }
 
-    if (params->clientCACertFilename != nullptr || params->clientCACertPath != nullptr)
{
-      if (!SSL_CTX_load_verify_locations(client_ctx, params->clientCACertFilename, params->clientCACertPath))
{
-        SSLError("invalid client CA Certificate file (%s) or CA Certificate path (%s)", params->clientCACertFilename,
-                 params->clientCACertPath);
-        goto fail;
-      }
-    }
-
-    if (!SSL_CTX_set_default_verify_paths(client_ctx)) {
-      SSLError("failed to set the default verify paths");
+  if (params->clientCACertFilename != nullptr || params->clientCACertPath != nullptr)
{
+    if (!SSL_CTX_load_verify_locations(client_ctx, params->clientCACertFilename, params->clientCACertPath))
{
+      SSLError("invalid client CA Certificate file (%s) or CA Certificate path (%s)", params->clientCACertFilename,
+               params->clientCACertPath);
       goto fail;
     }
+  } else if (!SSL_CTX_set_default_verify_paths(client_ctx)) {
+    SSLError("failed to set the default verify paths");
+    goto fail;
   }
 
   if (SSLConfigParams::init_ssl_ctx_cb) {
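Review bot: The verify-location setup at lines 56–67 now runs regardless of `params->clientVerify`, so a bad `clientCACertFilename`/`clientCACertPath`, or a failing `SSL_CTX_set_default_verify_paths`, fails client context initialization even for configurations with peer verification disabled, where the old code skipped it. That looks intended, since the second hunk relies on the shared context being pre-configured for connections that enable verification individually, but it deserves a comment; suggest `// Load CA verify locations unconditionally: the shared client_ctx must be ready for connections that turn on verification per-connection.` above line 56. Note also that the `else if` means the system default paths are no longer added when an explicit file or path is configured, narrowing trust to the configured CAs — worth stating in the same comment or in the configuration docs. SSLInitClientContext's body extends beyond this hunk.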
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 70afedc..f2de327 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1017,13 +1017,11 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
         clientCTX = params->client_ctx;
       }
 
-      if (this->options.clientVerificationFlag && params->clientCACertFilename
!= nullptr && params->clientCACertPath != nullptr) {
-        if (!SSL_CTX_load_verify_locations(clientCTX, params->clientCACertFilename, params->clientCACertPath))
{
-          SSLError("invalid client CA Certificate file (%s) or CA Certificate path (%s)",
params->clientCACertFilename,
-                   params->clientCACertPath);
-          return EVENT_ERROR;
-        }
+      if (!clientCTX) {
+        SSLErrorVC(this, "failed to create SSL client session");
+        return EVENT_ERROR;
       }
+
       this->ssl = make_ssl_connection(clientCTX, this);
       if (this->ssl != nullptr) {
         uint8_t clientVerify = this->options.clientVerificationFlag;
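Review bot: The added null check at lines 87–90 reports `failed to create SSL client session`, but `clientCTX` is the `SSL_CTX` taken from `params->client_ctx` (or the branch above the hunk), not a session; `SSLErrorVC(this, "no SSL client context available");` would describe the failure accurately and make context setup problems easier to find in logs. Since the per-handshake `SSL_CTX_load_verify_locations` call on the shared context is gone, a comment above line 92 such as `// CA verify locations are configured once in SSLInitClientContext; do not mutate the shared clientCTX here.` would keep a later change from reintroducing a per-connection mutation of the shared context. sslStartHandShake starts and ends outside this hunk.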

