From masa...@apache.org
Subject [trafficserver] branch master updated: Cleanup: remove duplicated SSL_CTX_set_tlsext_status_cb calls for OCSP Stapling
Date Tue, 26 Feb 2019 00:36:37 GMT
This is an automated email from the ASF dual-hosted git repository.

masaori pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new b4e5319  Cleanup: remove duplicated SSL_CTX_set_tlsext_status_cb calls for OCSP Stapling
b4e5319 is described below

commit b4e53199f0d93eecd82db13a3f9841760d1913a0
Author: Masaori Koshiba <masaori@apache.org>
AuthorDate: Wed Feb 20 16:15:50 2019 +0900

    Cleanup: remove duplicated SSL_CTX_set_tlsext_status_cb calls for OCSP Stapling
---
 iocore/net/SSLUtils.cc | 30 +++++++++---------------------
 1 file changed, 9 insertions(+), 21 deletions(-)

diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index ad20188..653cec4 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1285,7 +1285,7 @@ setClientCertLevel(SSL *ssl, uint8_t certLevel)
 }
 
 SSL_CTX *
-SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMultCertSettings,
std::vector<X509 *> &certList)
+SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMultCertSettings,
std::vector<X509 *> &cert_list)
 {
   int server_verify_client;
   SSL_CTX *ctx                 = SSLDefaultServerContext();
@@ -1416,7 +1416,7 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config
*sslMu
           goto fail;
         }
 
-        certList.push_back(cert);
+        cert_list.push_back(cert);
         if (SSLConfigParams::load_ssl_file_cb) {
           SSLConfigParams::load_ssl_file_cb(completeServerCertPath.c_str(), CONFIG_FLAG_UNVERSIONED);
         }
@@ -1605,6 +1605,12 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config
*sslMu
   if (SSLConfigParams::ssl_ocsp_enabled) {
     Debug("ssl", "SSL OCSP Stapling is enabled");
     SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
+
+    for (auto cert : cert_list) {
+      if (!ssl_stapling_init_cert(ctx, cert, setting_cert)) {
+        Warning("failed to configure SSL_CTX for OCSP Stapling info for certificate at %s",
setting_cert);
+      }
+    }
   } else {
     Debug("ssl", "SSL OCSP Stapling is disabled");
   }
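Review bot: The new warning at `Warning("failed to configure SSL_CTX for OCSP Stapling info for certificate at %s", setting_cert)` prints the loop-invariant `setting_cert` on every iteration, so when one setting lists several certificates the operator cannot tell which certificate failed to get stapling info; logging the certificate's subject as well, e.g. `X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf))`, would make the message actionable. A failed `ssl_stapling_init_cert` is only a warning, so the context is still installed with the status callback set but no stapling data for that certificate, and since this is a silent degradation rather than a refusal to load, a comment such as `// best-effort: a cert without OCSP info is served unstapled, not rejected` should state that this is intended. `setting_cert` and `cert_list` are declared outside the hunk, and it cannot be seen from here whether this block sits inside the `#ifdef TS_USE_TLS_OCSP` guard that the removed copy in ssl_store_ssl_context had; if it does not, the `ssl_stapling_init_cert` calls need that guard and the "this version of OpenSSL does not support it" warning the deletion drops should be preserved here. SSLInitServerContext starts and ends outside the hunk.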
@@ -1625,7 +1631,7 @@ fail:
   }
   SSL_CLEAR_PW_REFERENCES(ctx)
   SSLReleaseContext(ctx);
-  for (auto cert : certList) {
+  for (auto cert : cert_list) {
     X509_free(cert);
   }
 
@@ -1703,24 +1709,6 @@ ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup
*lookup, cons
 #endif
   }
 
-#ifdef TS_USE_TLS_OCSP
-  if (SSLConfigParams::ssl_ocsp_enabled) {
-    Debug("ssl", "SSL OCSP Stapling is enabled");
-    SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
-    for (auto cert : cert_list) {
-      if (!ssl_stapling_init_cert(ctx, cert, certname)) {
-        Warning("failed to configure SSL_CTX for OCSP Stapling info for certificate at %s",
(const char *)certname);
-      }
-    }
-  } else {
-    Debug("ssl", "SSL OCSP Stapling is disabled");
-  }
-#else
-  if (SSLConfigParams::ssl_ocsp_enabled) {
-    Warning("failed to enable SSL OCSP Stapling; this version of OpenSSL does not support
it");
-  }
-#endif /* TS_USE_TLS_OCSP */
-
   // Insert additional mappings. Note that this maps multiple keys to the same value, so
when
   // this code is updated to reconfigure the SSL certificates, it will need some sort of
   // refcounting or alternate way of avoiding double frees.

