From zw...@apache.org
Subject [trafficserver] 01/02: Fix sni.yaml fqdn to match complete name string
Date Sun, 22 Dec 2019 19:55:35 GMT
This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit 9e463b33ef891632cf67d8e00c72ebc32a35987b
Author: Susan Hinrichs <shinrich@oath.com>
AuthorDate: Fri Nov 22 19:58:38 2019 +0000

    Fix sni.yaml fqdn to match complete name string
    
    (cherry picked from commit 0cbe04cfbd903e266ab7ae8f194bc75459a35008)
---
 iocore/net/SSLSNIConfig.cc                     |  7 +++++--
 tests/gold_tests/tls/tls_client_verify.test.py | 16 ++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/iocore/net/SSLSNIConfig.cc b/iocore/net/SSLSNIConfig.cc
index aa3246a..1dc2f4e 100644
--- a/iocore/net/SSLSNIConfig.cc
+++ b/iocore/net/SSLSNIConfig.cc
@@ -108,10 +108,13 @@ SNIConfigParams::SNIConfigParams() {}
 const actionVector *
 SNIConfigParams::get(const std::string &servername) const
 {
+  int ovector[2];
   for (const auto &retval : sni_action_list) {
-    if (retval.match == nullptr && servername.length() == 0) {
+    int length = servername.length();
+    if (retval.match == nullptr && length == 0) {
       return &retval.actions;
-    } else if (pcre_exec(retval.match, nullptr, servername.c_str(), servername.length(),
0, 0, nullptr, 0) >= 0) {
+    } else if (pcre_exec(retval.match, nullptr, servername.c_str(), length, 0, 0, ovector,
2) == 1 && ovector[0] == 0 &&
+               ovector[1] == length) {
       return &retval.actions;
     }
   }
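Review bot: The `== 1` test on the pcre_exec return value in the new else-if ties a successful match to the number of capture groups in the compiled fqdn pattern rather than to whether it matched: PCRE returns the count of captured substrings, and returns 0 when the caller's ovector cannot hold them, and an ovector of 2 ints is rounded down to 0 usable pairs because ovecsize must be a multiple of three, so an fqdn written with a capturing group would never match after this change. The anchoring check on ovector[0] and ovector[1] is sound on its own; the return test should accept any successful match, e.g. `int ovector[3];` and `... ovector, 3) >= 0 && ovector[0] == 0 && ovector[1] == length) {`. An alternative with the same effect and no dependence on ovector sizing is to anchor the pattern with `^` and `$` where the fqdn is compiled, if that happens in this file. `int length = servername.length();` also narrows size_t to int silently; a `static_cast<int>` would make the intent explicit. SNIConfigParams::get continues past the end of the hunk.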
diff --git a/tests/gold_tests/tls/tls_client_verify.test.py b/tests/gold_tests/tls/tls_client_verify.test.py
index e7480a7..7663015 100644
--- a/tests/gold_tests/tls/tls_client_verify.test.py
+++ b/tests/gold_tests/tls/tls_client_verify.test.py
@@ -63,6 +63,8 @@ ts.Disk.sni_yaml.AddLines([
     'sni:',
     '- fqdn: bob.bar.com',
     '  verify_client: NONE',
+    '- fqdn: "bob.com"',
+    '  verify_client: STRICT',
     '- fqdn: bob.*.com',
     '  verify_client: NONE',
     '- fqdn: "*bar.com"',
@@ -168,3 +170,17 @@ tr.StillRunningAfter = ts
 tr.StillRunningAfter = server
 tr.Processes.Default.Command = "curl --tls-max 1.2 -k --cert ./server.pem --key ./server.key
--resolve 'bar.com:{0}:127.0.0.1' https://bar.com:{0}/case1".format(ts.Variables.ssl_port)
 tr.Processes.Default.ReturnCode = 35
+
+
+# Test that the fqdn's match completely.  bob.com should require client certificate. bob.com.com
should not
+tr = Test.AddTestRun("Connect to bob.com without cert, should fail")
+tr.StillRunningAfter = ts
+tr.StillRunningAfter = server
+tr.Processes.Default.Command = "curl --tls-max 1.2 -k --resolve 'bob.com:{0}:127.0.0.1' https://bob.com:{0}/case1".format(ts.Variables.ssl_port)
+tr.Processes.Default.ReturnCode = 35
+
+tr = Test.AddTestRun("Connect to bob.com.com without cert, should succeed")
+tr.StillRunningAfter = ts
+tr.StillRunningAfter = server
+tr.Processes.Default.Command = "curl --tls-max 1.2 -k --resolve 'bob.com.com:{0}:127.0.0.1'
https://bob.com.com:{0}/case1".format(ts.Variables.ssl_port)
+tr.Processes.Default.ReturnCode = 0
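Review bot: The new bob.com negative run asserts only `ReturnCode = 35`, curl's generic "SSL connect error", so a handshake that fails for an unrelated reason (a `--tls-max` mismatch, a listener problem) would make the case pass without the STRICT policy ever being exercised; adding a stderr expectation for the certificate-required failure (e.g. via `tr.Processes.Default.Streams.stderr`) would pin the result to the policy. The bob.com.com success run only shows the `bob.com` entry was not applied; it appears to depend on a later sni.yaml entry (`bob.*.com` with `verify_client: NONE`) catching the name, which is worth recording in the test comment, e.g. `# bob.com.com must fall through to the "bob.*.com" NONE entry`.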

