From shinr...@apache.org
Subject trafficserver git commit: TS-3529: Add a config to allow ATS to start up even if some certificates are bad.
Date Tue, 21 Apr 2015 19:49:31 GMT
Repository: trafficserver
Updated Branches:
  refs/heads/master f158ebced -> ef36a509c


TS-3529:  Add a config to allow ATS to start up even if some certificates are bad.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/ef36a509
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/ef36a509
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/ef36a509

Branch: refs/heads/master
Commit: ef36a509c0a3cf0309ad563e980d7e002f9b2d9c
Parents: f158ebc
Author: shinrich <shinrich@yahoo-inc.com>
Authored: Tue Apr 21 14:47:51 2015 -0500
Committer: shinrich <shinrich@yahoo-inc.com>
Committed: Tue Apr 21 14:47:51 2015 -0500

----------------------------------------------------------------------
 CHANGES                  |  2 ++
 iocore/net/P_SSLConfig.h |  1 +
 iocore/net/SSLConfig.cc  | 14 +++++++++-----
 mgmt/RecordsConfig.cc    |  2 ++
 4 files changed, 14 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/ef36a509/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index c8d3e2a..8b19edb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 6.0.0
 
+  *) [TS-3529] Add config option to allow ATS to start even if certificate files are bad.
+
   *) [TS-3523]: Proxy urls with no matching remap rules, when remap_required
                is disabled, regardless of reverse_proxy_enabled setting
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/ef36a509/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 549aa28..68dd50f 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -66,6 +66,7 @@ struct SSLConfigParams : public ConfigInfo {
   char *dhparamsFile;
   char *cipherSuite;
   char *client_cipherSuite;
+  int configExitOnLoadError;
   int clientCertLevel;
   int verify_depth;
   int ssl_session_cache; // SSL_SESSION_CACHE_MODE
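Review bot: The new `configExitOnLoadError` field carries no comment, while neighbouring fields such as `ssl_session_cache` name the record or mode they mirror; suggest `int configExitOnLoadError; // proxy.config.ssl.server.multicert.exit_on_load_fail`. It is also not visible here whether the struct's constructor or reset path zero-initializes it, so a read before `initialize()` runs would be indeterminate — worth confirming. The enclosing `SSLConfigParams` struct starts outside the hunk.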

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/ef36a509/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index acd8c19..669e1c1 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -231,6 +231,7 @@ SSLConfigParams::initialize()
   ats_free(serverCertRelativePath);
 
   configFilePath = RecConfigReadConfigPath("proxy.config.ssl.server.multicert.filename");
+  REC_ReadConfigInteger(configExitOnLoadError, "proxy.config.ssl.server.multicert.exit_on_load_fail");
 
   REC_ReadConfigStringAlloc(ssl_server_private_key_path, "proxy.config.ssl.server.private_key.path");
   set_paths_helper(ssl_server_private_key_path, NULL, &serverKeyPathOnly, NULL);
@@ -324,12 +325,17 @@ SSLCertificateConfig::startup()
 {
   sslCertUpdate = new ConfigUpdateHandler<SSLCertificateConfig>();
   sslCertUpdate->attach("proxy.config.ssl.server.multicert.filename");
+  sslCertUpdate->attach("proxy.config.ssl.server.multicert.exit_on_load_fail");
   sslCertUpdate->attach("proxy.config.ssl.server.ticket_key.filename");
   sslCertUpdate->attach("proxy.config.ssl.server.cert.path");
   sslCertUpdate->attach("proxy.config.ssl.server.private_key.path");
   sslCertUpdate->attach("proxy.config.ssl.server.cert_chain.filename");
 
-  if (!reconfigure()) {
+  // Exit if there are problems on the certificate loading and the
+  // proxy.config.ssl.server.multicert.exit_on_load_fail is true
+  SSLConfigParams *params = SSLConfig::acquire();
+  if (!reconfigure() && params->configExitOnLoadError) {
+    Error("Problems loading ssl certificate file, %s.  Exiting.", params->configFilePath);
     _exit(1);
   }
   return true;
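Review bot: `SSLConfig::acquire()` on the new line is never paired with `SSLConfig::release(params)`, so the reference taken on the params object is held for the life of the process on the successful path; add `SSLConfig::release(params);` before `return true;` (the `_exit(1)` path does not need it). The `Error(...)` line is reached only when exiting, so with the flag at its default a failed load reported by `reconfigure()` still returns `true` from `startup()` with nothing logged at this level — presumably the parser logs per-file problems, but an explicit `Warning` here naming `params->configFilePath` would make a partially loaded certificate set visible in the logs. `startup()` begins before the hunk's first line.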
@@ -351,11 +357,9 @@ SSLCertificateConfig::reconfigure()
   }
 
   SSLParseCertificateConfiguration(params, lookup);
-  if (lookup->is_valid) {
-    configid = configProcessor.set(configid, lookup);
-  } else {
+  configid = configProcessor.set(configid, lookup);
+  if (!lookup->is_valid) {
     retStatus = false;
-    delete lookup;
   }
 
   return retStatus;
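Review bot: `configProcessor.set(configid, lookup)` now publishes the lookup even when `lookup->is_valid` is false, whereas before an invalid lookup was deleted and the previously installed configuration kept. The exit check added in `startup()` does not cover the reload path: `reconfigure()` is presumably what the `ConfigUpdateHandler` attached in `startup()` invokes on a records change, so a bad reload would replace a working certificate set with a partial one and no exit happens regardless of `exit_on_load_fail`. Consider keeping the old delete-and-retain branch when a configuration is already installed and publishing an invalid lookup only on first load, or at least stating the trade-off above the `set` call: `// invalid lookups are published on purpose so startup can continue when exit_on_load_fail is 0`. `reconfigure()` begins before the hunk's first line.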

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/ef36a509/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index cf5f4c1..1826427 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1282,6 +1282,8 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.ssl.server.multicert.filename", RECD_STRING, "ssl_multicert.config",
RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.server.multicert.exit_on_load_fail", RECD_INT, "0", RECU_RESTART_TS,
RR_NULL, RECC_NULL, "[0-1]", RECA_NULL}
+  ,
   {RECT_CONFIG, "proxy.config.ssl.server.ticket_key.filename", RECD_STRING, "ssl_ticket.key",
RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.server.private_key.path", RECD_STRING, TS_BUILD_SYSCONFDIR,
RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
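Review bot: The default `"0"` for `proxy.config.ssl.server.multicert.exit_on_load_fail` drops the previously unconditional `_exit(1)` on certificate load failure (the removed lines in `SSLCertificateConfig::startup()`), so existing deployments start serving with a partial certificate set after upgrading unless they opt in; a default of `"1"` keeps the fail-closed behaviour and lets operators relax it deliberately, i.e. `{RECT_CONFIG, "proxy.config.ssl.server.multicert.exit_on_load_fail", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_NULL, "[0-1]", RECA_NULL}`. The record is declared `RECU_RESTART_TS`, yet `startup()` attaches it to the `sslCertUpdate` handler, which only makes sense for a dynamically reloadable record; one of the two should change. The diffstat shows no documentation change for the new record.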

