From bc...@apache.org
Subject [trafficserver] branch 8.1.x updated: Correct interpretation of proxy.config.ssl.client.verify.server
Date Wed, 10 Apr 2019 20:52:06 GMT
This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch 8.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/8.1.x by this push:
     new bd24f08  Correct interpretation of proxy.config.ssl.client.verify.server
bd24f08 is described below

commit bd24f08b137b054f8d481b6c9629c37de66bfa9d
Author: Susan Hinrichs <shinrich@apache.org>
AuthorDate: Thu Sep 6 09:25:13 2018 -0500

    Correct interpretation of proxy.config.ssl.client.verify.server
    
    (cherry picked from commit 5b8136e335e2bef67194a658b3ea6501d62369d9)
    
    Conflicts:
    	src/traffic_server/InkAPI.cc
    	src/traffic_server/InkAPITest.cc
---
 doc/admin-guide/files/records.config.en.rst                 |  4 +++-
 doc/admin-guide/files/ssl_server_name.yaml.en.rst           |  2 ++
 doc/developer-guide/api/types/TSOverridableConfigKey.en.rst |  1 -
 include/ts/apidefs.h.in                                     |  1 -
 iocore/net/SSLNetVConnection.cc                             |  5 +++--
 plugins/lua/ts_lua_http_config.c                            |  2 --
 proxy/http/HttpConfig.cc                                    |  2 --
 proxy/http/HttpSM.cc                                        | 10 ++++------
 src/traffic_server/InkAPI.cc                                |  5 -----
 src/traffic_server/InkAPITest.cc                            |  1 -
 10 files changed, 12 insertions(+), 21 deletions(-)

diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index 7ef65a6..ce545e3 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3318,15 +3318,17 @@ Client-Related Configuration
 
 .. ts:cv:: CONFIG proxy.config.ssl.client.verify.server INT 0
    :reloadable:
-   :overridable:
 
    Configures Traffic Server to verify the origin server certificate
    with the Certificate Authority (CA). This configuration takes a value between 0 to 2.
 
+   You can override this global setting on a per domain basis in the ssl_servername.yaml
file using the :ref:`verify_origin_server attribute<override-verify-origin-server>`.
+
 :0: Server Certificate will not be verified
 :1: Certificate will be verified and the connection will not be established if verification
fails.
 :2: The provided certificate will be verified and the connection will be established irrespective
of the verification result. If verification fails the name of the server will be logged.
 
+
 .. ts:cv:: CONFIG proxy.config.ssl.client.cert.filename STRING NULL
    :overridable:
 
diff --git a/doc/admin-guide/files/ssl_server_name.yaml.en.rst b/doc/admin-guide/files/ssl_server_name.yaml.en.rst
index 4aa1ebc..4da0c0f 100644
--- a/doc/admin-guide/files/ssl_server_name.yaml.en.rst
+++ b/doc/admin-guide/files/ssl_server_name.yaml.en.rst
@@ -42,6 +42,8 @@ Each table is a set of key / value pairs that create a configuration item.
This
 wildcard entries. To apply an SNI based setting on all the servernames with a common upper
level domain name,
 the user needs to enter the fqdn in the configuration with a ``*.`` followed by the common
domain name. (``*.yahoo.com`` for e.g.,).
 
+.. _override-verify-origin-server:
+
 ======================= ==============================================================================
 Key                     Meaning
 ======================= ==============================================================================
diff --git a/doc/developer-guide/api/types/TSOverridableConfigKey.en.rst b/doc/developer-guide/api/types/TSOverridableConfigKey.en.rst
index cb815af..f391d15 100644
--- a/doc/developer-guide/api/types/TSOverridableConfigKey.en.rst
+++ b/doc/developer-guide/api/types/TSOverridableConfigKey.en.rst
@@ -131,7 +131,6 @@ Enumeration Members
    .. c:macro:: TS_CONFIG_SSL_CERT_FILENAME
    .. c:macro:: TS_CONFIG_SSL_CERT_FILEPATH
    .. c:macro:: TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB
-   .. c:macro:: TS_CONFIG_SSL_CLIENT_VERIFY_SERVER
    .. c:macro:: TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER
    .. c:macro:: TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT
    .. c:macro:: TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES
diff --git a/include/ts/apidefs.h.in b/include/ts/apidefs.h.in
index 84a1aee..758b48d 100644
--- a/include/ts/apidefs.h.in
+++ b/include/ts/apidefs.h.in
@@ -750,7 +750,6 @@ typedef enum {
   TS_CONFIG_SSL_CERT_FILENAME,
   TS_CONFIG_SSL_CERT_FILEPATH,
   TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB,
-  TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
   TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER,
   TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT,
   TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES,
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index b211552..3b61a8e 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1049,8 +1049,9 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
         clientCTX    = nps->ctx;
         clientVerify = nps->verifyLevel;
       } else {
-        clientCTX    = params->client_ctx;
-        clientVerify = params->clientVerify;
+        clientCTX = params->client_ctx;
+        // Keeping backwards compatability on the proxy.config.ssl.client.verify.server setting
+        clientVerify = params->clientVerify ? (params->clientVerify == 1 ? 2 : 1) :
0;
       }
       if (!clientCTX) {
         SSLErrorVC(this, "failed to create SSL client session");
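Review bot: The remap on the `clientVerify = params->clientVerify ? (params->clientVerify == 1 ? 2 : 1) : 0;` line folds every value other than 0, 1 and 2 into 1, so a mistyped setting such as 3 silently receives the level reserved for 2 instead of being rejected; the records.config.en.rst hunk in this same commit documents the setting as taking only 0 to 2, and a misconfigured verify level should not pick its behaviour by accident. The inversion itself (1 becomes 2, 2 becomes 1) is explained only as "backwards compatability"; since the SNI branch just above assigns `nps->verifyLevel` unchanged, the two branches appear to be on different scales, which is worth stating in the comment (and the spelling should be "compatibility"). An explicit switch makes the mapping readable and gives the out-of-range case a deliberate home. sslStartHandShake begins and ends outside the hunk.
```cpp
        clientCTX = params->client_ctx;
        // proxy.config.ssl.client.verify.server is documented as 0..2 (1 = fail the
        // connection on verification failure, 2 = verify but connect anyway). The
        // SNI path above takes nps->verifyLevel as-is, so only the global value is
        // translated here; the inversion preserves the pre-existing behaviour.
        switch (params->clientVerify) {
        case 0:
          clientVerify = 0;
          break;
        case 1:
          clientVerify = 2;
          break;
        case 2:
          clientVerify = 1;
          break;
        default:
          // Out-of-range setting. Previously collapsed to 1 by the ternary; kept
          // here so behaviour is unchanged. TODO(review): confirm which internal
          // level is the strict one and map unexpected values to it explicitly.
          clientVerify = 1;
          break;
        }
```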
diff --git a/plugins/lua/ts_lua_http_config.c b/plugins/lua/ts_lua_http_config.c
index 6110f76..f4c3ae9 100644
--- a/plugins/lua/ts_lua_http_config.c
+++ b/plugins/lua/ts_lua_http_config.c
@@ -119,7 +119,6 @@ typedef enum {
   TS_LUA_CONFIG_SSL_CERT_FILENAME                             = TS_CONFIG_SSL_CERT_FILENAME,
   TS_LUA_CONFIG_SSL_CERT_FILEPATH                             = TS_CONFIG_SSL_CERT_FILEPATH,
   TS_LUA_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB                 = TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB,
-  TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER                      = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
   TS_LUA_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER         = TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER,
   TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT                  = TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT,
   TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES                = TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES,
@@ -246,7 +245,6 @@ ts_lua_var_item ts_lua_http_config_vars[] = {
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_SSL_CERT_FILENAME),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_SSL_CERT_FILEPATH),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB),
-  TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES),
diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc
index 1911483..d0df865 100644
--- a/proxy/http/HttpConfig.cc
+++ b/proxy/http/HttpConfig.cc
@@ -1185,7 +1185,6 @@ HttpConfig::startup()
   HttpEstablishStaticConfigByte(c.errors_log_error_pages, "proxy.config.http.errors.log_error_pages");
 
   HttpEstablishStaticConfigLongLong(c.oride.slow_log_threshold, "proxy.config.http.slow.log.threshold");
-  HttpEstablishStaticConfigByte(c.oride.ssl_client_verify_server, "proxy.config.ssl.client.verify.server");
 
   HttpEstablishStaticConfigByte(c.oride.send_http11_requests, "proxy.config.http.send_http11_requests");
   HttpEstablishStaticConfigByte(c.oride.allow_multi_range, "proxy.config.http.allow_multi_range");
@@ -1458,7 +1457,6 @@ HttpConfig::reconfigure()
   params->url_remap_required               = INT_TO_BOOL(m_master.url_remap_required);
   params->errors_log_error_pages           = INT_TO_BOOL(m_master.errors_log_error_pages);
   params->oride.slow_log_threshold         = m_master.oride.slow_log_threshold;
-  params->oride.ssl_client_verify_server   = m_master.oride.ssl_client_verify_server;
   params->oride.send_http11_requests       = m_master.oride.send_http11_requests;
   params->oride.doc_in_cache_skip_dns      = INT_TO_BOOL(m_master.oride.doc_in_cache_skip_dns);
   params->oride.default_buffer_size_index  = m_master.oride.default_buffer_size_index;
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 8e9c40d..b0cfc1a 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -5386,12 +5386,10 @@ HttpSM::handle_http_server_open()
     NetVConnection *vc = server_session->get_netvc();
     if (vc != nullptr && (vc->options.sockopt_flags != t_state.txn_conf->sock_option_flag_out
||
                           vc->options.packet_mark != t_state.txn_conf->sock_packet_mark_out
||
-                          vc->options.packet_tos != t_state.txn_conf->sock_packet_tos_out
||
-                          vc->options.clientVerificationFlag != t_state.txn_conf->ssl_client_verify_server))
{
-      vc->options.sockopt_flags          = t_state.txn_conf->sock_option_flag_out;
-      vc->options.packet_mark            = t_state.txn_conf->sock_packet_mark_out;
-      vc->options.packet_tos             = t_state.txn_conf->sock_packet_tos_out;
-      vc->options.clientVerificationFlag = t_state.txn_conf->ssl_client_verify_server;
+                          vc->options.packet_tos != t_state.txn_conf->sock_packet_tos_out))
{
+      vc->options.sockopt_flags = t_state.txn_conf->sock_option_flag_out;
+      vc->options.packet_mark   = t_state.txn_conf->sock_packet_mark_out;
+      vc->options.packet_tos    = t_state.txn_conf->sock_packet_tos_out;
       vc->apply_options();
     }
   }
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index c732dae..372b855 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
@@ -8123,9 +8123,6 @@ _conf_to_memberp(TSOverridableConfigKey conf, OverridableHttpConfigParams
*overr
   case TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB:
     ret = _memberp_to_generic(&overridableHttpConfig->parent_failures_update_hostdb,
typep);
     break;
-  case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER:
-    ret = _memberp_to_generic(&overridableHttpConfig->ssl_client_verify_server, typep);
-    break;
   case TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER:
     ret = _memberp_to_generic(&overridableHttpConfig->cache_enable_default_vary_headers,
typep);
     break;
@@ -8479,8 +8476,6 @@ TSHttpTxnConfigFind(const char *name, int length, TSOverridableConfigKey
*conf,
       if (!strncmp(name, "proxy.config.http.response_server_str", length)) {
         cnf = TS_CONFIG_HTTP_RESPONSE_SERVER_STR;
         typ = TS_RECORDDATATYPE_STRING;
-      } else if (!strncmp(name, "proxy.config.ssl.client.verify.server", length)) {
-        cnf = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER;
       }
       break;
     case 't':
diff --git a/src/traffic_server/InkAPITest.cc b/src/traffic_server/InkAPITest.cc
index 6193a0b..bbe5144 100644
--- a/src/traffic_server/InkAPITest.cc
+++ b/src/traffic_server/InkAPITest.cc
@@ -8670,7 +8670,6 @@ const char *SDK_Overridable_Configs[TS_CONFIG_LAST_ENTRY] = {"proxy.config.url_r
                                                              "proxy.config.ssl.client.cert.filename",
                                                              "proxy.config.ssl.client.cert.path",
                                                              "proxy.config.http.parent_proxy.mark_down_hostdb",
-                                                             "proxy.config.ssl.client.verify.server",
                                                              "proxy.config.http.cache.enable_default_vary_headers",
                                                              "proxy.config.http.cache.vary_default_text",
                                                              "proxy.config.http.cache.vary_default_images",

