From shinr...@apache.org
Subject [trafficserver] branch master updated: Remove double call of the SNI action on TLS accept.
Date Mon, 12 Aug 2019 17:16:42 GMT
This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new adbaca2  Remove double call of the SNI action on TLS accept.
adbaca2 is described below

commit adbaca2022058d0b4d8d01763863999309f8dffc
Author: Susan Hinrichs <shinrich@oath.com>
AuthorDate: Thu Aug 8 16:23:25 2019 +0000

    Remove double call of the SNI action on TLS accept.
---
 iocore/net/SSLUtils.cc                             |  4 +-
 .../tls/tls_tunnel_plugin_rename.test.py           | 91 ----------------------
 tests/tools/plugins/ssl_sni_rename_test.cc         | 73 -----------------
 3 files changed, 3 insertions(+), 165 deletions(-)

diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index c375047..fe58083 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -490,11 +490,13 @@ ssl_servername_callback(SSL *ssl, int * /* ad */, void * /*arg*/)
     netvc->serverName = "";
   }
 
-  // Rerun the actions in case a plugin changed the server name
+#if !TS_USE_HELLO_CB
+  // Only call the SNI actions here if not already performed in the HELLO_CB
   int ret = PerformAction(netvc, netvc->serverName);
   if (ret != SSL_TLSEXT_ERR_OK) {
     return SSL_TLSEXT_ERR_ALERT_FATAL;
   }
+#endif
   if (netvc->has_tunnel_destination() && !netvc->decrypt_tunnel()) {
     netvc->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL;
   }
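Review bot: The new `#if !TS_USE_HELLO_CB` guard silently removes the behaviour the old comment described (re-running the SNI actions because a plugin may have changed the server name), yet the replacement comment does not say that the hello-callback pass acted on the SNI from the raw ClientHello, so a `TS_SSL_SERVERNAME_HOOK` plugin that rewrites the name (as the deleted `ssl_sni_rename_test.cc` did with `SSL_set_tlsext_host_name`) no longer influences `tunnel_route` or the other actions on HELLO_CB builds. Because the tunnel decision on the lines right after the guard now depends on state produced by that earlier pass, I would make the caveat explicit: `// With TS_USE_HELLO_CB the actions (incl. tunnel_route) were already applied in the hello callback from the ClientHello SNI; a server-name change made by a TS_SSL_SERVERNAME_HOOK plugin does not re-trigger them.` It is also worth confirming that the hello-callback path turns a non-OK `PerformAction` result into a fatal alert the way the compiled-out lines here do, since that check no longer runs in this callback on HELLO_CB builds; that code is not visible from this hunk. `ssl_servername_callback` begins and ends outside the hunk.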
diff --git a/tests/gold_tests/tls/tls_tunnel_plugin_rename.test.py b/tests/gold_tests/tls/tls_tunnel_plugin_rename.test.py
deleted file mode 100644
index b11cd3e..0000000
--- a/tests/gold_tests/tls/tls_tunnel_plugin_rename.test.py
+++ /dev/null
@@ -1,91 +0,0 @@
-'''
-'''
-#  Licensed to the Apache Software Foundation (ASF) under one
-#  or more contributor license agreements.  See the NOTICE file
-#  distributed with this work for additional information
-#  regarding copyright ownership.  The ASF licenses this file
-#  to you under the Apache License, Version 2.0 (the
-#  "License"); you may not use this file except in compliance
-#  with the License.  You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-#  Unless required by applicable law or agreed to in writing, software
-#  distributed under the License is distributed on an "AS IS" BASIS,
-#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#  See the License for the specific language governing permissions and
-#  limitations under the License.
-
-import os
-Test.Summary = '''
-Test tunneling based on SNI renaming
-'''
-
-# Define default ATS
-ts = Test.MakeATSProcess("ts", select_ports=True, enable_tls=True)
-server_bar = Test.MakeOriginServer("server_bar", ssl=True)
-server_random = Test.MakeOriginServer("server_random", ssl=True)
-
-request_bar_header = {"headers": "GET / HTTP/1.1\r\nHost: bar.com\r\n\r\n", "timestamp":
"1469733493.993", "body": ""}
-request_random_header = {"headers": "GET / HTTP/1.1\r\nHost: random.com\r\n\r\n", "timestamp":
"1469733493.993", "body": ""}
-response_bar_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp":
"1469733493.993", "body": "ok bar"}
-response_random_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp":
"1469733493.993", "body": "ok random"}
-server_bar.addResponse("sessionlog_bar.json", request_bar_header, response_bar_header)
-server_random.addResponse("sessionlog_random.json", request_random_header, response_random_header)
-
-Test.PreparePlugin(os.path.join(Test.Variables.AtsTestToolsDir, 'plugins', 'ssl_sni_rename_test.cc'),
ts)
-
-# add ssl materials like key, certificates for the server
-ts.addSSLfile("ssl/signed-foo.pem")
-ts.addSSLfile("ssl/signed-foo.key")
-ts.addSSLfile("ssl/signed-bar.pem")
-ts.addSSLfile("ssl/signed-bar.key")
-ts.addSSLfile("ssl/server.pem")
-ts.addSSLfile("ssl/server.key")
-ts.addSSLfile("ssl/signer.pem")
-ts.addSSLfile("ssl/signer.key")
-
-# Need no remap rules.  Everything should be proccessed by sni
-
-# Make sure the TS server certs are different from the origin certs
-ts.Disk.ssl_multicert_config.AddLine(
-    'dest_ip=* ssl_cert_name=signed-foo.pem ssl_key_name=signed-foo.key'
-)
-
-# Case 1, global config policy=permissive properties=signature
-#         override for foo.com policy=enforced properties=all
-ts.Disk.records_config.update({
-    'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
-    'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
-    'proxy.config.http.connect_ports': '{0} {1} {2}'.format(ts.Variables.ssl_port,server_bar.Variables.SSL_Port,server_random.Variables.SSL_Port),
-    'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
-    'proxy.config.ssl.client.CA.cert.path': '{0}'.format(ts.Variables.SSLDir),
-    'proxy.config.ssl.client.CA.cert.filename': 'signer.pem',
-    'proxy.config.exec_thread.autoconfig.scale': 1.0,
-    'proxy.config.url_remap.pristine_host_hdr': 1
-})
-
-# bar.com should terminate.
-# empty should tunnel to server_random (should not happen)
-# newname should tunnel to server_bar
-ts.Disk.sni_yaml.AddLines([
-  "sni:",
-  "- fqdn: newname",
-  "  tunnel_route: localhost:{0}".format(server_bar.Variables.SSL_Port),
-  "- fqdn: ''",  #default case
-  "  tunnel_route: localhost:{0}".format(server_random.Variables.SSL_Port),
-  ])
-
-# Plugin should add "newname" to the empty sni and go to _bar instead of random.com
-tr = Test.AddTestRun("no-sni-tunnel-test")
-tr.Processes.Default.Command = "curl --http1.1 -v -k https://127.0.0.1:{0}".format(ts.Variables.ssl_port)
-tr.ReturnCode = 0
-tr.Processes.Default.StartBefore(server_bar)
-tr.Processes.Default.StartBefore(server_random)
-tr.Processes.Default.StartBefore(Test.Processes.ts)
-tr.StillRunningAfter = server_random
-tr.StillRunningAfter = ts
-tr.Processes.Default.Streams.All += Testers.ExcludesExpression("Could Not Connect", "Curl
attempt should have succeeded")
-tr.Processes.Default.Streams.All += Testers.ExcludesExpression("Not Found on Accelerato",
"Should not try to remap on Traffic Server")
-tr.Processes.Default.Streams.All += Testers.ContainsExpression("HTTP/1.1 200 OK", "Should
get a successful response")
-tr.Processes.Default.Streams.All += Testers.ContainsExpression("ok bar", "Body is expected")
diff --git a/tests/tools/plugins/ssl_sni_rename_test.cc b/tests/tools/plugins/ssl_sni_rename_test.cc
deleted file mode 100644
index 99a55ef..0000000
--- a/tests/tools/plugins/ssl_sni_rename_test.cc
+++ /dev/null
@@ -1,73 +0,0 @@
-/** @file
-
-  SSL Preaccept test plugin
-  Implements blind tunneling based on the client IP address
-  The client ip addresses are specified in the plugin's
-  config file as an array of IP addresses or IP address ranges under the
-  key "client-blind-tunnel"
-
-  @section license License
-
-  Licensed to the Apache Software Foundation (ASF) under one
-  or more contributor license agreements.  See the NOTICE file
-  distributed with this work for additional information
-  regarding copyright ownership.  The ASF licenses this file
-  to you under the Apache License, Version 2.0 (the
-  "License"); you may not use this file except in compliance
-  with the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
- */
-
-#include <ts/ts.h>
-#include <ts/remap.h>
-#include <getopt.h>
-#include <openssl/ssl.h>
-#include <strings.h>
-#include <string>
-#include <map>
-
-#define PN "ssl_rename_test"
-#define PCP "[" PN " Plugin] "
-
-std::map<std::string, int> bad_names;
-
-int
-CB_server_rename(TSCont cont, TSEvent event, void *edata)
-{
-  TSVConn ssl_vc = reinterpret_cast<TSVConn>(edata);
-
-  TSSslConnection sslobj = TSVConnSSLConnectionGet(ssl_vc);
-  SSL *ssl               = (SSL *)sslobj;
-  const char *sni_name   = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-  if (!sni_name) {
-    SSL_set_tlsext_host_name(ssl, "newname");
-  }
-
-  // All done, reactivate things
-  TSVConnReenable(ssl_vc);
-  return TS_SUCCESS;
-}
-
-// Called by ATS as our initialization point
-void
-TSPluginInit(int argc, const char *argv[])
-{
-  TSPluginRegistrationInfo info;
-  info.plugin_name   = const_cast<char *>("SSL rename test");
-  info.vendor_name   = const_cast<char *>("apache");
-  info.support_email = const_cast<char *>("shinrich@apache.org");
-  if (TSPluginRegister(&info) != TS_SUCCESS) {
-    TSError("[%s] Plugin registration failed", PN);
-  }
-  TSCont cb = TSContCreate(&CB_server_rename, TSMutexCreate());
-  TSHttpHookAdd(TS_SSL_SERVERNAME_HOOK, cb);
-
-  return;
-}

