Author: igalic
Date: Thu Nov 10 07:19:23 2011
New Revision: 1200202
URL: http://svn.apache.org/viewvc?rev=1200202&view=rev
Log:
TS-944: Align all configurations of paths to use the same function,
this now guarantees that TS-1013 actually works.
Modified:
trafficserver/traffic/trunk/CHANGES
trafficserver/traffic/trunk/iocore/net/P_SSLConfig.h
trafficserver/traffic/trunk/iocore/net/SSLCertLookup.cc
trafficserver/traffic/trunk/iocore/net/SSLConfig.cc
trafficserver/traffic/trunk/iocore/net/SSLNet.cc
trafficserver/traffic/trunk/proxy/config/records.config.default.in
Modified: trafficserver/traffic/trunk/CHANGES
URL:
http://svn.apache.org/viewvc/trafficserver/traffic/trunk/CHANGES?rev=1200202&r1=1200201&r2=1200202&view=diff
==============================================================================
--- trafficserver/traffic/trunk/CHANGES (original)
+++ trafficserver/traffic/trunk/CHANGES Thu Nov 10 07:19:23 2011
@@ -1,5 +1,7 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 3.1.1
+ *) TS-944: Align all configurations of paths to use the same function
+
*) TS-1018 Remove obsolete OpenSSL acceleration code and configs
*) TS-1013: Allow ssl_multicert.config to support CA chains per host
Modified: trafficserver/traffic/trunk/iocore/net/P_SSLConfig.h
URL:
http://svn.apache.org/viewvc/trafficserver/traffic/trunk/iocore/net/P_SSLConfig.h?rev=1200202&r1=1200201&r2=1200202&view=diff
==============================================================================
--- trafficserver/traffic/trunk/iocore/net/P_SSLConfig.h (original)
+++ trafficserver/traffic/trunk/iocore/net/P_SSLConfig.h Thu Nov 10 07:19:23
2011
@@ -70,6 +70,7 @@ public:
int getAcceptPort(void) const { return ssl_accept_port_number; }
char *getConfigFilePath(void) const { return configFilePath; }
char *getServerCertPathOnly(void) const { return serverCertPathOnly; }
+ char *getServerCACertPathOnly(void) const { return CACertPath; }
char *getServerKeyPathOnly(void) const { return serverKeyPathOnly; }
SslConfigParams();
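Review bot: The new accessor `getServerCACertPathOnly()` returns the member `CACertPath`, whose name does not say it is a directory, and before this commit that member held the full CA certificate file path (see the removed `CACertPath = Layout::relative_to(abs_path, CACertFilename)` in SSLConfig.cc). A one-line comment on the accessor would prevent the next reader from treating it as a file, e.g. `// directory only; the joined CA file path now lives in CACertFilename (set_paths_helper)`. The class body continues outside this hunk, so I cannot see whether other code still reads `CACertPath` as a file path.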
Modified: trafficserver/traffic/trunk/iocore/net/SSLCertLookup.cc
URL:
http://svn.apache.org/viewvc/trafficserver/traffic/trunk/iocore/net/SSLCertLookup.cc?rev=1200202&r1=1200201&r2=1200202&view=diff
==============================================================================
--- trafficserver/traffic/trunk/iocore/net/SSLCertLookup.cc (original)
+++ trafficserver/traffic/trunk/iocore/net/SSLCertLookup.cc Thu Nov 10 07:19:23
2011
@@ -76,6 +76,7 @@ SSLCertLookup::buildTable()
// Table should be empty
// ink_assert(num_el == 0);
+ Debug("ssl", "ssl_multicert.config: %s", configFilePath);
if (configFilePath)
file_buf = readIntoBuffer(configFilePath, moduleName, NULL);
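Review bot: The added `Debug("ssl", "ssl_multicert.config: %s", configFilePath)` runs before the `if (configFilePath)` guard on the next line, so a NULL `configFilePath` (which SSLConfig.cc produces when `proxy.config.ssl.server.multicert.filename` is unset) is passed to `%s`; glibc prints `(null)`, but that is undefined behaviour and other libcs crash. Guard the argument: `Debug("ssl", "ssl_multicert.config: %s", configFilePath ? configFilePath : "(unset)");`. The enclosing `buildTable()` continues outside the hunk.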
Modified: trafficserver/traffic/trunk/iocore/net/SSLConfig.cc
URL:
http://svn.apache.org/viewvc/trafficserver/traffic/trunk/iocore/net/SSLConfig.cc?rev=1200202&r1=1200201&r2=1200202&view=diff
==============================================================================
--- trafficserver/traffic/trunk/iocore/net/SSLConfig.cc (original)
+++ trafficserver/traffic/trunk/iocore/net/SSLConfig.cc Thu Nov 10 07:19:23 2011
@@ -131,6 +131,43 @@ SslConfigParams::cleanup()
termMode = SSL_TERM_MODE_NONE;
}
+// XXX: Add handling for Windows?
+// If path is *not* absolute, consider it relative to PREFIX
+// if it's empty, just take SYSCONFDIR, otherwise we can take it as-is
+static void
+set_paths_helper(const char *path, const char *filename, char **final_path,
char **final_filename)
+{
+ if (final_path != NULL) {
+ if (path && path[0] != '/') {
+ *final_path = Layout::get()->relative_to(Layout::get()->prefix, path);
+ } else if (!path || path[0] == '\0'){
+ *final_path = ats_strdup(Layout::get()->sysconfdir);
+ } else {
+ *final_path = ats_strdup(path);
+ }
+ }
+ if (filename) {
+ *final_filename = ats_strdup(Layout::get()->relative_to(path, filename));
+ } else {
+ *final_filename = NULL;
+ }
+
+#ifdef _WIN32
+ i = 0;
+ while (final_path[i] != 0) {
+ if (final_path[i] == '/')
+ final_path[i] = '\\';
+ i++;
+ }
+
+ i = 0;
+ while (final_filename[i] != 0) {
+ if (final_filename[i] == '/')
+ final_filename[i] = '\\';
+ i++;
+ }
+#endif
+}
void
SslConfigParams::initialize()
{
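Review bot: `set_paths_helper` resolves `*final_filename` against the raw `path` argument rather than the directory it just computed, so for a relative `path` the filename ends up relative to the current working directory instead of `PREFIX/path`, and for a NULL `path` (the `private_key.path` caller when the record is unset) `relative_to(NULL, filename)` is called. Line 73 stores `relative_to()`'s result directly in `*final_path`, which suggests it returns owned memory; if so, the `ats_strdup()` wrapped around it on line 81 leaks the intermediate string. The `#ifdef _WIN32` block also cannot compile as written: `i` is undeclared and `final_path[i]` / `final_filename[i]` index the `char **` parameters, not the strings. I would resolve the directory once and join against it:
```cpp
static void
set_paths_helper(const char *path, const char *filename, char **final_path, char **final_filename)
{
  char *dir;
  if (path && path[0] != '/') {
    dir = Layout::get()->relative_to(Layout::get()->prefix, path);
  } else if (!path || path[0] == '\0') {
    dir = ats_strdup(Layout::get()->sysconfdir);
  } else {
    dir = ats_strdup(path);
  }
  // join against the resolved directory, not the raw (possibly relative/NULL) input
  *final_filename = filename ? Layout::get()->relative_to(dir, filename) : NULL;
  if (final_path != NULL) {
    *final_path = dir;
  } else {
    ats_free(dir);
  }
  // … unchanged: _WIN32 separator conversion (needs `int i` and must index *final_path / *final_filename) …
}
```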
@@ -189,114 +226,28 @@ SslConfigParams::initialize()
IOCORE_ReadConfigString(serverCertFilename,
"proxy.config.ssl.server.cert.filename", PATH_NAME_MAX);
IOCORE_ReadConfigString(serverCertRelativePath,
"proxy.config.ssl.server.cert.path", PATH_NAME_MAX);
+ set_paths_helper(serverCertRelativePath, serverCertFilename,
&serverCertPathOnly, &serverCertPath);
- serverCertPathOnly = Layout::get()->relative(serverCertRelativePath);
- serverCertPath = Layout::relative_to(serverCertPathOnly, serverCertFilename);
-
-#ifdef _WIN32
- i = 0;
- while (serverCertPathOnly[i] != 0) {
- if (serverCertPathOnly[i] == '/')
- serverCertPathOnly[i] = '\\';
- i++;
- }
-
- i = 0;
- while (serverCertPath[i] != 0) {
- if (serverCertPath[i] == '/')
- serverCertPath[i] = '\\';
- i++;
- }
-#endif
-
-
- char *cert_chain;
+ char *cert_chain = NULL;
IOCORE_ReadConfigStringAlloc(cert_chain,
"proxy.config.ssl.server.cert_chain.filename");
- if (cert_chain != NULL) {
- serverCertChainPath = Layout::relative_to(serverCertPathOnly, cert_chain);
-
-#ifdef _WIN32
- i = 0;
- while (serverCertChainPath[i] != 0) {
- if (serverCertChainPath[i] == '/')
- serverCertChainPath[i] = '\\';
- i++;
- }
-#endif
- ats_free(cert_chain);
- }
+ set_paths_helper(serverCertRelativePath, cert_chain, &serverCertPathOnly,
&serverCertChainPath);
+ ats_free(cert_chain);
IOCORE_ReadConfigStringAlloc(multicert_config_file,
"proxy.config.ssl.server.multicert.filename");
- if (multicert_config_file != NULL) {
- configFilePath = Layout::relative_to(Layout::get()->sysconfdir,
multicert_config_file);
-
-#ifdef _WIN32
- i = 0;
- while (configFilePath[i] != 0) {
- if (configFilePath[i] == '/')
- configFilePath[i] = '\\';
- i++;
- }
-#endif
- ats_free(multicert_config_file);
- }
- // Added Alloc as a temp fix for warnings generated
- // by the ReadConfigString Macro when a string is NULL.
-
- ssl_server_private_key_filename = NULL;
- ssl_server_private_key_path = NULL;
+ set_paths_helper(Layout::get()->sysconfdir, multicert_config_file, NULL,
&configFilePath);
+ ats_free(multicert_config_file);
IOCORE_ReadConfigStringAlloc(ssl_server_private_key_filename,
"proxy.config.ssl.server.private_key.filename");
IOCORE_ReadConfigStringAlloc(ssl_server_private_key_path,
"proxy.config.ssl.server.private_key.path");
+ set_paths_helper(ssl_server_private_key_path,
ssl_server_private_key_filename, &serverKeyPathOnly, &serverKeyPath);
+ ats_free(ssl_server_private_key_filename);
+ ats_free(ssl_server_private_key_path);
- if (ssl_server_private_key_path != NULL) {
- serverKeyPathOnly = Layout::get()->relative(ssl_server_private_key_path);
- ats_free(ssl_server_private_key_path);
- }
- else {
- // XXX: private_key.filename is relative to prefix or sysconfdir?
- //
- serverKeyPathOnly = ats_strdup(Layout::get()->prefix);
- }
- if (ssl_server_private_key_filename != NULL) {
- serverKeyPath = Layout::relative_to(serverKeyPathOnly,
ssl_server_private_key_filename);
-
-#ifdef _WIN32
- i = 0;
- while (serverKeyPath[i] != 0) {
- if (serverKeyPath[i] == '/')
- serverKeyPath[i] = '\\';
- i++;
- }
-#endif
- ats_free(ssl_server_private_key_filename);
- }
-
- ssl_server_private_key_path = NULL;
IOCORE_ReadConfigStringAlloc(CACertFilename,
"proxy.config.ssl.CA.cert.filename");
- if (CACertFilename && (*CACertFilename == 0)) {
- ats_free(CACertFilename);
- CACertFilename = NULL;
- }
-
- IOCORE_ReadConfigStringAlloc(CACertRelativePath,
"proxy.config.ssl.CA.cert.pathname");
-
- if (CACertRelativePath != NULL) {
- char *abs_path = Layout::get()->relative(CACertRelativePath);
- CACertPath = Layout::relative_to(abs_path, CACertFilename);
-
-#ifdef _WIN32
- i = 0;
- while (CACertPath[i] != 0) {
- if (CACertPath[i] == '/')
- CACertPath[i] = '\\';
- i++;
- }
-#endif
- ats_free(abs_path);
- ats_free(CACertRelativePath);
- }
+ IOCORE_ReadConfigStringAlloc(CACertRelativePath,
"proxy.config.ssl.CA.cert.path");
+ set_paths_helper(CACertRelativePath, CACertFilename, &CACertPath,
&CACertFilename);
+ ats_free(CACertRelativePath);
// SSL session cache configurations
IOCORE_ReadConfigInteger(ssl_session_cache,
"proxy.config.ssl.session_cache");
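Review bot: The cert-chain call `set_paths_helper(serverCertRelativePath, cert_chain, &serverCertPathOnly, &serverCertChainPath)` assigns `serverCertPathOnly` a second time, so the string allocated by the earlier call on the `.cert.path` line leaks; pass `NULL` for the directory output here, as the multicert call does. The CA call `set_paths_helper(CACertRelativePath, CACertFilename, &CACertPath, &CACertFilename)` uses `CACertFilename` as both the input filename and the `final_filename` output, so the string from `IOCORE_ReadConfigStringAlloc(CACertFilename, ...)` is overwritten without being freed, and the removed special case that treated an empty `CA.cert.filename` as unset is gone — an empty string now presumably yields a path ending in the directory. Note also that `CACertPath` now holds only the directory where it previously held the joined file path, so any consumer of it outside this hunk should be checked. `initialize()` continues outside the hunk.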
@@ -312,11 +263,11 @@ SslConfigParams::initialize()
IOCORE_ReadConfigStringAlloc(ssl_client_cert_path,
"proxy.config.ssl.client.cert.path");
if (ssl_client_cert_path == NULL) {
- ssl_client_cert_path = ats_strdup(Layout::get()->prefix);
+ ssl_client_cert_path = ats_strdup(Layout::get()->sysconfdir);
}
if (ssl_client_cert_filename != NULL) {
- char *abs_path = Layout::get()->relative(ssl_client_cert_path);
- clientCertPath = Layout::relative_to(abs_path, ssl_client_cert_filename);
+ char *abs_path = Layout::get()->relative_to(Layout::get()->sysconfdir,
ssl_client_cert_path);
+ clientCertPath = Layout::get()->Layout::relative_to(abs_path,
ssl_client_cert_filename);
#ifdef _WIN32
i = 0;
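Review bot: The client-certificate path is still built by hand with `Layout::get()->relative_to(Layout::get()->sysconfdir, ssl_client_cert_path)` rather than through the new `set_paths_helper`, so whether an absolute `proxy.config.ssl.client.cert.path` survives depends on how `relative_to` treats a leading `/`, which the helper checks explicitly; given the commit's stated goal of aligning all path handling, route this through the helper too. The qualified call `Layout::get()->Layout::relative_to(abs_path, ...)` is also an odd spelling — `Layout::get()->relative_to(...)` as used two lines above reads better. I cannot see from this hunk whether `abs_path` is freed; the function continues outside it.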
@@ -338,12 +289,12 @@ SslConfigParams::initialize()
IOCORE_ReadConfigStringAlloc(ssl_client_private_key_path,
"proxy.config.ssl.client.private_key.path");
if (ssl_client_private_key_path == NULL) {
- ssl_client_private_key_path = ats_strdup(Layout::get()->prefix);
+ ssl_client_private_key_path = ats_strdup(Layout::get()->sysconfdir);
}
if (ssl_client_private_key_filename != NULL) {
- char *abs_path = Layout::get()->relative(ssl_client_private_key_path);
- clientCertPath = Layout::relative_to(abs_path,
ssl_client_private_key_filename);
+ char *abs_path = Layout::get()->relative_to(Layout::get()->sysconfdir,
ssl_client_private_key_path);
+ clientCertPath = Layout::get()->Layout::relative_to(abs_path,
ssl_client_private_key_filename);
#ifdef _WIN32
i = 0;
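Review bot: The rewritten line `clientCertPath = Layout::get()->Layout::relative_to(abs_path, ssl_client_private_key_filename);` stores the client private-key path into the certificate member, overwriting the value assigned from `ssl_client_cert_filename` in the preceding block, so a configuration with both set loses its client certificate path. The target variable is the same in the removed line, so this predates the commit, but the line was rewritten here and the key path presumably belongs in the client key member, whatever it is named in the class. The same absolute-path caveat applies as for the certificate block: `relative_to(sysconfdir, ssl_client_private_key_path)` bypasses the explicit leading-`/` check in `set_paths_helper`. The function continues outside the hunk.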
@@ -373,7 +324,7 @@ SslConfigParams::initialize()
// Notice that we don't put the filename at the
// end of this path. Its a quirk of the SSL lib interface.
if (clientCACertRelativePath != NULL) {
- clientCACertPath = Layout::get()->relative(clientCACertRelativePath);
+ clientCACertPath = Layout::get()->relative_to(Layout::get()->sysconfdir,
clientCACertRelativePath);
#ifdef _WIN32
i = 0;
while (clientCACertPath[i] != 0) {
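Review bot: `clientCACertPath = Layout::get()->relative_to(Layout::get()->sysconfdir, clientCACertRelativePath)` is the one remaining path that is not routed through `set_paths_helper`, so an absolute `proxy.config.ssl.client.CA.cert.path` is handled differently from the server-side paths unless `relative_to` itself short-circuits on a leading `/`, which I cannot confirm from here. Since this value is handed to the SSL library as a directory (per the comment above), `set_paths_helper(clientCACertRelativePath, NULL, &clientCACertPath, &unused)` would give it the same absolute/relative/empty semantics as the rest. The enclosing function continues outside the hunk.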
Modified: trafficserver/traffic/trunk/iocore/net/SSLNet.cc
URL:
http://svn.apache.org/viewvc/trafficserver/traffic/trunk/iocore/net/SSLNet.cc?rev=1200202&r1=1200201&r2=1200202&view=diff
==============================================================================
--- trafficserver/traffic/trunk/iocore/net/SSLNet.cc (original)
+++ trafficserver/traffic/trunk/iocore/net/SSLNet.cc Thu Nov 10 07:19:23 2011
@@ -284,25 +284,27 @@ SSLNetProcessor::initSSLServerCTX(SslCon
if (defaultEnabled) {
if (SSL_CTX_use_certificate_file(lCtx, param->serverCertPath,
SSL_FILETYPE_PEM) <= 0) {
- logSSLError("Cannot use server certificate file");
+ Error ("SSL ERROR: Cannot use server certificate file: %s",
param->serverCertPath);
return -2;
}
if (param->serverKeyPath != NULL) {
if (SSL_CTX_use_PrivateKey_file(lCtx, param->serverKeyPath,
SSL_FILETYPE_PEM) <= 0) {
- logSSLError("Cannot use server private key file");
+ Error("SSL ERROR: Cannot use server private key file: %s",
param->serverKeyPath);
return -3;
}
} else // assume key is contained in the cert file.
{
if (SSL_CTX_use_PrivateKey_file(lCtx, param->serverCertPath,
SSL_FILETYPE_PEM) <= 0) {
- logSSLError("Cannot use server private key file");
+ Error("SSL ERROR: Cannot use server private key file: %s",
param->serverKeyPath);
return -3;
}
}
if (param->serverCertChainPath) {
+ char *completeServerCaCertPath = Layout::relative_to
(param->getServerCACertPathOnly(), param->serverCertChainPath);
if (SSL_CTX_add_extra_chain_cert_file(lCtx, param->serverCertChainPath)
<= 0) {
- logSSLError("Cannot use server certificate chain file");
+ Error ("SSL ERROR: Cannot use server certificate chain file: %s",
completeServerCaCertPath);
+ ats_free(completeServerCaCertPath);
return -2;
}
}
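Review bot: In the `serverCertChainPath` branch, `completeServerCaCertPath` is computed but `SSL_CTX_add_extra_chain_cert_file` is still called with `param->serverCertChainPath`, so the error message names a file that was never opened, and on success the string is never freed (the `ats_free` sits only in the error path). `serverCertChainPath` was already joined against the certificate directory by `set_paths_helper` in SSLConfig.cc, so prefixing it with the CA directory here would double-join anyway; drop the computation and print `param->serverCertChainPath`. Separately, the new message on the "key contained in cert file" branch prints `param->serverKeyPath`, which is NULL in that branch (`else` of `serverKeyPath != NULL`) — it should print `param->serverCertPath`, the file actually passed to `SSL_CTX_use_PrivateKey_file`. `initSSLServerCTX` continues outside the hunk.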
@@ -310,12 +312,14 @@ SSLNetProcessor::initSSLServerCTX(SslCon
completeServerCertPath = Layout::relative_to
(param->getServerCertPathOnly(), serverCertPtr);
if (SSL_CTX_use_certificate_file(lCtx, completeServerCertPath,
SSL_FILETYPE_PEM) <= 0) {
- logSSLError("Cannot use server certificate file");
+ Error ("SSL ERROR: Cannot use server certificate file: %s",
completeServerCertPath);
return -2;
}
if (serverCaCertPtr) {
- if (SSL_CTX_add_extra_chain_cert_file(lCtx, serverCaCertPtr) <= 0) {
- logSSLError("Cannot use server certificate chain file");
+ char *completeServerCaCertPath = Layout::relative_to
(param->getServerCACertPathOnly(), serverCaCertPtr);
+ if (SSL_CTX_add_extra_chain_cert_file(lCtx, completeServerCaCertPath) <=
0) {
+ Error ("SSL ERROR: Cannot use server certificate chain file: %s",
completeServerCaCertPath);
+ ats_free(completeServerCaCertPath);
return -2;
}
}
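Review bot: `completeServerCaCertPath` is only released in the error branch, so every successful `SSL_CTX_add_extra_chain_cert_file` call leaks the joined path; this runs once per multicert entry. Move the free after the `if`: `ats_free(completeServerCaCertPath);` immediately after the closing brace of the error check, keeping the `Error(...)` before it so the message still has the string. `completeServerCertPath` two lines up has the same pattern (not freed on the `return -2` path), but that predates this commit. The enclosing function continues outside the hunk.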
@@ -323,13 +327,14 @@ SSLNetProcessor::initSSLServerCTX(SslCon
if (serverKeyPtr == NULL) // assume private key is contained in cert
obtained from multicert file.
{
if (SSL_CTX_use_PrivateKey_file(lCtx, completeServerCertPath,
SSL_FILETYPE_PEM) <= 0) {
- logSSLError("Cannot use server private key file");
+ Error("SSL ERROR: Cannot use server private key file: %s",
completeServerCertPath);
return -3;
}
} else {
if (param->getServerKeyPathOnly() != NULL) {
- if (SSL_CTX_use_PrivateKey_file(lCtx, serverKeyPtr, SSL_FILETYPE_PEM)
<= 0) {
- logSSLError("Cannot use server private key file");
+ char *completeServerKeyPath =
Layout::get()->relative_to(param->getServerKeyPathOnly(), serverKeyPtr);
+ if (SSL_CTX_use_PrivateKey_file(lCtx, completeServerKeyPath,
SSL_FILETYPE_PEM) <= 0) {
+ Error("SSL ERROR: Cannot use server private key file: %s",
completeServerKeyPath);
return -3;
}
} else {
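Review bot: `completeServerKeyPath` is allocated by `Layout::get()->relative_to(...)` and never freed on either the success or the `return -3` path; add `ats_free(completeServerKeyPath);` after the `if` block (and before the `return -3`, or restructure to free once). Also note that with `set_paths_helper` now falling back to `sysconfdir` whenever the key path is NULL or empty, `param->getServerKeyPathOnly()` can no longer be NULL, so the `else` branch that begins on the hunk's last line is effectively unreachable and its handling of a bare `serverKeyPtr` should be folded into this branch. The enclosing function continues outside the hunk.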
Modified: trafficserver/traffic/trunk/proxy/config/records.config.default.in
URL:
http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/config/records.config.default.in?rev=1200202&r1=1200201&r2=1200202&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/config/records.config.default.in
(original)
+++ trafficserver/traffic/trunk/proxy/config/records.config.default.in Thu Nov
10 07:19:23 2011
@@ -516,12 +516,12 @@ CONFIG proxy.config.ssl.server.cert.path
# For multiple cert systems, if any private key is not contained
# in the cert file, you must fill in the private key path.
CONFIG proxy.config.ssl.server.private_key.filename STRING NULL
-CONFIG proxy.config.ssl.server.private_key.path STRING NULL
+CONFIG proxy.config.ssl.server.private_key.path STRING @rel_sysconfdir@
# The CA file name and path are the
# certificate authority certificate that
# client certificates will be verified against.
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
-CONFIG proxy.config.ssl.CA.cert.path STRING NULL
+CONFIG proxy.config.ssl.CA.cert.path STRING @rel_sysconfdir@
################################
# client related configuration #
################################
@@ -531,12 +531,12 @@ CONFIG proxy.config.ssl.client.cert.path
# Fill in private key file and path only if the client's
# private key is not contained in the client certificate file.
CONFIG proxy.config.ssl.client.private_key.filename STRING NULL
-CONFIG proxy.config.ssl.client.private_key.path STRING NULL
+CONFIG proxy.config.ssl.client.private_key.path STRING @rel_sysconfdir@
# The CA file name and path are the
# certificate authority certificate that
# server certificates will be verified against.
CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
-CONFIG proxy.config.ssl.client.CA.cert.path STRING NULL
+CONFIG proxy.config.ssl.client.CA.cert.path STRING @rel_sysconfdir@
##############################################################################
#
# ICP Configuration. NOTE! ICP is currently broken NOTE!