TS-1147: Remove default server SSL_CTX from SSLNetProcessor
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/e2827c06
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/e2827c06
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/e2827c06
Branch: refs/heads/master
Commit: e2827c060568b08b0a8cd9d0a6fb67fdc8720f1f
Parents: a238d13
Author: James Peach <[email protected]>
Authored: Sat Mar 31 20:36:58 2012 -0700
Committer: James Peach <[email protected]>
Committed: Fri Apr 6 21:20:08 2012 -0700
----------------------------------------------------------------------
iocore/net/P_SSLCertLookup.h | 3 ++
iocore/net/P_SSLNetProcessor.h | 6 +----
iocore/net/SSLNetProcessor.cc | 8 ++++--
iocore/net/SSLNetVConnection.cc | 38 ++++++++++++++++-----------------
4 files changed, 27 insertions(+), 28 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/e2827c06/iocore/net/P_SSLCertLookup.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLCertLookup.h b/iocore/net/P_SSLCertLookup.h
index b09a8d1..817cd1f 100644
--- a/iocore/net/P_SSLCertLookup.h
+++ b/iocore/net/P_SSLCertLookup.h
@@ -48,6 +48,9 @@ public:
 void init(SslConfigParams * param);
 SSL_CTX *findInfoInHash(const char * address) const;
+ // Return the last-resort default TLS context if there is no name or address match.
+ SSL_CTX *defaultContext() const { return NULL; }
+
 SSLCertLookup();
 ~SSLCertLookup();
 };
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/e2827c06/iocore/net/P_SSLNetProcessor.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLNetProcessor.h b/iocore/net/P_SSLNetProcessor.h
index 6ce5ca2..630c5be 100644
--- a/iocore/net/P_SSLNetProcessor.h
+++ b/iocore/net/P_SSLNetProcessor.h
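Review bot: `defaultContext()` unconditionally returns NULL, but the comment above it describes a "last-resort default TLS context", which reads as a promise that callers get a usable context back, so nothing in the header tells them to check the result. Since all this function does today is make the absence of a default explicit, the comment should say so: `// Return the last-resort default TLS context, or NULL when none is configured (currently always NULL); callers must handle NULL.` The SSLCertLookup class declaration continues outside the hunk.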
@@ -69,17 +69,13 @@ public:
 const char *serverCertPtr, const char *serverCaPtr, const char *serverKeyPtr);
- SSL_CTX *getSSL_CTX(void) const {return ctx; }
 SSL_CTX *getClientSSL_CTX(void) const { return client_ctx; }
 static void logSSLError(const char *errStr = "", int critical = 1);
- SSLNetProcessor()
- : ctx(NULL), client_ctx(NULL), sslMutexArray(NULL)
- { };
+ SSLNetProcessor();
 virtual ~SSLNetProcessor();
- SSL_CTX *ctx;
 SSL_CTX *client_ctx;
 ProxyMutex **sslMutexArray;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/e2827c06/iocore/net/SSLNetProcessor.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc
index 3e6a96d..a52cb0b 100644
--- a/iocore/net/SSLNetProcessor.cc
+++ b/iocore/net/SSLNetProcessor.cc
@@ -101,9 +101,6 @@ SSLNetProcessor::cleanup(void)
 sslMutexArray = NULL;
 }
- if (ctx)
- SSL_CTX_free(ctx);
- ctx = NULL;
 if (client_ctx)
 SSL_CTX_free(client_ctx);
 client_ctx = NULL;
@@ -444,6 +441,11 @@ SSLNetProcessor::freeThread(UnixNetVConnection *vc, EThread *t)
 THREAD_FREE((SSLNetVConnection *) vc, sslNetVCAllocator, t);
 }
+SSLNetProcessor::SSLNetProcessor()
+ : client_ctx(NULL), sslMutexArray(NULL)
+{
+}
+
 SSLNetProcessor::~SSLNetProcessor()
 {
 cleanup();
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/e2827c06/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 33ebe64..0fd34a3 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -475,37 +475,35 @@ int
 SSLNetVConnection::sslStartHandShake(int event, int &err)
 {
 IpEndpoint ip;
- int namelen = sizeof(ip);
 if (event == SSL_EVENT_SERVER) {
- SSL_CTX *ctx = ssl_NetProcessor.ctx;
-
- if (ssl == NULL) {
- if (sslCertLookup.hasMultipleCerts()) {
- char buff[INET6_ADDRSTRLEN];
- safe_getsockname(get_socket(), &ip.sa, &namelen);
- ats_ip_ntop(&ip.sa, buff, sizeof(buff));
- ctx = sslCertLookup.findInfoInHash(buff);
- if (ctx == NULL) {
- ctx = ssl_NetProcessor.ctx;
- }
+ if (this->ssl == NULL) {
+ SSL_CTX * ctx;
+ int namelen = sizeof(ip);
+ char buff[INET6_ADDRSTRLEN];
+
+ safe_getsockname(get_socket(), &ip.sa, &namelen);
+ ats_ip_ntop(&ip.sa, buff, sizeof(buff));
+ ctx = sslCertLookup.findInfoInHash(buff);
+ if (ctx == NULL) {
+ ctx = sslCertLookup.defaultContext();
+ }
 #if TS_USE_TLS_SNI
- Debug("ssl", "setting SNI callbacks");
- SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_callback);
- SSL_CTX_set_tlsext_servername_arg(ctx, &sslCertLookup);
+ Debug("ssl", "setting SNI callbacks with initial ctx %p", ctx);
+ SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_callback);
+ SSL_CTX_set_tlsext_servername_arg(ctx, &sslCertLookup);
 #endif /* TS_USE_TLS_SNI */
- }
- ssl = make_ssl_connection(ctx, this);
- if (ssl == NULL) {
+ this->ssl = make_ssl_connection(ctx, this);
+ if (this->ssl == NULL) {
 Debug("ssl", "SSLNetVConnection::sslServerHandShakeEvent, ssl create failed");
 SSLNetProcessor::logSSLError("SSL_StartHandShake");
 return EVENT_ERROR;
 }
- }
- return (sslServerHandShakeEvent(err));
+
+ return sslServerHandShakeEvent(err);
 } else {
 if (ssl == NULL) {
 ssl = make_ssl_connection(ssl_NetProcessor.client_ctx, this);
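Review bot: When `findInfoInHash(buff)` finds no certificate for the local address, the new fallback `ctx = sslCertLookup.defaultContext();` yields NULL (the header in this commit defines it as `return NULL`), and under TS_USE_TLS_SNI that NULL is passed straight to `SSL_CTX_set_tlsext_servername_callback`, whose ctrl path dereferences the context — so a client connecting to a listening address with no configured certificate would most likely take the whole process down instead of just failing its handshake. The removed code only took this path when `hasMultipleCerts()` was true and otherwise fell back to the processor-wide context, so the missing-context case is new to this change. Reject it explicitly before the `#if TS_USE_TLS_SNI` block: `if (ctx == NULL) { Debug("ssl", "no SSL context for %s", buff); return EVENT_ERROR; }`. The return value of `safe_getsockname` also remains unchecked, so on failure `buff` is formatted from an uninitialized `ip`; that is pre-existing but now runs on every server-side connection and could be folded into the same guard. sslStartHandShake's body continues past the end of the hunk.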
