TS-1147: Remove defaultEnabled flag from SSLNetProcessor::initSSLServerCTX()
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/47255d30 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/47255d30 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/47255d30 Branch: refs/heads/master Commit: 47255d3000c32d75a24c98c6695f4011f6098c89 Parents: e7d5784 Author: James Peach <[email protected]> Authored: Fri Mar 30 21:58:44 2012 -0700 Committer: James Peach <[email protected]> Committed: Fri Apr 6 21:19:54 2012 -0700 ---------------------------------------------------------------------- iocore/net/P_SSLNetProcessor.h | 2 +- iocore/net/SSLCertLookup.cc | 2 +- iocore/net/SSLNetProcessor.cc | 86 +++++++++++----------------------- 3 files changed, 30 insertions(+), 60 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/47255d30/iocore/net/P_SSLNetProcessor.h ----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLNetProcessor.h b/iocore/net/P_SSLNetProcessor.h
index fdfb2bc..6ce5ca2 100644
--- a/iocore/net/P_SSLNetProcessor.h
+++ b/iocore/net/P_SSLNetProcessor.h
@@ -67,7 +67,7 @@ public:
 int initSSLServerCTX(SSL_CTX * ctx, const SslConfigParams * param,
 const char *serverCertPtr, const char *serverCaPtr,
- const char *serverKeyPtr, bool defaultEnabled);
+ const char *serverKeyPtr);
 SSL_CTX *getSSL_CTX(void) const {return ctx; }
 SSL_CTX *getClientSSL_CTX(void) const { return client_ctx; }
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/47255d30/iocore/net/SSLCertLookup.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLCertLookup.cc b/iocore/net/SSLCertLookup.cc
index 2795b2b..fb50a1d 100644
--- a/iocore/net/SSLCertLookup.cc
+++ b/iocore/net/SSLCertLookup.cc
@@ -284,7 +284,7 @@ SSLCertLookup::addInfoToHash(
 // if (serverPrivateKey == NULL)
 // serverPrivateKey = cert;
- if (ssl_NetProcessor.initSSLServerCTX(ctx, this->param, cert, caCert, serverPrivateKey, false) == 0) {
+ if (ssl_NetProcessor.initSSLServerCTX(ctx, this->param, cert, caCert, serverPrivateKey) == 0) {
 char * certpath = Layout::relative_to(this->param->getServerCertPathOnly(), cert);
 // Index this certificate by the specified IP(v6) address;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/47255d30/iocore/net/SSLNetProcessor.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc
index eef1967..3e6a96d 100644
--- a/iocore/net/SSLNetProcessor.cc
+++ b/iocore/net/SSLNetProcessor.cc
@@ -214,7 +214,7 @@ SSLNetProcessor::logSSLError(const char *errStr, int critical)
 int
 SSLNetProcessor::initSSLServerCTX(SSL_CTX * lCtx, const SslConfigParams * param,
 const char *serverCertPtr, const char *serverCaCertPtr,
- const char *serverKeyPtr, bool defaultEnabled)
+ const char *serverKeyPtr)
 {
 int session_id_context;
 int server_verify_client;
@@ -237,75 +237,45 @@ SSLNetProcessor::initSSLServerCTX(SSL_CTX * lCtx, const SslConfigParams * param,
 int verify_depth = param->verify_depth;
 SSL_CTX_set_quiet_shutdown(lCtx, 1);
- if (defaultEnabled) {
- if (SSL_CTX_use_certificate_file(lCtx, param->serverCertPath, SSL_FILETYPE_PEM) <= 0) {
- Error ("SSL ERROR: Cannot use server certificate file: %s", param->serverCertPath);
- return -2;
- }
- if (param->serverKeyPath != NULL) {
- if (SSL_CTX_use_PrivateKey_file(lCtx, param->serverKeyPath, SSL_FILETYPE_PEM) <= 0) {
- Error("SSL ERROR: Cannot use server private key file: %s", param->serverKeyPath);
- return -3;
- }
- } else // assume key is contained in the cert file.
- {
- if (SSL_CTX_use_PrivateKey_file(lCtx, param->serverCertPath, SSL_FILETYPE_PEM) <= 0) {
- Error("SSL ERROR: Cannot use server private key file: %s", param->serverKeyPath);
- return -3;
- }
- }
+ completeServerCertPath = Layout::relative_to (param->getServerCertPathOnly(), serverCertPtr);
- if (param->serverCertChainPath) {
- char *completeServerCaCertPath = Layout::relative_to (param->getServerCACertPathOnly(), param->serverCertChainPath);
- if (SSL_CTX_add_extra_chain_cert_file(lCtx, param->serverCertChainPath) <= 0) {
- Error ("SSL ERROR: Cannot use server certificate chain file: %s", completeServerCaCertPath);
- ats_free(completeServerCaCertPath);
- return -2;
- }
+ if (SSL_CTX_use_certificate_file(lCtx, completeServerCertPath, SSL_FILETYPE_PEM) <= 0) {
+ Error ("SSL ERROR: Cannot use server certificate file: %s", completeServerCertPath);
+ ats_free(completeServerCertPath);
+ return -2;
+ }
+ if (serverCaCertPtr) {
+ char *completeServerCaCertPath = Layout::relative_to (param->getServerCACertPathOnly(), serverCaCertPtr);
+ if (SSL_CTX_add_extra_chain_cert_file(lCtx, completeServerCaCertPath) <= 0) {
+ Error ("SSL ERROR: Cannot use server certificate chain file: %s", completeServerCaCertPath);
 ats_free(completeServerCaCertPath);
+ return -2;
 }
- } else {
- completeServerCertPath = Layout::relative_to (param->getServerCertPathOnly(), serverCertPtr);
+ ats_free(completeServerCaCertPath);
+ }
- if (SSL_CTX_use_certificate_file(lCtx, completeServerCertPath, SSL_FILETYPE_PEM) <= 0) {
- Error ("SSL ERROR: Cannot use server certificate file: %s", completeServerCertPath);
+ if (serverKeyPtr == NULL) // assume private key is contained in cert obtained from multicert file.
+ {
+ if (SSL_CTX_use_PrivateKey_file(lCtx, completeServerCertPath, SSL_FILETYPE_PEM) <= 0) {
+ Error("SSL ERROR: Cannot use server private key file: %s", completeServerCertPath);
 ats_free(completeServerCertPath);
- return -2;
- }
- if (serverCaCertPtr) {
- char *completeServerCaCertPath = Layout::relative_to (param->getServerCACertPathOnly(), serverCaCertPtr);
- if (SSL_CTX_add_extra_chain_cert_file(lCtx, completeServerCaCertPath) <= 0) {
- Error ("SSL ERROR: Cannot use server certificate chain file: %s", completeServerCaCertPath);
- ats_free(completeServerCaCertPath);
- return -2;
- }
- ats_free(completeServerCaCertPath);
+ return -3;
 }
-
- if (serverKeyPtr == NULL) // assume private key is contained in cert obtained from multicert file.
- {
- if (SSL_CTX_use_PrivateKey_file(lCtx, completeServerCertPath, SSL_FILETYPE_PEM) <= 0) {
- Error("SSL ERROR: Cannot use server private key file: %s", completeServerCertPath);
- ats_free(completeServerCertPath);
+ } else {
+ if (param->getServerKeyPathOnly() != NULL) {
+ char *completeServerKeyPath = Layout::get()->relative_to(param->getServerKeyPathOnly(), serverKeyPtr);
+ if (SSL_CTX_use_PrivateKey_file(lCtx, completeServerKeyPath, SSL_FILETYPE_PEM) <= 0) {
+ Error("SSL ERROR: Cannot use server private key file: %s", completeServerKeyPath);
+ ats_free(completeServerKeyPath);
 return -3;
 }
+ ats_free(completeServerKeyPath);
 } else {
- if (param->getServerKeyPathOnly() != NULL) {
- char *completeServerKeyPath = Layout::get()->relative_to(param->getServerKeyPathOnly(), serverKeyPtr);
- if (SSL_CTX_use_PrivateKey_file(lCtx, completeServerKeyPath, SSL_FILETYPE_PEM) <= 0) {
- Error("SSL ERROR: Cannot use server private key file: %s", completeServerKeyPath);
- ats_free(completeServerKeyPath);
- return -3;
- }
- ats_free(completeServerKeyPath);
- } else {
- logSSLError("Empty ssl private key path in records.config.");
- }
-
+ logSSLError("Empty ssl private key path in records.config.");
 }
- ats_free(completeServerCertPath);
 }
+ ats_free(completeServerCertPath);
 if (!SSL_CTX_check_private_key(lCtx)) {
 logSSLError("Server private key does not match the certificate public key");
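Review bot: Two of the error returns in the new code leak `completeServerCertPath`: the `return -2;` after `SSL_CTX_add_extra_chain_cert_file` fails frees only `completeServerCaCertPath`, and the `return -3;` after `SSL_CTX_use_PrivateKey_file(lCtx, completeServerKeyPath, ...)` fails frees only `completeServerKeyPath`, while `completeServerCertPath` is released solely at the single `ats_free(completeServerCertPath);` after the key block; each of those returns should be preceded by `ats_free(completeServerCertPath);`. This path used to be the non-default branch only, but with `defaultEnabled` gone it now runs for every certificate loaded from the multicert file, so a bad chain or key entry leaks on each reload. In the `else` branch where `serverKeyPtr` is set but `param->getServerKeyPathOnly()` is NULL, the code logs "Empty ssl private key path" and falls through with no key loaded, so the operator presumably sees the later "does not match the certificate public key" message instead of the real cause; returning `-3` immediately after that `logSSLError` would make the diagnosis direct. As a style point, the same hunk calls `Layout::relative_to(...)` for the cert and chain paths but `Layout::get()->relative_to(...)` for the key path; one form should be used. The declaration of `completeServerCertPath` and the function's handling after `SSL_CTX_check_private_key` lie outside this hunk.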
