Updated Branches: refs/heads/master ac73d305a -> e4b955aef
TS-1970 Using ssl_ca_name= in ssl_multicert.config fails Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/e4b955ae Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/e4b955ae Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/e4b955ae Branch: refs/heads/master Commit: e4b955aef0d74e62738963f6f5503f783c6178bd Parents: ac73d30 Author: Leif Hedstrom <[email protected]> Authored: Tue Jun 25 08:31:31 2013 -0600 Committer: Leif Hedstrom <[email protected]> Committed: Tue Jun 25 08:32:06 2013 -0600
----------------------------------------------------------------------
 CHANGES | 2 ++ iocore/net/SSLUtils.cc | 33 ++++++++++----------------------- 2 files changed, 12 insertions(+), 23 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/e4b955ae/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 6fd000c..934099a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,8 @@ Changes with Apache Traffic Server 3.3.5
+ *) [TS-1970] Using ssl_ca_name= in ssl_multicert.config fails.
+ *) [TS-1946] Reduce the verbosity of SSL handshake errors.
 *) [TS-1971] Switch jtest over to standard argument parsing.
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/e4b955ae/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index f19ee25..0cfcf02 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -49,22 +49,6 @@ typedef SSL_METHOD * ink_ssl_method_t;
 static ProxyMutex ** sslMutexArray;
 static bool open_ssl_initialized = false;
-struct ats_x509_certificate
-{
- explicit ats_x509_certificate(X509 * x) : x509(x) {}
- ~ats_x509_certificate() { if (x509) X509_free(x509); }
-
- operator bool() const {
- return x509 != NULL;
- }
-
- X509 * x509;
-
-private:
- ats_x509_certificate(const ats_x509_certificate&);
- ats_x509_certificate& operator=(const ats_x509_certificate&);
-};
-
 struct ats_file_bio
 {
 ats_file_bio(const char * path, const char * mode)
@@ -115,6 +99,7 @@ SSL_locking_callback(int mode, int type, const char * file, int line)
 static bool
 SSL_CTX_add_extra_chain_cert_file(SSL_CTX * ctx, const char * chainfile)
 {
+ X509 *cert;
 ats_file_bio bio(chainfile, "r");
 if (!bio) {
@@ -122,14 +107,16 @@ SSL_CTX_add_extra_chain_cert_file(SSL_CTX * ctx, const char * chainfile)
 }
 for (;;) {
- ats_x509_certificate certificate(PEM_read_bio_X509_AUX(bio.bio, NULL, NULL, NULL));
+ cert = PEM_read_bio_X509_AUX(bio.bio, NULL, NULL, NULL);
- if (!certificate) {
+ if (!cert) {
 // No more the certificates in this file.
 break;
 }
- if (!SSL_CTX_add_extra_chain_cert(ctx, certificate.x509)) {
+ // This transfers ownership of the cert (X509) to the SSL context, if successful.
+ if (!SSL_CTX_add_extra_chain_cert(ctx, cert)) {
+ X509_free(cert);
 return false;
 }
 }
@@ -506,10 +493,10 @@ ssl_index_certificate(SSLCertLookup * lookup, SSL_CTX * ctx, const char * certfi
 X509_NAME * subject = NULL;
 ats_file_bio bio(certfile, "r");
- ats_x509_certificate certificate(PEM_read_bio_X509_AUX(bio.bio, NULL, NULL, NULL));
+ X509* cert = PEM_read_bio_X509_AUX(bio.bio, NULL, NULL, NULL);
 // Insert a key for the subject CN.
- subject = X509_get_subject_name(certificate.x509);
+ subject = X509_get_subject_name(cert);
 if (subject) {
 int pos = -1;
 for (;;) {
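Review bot: `cert` is declared uninitialized at function scope in the previous hunk (`X509 *cert;`) but is only assigned and consumed inside the `for (;;)` body, so the narrower `X509 *cert = PEM_read_bio_X509_AUX(bio.bio, NULL, NULL, NULL);` inside the loop would keep the raw pointer's lifetime visibly tied to the one iteration that owns it, which matters now that the RAII wrapper is gone. The new ownership comment is the important part of this change: `SSL_CTX_add_extra_chain_cert` takes the X509 on success, so the old wrapper's destructor double-freed it, and the added `X509_free(cert)` on the failure path is the only release this loop still owes. One thing the new `if (!cert)` still does not distinguish is end-of-file from a malformed entry, so a bad intermediate silently truncates the chain; that behaviour predates the commit and is worth a TODO rather than a change here. SSL_CTX_add_extra_chain_cert_file returns after the loop, outside this hunk.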
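Review bot: The new `X509* cert = PEM_read_bio_X509_AUX(bio.bio, NULL, NULL, NULL);` in ssl_index_certificate is passed straight to `X509_get_subject_name(cert)` with no NULL check, and the preceding `ats_file_bio bio(certfile, "r")` is not checked either, unlike the `if (!bio)` guard in SSL_CTX_add_extra_chain_cert_file; an unreadable or malformed certfile from ssl_multicert.config therefore dereferences NULL inside OpenSSL instead of failing cleanly, which takes the proxy down at configuration load. The same applies to the `X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL)` call in the following hunk. A guard such as `if (!cert) { /* log certfile and bail out */ }` directly after the read covers both uses, and the `X509_free(cert)` added at the end of the function is a no-op on NULL, so the cleanup needs no change. ssl_index_certificate begins and ends outside this hunk, so the bail-out has to follow the return convention visible there.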
@@ -529,7 +516,7 @@ ssl_index_certificate(SSLCertLookup * lookup, SSL_CTX * ctx, const char * certfi
 #if HAVE_OPENSSL_TS_H
 // Traverse the subjectAltNames (if any) and insert additional keys for the SSL context.
- GENERAL_NAMES * names = (GENERAL_NAMES *)X509_get_ext_d2i(certificate.x509, NID_subject_alt_name, NULL, NULL);
+ GENERAL_NAMES * names = (GENERAL_NAMES *)X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
 if (names) {
 unsigned count = sk_GENERAL_NAME_num(names);
 for (unsigned i = 0; i < count; ++i) {
@@ -546,7 +533,7 @@ ssl_index_certificate(SSLCertLookup * lookup, SSL_CTX * ctx, const char * certfi
 GENERAL_NAMES_free(names);
 }
 #endif // HAVE_OPENSSL_TS_H
-
+ X509_free(cert);
 }
 static void
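Review bot: The single `X509_free(cert);` at the closing brace is now the only release of a raw pointer that is held across the whole of ssl_index_certificate, including the `#if HAVE_OPENSSL_TS_H` block and the subject/SAN loops that lie outside this hunk; no early `return` is visible in the shown lines, but any added later between the read and this line leaks the certificate. Since the RAII wrapper that used to guarantee this was removed in the first hunk, a comment next to the read, such as `// cert is owned by this function; every exit path must reach the X509_free below.`, would make the obligation explicit to the next maintainer. The body of ssl_index_certificate begins outside this hunk.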
