Repository: trafficserver Updated Branches: refs/heads/master a5a93ac5a -> a64033ad5
TS-2563: always set the SSL default verify paths When working at reverse proxy mode with the following remap rule: map https://xxx1.com https://xxx2.com ssl.client.verify.server=1 If xxx2.com is providing trusted certificate and 'ssl.client.CA.cert.filename' is NULL, ats should be able to verify the certificate in terms of the default provided CAs. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/a64033ad Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/a64033ad Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/a64033ad Branch: refs/heads/master Commit: a64033ad5d5e80489c89f0d1d478dedc8c9109c2 Parents: a5a93ac Author: Wei Sun <[email protected]> Authored: Tue Feb 25 09:10:19 2014 -0800 Committer: James Peach <[email protected]> Committed: Tue Feb 25 09:10:22 2014 -0800 ---------------------------------------------------------------------- CHANGES | 3 +++ iocore/net/SSLUtils.cc | 8 ++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a64033ad/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index f0bee49..9f77abc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 5.0.0 + *) [TS-2563] Always set the SSL default verify paths. + Author: Wei Sun <[email protected]> + *) [TS-2437] Add a lifecycle hook to expose loaded SSL certificates to plugins. Author: Wei Sun <[email protected]> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a64033ad/iocore/net/SSLUtils.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc index ca1b82b..6ec3208 100644 --- a/iocore/net/SSLUtils.cc +++ b/iocore/net/SSLUtils.cc 
@@ -592,13 +592,17 @@ SSLInitClientContext(const SSLConfigParams * params)
 SSL_CTX_set_verify_depth(client_ctx, params->client_verify_depth);
 if (params->clientCACertFilename != NULL && params->clientCACertPath != NULL) {
- if ((!SSL_CTX_load_verify_locations(client_ctx, params->clientCACertFilename, params->clientCACertPath)) ||
- (!SSL_CTX_set_default_verify_paths(client_ctx))) {
+ if (!SSL_CTX_load_verify_locations(client_ctx, params->clientCACertFilename, params->clientCACertPath)) {
 SSLError("invalid client CA Certificate file (%s) or CA Certificate path (%s)", params->clientCACertFilename, params->clientCACertPath);
 goto fail;
 }
 }
+
+ if (!SSL_CTX_set_default_verify_paths(client_ctx)) {
+ SSLError("failed to set the default verify paths");
+ goto fail;
+ }
 }
 if (SSLConfigParams::init_ssl_ctx_cb) {
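Review bot: The new `if (!SSL_CTX_set_default_verify_paths(client_ctx))` block sits after the CA-file branch rather than in an else, so a configured `clientCACertFilename`/`clientCACertPath` supplements the platform CA store instead of replacing it, and an operator who pinned a private CA for origin verification still trusts every system root. The removed condition already behaved that way when a CA file was set, but the commit makes it the unconditional rule and neither the hunk nor the CHANGES entry says so; I would add above the new block `// The platform default CA store is always added to the trust anchors; a configured CA file/path supplements it rather than replacing it.` and, if replacement was the intent, gate the default paths on the explicit CA settings being absent. The unchanged context line also requires both the filename and the path to be non-NULL before loading either, although SSL_CTX_load_verify_locations accepts NULL for one of them, so setting only `ssl.client.CA.cert.filename` silently falls through to the defaults alone. SSLInitClientContext begins before the hunk, so I cannot see whether this section is guarded by the client verify setting.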
