Repository: trafficserver Updated Branches: refs/heads/master f158ebced -> ef36a509c
TS-3529: Add a config to allow ATS to start up even if some certificates are bad.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/ef36a509
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/ef36a509
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/ef36a509
Branch: refs/heads/master
Commit: ef36a509c0a3cf0309ad563e980d7e002f9b2d9c
Parents: f158ebc
Author: shinrich <shinr...@yahoo-inc.com>
Authored: Tue Apr 21 14:47:51 2015 -0500
Committer: shinrich <shinr...@yahoo-inc.com>
Committed: Tue Apr 21 14:47:51 2015 -0500
----------------------------------------------------------------------
 CHANGES | 2 ++
 iocore/net/P_SSLConfig.h | 1 +
 iocore/net/SSLConfig.cc | 14 +++++++++-----
 mgmt/RecordsConfig.cc | 2 ++
 4 files changed, 14 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/ef36a509/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index c8d3e2a..8b19edb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 6.0.0
+ *) [TS-3529] Add config option to allow ATS to start even if certificate files are bad. + *) [TS-3523]: Proxy urls with no matching remap rules, when remap_required is disabled, regardless of reverse_proxy_enabled setting
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/ef36a509/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 549aa28..68dd50f 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -66,6 +66,7 @@ struct SSLConfigParams : public ConfigInfo {
   char *dhparamsFile;
   char *cipherSuite;
   char *client_cipherSuite;
+  int configExitOnLoadError;
   int clientCertLevel;
   int verify_depth;
   int ssl_session_cache; // SSL_SESSION_CACHE_MODE
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/ef36a509/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index acd8c19..669e1c1 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -231,6 +231,7 @@ SSLConfigParams::initialize()
   ats_free(serverCertRelativePath);
   configFilePath = RecConfigReadConfigPath("proxy.config.ssl.server.multicert.filename");
+  REC_ReadConfigInteger(configExitOnLoadError, "proxy.config.ssl.server.multicert.exit_on_load_fail");
   REC_ReadConfigStringAlloc(ssl_server_private_key_path, "proxy.config.ssl.server.private_key.path");
   set_paths_helper(ssl_server_private_key_path, NULL, &serverKeyPathOnly, NULL);
@@ -324,12 +325,17 @@ SSLCertificateConfig::startup()
 {
   sslCertUpdate = new ConfigUpdateHandler<SSLCertificateConfig>();
   sslCertUpdate->attach("proxy.config.ssl.server.multicert.filename");
+  sslCertUpdate->attach("proxy.config.ssl.server.multicert.exit_on_load_fail");
   sslCertUpdate->attach("proxy.config.ssl.server.ticket_key.filename");
   sslCertUpdate->attach("proxy.config.ssl.server.cert.path");
   sslCertUpdate->attach("proxy.config.ssl.server.private_key.path");
   sslCertUpdate->attach("proxy.config.ssl.server.cert_chain.filename");
-  if (!reconfigure()) {
+  // Exit if there are problems on the certificate loading and the
+  // proxy.config.ssl.server.multicert.exit_on_load_fail is true
+  SSLConfigParams *params = SSLConfig::acquire();
+  if (!reconfigure() && params->configExitOnLoadError) {
+    Error("Problems loading ssl certificate file, %s. Exiting.", params->configFilePath);
     _exit(1);
   }
   return true;
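Review bot: The new `configExitOnLoadError` member carries no comment tying it to the record it mirrors or to what a non-zero value does, while `ssl_session_cache` three lines below at least names its value domain. Suggest `int configExitOnLoadError; // proxy.config.ssl.server.multicert.exit_on_load_fail: non-zero makes SSLCertificateConfig::startup() _exit(1) when the certificate table fails to load`. The struct's constructor is outside this hunk; the field is assigned in initialize() (next hunk) and read through SSLConfig::acquire() in startup(), so confirm it is zero-initialised for any window before initialize() runs.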
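Review bot: When reconfigure() fails and `configExitOnLoadError` is 0, startup() now returns true with nothing in this hunk recording that the certificate table is incomplete; the Error() call only runs on the exit path, so the degraded state is invisible in the logs unless reconfigure() itself reports it. The `SSLConfigParams *params` obtained from `SSLConfig::acquire()` is also never handed back; if acquire() takes a reference the way the ConfigProcessor pattern does, the non-exit path leaks it and needs the matching `SSLConfig::release(params)`. Attaching `exit_on_load_fail` to sslCertUpdate only triggers a reload, and the flag is consulted nowhere in reconfigure(), so a runtime change of it has no effect beyond re-reading the certificates; that deserves a comment or dropping the attach. A shape for the tail of startup() (the function begins in this hunk and ends at `return true;`):
```cpp
  SSLConfigParams *params = SSLConfig::acquire();
  const bool loaded = reconfigure();
  if (!loaded && params->configExitOnLoadError) {
    Error("Problems loading ssl certificate file, %s. Exiting.", params->configFilePath);
    _exit(1);
  }
  if (!loaded) {
    // Operator chose to keep running on a bad certificate table; say so loudly.
    Warning("Problems loading ssl certificate file, %s. Continuing because proxy.config.ssl.server.multicert.exit_on_load_fail is 0.", params->configFilePath);
  }
  SSLConfig::release(params);
  return true;
```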
@@ -351,11 +357,9 @@ SSLCertificateConfig::reconfigure()
   }
   SSLParseCertificateConfiguration(params, lookup);
-  if (lookup->is_valid) {
-    configid = configProcessor.set(configid, lookup);
-  } else {
+  configid = configProcessor.set(configid, lookup);
+  if (!lookup->is_valid) {
     retStatus = false;
-    delete lookup;
   }
   return retStatus;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/ef36a509/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index cf5f4c1..1826427 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1282,6 +1282,8 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.ssl.server.multicert.filename", RECD_STRING, "ssl_multicert.config", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.server.multicert.exit_on_load_fail", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, "[0-1]", RECA_NULL}
+  ,
   {RECT_CONFIG, "proxy.config.ssl.server.ticket_key.filename", RECD_STRING, "ssl_ticket.key", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.server.private_key.path", RECD_STRING, TS_BUILD_SYSCONFDIR, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
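Review bot: `configProcessor.set(configid, lookup)` now runs unconditionally, so on a runtime reload a lookup table that failed validation replaces the table currently serving traffic, where the removed lines kept the last good table and deleted the bad one; the new exit flag only covers startup, so a single bad entry in ssl_multicert.config at reload time now degrades a working server with no way to opt out. Publishing a partial table is only justified when there is nothing to fall back to. Suggest keeping the old branch for reloads and publishing an invalid table only on the first load, assuming `configid` is 0 before the first set(), which this hunk does not show; reconfigure() begins before this hunk and `retStatus` is initialised there.
```cpp
  SSLParseCertificateConfiguration(params, lookup);
  if (!lookup->is_valid) {
    retStatus = false;
  }
  // Publish a partially-loaded table only when nothing is serving yet
  // (first load); on a reload keep the last good table rather than
  // replacing it with an incomplete one.
  if (lookup->is_valid || configid == 0) {
    configid = configProcessor.set(configid, lookup);
  } else {
    delete lookup;
  }
  return retStatus;
```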
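Review bot: The default of "0" for `proxy.config.ssl.server.multicert.exit_on_load_fail` silently changes behaviour for every existing deployment: before this commit startup() unconditionally `_exit(1)` on a failed certificate load (the removed `if (!reconfigure()) {` line in SSLConfig.cc), and after it a server with a broken or missing certificate file comes up and stays up unless the operator discovers the new record. Fail-closed was the previous contract, so a default of "1" would preserve it and let operators opt into lenient startup: `{RECT_CONFIG, "proxy.config.ssl.server.multicert.exit_on_load_fail", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_NULL, "[0-1]", RECA_NULL}`. Whichever default is kept, the diffstat shows no documentation file touched and the CHANGES entry does not say that the default is lenient, so the record should be documented alongside this change.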