This is an automated email from the ASF dual-hosted git repository. jpeach pushed a commit to branch master in repository https://git-dual.apache.org/repos/asf/trafficserver.git
commit 5a36ca58a85f34a6c7f7ccef1a9f5c9fe79ebf88
Author: Mathias Biilmann Christensen <[email protected]>
AuthorDate: Mon Dec 28 22:45:03 2015 -0800
TS-4373: TSSslServerContextCreate and TSSslContextDestroy.
TSSslServerContextCreate returns a new SSL Context that's configured according to the settings in records.config. This is useful if an extension wants to use the TS_SSL_CERT_HOOK to control loading of SNI certificates, and still want to respect the cipher suite and related SSL settings. Add TSSslContextDestroy method.
---
iocore/net/P_SSLUtils.h | 3 +++
iocore/net/SSLUtils.cc | 41 +++++++++++++++++++++++++++++++++++++++++
proxy/InkAPI.cc | 18 ++++++++++++++++++
proxy/api/ts/ts.h | 5 +++++
4 files changed, 67 insertions(+)
diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index d4dd94d..b20db10 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -117,6 +117,9 @@ extern RecRawStatBlock *ssl_rsb;
 // Create a default SSL server context.
 SSL_CTX *SSLDefaultServerContext();
+// Create a new SSL server context fully configured.
+SSL_CTX *SSLCreateServerContext(const SSLConfigParams *params);
+
 // Initialize the SSL library.
 void SSLInitializeLibrary();
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index bd41877..ed80cf4 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
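Review bot: The new declaration's comment `// Create a new SSL server context fully configured.` leaves out the two facts a caller of this header needs: who owns the returned SSL_CTX, and what "fully configured" covers. The InkAPI.cc hunk in this commit releases the result through SSLReleaseContext in TSSslContextDestroy, so ownership passes to the caller; whether a certificate is attached depends on what SSLInitServerContext does with the default-constructed ssl_user_config, which is not visible here, so that part should be stated by whoever confirms it. I would write `// Create a new SSL server context configured from params. The caller owns the returned context and must release it with SSLReleaseContext().`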
@@ -1685,6 +1685,47 @@ ssl_set_handshake_callbacks(SSL_CTX *ctx)
 #endif
 }
+SSL_CTX *
+SSLCreateServerContext(const SSLConfigParams *params) {
+ Vec<X509 *> cert_list;
+ const ssl_user_config sslMultCertSettings;
+ SSL_CTX *ctx = SSLInitServerContext(params, sslMultCertSettings, cert_list);
+
+ // The certificate callbacks are set by the caller only
+ // for the default certificate
+ SSL_CTX_set_info_callback(ctx, ssl_callback_info);
+
+#if TS_USE_TLS_NPN
+ SSL_CTX_set_next_protos_advertised_cb(ctx, SSLNetVConnection::advertise_next_protocol, NULL);
+#endif /* TS_USE_TLS_NPN */
+
+#if TS_USE_TLS_ALPN
+ SSL_CTX_set_alpn_select_cb(ctx, SSLNetVConnection::select_next_protocol, NULL);
+#endif /* TS_USE_TLS_ALPN */
+
+ // TODO: Allow control over tickets and ticket path when using SSLCreateServerContext
+ ssl_context_enable_tickets(ctx, NULL);
+
+#ifdef HAVE_OPENSSL_OCSP_STAPLING
+ if (SSLConfigParams::ssl_ocsp_enabled) {
+ Debug("ssl", "ssl ocsp stapling is enabled");
+ SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
+ } else {
+ Debug("ssl", "ssl ocsp stapling is disabled");
+ }
+#else
+ if (SSLConfigParams::ssl_ocsp_enabled) {
+ Warning("fail to enable ssl ocsp stapling, this openssl version does not support it");
+ }
+#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+
+
+ if (SSLConfigParams::init_ssl_ctx_cb) {
+ SSLConfigParams::init_ssl_ctx_cb(ctx, true);
+ }
+ return ctx;
+}
+
 static SSL_CTX *
 ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, const ssl_user_config &sslMultCertSettings)
 {
diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc
index 110efc7..dd7f649 100644
--- a/proxy/InkAPI.cc
+++ b/proxy/InkAPI.cc
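Review bot: The `ctx` returned by SSLInitServerContext is handed to SSL_CTX_set_info_callback and every later SSL_CTX_* call without a NULL check; if SSLInitServerContext can fail and return NULL (its body is outside this hunk), the first callback registration dereferences a null pointer instead of reporting the failure. A guard right after the call, `if (ctx == NULL) { return NULL; }`, keeps the failure visible to TSSslServerContextCreate, which already returns NULL on its own failure path. The local cert_list is never cleaned up in this function either; if SSLInitServerContext hands it ownership of X509 objects, they leak on every call, which is worth confirming against ssl_store_ssl_context, which follows this function and presumably handles the same list. Two style points: the opening brace sits on the signature line while the neighbouring ssl_store_ssl_context puts it on its own line, and there are two consecutive blank lines before the init_ssl_ctx_cb check.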
@@ -8845,6 +8845,24 @@ TSSslContextFindByAddr(struct sockaddr const *addr)
 return ret;
 }
+tsapi TSSslContext
+TSSslServerContextCreate()
+{
+ TSSslContext ret = NULL;
+ SSLConfigParams *config = SSLConfig::acquire();
+ if (config != NULL) {
+ ret = reinterpret_cast<TSSslContext>(SSLCreateServerContext(config));
+ SSLConfig::release(config);
+ }
+ return ret;
+}
+
+tsapi void
+TSSslContextDestroy(TSSslContext ctx)
+{
+ SSLReleaseContext(reinterpret_cast<SSL_CTX*>(ctx));
+}
+
 tsapi int
 TSVConnIsSsl(TSVConn sslp)
 {
diff --git a/proxy/api/ts/ts.h b/proxy/api/ts/ts.h
index a55408a..7fb07de 100644
--- a/proxy/api/ts/ts.h
+++ b/proxy/api/ts/ts.h
@@ -1224,9 +1224,14 @@ tsapi TSSslConnection TSVConnSSLConnectionGet(TSVConn sslp);
 // Fetch a SSL context from the global lookup table
 tsapi TSSslContext TSSslContextFindByName(const char *name);
 tsapi TSSslContext TSSslContextFindByAddr(struct sockaddr const *);
+// Create a new SSL context based on the settings in records.config
+tsapi TSSslContext TSSslServerContextCreate(void);
+tsapi void TSSslContextDestroy(TSSslContext ctx);
+
 // Returns 1 if the sslp argument refers to a SSL connection
 tsapi int TSVConnIsSsl(TSVConn sslp);
+
 /* -------------------------------------------------------------------------- HTTP transactions */
 tsapi void TSHttpTxnHookAdd(TSHttpTxn txnp, TSHttpHookID id, TSCont contp);
--
To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
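Review bot: TSSslContextDestroy passes any TSSslContext straight to SSLReleaseContext, but the existing TSSslContextFindByName and TSSslContextFindByAddr return contexts that belong to the global lookup table; a plugin that passes one of those here would release a context the table may still reference, and nothing in the API distinguishes the two kinds of handle. The same gap is in the ts.h hunk of this commit, whose comment should state the contract, for example `// Create a new SSL context based on the settings in records.config. The caller owns it and must release it with TSSslContextDestroy(), which must not be used on contexts from TSSslContextFindByName/FindByAddr. Returns NULL on failure.` The NULL case is real: TSSslServerContextCreate returns NULL when SSLConfig::acquire() yields NULL, and also whenever SSLCreateServerContext does, so callers need to check. TSSslContextDestroy itself does not check ctx for NULL, so whether SSLReleaseContext tolerates NULL should be confirmed, or `if (ctx == NULL) { return; }` added. Minor: `reinterpret_cast<SSL_CTX*>` should use the `SSL_CTX *` pointer spacing the surrounding declarations use.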
