This is an automated email from the ASF dual-hosted git repository. shinrich pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push: new 5b8136e Correct interpretation of proxy.config.ssl.client.verify.server 5b8136e is described below commit 5b8136e335e2bef67194a658b3ea6501d62369d9 Author: Susan Hinrichs <shinr...@apache.org> AuthorDate: Thu Sep 6 09:25:13 2018 -0500 Correct interpretation of proxy.config.ssl.client.verify.server --- doc/admin-guide/files/records.config.en.rst | 4 +++- doc/admin-guide/files/ssl_server_name.yaml.en.rst | 2 ++ doc/developer-guide/api/types/TSOverridableConfigKey.en.rst | 1 - iocore/net/SSLNetVConnection.cc | 5 +++-- lib/ts/apidefs.h.in | 1 - plugins/lua/ts_lua_http_config.c | 2 -- proxy/http/HttpConfig.cc | 2 -- proxy/http/HttpSM.cc | 10 ++++------ src/traffic_server/InkAPI.cc | 5 ----- src/traffic_server/InkAPITest.cc | 1 - 10 files changed, 12 insertions(+), 21 deletions(-) diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst index 3801b23..9d14ccb 100644 --- a/doc/admin-guide/files/records.config.en.rst +++ b/doc/admin-guide/files/records.config.en.rst @@ -3364,15 +3364,17 @@ Client-Related Configuration .. ts:cv:: CONFIG proxy.config.ssl.client.verify.server INT 0 :reloadable: - :overridable: Configures Traffic Server to verify the origin server certificate with the Certificate Authority (CA). This configuration takes a value between 0 to 2. + You can override this global setting on a per domain basis in the ssl_servername.yaml file using the :ref:`verify_origin_server attribute<override-verify-origin-server>`. + :0: Server Certificate will not be verified :1: Certificate will be verified and the connection will not be established if verification fails. :2: The provided certificate will be verified and the connection will be established irrespective of the verification result. If verification fails the name of the server will be logged. + .. ts:cv:: CONFIG proxy.config.ssl.client.cert.filename STRING NULL :overridable: 
diff --git a/doc/admin-guide/files/ssl_server_name.yaml.en.rst b/doc/admin-guide/files/ssl_server_name.yaml.en.rst
index 4aa1ebc..4da0c0f 100644
--- a/doc/admin-guide/files/ssl_server_name.yaml.en.rst
+++ b/doc/admin-guide/files/ssl_server_name.yaml.en.rst
@@ -1004,8 +1004,9 @@ SSLNetVConnection::sslStartHandShake(int event, int &err) clientCTX = nps->ctx; clientVerify = nps->verifyLevel; } else { - clientCTX = params->client_ctx; - clientVerify = params->clientVerify; + clientCTX = params->client_ctx; + // Keeping backwards compatability on the proxy.config.ssl.client.verify.server setting + clientVerify = params->clientVerify ? (params->clientVerify == 1 ? 2 : 1) : 0; } if (!clientCTX) { SSLErrorVC(this, "failed to create SSL client session"); diff --git a/lib/ts/apidefs.h.in b/lib/ts/apidefs.h.in index 5b0a953..75f956e 100644 --- a/lib/ts/apidefs.h.in +++ b/lib/ts/apidefs.h.in @@ -758,7 +758,6 @@ typedef enum { TS_CONFIG_SSL_CERT_FILENAME, TS_CONFIG_SSL_CERT_FILEPATH, TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB, - TS_CONFIG_SSL_CLIENT_VERIFY_SERVER, TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER, TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT, TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES, diff --git a/plugins/lua/ts_lua_http_config.c b/plugins/lua/ts_lua_http_config.c index 11f8cca..d7f25c6 100644 --- a/plugins/lua/ts_lua_http_config.c +++ b/plugins/lua/ts_lua_http_config.c @@ -119,7 +119,6 @@ typedef enum { TS_LUA_CONFIG_SSL_CERT_FILENAME = TS_CONFIG_SSL_CERT_FILENAME, TS_LUA_CONFIG_SSL_CERT_FILEPATH = TS_CONFIG_SSL_CERT_FILEPATH, TS_LUA_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB = TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB, - TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER, TS_LUA_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER = TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER, TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT = TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT, TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES = TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES, 
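Review bot: The added line `clientVerify = params->clientVerify ? (params->clientVerify == 1 ? 2 : 1) : 0;` swaps the 1/2 levels of records.config into verifyLevel's numbering, while the SNI branch two lines above copies `nps->verifyLevel` through untranslated, so the same number means opposite things depending on which file it came from — and the records.config hunk in this same commit tells admins the yaml `verify_origin_server` key overrides "this setting", which reads as the same scale. An admin who writes 1 in ssl_server_name.yaml expecting the documented "connection will not be established if verification fails" would, if verifyLevel treats 1 as the permissive level as the swap implies, get origin certificates checked but never enforced, a silent downgrade with no log line. Every non-zero value other than 1 (records.config is documented as 0–2, but nothing here rejects 3 or -1) also collapses to the enforcing level, which is the safe direction but deserves to be said, and the comment misspells "compatibility". I would replace the nested ternary with an explicit switch whose comment names both encodings (below) and have the records.config text state that the yaml key uses the internal numbering, or translate it on that path too. sslStartHandShake begins and ends outside the hunk.
```cpp
      clientCTX = params->client_ctx;
      // records.config proxy.config.ssl.client.verify.server: 1 = verify and
      // drop the connection on failure, 2 = verify, log, keep the connection.
      // verifyLevel (fed directly from ssl_server_name.yaml above) presumably
      // uses the reverse numbering -- confirm against the verify callback --
      // so translate here. Unknown non-zero values become the enforcing level
      // so a typo in records.config fails closed rather than open.
      switch (params->clientVerify) {
      case 0:
        clientVerify = 0;
        break;
      case 1:
        clientVerify = 2;
        break;
      default:
        clientVerify = 1;
        break;
      }
```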
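Review bot: Deleting `TS_CONFIG_SSL_CLIENT_VERIFY_SERVER` from the middle of the `TSOverridableConfigKey` enum renumbers every member after it, so a plugin compiled against the previous apidefs.h addresses the wrong key through `TSHttpTxnConfigIntSet`/`TSHttpTxnConfigIntGet`; one that set the verify level to enforce would now flip `TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER` instead and lose origin-certificate enforcement without any error. If this branch is not already accepting ABI breaks for the next major release, keep the slot as a placeholder, e.g. `TS_CONFIG_SSL_CLIENT_VERIFY_SERVER, /* deprecated: setting is no longer overridable per transaction */`, and have `_conf_to_memberp` return an error for it. Either way the removal is an API change rather than the interpretation fix the title describes and should be named in the commit message or release notes.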
@@ -244,7 +243,6 @@ ts_lua_var_item ts_lua_http_config_vars[] = { TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_SSL_CERT_FILENAME), TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_SSL_CERT_FILEPATH), TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB), - TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER), TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER), TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT), TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES), diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc index 48a960e..9a9d6d4 100644 --- a/proxy/http/HttpConfig.cc +++ b/proxy/http/HttpConfig.cc @@ -1177,7 +1177,6 @@ HttpConfig::startup() HttpEstablishStaticConfigByte(c.errors_log_error_pages, "proxy.config.http.errors.log_error_pages"); HttpEstablishStaticConfigLongLong(c.oride.slow_log_threshold, "proxy.config.http.slow.log.threshold"); - HttpEstablishStaticConfigByte(c.oride.ssl_client_verify_server, "proxy.config.ssl.client.verify.server"); HttpEstablishStaticConfigByte(c.oride.send_http11_requests, "proxy.config.http.send_http11_requests"); HttpEstablishStaticConfigByte(c.oride.allow_multi_range, "proxy.config.http.allow_multi_range"); @@ -1454,7 +1453,6 @@ HttpConfig::reconfigure() params->url_remap_required = INT_TO_BOOL(m_master.url_remap_required); params->errors_log_error_pages = INT_TO_BOOL(m_master.errors_log_error_pages); params->oride.slow_log_threshold = m_master.oride.slow_log_threshold; - params->oride.ssl_client_verify_server = m_master.oride.ssl_client_verify_server; params->oride.send_http11_requests = m_master.oride.send_http11_requests; params->oride.doc_in_cache_skip_dns = INT_TO_BOOL(m_master.oride.doc_in_cache_skip_dns); params->oride.default_buffer_size_index = m_master.oride.default_buffer_size_index; diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc index fc6b65a..106c02b 100644 --- a/proxy/http/HttpSM.cc +++ b/proxy/http/HttpSM.cc 
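Review bot: The two removed lines stop populating `c.oride.ssl_client_verify_server` and `params->oride.ssl_client_verify_server`, but the diffstat touches no HttpConfig.h, so the member itself appears to stay in `OverridableHttpConfigParams` as dead, never-assigned state holding only its default. Anyone grepping for the setting later will find a field that looks live and may wire it back in; I would drop the member in the same change, or if it must stay for layout reasons add `// unused since proxy.config.ssl.client.verify.server stopped being overridable` beside its declaration. The `startup()` and `reconfigure()` bodies continue outside the hunks.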
@@ -5364,12 +5364,10 @@ HttpSM::handle_http_server_open() NetVConnection *vc = server_session->get_netvc(); if (vc != nullptr && (vc->options.sockopt_flags != t_state.txn_conf->sock_option_flag_out || vc->options.packet_mark != t_state.txn_conf->sock_packet_mark_out || - vc->options.packet_tos != t_state.txn_conf->sock_packet_tos_out || - vc->options.clientVerificationFlag != t_state.txn_conf->ssl_client_verify_server)) { - vc->options.sockopt_flags = t_state.txn_conf->sock_option_flag_out; - vc->options.packet_mark = t_state.txn_conf->sock_packet_mark_out; - vc->options.packet_tos = t_state.txn_conf->sock_packet_tos_out; - vc->options.clientVerificationFlag = t_state.txn_conf->ssl_client_verify_server; + vc->options.packet_tos != t_state.txn_conf->sock_packet_tos_out)) { + vc->options.sockopt_flags = t_state.txn_conf->sock_option_flag_out; + vc->options.packet_mark = t_state.txn_conf->sock_packet_mark_out; + vc->options.packet_tos = t_state.txn_conf->sock_packet_tos_out; vc->apply_options(); } } diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc index 6225ada..c186506 100644 --- a/src/traffic_server/InkAPI.cc +++ b/src/traffic_server/InkAPI.cc @@ -8173,9 +8173,6 @@ _conf_to_memberp(TSOverridableConfigKey conf, OverridableHttpConfigParams *overr case TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB: ret = _memberp_to_generic(&overridableHttpConfig->parent_failures_update_hostdb, conv); break; - case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER: - ret = _memberp_to_generic(&overridableHttpConfig->ssl_client_verify_server, conv); - break; case TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER: ret = _memberp_to_generic(&overridableHttpConfig->cache_enable_default_vary_headers, conv); break; 
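Review bot: With `vc->options.clientVerificationFlag` dropped from both the comparison and the assignment, nothing in this hunk sets that field any more, yet the diffstat shows no change to the header declaring `NetVCOptions`, so the field presumably still exists and `apply_options()` still runs on the reused session with whatever default it carries. If `clientVerificationFlag` is still consulted anywhere on the SSL client side, a default of 0 would read as "do not verify" regardless of what records.config or ssl_server_name.yaml says; the field should go with the overridable config, or the code reading it should be confirmed gone and a comment left here saying verification is taken from `params`/SNI rather than per-transaction options. `handle_http_server_open` begins before the hunk.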
@@ -8545,8 +8542,6 @@ TSHttpTxnConfigFind(const char *name, int length, TSOverridableConfigKey *conf, if (!strncmp(name, "proxy.config.http.response_server_str", length)) { cnf = TS_CONFIG_HTTP_RESPONSE_SERVER_STR; typ = TS_RECORDDATATYPE_STRING; - } else if (!strncmp(name, "proxy.config.ssl.client.verify.server", length)) { - cnf = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER; } break; case 't': diff --git a/src/traffic_server/InkAPITest.cc b/src/traffic_server/InkAPITest.cc index fb47d87..f861bbb 100644 --- a/src/traffic_server/InkAPITest.cc +++ b/src/traffic_server/InkAPITest.cc @@ -8669,7 +8669,6 @@ std::array<std::string_view, TS_CONFIG_LAST_ENTRY> SDK_Overridable_Configs = { "proxy.config.ssl.client.cert.filename", "proxy.config.ssl.client.cert.path", "proxy.config.http.parent_proxy.mark_down_hostdb", - "proxy.config.ssl.client.verify.server", "proxy.config.http.cache.enable_default_vary_headers", "proxy.config.http.cache.vary_default_text", "proxy.config.http.cache.vary_default_images",
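Review bot: Dropping the `"proxy.config.ssl.client.verify.server"` branch from `TSHttpTxnConfigFind` means a plugin that looked the key up by name at runtime now gets the unknown-name result instead of a compile error, so per-transaction enforcement of origin-certificate verification that used to work silently stops and falls back to the global or SNI level. That is a security-relevant behaviour change that neither the commit message nor the records.config doc hunk (which only drops `:overridable:`) calls out; I would add a sentence there such as "This setting can no longer be overridden per transaction by plugins; use ssl_server_name.yaml for per-origin control" and mention it in the release notes. The enclosing `switch` on the name's leading character continues outside the hunk.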