This is an automated email from the ASF dual-hosted git repository. shinrich pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 458bb1f Update documentation for SSL VERIFY hooks.
458bb1f is described below
commit 458bb1f2c4c2917e103701acddf9ea1aab462105
Author: Susan Hinrichs <shinr...@apache.org>
AuthorDate: Wed Oct 10 16:13:51 2018 -0500
Update documentation for SSL VERIFY hooks.
---
 doc/developer-guide/api/types/TSHttpHookID.en.rst | 2 ++
 .../hooks-and-transactions/ssl-hooks.en.rst | 27 ++++++++++++++++++++++
 include/ts/apidefs.h.in | 2 ++
 iocore/net/SSLClientUtils.cc | 2 +-
 iocore/net/SSLNetVConnection.cc | 6 ++---
 proxy/InkAPIInternal.h | 2 +-
 proxy/http/HttpDebugNames.cc | 4 ++--
 src/traffic_server/InkAPITest.cc | 2 +-
 8 files changed, 39 insertions(+), 8 deletions(-)
diff --git a/doc/developer-guide/api/types/TSHttpHookID.en.rst b/doc/developer-guide/api/types/TSHttpHookID.en.rst
index f03444a..852b672 100644
--- a/doc/developer-guide/api/types/TSHttpHookID.en.rst
+++ b/doc/developer-guide/api/types/TSHttpHookID.en.rst
@@ -82,6 +82,8 @@ Enumeration Members
 .. c:macro:: TSHttpHookID TS_SSL_VERIFY_CLIENT_HOOK
+.. c:macro:: TSHttpHookID TS_SSL_VERIFY_SERVER_HOOK
+
 .. c:macro:: TSHttpHookID TS_SSL_LAST_HOOK
 .. c:macro:: TSHttpHookID TS_HTTP_LAST_HOOK
diff --git a/doc/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.rst b/doc/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.rst
index 518d0e8..1fa1a20 100644
--- a/doc/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.rst
+++ b/doc/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.rst
@@ -84,6 +84,29 @@ handshake processing will not proceed until :c:func:`TSSslVConnReenable()` is ca
 It may be useful to delay the TLS handshake processing if other resources must be consulted to select or create a certificate.
+TS_SSL_VERIFY_CLIENT_HOOK
+-------------------------
+
+This hook is called when a client connects to Traffic Server and presents a
+client certificate in the case of a mutual TLS handshake. The callback can
+get the SSL object from the TSVConn argument and use that to access the client
+certificate and make any additional checks.
+
+Processing will continue regardless of whether the hook callback executes
+:c:func:`TSSslVConnReenable()` since the openssl implementation does not allow
+for pausing processing during the certificate verify callback.
+
+TS_SSL_VERIFY_SERVER_HOOK
+-------------------------
+
+This hooks is called when a Traffic Server connects to an origin and the origin
+presents a certificate. The callback can get the SSL object from the TSVConn
+argument and use that to access the origin certificate and make any additional checks.
+
+Processing will continue regardless of whether the hook callback executes
+:c:func:`TSSslVConnReenable()` since the openssl implementation does not allow
+for pausing processing during the certificate verify callback.
+
 TLS Hook State Diagram
 ----------------------
@@ -92,9 +115,11 @@ TLS Hook State Diagram
 digraph tls_hook_state_diagram{
 HANDSHAKE_HOOKS_PRE -> TS_VCONN_START_HOOK;
+ HANDSHAKE_HOOKS_PRE -> TS_SSL_VERIFY_CLIENT_HOOK;
 HANDSHAKE_HOOKS_PRE -> TS_SSL_CERT_HOOK;
 HANDSHAKE_HOOKS_PRE -> TS_SSL_SERVERNAME_HOOK;
 HANDSHAKE_HOOKS_PRE -> HANDSHAKE_HOOKS_DONE;
+ TS_SSL_VERIFY_CLIENT_HOOK -> HANDSHAKE_HOOKS_PRE;
 TS_VCONN_START_HOOK -> HANDSHAKE_HOOKS_PRE_INVOKE;
 HANDSHAKE_HOOKS_PRE_INVOKE -> TSSslVConnReenable;
 TSSslVConnReenable -> HANDSHAKE_HOOKS_PRE;
@@ -110,6 +135,8 @@ TLS Hook State Diagram
 HANDSHAKE_HOOKS_DONE -> TS_VCONN_CLOSE_HOOK;
 HANDSHAKE_HOOKS_PRE [shape=box];
+ TS_VCONN_START_HOOK [shape=box];
+ TS_SSL_VERIFY_CLIENT_HOOK [shape=box];
 HANDSHAKE_HOOKS_PRE_INVOKE [shape=box];
 HANDSHAKE_HOOKS_SNI [shape=box];
 HANDSHAKE_HOOKS_CERT [shape=box];
diff --git a/include/ts/apidefs.h.in b/include/ts/apidefs.h.in
index 75f956e..b719daf 100644
--- a/include/ts/apidefs.h.in
+++ b/include/ts/apidefs.h.in
@@ -290,6 +290,7 @@ typedef enum {
 TS_SSL_CERT_HOOK = TS_SSL_SNI_HOOK,
 TS_SSL_SERVERNAME_HOOK,
 TS_SSL_SERVER_VERIFY_HOOK,
+ TS_SSL_VERIFY_SERVER_HOOK = TS_SSL_SERVER_VERIFY_HOOK,
 TS_SSL_VERIFY_CLIENT_HOOK,
 TS_SSL_SESSION_HOOK,
 TS_SSL_LAST_HOOK = TS_SSL_SESSION_HOOK,
@@ -462,6 +463,7 @@ typedef enum {
 TS_EVENT_SSL_CERT = 60203,
 TS_EVENT_SSL_SERVERNAME = 60204,
 TS_EVENT_SSL_SERVER_VERIFY_HOOK = 60205,
+ TS_EVENT_SSL_VERIFY_SERVER = 60205,
 TS_EVENT_SSL_VERIFY_CLIENT = 60206
 } TSEvent;
 #define TS_EVENT_HTTP_READ_REQUEST_PRE_REMAP TS_EVENT_HTTP_PRE_REMAP /* backwards compat */
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index 78b107d..386f244 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
@@ -79,7 +79,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 }
 if (netvc != nullptr) {
- netvc->callHooks(TS_EVENT_SSL_SERVER_VERIFY_HOOK);
+ netvc->callHooks(TS_EVENT_SSL_VERIFY_SERVER);
 char *matched_name = nullptr;
 unsigned char *sni_name;
 char buff[INET6_ADDRSTRLEN];
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 3198df0..46eb194 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
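Review bot: The two new aliases `TS_SSL_VERIFY_SERVER_HOOK = TS_SSL_SERVER_VERIFY_HOOK` (first apidefs.h.in hunk) and `TS_EVENT_SSL_VERIFY_SERVER = 60205` (second hunk) carry no comment saying which spelling is the current one and that the other is retained for compatibility, even though the hunk's own `#define TS_EVENT_HTTP_READ_REQUEST_PRE_REMAP TS_EVENT_HTTP_PRE_REMAP /* backwards compat */` shows the file's convention for exactly this. Since the documentation in this commit lists only `TS_SSL_VERIFY_SERVER_HOOK`, a comment such as `/* backwards compat, use TS_SSL_VERIFY_SERVER_HOOK */` on `TS_SSL_SERVER_VERIFY_HOOK`, and the matching one on `TS_EVENT_SSL_SERVER_VERIFY_HOOK`, would tell plugin authors which name to write. It is also worth stating that the old and new names share one value, because a `switch` on `TSHttpHookID` or `TSEvent` can then carry only one of them as a case label — the HttpDebugNames.cc hunk in this commit had to replace the old `case` rather than add a second one. Both `typedef enum` definitions begin outside these hunks.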
@@ -1554,7 +1554,7 @@ bool
 SSLNetVConnection::callHooks(TSEvent eventId)
 {
 // Only dealing with the SNI/CERT hook so far.
- ink_assert(eventId == TS_EVENT_SSL_CERT || eventId == TS_EVENT_SSL_SERVERNAME || eventId == TS_EVENT_SSL_SERVER_VERIFY_HOOK ||
+ ink_assert(eventId == TS_EVENT_SSL_CERT || eventId == TS_EVENT_SSL_SERVERNAME || eventId == TS_EVENT_SSL_VERIFY_SERVER ||
 eventId == TS_EVENT_SSL_VERIFY_CLIENT || eventId == TS_EVENT_VCONN_CLOSE);
 Debug("ssl", "callHooks sslHandshakeHookState=%d", this->sslHandshakeHookState);
@@ -1581,9 +1581,9 @@ SSLNetVConnection::callHooks(TSEvent eventId)
 case HANDSHAKE_HOOKS_SNI:
 // The server verify event addresses ATS to origin handshake
 // All the other events are for client to ATS
- if (eventId == TS_EVENT_SSL_SERVER_VERIFY_HOOK) {
+ if (eventId == TS_EVENT_SSL_VERIFY_SERVER) {
 if (!curHook) {
- curHook = ssl_hooks->get(TS_SSL_SERVER_VERIFY_INTERNAL_HOOK);
+ curHook = ssl_hooks->get(TS_SSL_VERIFY_SERVER_INTERNAL_HOOK);
 }
 } else {
 if (!curHook) {
diff --git a/proxy/InkAPIInternal.h b/proxy/InkAPIInternal.h
index b86b4cb..9f43222 100644
--- a/proxy/InkAPIInternal.h
+++ b/proxy/InkAPIInternal.h
@@ -279,7 +279,7 @@ typedef enum {
 TS_VCONN_CLOSE_INTERNAL_HOOK,
 TS_SSL_CERT_INTERNAL_HOOK,
 TS_SSL_SERVERNAME_INTERNAL_HOOK,
- TS_SSL_SERVER_VERIFY_INTERNAL_HOOK,
+ TS_SSL_VERIFY_SERVER_INTERNAL_HOOK,
 TS_SSL_VERIFY_CLIENT_INTERNAL_HOOK,
 TS_SSL_SESSION_INTERNAL_HOOK,
 TS_SSL_INTERNAL_LAST_HOOK
diff --git a/proxy/http/HttpDebugNames.cc b/proxy/http/HttpDebugNames.cc
index 31c8f9f..91131ed 100644
--- a/proxy/http/HttpDebugNames.cc
+++ b/proxy/http/HttpDebugNames.cc
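Review bot: The comment `// Only dealing with the SNI/CERT hook so far.` directly above the rewritten `ink_assert` in the first SSLNetVConnection.cc hunk is stale, since the assert now admits the verify-server, verify-client and VCONN_CLOSE events as well, and this rename was the natural moment to correct it. Suggest `// Only the TLS handshake-phase events listed in the assert below are routed through here.` so the comment and the check agree. The assert continues to accept callers that still pass the old `TS_EVENT_SSL_SERVER_VERIFY_HOOK` only because both enumerators are defined as 60205 in the apidefs.h.in hunk of this commit; that dependency deserves a short note beside the assert so a future renumbering does not silently turn those callers into assertion failures. callHooks begins before and continues past both hunks.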
@@ -466,8 +466,8 @@ HttpDebugNames::get_api_hook_name(TSHttpHookID t)
 return "TS_SSL_CERT_HOOK";
 case TS_SSL_SERVERNAME_HOOK:
 return "TS_SSL_SERVERNAME_HOOK";
- case TS_SSL_SERVER_VERIFY_HOOK:
- return "TS_SSL_SERVER_VERIFY_HOOK";
+ case TS_SSL_VERIFY_SERVER_HOOK:
+ return "TS_SSL_VERIFY_SERVER_HOOK";
 case TS_SSL_VERIFY_CLIENT_HOOK:
 return "TS_SSL_VERIFY_CLIENT_HOOK";
 case TS_SSL_SESSION_HOOK:
diff --git a/src/traffic_server/InkAPITest.cc b/src/traffic_server/InkAPITest.cc
index e537f7b..c914511 100644
--- a/src/traffic_server/InkAPITest.cc
+++ b/src/traffic_server/InkAPITest.cc
@@ -6622,7 +6622,7 @@ typedef enum {
 ORIG_TS_VCONN_CLOSE_HOOK,
 ORIG_TS_SSL_SNI_HOOK,
 ORIG_TS_SSL_SERVERNAME_HOOK,
- ORIG_TS_SSL_SERVER_VERIFY_HOOK,
+ ORIG_TS_SSL_VERIFY_SERVER_HOOK,
 ORIG_TS_SSL_VERIFY_CLIENT_HOOK,
 ORIG_TS_SSL_SESSION_HOOK,
 ORIG_TS_SSL_LAST_HOOK = ORIG_TS_SSL_SESSION_HOOK,