This is an automated email from the ASF dual-hosted git repository.
bcall pushed a commit to branch 8.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/8.1.x by this push:
new bd24f08 Correct interpretation of
proxy.config.ssl.client.verify.server
bd24f08 is described below
commit bd24f08b137b054f8d481b6c9629c37de66bfa9d
Author: Susan Hinrichs <[email protected]>
AuthorDate: Thu Sep 6 09:25:13 2018 -0500
Correct interpretation of proxy.config.ssl.client.verify.server
(cherry picked from commit 5b8136e335e2bef67194a658b3ea6501d62369d9)
Conflicts:
src/traffic_server/InkAPI.cc
src/traffic_server/InkAPITest.cc
---
doc/admin-guide/files/records.config.en.rst | 4 +++-
doc/admin-guide/files/ssl_server_name.yaml.en.rst | 2 ++
doc/developer-guide/api/types/TSOverridableConfigKey.en.rst | 1 -
include/ts/apidefs.h.in | 1 -
iocore/net/SSLNetVConnection.cc | 5 +++--
plugins/lua/ts_lua_http_config.c | 2 --
proxy/http/HttpConfig.cc | 2 --
proxy/http/HttpSM.cc | 10 ++++------
src/traffic_server/InkAPI.cc | 5 -----
src/traffic_server/InkAPITest.cc | 1 -
10 files changed, 12 insertions(+), 21 deletions(-)
diff --git a/doc/admin-guide/files/records.config.en.rst
b/doc/admin-guide/files/records.config.en.rst
index 7ef65a6..ce545e3 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3318,15 +3318,17 @@ Client-Related Configuration
.. ts:cv:: CONFIG proxy.config.ssl.client.verify.server INT 0
:reloadable:
- :overridable:
Configures Traffic Server to verify the origin server certificate
with the Certificate Authority (CA). This configuration takes a value
between 0 to 2.
+ You can override this global setting on a per domain basis in the
ssl_servername.yaml file using the :ref:`verify_origin_server
attribute<override-verify-origin-server>`.
+
:0: Server Certificate will not be verified
:1: Certificate will be verified and the connection will not be established if
verification fails.
:2: The provided certificate will be verified and the connection will be
established irrespective of the verification result. If verification fails the
name of the server will be logged.
+
.. ts:cv:: CONFIG proxy.config.ssl.client.cert.filename STRING NULL
:overridable:
diff --git a/doc/admin-guide/files/ssl_server_name.yaml.en.rst
b/doc/admin-guide/files/ssl_server_name.yaml.en.rst
index 4aa1ebc..4da0c0f 100644
--- a/doc/admin-guide/files/ssl_server_name.yaml.en.rst
+++ b/doc/admin-guide/files/ssl_server_name.yaml.en.rst
@@ -42,6 +42,8 @@ Each table is a set of key / value pairs that create a
configuration item. This
wildcard entries. To apply an SNI based setting on all the servernames with a
common upper level domain name,
the user needs to enter the fqdn in the configuration with a ``*.`` followed
by the common domain name. (``*.yahoo.com`` for e.g.,).
+.. _override-verify-origin-server:
+
=======================
==============================================================================
Key Meaning
=======================
==============================================================================
diff --git a/doc/developer-guide/api/types/TSOverridableConfigKey.en.rst
b/doc/developer-guide/api/types/TSOverridableConfigKey.en.rst
index cb815af..f391d15 100644
--- a/doc/developer-guide/api/types/TSOverridableConfigKey.en.rst
+++ b/doc/developer-guide/api/types/TSOverridableConfigKey.en.rst
@@ -131,7 +131,6 @@ Enumeration Members
.. c:macro:: TS_CONFIG_SSL_CERT_FILENAME
.. c:macro:: TS_CONFIG_SSL_CERT_FILEPATH
.. c:macro:: TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB
- .. c:macro:: TS_CONFIG_SSL_CLIENT_VERIFY_SERVER
.. c:macro:: TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER
.. c:macro:: TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT
.. c:macro:: TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES
diff --git a/include/ts/apidefs.h.in b/include/ts/apidefs.h.in
index 84a1aee..758b48d 100644
--- a/include/ts/apidefs.h.in
+++ b/include/ts/apidefs.h.in
@@ -750,7 +750,6 @@ typedef enum {
TS_CONFIG_SSL_CERT_FILENAME,
TS_CONFIG_SSL_CERT_FILEPATH,
TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB,
- TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER,
TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT,
TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES,
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index b211552..3b61a8e 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1049,8 +1049,9 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
clientCTX = nps->ctx;
clientVerify = nps->verifyLevel;
} else {
- clientCTX = params->client_ctx;
- clientVerify = params->clientVerify;
+ clientCTX = params->client_ctx;
+ // Keeping backwards compatability on the
proxy.config.ssl.client.verify.server setting
+ clientVerify = params->clientVerify ? (params->clientVerify == 1 ? 2 :
1) : 0;
}
if (!clientCTX) {
SSLErrorVC(this, "failed to create SSL client session");
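Review bot: The nested ternary on the new `clientVerify = params->clientVerify ? (params->clientVerify == 1 ? 2 : 1) : 0;` line maps every value other than 0, 1 or 2 to level 1, which by the records.config text in this same commit (1 = verify and refuse on failure, 2 = verify but connect anyway) appears to be the permissive level; an out-of-range or mistyped setting would therefore silently weaken origin certificate verification rather than fail closed. I would replace the ternary with a switch whose default case maps to the strict level, so only an explicit 0 disables verification and only an explicit 2 selects the lenient mode, and fix "compatability" in the accompanying comment while there. sslStartHandShake starts and ends outside this hunk and the consumer of clientVerify is not visible here, so the strict/permissive meaning of the internal values 2 and 1 is inferred from the mapping and should be confirmed.
```cpp
      clientCTX = params->client_ctx;
      // Keep backwards compatibility with proxy.config.ssl.client.verify.server as documented
      // in records.config (0 = off, 1 = strict, 2 = permissive); the internal level is inverted
      // and anything outside 0..2 falls back to the strict level rather than the permissive one.
      switch (params->clientVerify) {
      case 0:
        clientVerify = 0;
        break;
      case 2:
        clientVerify = 1;
        break;
      default:
        clientVerify = 2;
        break;
      }
      // … unchanged: remainder of the else branch and clientCTX check …
```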
diff --git a/plugins/lua/ts_lua_http_config.c b/plugins/lua/ts_lua_http_config.c
index 6110f76..f4c3ae9 100644
--- a/plugins/lua/ts_lua_http_config.c
+++ b/plugins/lua/ts_lua_http_config.c
@@ -119,7 +119,6 @@ typedef enum {
TS_LUA_CONFIG_SSL_CERT_FILENAME =
TS_CONFIG_SSL_CERT_FILENAME,
TS_LUA_CONFIG_SSL_CERT_FILEPATH =
TS_CONFIG_SSL_CERT_FILEPATH,
TS_LUA_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB =
TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB,
- TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER =
TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
TS_LUA_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER =
TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER,
TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT =
TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT,
TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES =
TS_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES,
@@ -246,7 +245,6 @@ ts_lua_var_item ts_lua_http_config_vars[] = {
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_SSL_CERT_FILENAME),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_SSL_CERT_FILEPATH),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB),
- TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_TEXT),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_CACHE_VARY_DEFAULT_IMAGES),
diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc
index 1911483..d0df865 100644
--- a/proxy/http/HttpConfig.cc
+++ b/proxy/http/HttpConfig.cc
@@ -1185,7 +1185,6 @@ HttpConfig::startup()
HttpEstablishStaticConfigByte(c.errors_log_error_pages,
"proxy.config.http.errors.log_error_pages");
HttpEstablishStaticConfigLongLong(c.oride.slow_log_threshold,
"proxy.config.http.slow.log.threshold");
- HttpEstablishStaticConfigByte(c.oride.ssl_client_verify_server,
"proxy.config.ssl.client.verify.server");
HttpEstablishStaticConfigByte(c.oride.send_http11_requests,
"proxy.config.http.send_http11_requests");
HttpEstablishStaticConfigByte(c.oride.allow_multi_range,
"proxy.config.http.allow_multi_range");
@@ -1458,7 +1457,6 @@ HttpConfig::reconfigure()
params->url_remap_required =
INT_TO_BOOL(m_master.url_remap_required);
params->errors_log_error_pages =
INT_TO_BOOL(m_master.errors_log_error_pages);
params->oride.slow_log_threshold = m_master.oride.slow_log_threshold;
- params->oride.ssl_client_verify_server =
m_master.oride.ssl_client_verify_server;
params->oride.send_http11_requests =
m_master.oride.send_http11_requests;
params->oride.doc_in_cache_skip_dns =
INT_TO_BOOL(m_master.oride.doc_in_cache_skip_dns);
params->oride.default_buffer_size_index =
m_master.oride.default_buffer_size_index;
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 8e9c40d..b0cfc1a 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -5386,12 +5386,10 @@ HttpSM::handle_http_server_open()
NetVConnection *vc = server_session->get_netvc();
if (vc != nullptr && (vc->options.sockopt_flags !=
t_state.txn_conf->sock_option_flag_out ||
vc->options.packet_mark !=
t_state.txn_conf->sock_packet_mark_out ||
- vc->options.packet_tos !=
t_state.txn_conf->sock_packet_tos_out ||
- vc->options.clientVerificationFlag !=
t_state.txn_conf->ssl_client_verify_server)) {
- vc->options.sockopt_flags =
t_state.txn_conf->sock_option_flag_out;
- vc->options.packet_mark =
t_state.txn_conf->sock_packet_mark_out;
- vc->options.packet_tos =
t_state.txn_conf->sock_packet_tos_out;
- vc->options.clientVerificationFlag =
t_state.txn_conf->ssl_client_verify_server;
+ vc->options.packet_tos !=
t_state.txn_conf->sock_packet_tos_out)) {
+ vc->options.sockopt_flags = t_state.txn_conf->sock_option_flag_out;
+ vc->options.packet_mark = t_state.txn_conf->sock_packet_mark_out;
+ vc->options.packet_tos = t_state.txn_conf->sock_packet_tos_out;
vc->apply_options();
}
}
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index c732dae..372b855 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
@@ -8123,9 +8123,6 @@ _conf_to_memberp(TSOverridableConfigKey conf,
OverridableHttpConfigParams *overr
case TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB:
ret =
_memberp_to_generic(&overridableHttpConfig->parent_failures_update_hostdb,
typep);
break;
- case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER:
- ret =
_memberp_to_generic(&overridableHttpConfig->ssl_client_verify_server, typep);
- break;
case TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER:
ret =
_memberp_to_generic(&overridableHttpConfig->cache_enable_default_vary_headers,
typep);
break;
@@ -8479,8 +8476,6 @@ TSHttpTxnConfigFind(const char *name, int length,
TSOverridableConfigKey *conf,
if (!strncmp(name, "proxy.config.http.response_server_str", length)) {
cnf = TS_CONFIG_HTTP_RESPONSE_SERVER_STR;
typ = TS_RECORDDATATYPE_STRING;
- } else if (!strncmp(name, "proxy.config.ssl.client.verify.server",
length)) {
- cnf = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER;
}
break;
case 't':
diff --git a/src/traffic_server/InkAPITest.cc b/src/traffic_server/InkAPITest.cc
index 6193a0b..bbe5144 100644
--- a/src/traffic_server/InkAPITest.cc
+++ b/src/traffic_server/InkAPITest.cc
@@ -8670,7 +8670,6 @@ const char *SDK_Overridable_Configs[TS_CONFIG_LAST_ENTRY]
= {"proxy.config.url_r
"proxy.config.ssl.client.cert.filename",
"proxy.config.ssl.client.cert.path",
"proxy.config.http.parent_proxy.mark_down_hostdb",
-
"proxy.config.ssl.client.verify.server",
"proxy.config.http.cache.enable_default_vary_headers",
"proxy.config.http.cache.vary_default_text",
"proxy.config.http.cache.vary_default_images",