This is an automated email from the ASF dual-hosted git repository. shinrich pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 548368334753553468f3fbabe41f4e09342afa33 Author: Susan Hinrichs <[email protected]> AuthorDate: Wed Aug 7 19:24:34 2019 +0000 Refactor the alpn/npn handling into common ALPNSupport class --- iocore/net/ALPNSupport.cc | 82 +++++++++++++++++++++++++++++++++++ iocore/net/Makefile.am | 2 + iocore/net/P_ALPNSupport.h | 71 ++++++++++++++++++++++++++++++ iocore/net/P_QUICNetVConnection.h | 23 +++------- iocore/net/P_SNIActionPerformer.h | 2 +- iocore/net/P_SSLNetVConnection.h | 29 +------------ iocore/net/QUICNetVConnection.cc | 36 +++------------ iocore/net/QUICNextProtocolAccept.cc | 3 +- iocore/net/SSLNetVConnection.cc | 60 ++++--------------------- iocore/net/SSLNextProtocolAccept.cc | 1 - iocore/net/quic/Mock.h | 26 ----------- iocore/net/quic/QUICConnection.h | 14 +++--- src/traffic_server/InkAPI.cc | 13 +++--- tests/gold_tests/h2/h2disable.test.py | 3 +- tests/gold_tests/h2/h2enable.test.py | 1 + 15 files changed, 193 insertions(+), 173 deletions(-) diff --git a/iocore/net/ALPNSupport.cc b/iocore/net/ALPNSupport.cc new file mode 100644 index 0000000..bf6874c --- /dev/null +++ b/iocore/net/ALPNSupport.cc 
@@ -0,0 +1,82 @@
+/** @file
+
+ ALPNSupport.cc provides implmentations for ALPNSupport methods
+
+ @section license License
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#include "P_ALPNSupport.h"
+#include "P_SSLNextProtocolSet.h"
+#include "records/I_RecHttp.h"
+
+void
+ALPNSupport::clear()
+{
+ if (npn) {
+ ats_free(npn);
+ npn = nullptr;
+ npnsz = 0;
+ }
+ npnSet = nullptr;
+ npnEndpoint = nullptr;
+}
+
+bool
+ALPNSupport::setSelectedProtocol(const unsigned char *proto, unsigned int len)
+{
+ // If there's no NPN set, we should not have done this negotiation.
+ ink_assert(this->npnSet != nullptr);
+
+ this->npnEndpoint = this->npnSet->findEndpoint(proto, static_cast<unsigned>(len));
+ this->npnSet = nullptr;
+
+ if (this->npnEndpoint == nullptr) {
+ Error("failed to find registered SSL endpoint for '%.*s'", len, proto);
+ return false;
+ }
+ return true;
+}
+
+void
+ALPNSupport::disableProtocol(int idx)
+{
+ this->protoenabled.markOut(idx);
+ // Update the npn string
+ if (npnSet) {
+ npnSet->create_npn_advertisement(protoenabled, &npn, &npnsz);
+ }
+}
+
+void
+ALPNSupport::enableProtocol(int idx)
+{
+ this->protoenabled.markIn(idx);
+ // Update the npn string
+ if (npnSet) {
+ npnSet->create_npn_advertisement(protoenabled, &npn, &npnsz);
+ }
+}
+
+void
+ALPNSupport::registerNextProtocolSet(SSLNextProtocolSet *s, const SessionProtocolSet &protos)
+{
+ this->protoenabled = protos;
+ this->npnSet = s;
+ npnSet->create_npn_advertisement(protoenabled, &npn, &npnsz);
+}
diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am
index 898eb9b..2ec6f4e 100644
--- a/iocore/net/Makefile.am
+++ b/iocore/net/Makefile.am
@@ -86,6 +86,7 @@ test_UDPNet_SOURCES = \
 test_I_UDPNet.cc libinknet_a_SOURCES = \
+ ALPNSupport.cc \
 BIO_fastopen.cc \
 BIO_fastopen.h \
 Connection.cc \
@@ -102,6 +103,7 @@ libinknet_a_SOURCES = \
 YamlSNIConfig.cc \
 Net.cc \
 NetVConnection.cc \
+ P_ALPNSupport.h \
 P_SNIActionPerformer.h \
 P_CompletionUtil.h \
 P_Connection.h \
diff --git a/iocore/net/P_ALPNSupport.h b/iocore/net/P_ALPNSupport.h
new file mode 100644
index 0000000..75970da
--- /dev/null
+++ b/iocore/net/P_ALPNSupport.h
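Review bot: `setSelectedProtocol` dereferences `this->npnSet` on the line right after `ink_assert(this->npnSet != nullptr)`, and that assert is compiled out of release builds, so a connection that reaches negotiation without a registered protocol set dereferences a null pointer instead of failing the handshake; an explicit guard, `if (this->npnSet == nullptr) { return false; }`, keeps the assert for debug builds and lets the release path return the `false` that both callers already handle. The `Error(...)` call also dropped the `(int)len, (const char *)proto` casts that the SSLNetVConnection original had; `%.*s` takes an `int` precision and a `char *`, so reinstating them keeps format checking clean. The success-path `Debug("ssl", "client selected next protocol '%.*s'", len, proto)` that the SSL version emitted has no counterpart here (see the SSLNetVConnection.cc hunk), so only failures are now traceable. The file-header comment has a typo: `implmentations` → `implementations`.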
@@ -0,0 +1,71 @@
+/** @file
+
+ ALPNSupport implements common methods and members to
+ support protocols for ALPN negotiation
+
+ @section license License
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#pragma once
+#include "records/I_RecHttp.h"
+
+class SSLNextProtocolSet;
+class SSLNextProtocolAccept;
+class Continuation;
+
+class ALPNSupport
+{
+public:
+ void registerNextProtocolSet(SSLNextProtocolSet *, const SessionProtocolSet &protos);
+ void disableProtocol(int idx);
+ void enableProtocol(int idx);
+ void clear();
+ bool setSelectedProtocol(const unsigned char *proto, unsigned int len);
+
+ Continuation *
+ endpoint() const
+ {
+ return npnEndpoint;
+ }
+
+ bool
+ getNPN(const unsigned char **out, unsigned int *outlen) const
+ {
+ if (this->npn && this->npnsz) {
+ *out = this->npn;
+ *outlen = this->npnsz;
+ return true;
+ }
+ return false;
+ }
+
+ const SSLNextProtocolSet *
+ getNextProtocolSet() const
+ {
+ return npnSet;
+ }
+
+private:
+ const SSLNextProtocolSet *npnSet = nullptr;
+ SessionProtocolSet protoenabled;
+ // Local copies of the npn strings
+ unsigned char *npn = nullptr;
+ size_t npnsz = 0;
+ Continuation *npnEndpoint = nullptr;
+};
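Review bot: `getNPN` stores a `size_t` (`npnsz`) into the `unsigned int *outlen` that the OpenSSL advertise callback passes through, a silent narrowing on `*outlen = this->npnsz;`; either declare `npnsz` as `unsigned int` to match the callback ABI or write `*outlen = static_cast<unsigned int>(this->npnsz);` so the intent is explicit. The public API carries no documentation: a block above the class along the lines of `/// Mixin holding a net VConnection's ALPN/NPN state: the registered SSLNextProtocolSet, the enabled-protocol mask, the advertised wire string (npn/npnsz, owned here and released by clear()) and the endpoint chosen by setSelectedProtocol().`, plus a one-liner noting that `setSelectedProtocol` consumes `npnSet` so later `enableProtocol`/`disableProtocol` calls no longer rebuild the advertisement, would help both subclasses. `clear()` leaves `protoenabled` untouched, so a recycled VConnection keeps the previous connection's mask until `registerNextProtocolSet` overwrites it — the old SSLNetVConnection::clear() behaved the same, so probably intended, but worth a comment on the member. The forward declaration `class SSLNextProtocolAccept;` is not used in this header.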
diff --git a/iocore/net/P_QUICNetVConnection.h b/iocore/net/P_QUICNetVConnection.h index d9a0adb..925a4fe 100644 --- a/iocore/net/P_QUICNetVConnection.h +++ b/iocore/net/P_QUICNetVConnection.h @@ -127,7 +127,11 @@ class SSLNextProtocolSet; * WRITE: * Do nothing **/ -class QUICNetVConnection : public UnixNetVConnection, public QUICConnection, public QUICFrameGenerator, public RefCountObj +class QUICNetVConnection : public UnixNetVConnection, + public QUICConnection, + public QUICFrameGenerator, + public RefCountObj, + public ALPNSupport { using super = UnixNetVConnection; ///< Parent type. @@ -171,15 +175,6 @@ public: int select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned inlen) const override; - void - setEnabledProtocols(const SessionProtocolSet &protos) - { - this->_protoenabled = protos; - } - - // QUICNetVConnection - void registerNextProtocolSet(SSLNextProtocolSet *s); - // QUICConnection QUICStreamManager *stream_manager() override; void close(QUICConnectionErrorUPtr error) override; @@ -195,8 +190,6 @@ public: const QUICFiveTuple five_tuple() const override; uint32_t pmtu() const override; NetVConnectionContext_t direction() const override; - SSLNextProtocolSet *next_protocol_set() const override; - const SessionProtocolSet &get_enabled_protocols() const override; std::string_view negotiated_application_name() const override; bool is_closed() const override; @@ -245,12 +238,6 @@ private: uint32_t _pmtu = 1280; - SSLNextProtocolSet *_next_protocol_set = nullptr; - SessionProtocolSet _protoenabled; - // Local copies of the npn strings - unsigned char *_npn = nullptr; - size_t _npnsz = 0; - // TODO: use custom allocator and make them std::unique_ptr or std::shared_ptr // or make them just member variables. QUICHandshake *_handshake_handler = nullptr; diff --git a/iocore/net/P_SNIActionPerformer.h b/iocore/net/P_SNIActionPerformer.h index 1de840c..5e9f352 100644 
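Review bot: `QUICNetVConnection` now lists `ALPNSupport` as a base, but no hunk in this header adds `#include "P_ALPNSupport.h"`; the only include this commit adds is in `P_SSLNetVConnection.h`, so if the type reaches this file transitively the declaration breaks as soon as that include order changes — add `#include "P_ALPNSupport.h"` next to this file's other `P_` includes (the include block is above line 127 and outside the hunks, so verify it is not already there). `ALPNSupport` declares no virtual functions, which the `dynamic_cast<ALPNSupport *>` cross-cast in InkAPI.cc tolerates only because the VConnection side is polymorphic; a short comment on the base list, `// ALPNSupport is a plain mixin; InkAPI cross-casts to it from UnixNetVConnection`, would save the next reader that check.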
--- a/iocore/net/P_SNIActionPerformer.h +++ b/iocore/net/P_SNIActionPerformer.h @@ -55,7 +55,7 @@ public: if (ssl_vc) { if (!enable_h2) { ssl_vc->disableProtocol(TS_ALPN_PROTOCOL_INDEX_HTTP_2_0); - } else if (enable_h2) { + } else { ssl_vc->enableProtocol(TS_ALPN_PROTOCOL_INDEX_HTTP_2_0); } } diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h index ef3b625..0240ee7 100644 --- a/iocore/net/P_SSLNetVConnection.h +++ b/iocore/net/P_SSLNetVConnection.h @@ -42,7 +42,7 @@ #include "P_EventSystem.h" #include "P_UnixNetVConnection.h" #include "P_UnixNet.h" -#include "records/I_RecHttp.h" +#include "P_ALPNSupport.h" // These are included here because older OpenSSL libraries don't have them. // Don't copy these defines, or use their values directly, they are merely @@ -68,8 +68,6 @@ #define SSL_DEF_TLS_RECORD_BYTE_THRESHOLD 1000000 #define SSL_DEF_TLS_RECORD_MSEC_THRESHOLD 1000 -class SSLNextProtocolSet; -class SSLNextProtocolAccept; struct SSLCertLookup; typedef enum { @@ -88,7 +86,7 @@ enum SSLHandshakeStatus { SSL_HANDSHAKE_ONGOING, SSL_HANDSHAKE_DONE, SSL_HANDSHA // A VConnection for a network socket. // ////////////////////////////////////////////////////////////////// -class SSLNetVConnection : public UnixNetVConnection +class SSLNetVConnection : public UnixNetVConnection, public ALPNSupport { typedef UnixNetVConnection super; ///< Parent type. @@ -142,7 +140,6 @@ public: int sslClientHandShakeEvent(int &err); void net_read_io(NetHandler *nh, EThread *lthread) override; int64_t load_buffer_and_write(int64_t towrite, MIOBufferAccessor &buf, int64_t &total_written, int &needs) override; - void registerNextProtocolSet(SSLNextProtocolSet *, const SessionProtocolSet &protos); void do_io_close(int lerrno = -1) override; //////////////////////////////////////////////////////////// 
@@ -156,21 +153,6 @@ public: static int select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned inlen, void *); - Continuation * - endpoint() const - { - return npnEndpoint; - } - - void disableProtocol(int idx); - void enableProtocol(int idx); - - void - setEnabledProtocols(const SessionProtocolSet &protos) - { - this->protoenabled = protos; - } - bool getSSLClientRenegotiationAbort() const { @@ -459,13 +441,6 @@ private: HANDSHAKE_HOOKS_DONE } sslHandshakeHookState = HANDSHAKE_HOOKS_PRE; - const SSLNextProtocolSet *npnSet = nullptr; - Continuation *npnEndpoint = nullptr; - SessionProtocolSet protoenabled; - // Local copies of the npn strings - unsigned char *npn = nullptr; - size_t npnsz = 0; - int64_t redoWriteSize = 0; char *tunnel_host = nullptr; in_port_t tunnel_port = 0; diff --git a/iocore/net/QUICNetVConnection.cc b/iocore/net/QUICNetVConnection.cc index 36f55cc..6755703 100644 --- a/iocore/net/QUICNetVConnection.cc +++ b/iocore/net/QUICNetVConnection.cc @@ -503,11 +503,7 @@ QUICNetVConnection::free(EThread *t) super::clear(); */ - if (this->_npn) { - ats_free(this->_npn); - this->_npn = nullptr; - this->_npnsz = 0; - } + ALPNSupport::clear(); this->_packet_handler->close_connection(this); } 
@@ -1019,23 +1015,18 @@ QUICNetVConnection::protocol_contains(std::string_view prefix) const return retval; } -void -QUICNetVConnection::registerNextProtocolSet(SSLNextProtocolSet *s) -{ - this->_next_protocol_set = s; - this->_next_protocol_set->create_npn_advertisement(this->_protoenabled, &this->_npn, &this->_npnsz); -} - // ALPN TLS extension callback. Given the client's set of offered // protocols, we have to select a protocol to use for this session. int QUICNetVConnection::select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned inlen) const { - if (this->_npn && this->_npnsz) { + const unsigned char *npnptr = nullptr; + unsigned int npnsize = 0; + if (this->getNPN(&npnptr, &npnsize)) { // SSL_select_next_proto chooses the first server-offered protocol that appears in the clients protocol set, ie. the // server selects the protocol. This is a n^2 search, so it's preferable to keep the protocol set short. - if (SSL_select_next_proto((unsigned char **)out, outlen, this->_npn, this->_npnsz, in, inlen) == OPENSSL_NPN_NEGOTIATED) { + if (SSL_select_next_proto((unsigned char **)out, outlen, npnptr, npnsize, in, inlen) == OPENSSL_NPN_NEGOTIATED) { Debug("ssl", "selected ALPN protocol %.*s", (int)(*outlen), *out); return SSL_TLSEXT_ERR_OK; } @@ -1052,18 +1043,6 @@ QUICNetVConnection::is_closed() const return this->handler == reinterpret_cast<NetVConnHandler>(&QUICNetVConnection::state_connection_closed); } -SSLNextProtocolSet * -QUICNetVConnection::next_protocol_set() const -{ - return this->_next_protocol_set; -} - -const SessionProtocolSet & -QUICNetVConnection::get_enabled_protocols() const -{ - return this->_protoenabled; -} - QUICPacketNumber QUICNetVConnection::_largest_acked_packet_number(QUICEncryptionLevel level) const { 
@@ -2049,11 +2028,10 @@ QUICNetVConnection::_start_application() } if (netvc_context == NET_VCONNECTION_IN) { - Continuation *endpoint = this->_next_protocol_set->findEndpoint(app_name, app_name_len); - if (endpoint == nullptr) { + if (!this->setSelectedProtocol(app_name, app_name_len)) { this->_handle_error(std::make_unique<QUICConnectionError>(QUICTransErrorCode::VERSION_NEGOTIATION_ERROR)); } else { - endpoint->handleEvent(NET_EVENT_ACCEPT, this); + this->endpoint()->handleEvent(NET_EVENT_ACCEPT, this); } } else { this->action_.continuation->handleEvent(NET_EVENT_OPEN, this); diff --git a/iocore/net/QUICNextProtocolAccept.cc b/iocore/net/QUICNextProtocolAccept.cc index 4662a09..53faf43 100644 --- a/iocore/net/QUICNextProtocolAccept.cc +++ b/iocore/net/QUICNextProtocolAccept.cc @@ -54,8 +54,7 @@ QUICNextProtocolAccept::mainEvent(int event, void *edata) switch (event) { case NET_EVENT_ACCEPT: ink_release_assert(netvc != nullptr); - netvc->setEnabledProtocols(this->protoenabled); - netvc->registerNextProtocolSet(&this->protoset); + netvc->registerNextProtocolSet(&this->protoset, this->protoenabled); return EVENT_CONT; default: netvc->do_io_close(); diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 2dbe2d9..309391c 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -25,7 +25,6 @@ #include "tscore/EventNotify.h" #include "tscore/I_Layout.h" #include "tscore/TSSystemState.h" -#include "records/I_RecHttp.h" #include "InkAPIInternal.h" // Added to include the ssl_hook definitions #include "Log.h" @@ -34,7 +33,6 @@ #include "HttpConfig.h" #include "P_Net.h" -#include "P_SSLNextProtocolSet.h" #include "P_SSLUtils.h" #include "P_SSLConfig.h" #include "P_SSLClientUtils.h" @@ -42,6 +40,7 @@ #include "BIO_fastopen.h" #include "SSLStats.h" #include "SSLInternal.h" +#include "P_ALPNSupport.h" #include <climits> #include <string> 
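Review bot: `setSelectedProtocol` sets `npnSet` to nullptr after the lookup (see ALPNSupport.cc), whereas the replaced code read `_next_protocol_set` without consuming it, so if `_start_application` can run more than once on an inbound connection the second call now trips `ink_assert(this->npnSet != nullptr)` in debug builds and dereferences nullptr in release builds; please confirm it is entered exactly once per connection, or guard the call with `if (this->getNextProtocolSet() != nullptr && this->setSelectedProtocol(app_name, app_name_len))`. The failure is still reported as `VERSION_NEGOTIATION_ERROR`, which predates this change. The start of `_start_application` lies outside the hunk.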
@@ -889,11 +888,7 @@ SSLNetVConnection::clear() SSL_free(ssl); ssl = nullptr; } - if (npn) { - ats_free(npn); - npn = nullptr; - npnsz = 0; - } + ALPNSupport::clear(); sslHandshakeStatus = SSL_HANDSHAKE_ONGOING; sslHandshakeBeginTime = 0; @@ -904,8 +899,6 @@ SSLNetVConnection::clear() curHook = nullptr; hookOpRequested = SSL_HOOK_OP_DEFAULT; - npnSet = nullptr; - npnEndpoint = nullptr; free_handshake_buffers(); super::clear(); @@ -1268,17 +1261,9 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) } if (len) { - // If there's no NPN set, we should not have done this negotiation. - ink_assert(this->npnSet != nullptr); - - this->npnEndpoint = this->npnSet->findEndpoint(proto, len); - this->npnSet = nullptr; - - if (this->npnEndpoint == nullptr) { - Error("failed to find registered SSL endpoint for '%.*s'", (int)len, (const char *)proto); + if (!this->setSelectedProtocol(proto, len)) { return EVENT_ERROR; } - Debug("ssl", "client selected next protocol '%.*s'", len, proto); } else { Debug("ssl", "client did not select a next protocol"); @@ -1457,34 +1442,6 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err) return EVENT_CONT; } -void -SSLNetVConnection::disableProtocol(int idx) -{ - this->protoenabled.markOut(idx); - // Update the npn string - if (npnSet) { - npnSet->create_npn_advertisement(protoenabled, &npn, &npnsz); - } -} - -void -SSLNetVConnection::enableProtocol(int idx) -{ - this->protoenabled.markIn(idx); - // Update the npn string - if (npnSet) { - npnSet->create_npn_advertisement(protoenabled, &npn, &npnsz); - } -} - -void -SSLNetVConnection::registerNextProtocolSet(SSLNextProtocolSet *s, const SessionProtocolSet &protos) -{ - this->protoenabled = protos; - this->npnSet = s; - npnSet->create_npn_advertisement(protoenabled, &npn, &npnsz); -} - // NextProtocolNegotiation TLS extension callback. The NPN extension // allows the client to select a preferred protocol, so all we have // to do here is tell them what out protocol set is. 
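Review bot: The `ALPNSupport::clear();` call inside `SSLNetVConnection::clear()` must stay qualified — the derived `clear()` hides the base one, and an unqualified call would recurse — so a comment on that line, `// Base-class reset; an unqualified clear() would call ourselves`, protects it from a future tidy-up (the same applies to the `ALPNSupport::clear()` call in `QUICNetVConnection::free`). In `sslServerHandShakeEvent` the removed lines included `Debug("ssl", "client selected next protocol '%.*s'", len, proto);`, and `ALPNSupport::setSelectedProtocol` logs only the failure case, so a successful negotiation is no longer visible under the ssl debug tag; restore that line after the `if (!this->setSelectedProtocol(proto, len))` block.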
@@ -1495,13 +1452,10 @@ SSLNetVConnection::advertise_next_protocol(SSL *ssl, const unsigned char **out, ink_release_assert(netvc != nullptr); - if (netvc->npn && netvc->npnsz) { - *out = netvc->npn; - *outlen = netvc->npnsz; + if (netvc->getNPN(out, outlen)) { // Successful return tells OpenSSL to advertise. return SSL_TLSEXT_ERR_OK; } - return SSL_TLSEXT_ERR_NOACK; } @@ -1514,10 +1468,12 @@ SSLNetVConnection::select_next_protocol(SSL *ssl, const unsigned char **out, uns SSLNetVConnection *netvc = SSLNetVCAccess(ssl); ink_release_assert(netvc != nullptr); - if (netvc->npn && netvc->npnsz) { + const unsigned char *npnptr = nullptr; + unsigned int npnsize = 0; + if (netvc->getNPN(&npnptr, &npnsize)) { // SSL_select_next_proto chooses the first server-offered protocol that appears in the clients protocol set, ie. the // server selects the protocol. This is a n^2 search, so it's preferable to keep the protocol set short. - if (SSL_select_next_proto((unsigned char **)out, outlen, netvc->npn, netvc->npnsz, in, inlen) == OPENSSL_NPN_NEGOTIATED) { + if (SSL_select_next_proto((unsigned char **)out, outlen, npnptr, npnsize, in, inlen) == OPENSSL_NPN_NEGOTIATED) { Debug("ssl", "selected ALPN protocol %.*s", (int)(*outlen), *out); return SSL_TLSEXT_ERR_OK; } diff --git a/iocore/net/SSLNextProtocolAccept.cc b/iocore/net/SSLNextProtocolAccept.cc index 7d4b39f..942bf02 100644 --- a/iocore/net/SSLNextProtocolAccept.cc +++ b/iocore/net/SSLNextProtocolAccept.cc @@ -135,7 +135,6 @@ SSLNextProtocolAccept::mainEvent(int event, void *edata) // force the SSLNetVConnection to complete the SSL handshake. Don't tell // the endpoint that there is an accept to handle until the read completes // and we know which protocol was negotiated. - netvc->setEnabledProtocols(this->protoenabled); netvc->registerNextProtocolSet(&this->protoset, this->protoenabled); netvc->do_io_read(new SSLNextProtocolTrampoline(this, netvc->mutex), 0, this->buffer); return EVENT_CONT; 
diff --git a/iocore/net/quic/Mock.h b/iocore/net/quic/Mock.h index cb107c9..d4692b0 100644 --- a/iocore/net/quic/Mock.h +++ b/iocore/net/quic/Mock.h @@ -214,18 +214,6 @@ public: return _direction; } - SSLNextProtocolSet * - next_protocol_set() const override - { - return nullptr; - } - - const SessionProtocolSet & - get_enabled_protocols() const override - { - return _protocolsenabled; - } - void close(QUICConnectionErrorUPtr error) override { @@ -281,7 +269,6 @@ public: QUICTransportParametersInEncryptedExtensions dummy_transport_parameters(); NetVConnectionContext_t _direction; - SessionProtocolSet _protocolsenabled; }; class MockQUICConnectionInfoProvider : public QUICConnectionInfoProvider @@ -335,17 +322,6 @@ class MockQUICConnectionInfoProvider : public QUICConnectionInfoProvider return NET_VCONNECTION_OUT; } - SSLNextProtocolSet * - next_protocol_set() const override - { - return nullptr; - } - const SessionProtocolSet & - get_enabled_protocols() const override - { - return _protocolsenabled; - } - int select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned inlen) const override @@ -364,8 +340,6 @@ class MockQUICConnectionInfoProvider : public QUICConnectionInfoProvider { return negotiated_application_name_sv; } - - SessionProtocolSet _protocolsenabled; }; class MockQUICCongestionController : public QUICCongestionController diff --git a/iocore/net/quic/QUICConnection.h b/iocore/net/quic/QUICConnection.h index c57b19f..d2c3d56 100644 --- a/iocore/net/quic/QUICConnection.h +++ b/iocore/net/quic/QUICConnection.h @@ -30,8 +30,6 @@ class QUICApplication; class QUICStreamManager; class UDPPacket; -class SSLNextProtocolSet; -class SessionProtocolSet; class QUICConnectionInfoProvider { 
@@ -43,14 +41,12 @@ public: virtual std::string_view cids() const = 0; virtual const QUICFiveTuple five_tuple() const = 0; - virtual uint32_t pmtu() const = 0; - virtual NetVConnectionContext_t direction() const = 0; - virtual SSLNextProtocolSet *next_protocol_set() const = 0; - virtual const SessionProtocolSet &get_enabled_protocols() const = 0; + virtual uint32_t pmtu() const = 0; + virtual NetVConnectionContext_t direction() const = 0; virtual int select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, - unsigned inlen) const = 0; - virtual bool is_closed() const = 0; - virtual std::string_view negotiated_application_name() const = 0; + unsigned inlen) const = 0; + virtual bool is_closed() const = 0; + virtual std::string_view negotiated_application_name() const = 0; }; class QUICConnection : public QUICFrameHandler, public QUICConnectionInfoProvider diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc index d4c56b3..6b93fbb 100644 --- a/src/traffic_server/InkAPI.cc +++ b/src/traffic_server/InkAPI.cc @@ -7169,7 +7169,6 @@ TSNetAcceptNamedProtocol(TSCont contp, const char *protocol) sdk_assert(sdk_sanity_check_continuation(contp) == TS_SUCCESS); if (!ssl_register_protocol(protocol, (INKContInternal *)contp)) { - // ssl_unregister_protocol(protocol, (INKContInternal *)contp); return TS_ERROR; } @@ -9420,9 +9419,9 @@ TSVConnProtocolEnable(TSVConn connp, const char *protocol_name) TSReturnCode retval = TS_ERROR; int protocol_idx = globalSessionProtocolNameRegistry.toIndexConst(std::string_view{protocol_name}); auto net_vc = reinterpret_cast<UnixNetVConnection *>(connp); - auto ssl_vc = dynamic_cast<SSLNetVConnection *>(net_vc); - if (ssl_vc) { - ssl_vc->enableProtocol(protocol_idx); + auto alpn_vc = dynamic_cast<ALPNSupport *>(net_vc); + if (alpn_vc) { + alpn_vc->enableProtocol(protocol_idx); retval = TS_SUCCESS; } return retval; 
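Review bot: `TSVConnProtocolEnable` and `TSVConnProtocolDisable` (next hunk) now share the same lookup, a `reinterpret_cast<UnixNetVConnection *>` followed by `dynamic_cast<ALPNSupport *>`, with nothing saying why a cross-cast to a class that declares no virtual functions is valid; a comment on the `dynamic_cast` line such as `// Cross-cast to the ALPNSupport mixin (SSL and QUIC VConnections); relies on UnixNetVConnection being polymorphic`, or a small `static ALPNSupport *alpn_support_of(TSVConn connp)` helper used by both functions, would document it once. Behaviour for a VConnection without ALPN support (`TS_ERROR`) is unchanged.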
@@ -9434,9 +9433,9 @@ TSVConnProtocolDisable(TSVConn connp, const char *protocol_name) TSReturnCode retval = TS_ERROR; int protocol_idx = globalSessionProtocolNameRegistry.toIndexConst(std::string_view{protocol_name}); auto net_vc = reinterpret_cast<UnixNetVConnection *>(connp); - auto ssl_vc = dynamic_cast<SSLNetVConnection *>(net_vc); - if (ssl_vc) { - ssl_vc->disableProtocol(protocol_idx); + auto alpn_vc = dynamic_cast<ALPNSupport *>(net_vc); + if (alpn_vc) { + alpn_vc->disableProtocol(protocol_idx); retval = TS_SUCCESS; } return retval; diff --git a/tests/gold_tests/h2/h2disable.test.py b/tests/gold_tests/h2/h2disable.test.py index 945eedf..f9347b6 100644 --- a/tests/gold_tests/h2/h2disable.test.py +++ b/tests/gold_tests/h2/h2disable.test.py @@ -53,7 +53,8 @@ ts.Disk.records_config.update({ 'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir), 'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir), 'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2', - 'proxy.config.url_remap.pristine_host_hdr': 1 + 'proxy.config.url_remap.pristine_host_hdr': 1, + 'proxy.config.accept_threads': 1 }) ts.Disk.sni_yaml.AddLines([ diff --git a/tests/gold_tests/h2/h2enable.test.py b/tests/gold_tests/h2/h2enable.test.py index 7ea7dc5..0357e93 100644 --- a/tests/gold_tests/h2/h2enable.test.py +++ b/tests/gold_tests/h2/h2enable.test.py 
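Review bot: Both h2disable.test.py and h2enable.test.py (next hunk) add `'proxy.config.accept_threads': 1` to the records config without a comment or a mention in the commit message, so a reader cannot tell whether the tests became flaky under the refactor with multiple accept threads or whether this is unrelated test hygiene. Add a one-line comment above the setting stating why these tests need a single accept thread, and if the refactor depends on it, say so in the description.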
@@ -53,6 +53,7 @@ ts.Disk.records_config.update({ 'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir), 'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2', 'proxy.config.url_remap.pristine_host_hdr': 1, + 'proxy.config.accept_threads': 1, 'proxy.config.http.server_ports': '{0}:ssl:proto=http {1}'.format(ts.Variables.ssl_port, ts.Variables.port) })
