This is an automated email from the ASF dual-hosted git repository.

maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 6cfdc5ddbf Add an SNI action to reject QUIC connections (#9348)
6cfdc5ddbf is described below

commit 6cfdc5ddbfc951d6ae02e1e09c0a9423e6c008ba
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Fri Jun 23 05:28:19 2023 +0900

    Add an SNI action to reject QUIC connections (#9348)
    
    * Add an SNI action to reject QUIC connections
    
    * Make ControlQUIC NOOP if QUIC stuff is not built
    
    * Move the implementation into the cc file
    
    * Fix link errors
    
    * Add ifdef for non-quic build
    
    * fix build error
    
    * Fix typo
    
    * Fix link error
    
    * Fix link error
    
    * Fix link error
    
    * Improve wording
    
    * Improve wording 2
    
    * Fix link error
---
 doc/admin-guide/files/sni.yaml.en.rst |  7 ++++++-
 iocore/cache/Makefile.am              |  5 +++++
 iocore/net/Makefile.am                | 10 ++++++++++
 iocore/net/P_SNIActionPerformer.h     | 18 ++++++++++++++++++
 iocore/net/SNIActionPerformer.cc      | 29 +++++++++++++++++++++++++++++
 iocore/net/SSLSNIConfig.cc            |  3 +++
 iocore/net/YamlSNIConfig.cc           |  4 ++++
 iocore/net/YamlSNIConfig.h            |  4 +++-
 proxy/http/Makefile.am                |  5 +++++
 9 files changed, 83 insertions(+), 2 deletions(-)

diff --git a/doc/admin-guide/files/sni.yaml.en.rst 
b/doc/admin-guide/files/sni.yaml.en.rst
index b5b7a5b1ba..f7f90089df 100644
--- a/doc/admin-guide/files/sni.yaml.en.rst
+++ b/doc/admin-guide/files/sni.yaml.en.rst
@@ -45,7 +45,7 @@ the user needs to enter the fqdn in the configuration with a 
``*.`` followed by
 For some settings, there is no guarantee that they will be applied to a 
connection under certain conditions.
 An established TLS connection may be reused for another server name if it’s 
used for HTTP/2. This also means that settings
 for server name A may affects requests for server name B as well. See 
https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/
-for a more detailed description of HTTP/2 connection coalescing.
+for a more detailed description of HTTP/2 connection coalescing. A similar 
thing can happen on a QUIC connection for HTTP/3 as well.
 
 .. _override-verify-server-policy:
 .. _override-verify-server-properties:
@@ -174,6 +174,11 @@ http2_buffer_water_mark   Inbound   Specifies the high 
water mark for all HTTP/2
                                     By default this is 
:ts:cv:`proxy.config.http2.default_buffer_water_mark`.
                                     NOTE: Connection coalescing may prevent 
this taking effect.
 
+quic                      Inbound   Indicates whether QUIC connections should 
be accepted. The valid values are :code:`on` or
+                                    :code:`off`. Note that this is a more 
specific setting to configure QUIC availability per server
+                                    name. More broadly, you will also need to 
configure :ts:cv:`proxy.config.http.server_ports` to
+                                    open ports for QUIC.
+
 tunnel_route              Inbound   Destination as an FQDN and port, separated 
by a colon ``:``.
                                     Match group number can be specified by 
``$N`` where N should refer to a specified group
                                     in the FQDN, ``tunnel_route: $1.domain``.
diff --git a/iocore/cache/Makefile.am b/iocore/cache/Makefile.am
index 418621dfc0..b989eb5ff4 100644
--- a/iocore/cache/Makefile.am
+++ b/iocore/cache/Makefile.am
@@ -117,6 +117,11 @@ test_LDADD = \
        @YAMLCPP_LIBS@ \
        -lm
 
+if ENABLE_QUIC
+test_LDADD += \
+  $(top_builddir)/iocore/net/quic/libquic.a
+endif
+
 check_PROGRAMS = \
   test_Cache \
   test_RWW \
diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am
index c9a1b2bc39..b567a359c6 100644
--- a/iocore/net/Makefile.am
+++ b/iocore/net/Makefile.am
@@ -86,6 +86,11 @@ test_UDPNet_LDADD = \
        $(top_builddir)/proxy/ParentSelectionStrategy.o \
        @HWLOC_LIBS@ @OPENSSL_LIBS@ @LIBPCRE@ @YAMLCPP_LIBS@ @SWOC_LIBS@
 
+if ENABLE_QUIC
+test_UDPNet_LDADD += \
+       $(top_builddir)/iocore/net/quic/libquic.a
+endif
+
 test_UDPNet_SOURCES = \
        libinknet_stub.cc \
        test_I_UDPNet.cc
@@ -121,6 +126,11 @@ test_libinknet_LDADD = \
        $(top_builddir)/proxy/ParentSelectionStrategy.o \
        @HWLOC_LIBS@ @OPENSSL_LIBS@ @LIBPCRE@ @YAMLCPP_LIBS@ @SWOC_LIBS@
 
+if ENABLE_QUIC
+test_libinknet_LDADD += \
+       $(top_builddir)/iocore/net/quic/libquic.a
+endif
+
 libinknet_a_SOURCES = \
        ALPNSupport.cc \
        BIO_fastopen.cc \
diff --git a/iocore/net/P_SNIActionPerformer.h 
b/iocore/net/P_SNIActionPerformer.h
index 8375a5be09..601a5b0118 100644
--- a/iocore/net/P_SNIActionPerformer.h
+++ b/iocore/net/P_SNIActionPerformer.h
@@ -43,6 +43,24 @@
 
 #include <vector>
 
+class ControlQUIC : public ActionItem
+{
+public:
+#if TS_USE_QUIC == 1
+  ControlQUIC(bool turn_on) : enable_quic(turn_on) {}
+#else
+  ControlQUIC(bool turn_on) {}
+#endif
+  ~ControlQUIC() override {}
+
+  int SNIAction(TLSSNISupport *snis, const Context &ctx) const override;
+
+private:
+#if TS_USE_QUIC == 1
+  bool enable_quic = false;
+#endif
+};
+
 class ControlH2 : public ActionItem
 {
 public:
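Review bot: The single-argument constructors of `ControlQUIC` in both `#if` branches are not `explicit`, so a bare `bool` converts implicitly into an action item; since the only caller visible in this commit goes through `std::make_unique<ControlQUIC>(...)`, marking them `explicit ControlQUIC(bool turn_on) : enable_quic(turn_on) {}` costs nothing. In the non-QUIC branch the parameter is never read, so `explicit ControlQUIC(bool /* turn_on */) {}` keeps the signature identical across builds without an unused-parameter warning under -Wextra. The class carries no comment on what it does; a header such as `// Rejects the TLS handshake of a QUIC connection with a fatal alert when the matching sni.yaml entry sets quic: off; a no-op for non-QUIC connections and in builds without QUIC support.` would spare readers a trip to the .cc file. `~ControlQUIC() override {}` can be `~ControlQUIC() override = default;`.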
diff --git a/iocore/net/SNIActionPerformer.cc b/iocore/net/SNIActionPerformer.cc
index 9856511bac..46445cf572 100644
--- a/iocore/net/SNIActionPerformer.cc
+++ b/iocore/net/SNIActionPerformer.cc
@@ -28,6 +28,35 @@
 
 #include "P_SNIActionPerformer.h"
 
+#if TS_USE_QUIC == 1
+#include "P_QUICNetVConnection.h"
+#endif
+
+int
+ControlQUIC::SNIAction(TLSSNISupport *snis, const Context &ctx) const
+{
+#if TS_USE_QUIC == 1
+  if (enable_quic) {
+    return SSL_TLSEXT_ERR_OK;
+  }
+
+  // This action is only available for QUIC connections
+  auto *quic_vc = dynamic_cast<QUICNetVConnection *>(snis);
+  if (quic_vc == nullptr) {
+    return SSL_TLSEXT_ERR_OK;
+  }
+
+  if (is_debug_tag_set("ssl_sni")) {
+    const char *servername = quic_vc->get_server_name();
+    Debug("ssl_sni", "Rejecting handshake due to QUIC being disabled for fqdn 
[%s]", servername);
+  }
+
+  return SSL_TLSEXT_ERR_ALERT_FATAL;
+#else
+  return SSL_TLSEXT_ERR_OK;
+#endif
+}
+
 SNI_IpAllow::SNI_IpAllow(std::string &ip_allow_list, std::string const 
&servername)
 {
   swoc::TextView content{ip_allow_list};
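Review bot: In the debug branch of `ControlQUIC::SNIAction`, the pointer returned by `quic_vc->get_server_name()` is handed straight to `%s`; if that accessor can return nullptr for a ClientHello without an SNI extension (its definition is not in this hunk), the format call is undefined behaviour, so either confirm it never returns null or write `Debug("ssl_sni", "... fqdn [%s]", servername ? servername : "");`. The rejection path itself looks right: with `enable_quic` false, a QUIC connection gets `SSL_TLSEXT_ERR_ALERT_FATAL` while a non-QUIC `snis` and non-QUIC builds return `SSL_TLSEXT_ERR_OK` unchanged. `ctx` is unused in both branches, so `const Context & /* ctx */` would state that intent in the signature.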
diff --git a/iocore/net/SSLSNIConfig.cc b/iocore/net/SSLSNIConfig.cc
index 4d35767220..e7749fa469 100644
--- a/iocore/net/SSLSNIConfig.cc
+++ b/iocore/net/SSLSNIConfig.cc
@@ -119,6 +119,9 @@ SNIConfigParams::load_sni_config()
     if (item.offer_h2.has_value()) {
       
ai->actions.push_back(std::make_unique<ControlH2>(item.offer_h2.value()));
     }
+    if (item.offer_quic.has_value()) {
+      
ai->actions.push_back(std::make_unique<ControlQUIC>(item.offer_quic.value()));
+    }
     if (item.verify_client_level != 255) {
       ai->actions.push_back(
         std::make_unique<VerifyClient>(item.verify_client_level, 
item.verify_client_ca_file, item.verify_client_ca_dir));
diff --git a/iocore/net/YamlSNIConfig.cc b/iocore/net/YamlSNIConfig.cc
index 3ae5c4fb95..314adecc85 100644
--- a/iocore/net/YamlSNIConfig.cc
+++ b/iocore/net/YamlSNIConfig.cc
@@ -151,6 +151,7 @@ std::set<std::string> valid_sni_config_keys = {TS_fqdn,
                                                TS_client_sni_policy,
                                                TS_http2,
                                                TS_http2_buffer_water_mark,
+                                               TS_quic,
                                                TS_ip_allow,
 #if TS_USE_HELLO_CB || defined(OPENSSL_IS_BORINGSSL)
                                                TS_valid_tls_versions_in,
@@ -184,6 +185,9 @@ template <> struct convert<YamlSNIConfig::Item> {
     if (node[TS_http2_buffer_water_mark]) {
       item.http2_buffer_water_mark = 
node[TS_http2_buffer_water_mark].as<int>();
     }
+    if (node[TS_quic]) {
+      item.offer_quic = node[TS_quic].as<bool>();
+    }
 
     // enum
     if (node[TS_verify_client]) {
diff --git a/iocore/net/YamlSNIConfig.h b/iocore/net/YamlSNIConfig.h
index 755b82e481..63d9aacd1b 100644
--- a/iocore/net/YamlSNIConfig.h
+++ b/iocore/net/YamlSNIConfig.h
@@ -57,6 +57,7 @@ TSDECL(valid_tls_version_min_in);
 TSDECL(valid_tls_version_max_in);
 TSDECL(http2);
 TSDECL(http2_buffer_water_mark);
+TSDECL(quic);
 TSDECL(host_sni_policy);
 TSDECL(server_max_early_data);
 #undef TSDECL
@@ -71,7 +72,8 @@ struct YamlSNIConfig {
 
   struct Item {
     std::string fqdn;
-    std::optional<bool> offer_h2; // Has no value by default, so do not 
initialize!
+    std::optional<bool> offer_h2;   // Has no value by default, so do not 
initialize!
+    std::optional<bool> offer_quic; // Has no value by default, so do not 
initialize!
     uint8_t verify_client_level = 255;
     std::string verify_client_ca_file;
     std::string verify_client_ca_dir;
diff --git a/proxy/http/Makefile.am b/proxy/http/Makefile.am
index 3a1e25db35..d77d35a9aa 100644
--- a/proxy/http/Makefile.am
+++ b/proxy/http/Makefile.am
@@ -157,6 +157,11 @@ test_HttpTransact_LDADD  =  \
        -lz -llzma -lcrypto -lresolv -lssl \
        @LIBPCRE@ @HWLOC_LIBS@ @SWOC_LIBS@ @YAMLCPP_LIBS@
 
+if ENABLE_QUIC
+test_HttpTransact_LDADD += \
+       $(top_builddir)/iocore/net/quic/libquic.a
+endif
+
 test_HttpTransact_SOURCES = \
        ../../iocore/cache/test/stub.cc \
        unit_tests/main.cc \
