This is an automated email from the ASF dual-hosted git repository.
lzx404243 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 51d6cd762e Support elevated access option when loading client certs.
(#10957)
51d6cd762e is described below
commit 51d6cd762e92831bd39da7307c716ca65c3a0c76
Author: Zhengxi Li <[email protected]>
AuthorDate: Wed Jan 3 11:19:16 2024 -0500
Support elevated access option when loading client certs. (#10957)
---
src/iocore/net/SSLConfig.cc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc
index 00e00a4931..15dbcbfa81 100644
--- a/src/iocore/net/SSLConfig.cc
+++ b/src/iocore/net/SSLConfig.cc
@@ -918,6 +918,11 @@ SSLConfigParams::getCTX(const std::string &client_cert,
const std::string &key_f
Debug("ssl_client_ctx", "Load new cert for %s %s", top_level_key.c_str(),
ctx_key.c_str());
client_ctx = shared_SSL_CTX(SSLInitClientContext(this), SSLReleaseContext);
+ // Upon configuration, elevate file access to be able to read root-only
+ // certificates. The destructor will drop privilege.
+ uint32_t elevate_setting = 0;
+ REC_ReadConfigInteger(elevate_setting,
"proxy.config.ssl.cert.load_elevated");
+ ElevateAccess elevate_access(elevate_setting ?
ElevateAccess::FILE_PRIVILEGE : 0);
// Set public and private keys
if (!client_cert.empty()) {
std::string secret_data;
