The added configuration is "proxy.config.ssl.server.enable_dhparams", but the code checks "proxy.config.ssl.client.enable_dhparams".
The added configuration is marked RECU_RESTART_TS, but will actually take effect when ssl_multicert.config is reloaded. So I think this should be RECU_DYNAMIC (though this is almost an intermediate state). > On Mar 11, 2015, at 3:17 PM, bri...@apache.org wrote: > > Repository: trafficserver > Updated Branches: > refs/heads/master 66bdd406f -> 4361f4d0d > > > TS-3437: Make DH params configurable > > > Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo > Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/091b59ca > Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/091b59ca > Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/091b59ca > > Branch: refs/heads/master > Commit: 091b59ca3f772ebc4a6cbc832b57fb0794c6b82e > Parents: 66bdd40 > Author: Brian Geffon <bri...@apache.org> > Authored: Wed Mar 11 15:16:07 2015 -0700 > Committer: Brian Geffon <bri...@apache.org> > Committed: Wed Mar 11 15:16:07 2015 -0700 > > ---------------------------------------------------------------------- > iocore/net/P_SSLConfig.h | 1 + > iocore/net/SSLConfig.cc | 2 ++ > iocore/net/SSLUtils.cc | 4 +++- > mgmt/RecordsConfig.cc | 2 ++ > 4 files changed, 8 insertions(+), 1 deletion(-) > ---------------------------------------------------------------------- > > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/P_SSLConfig.h > ---------------------------------------------------------------------- > diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h > index cda2dcb..376036d 100644 > --- a/iocore/net/P_SSLConfig.h > +++ b/iocore/net/P_SSLConfig.h 
> @@ -81,6 +81,7 @@ struct SSLConfigParams : public ConfigInfo > char * clientKeyPath; > char * clientCACertFilename; > char * clientCACertPath; > + int enable_dhparams; > int clientVerify; > int client_verify_depth; > long ssl_ctx_options; > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/SSLConfig.cc > ---------------------------------------------------------------------- > diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc > index 627ccd2..1e1c0df 100644 > --- a/iocore/net/SSLConfig.cc > +++ b/iocore/net/SSLConfig.cc > @@ -74,6 +74,7 @@ SSLConfigParams::SSLConfigParams() > > clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0; > > + enable_dhparams = 0; > ssl_ctx_options = 0; > ssl_client_ctx_protocols = 0; > ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL; > @@ -159,6 +160,7 @@ SSLConfigParams::initialize() > REC_ReadConfigStringAlloc(cipherSuite, > "proxy.config.ssl.server.cipher_suite"); > REC_ReadConfigStringAlloc(client_cipherSuite, > "proxy.config.ssl.client.cipher_suite"); > dhparamsFile = > RecConfigReadConfigPath("proxy.config.ssl.server.dhparams_file"); > + REC_ReadConfigInt32(enable_dhparams, > "proxy.config.ssl.client.enable_dhparams"); > > int options; > int client_ssl_options; > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/SSLUtils.cc > ---------------------------------------------------------------------- > diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc > index 361d344..83ce5e5 100644 > --- a/iocore/net/SSLUtils.cc > +++ b/iocore/net/SSLUtils.cc 
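Review bot: The new `enable_dhparams` member in P_SSLConfig.h lands undocumented between the client-certificate fields, so nothing in the header tells a reader that it gates the server-side DH parameter setup in SSLInitServerContext rather than anything client-related. A one-line comment on the declaration would carry that, e.g. `int enable_dhparams; // non-zero: apply dhparamsFile via ssl_context_enable_dhe() in SSLInitServerContext`. The SSLConfigParams struct begins and ends outside the hunk.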
> @@ -1473,8 +1473,10 @@ SSLInitServerContext(const SSLConfigParams * params, > const ssl_user_config & ssl > SSL_CTX_set_default_passwd_cb_userdata(CTX, NULL);\ > } > SSL_CLEAR_PW_REFERENCES(ud,ctx) > - if (!ssl_context_enable_dhe(params->dhparamsFile, ctx)) { > + if (params->enable_dhparams && > !ssl_context_enable_dhe(params->dhparamsFile, ctx)) { > goto fail; > + } else if (!params->enable_dhparams) { > + Debug("ssl", "Not using dhparams"); > } > return ssl_context_enable_ecdh(ctx); > > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/mgmt/RecordsConfig.cc > ---------------------------------------------------------------------- > diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc > index b360aa0..76d6cb2 100644 > --- a/mgmt/RecordsConfig.cc > +++ b/mgmt/RecordsConfig.cc > @@ -1322,6 +1322,8 @@ static const RecordElement RecordsConfig[] = > , > {RECT_CONFIG, "proxy.config.ssl.allow_client_renegotiation", RECD_INT, "0", > RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} > , > + {RECT_CONFIG, "proxy.config.ssl.server.enable_dhparams", RECD_INT, "0", > RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} > + , > {RECT_CONFIG, "proxy.config.ssl.server.dhparams_file", RECD_STRING, NULL, > RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL} > , > > //############################################################################## >
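Review bot: With the record defaulting to "0" (RecordsConfig.cc hunk), SSLInitServerContext now skips ssl_context_enable_dhe() unless the new flag is set, so a deployment that already configured proxy.config.ssl.server.dhparams_file silently loses that setup on upgrade; the only trace is the `Debug("ssl", ...)` line, which only appears when debug output for that tag is enabled. A visible log when the file is configured but the flag is not would surface the misconfiguration, e.g. `} else if (!params->enable_dhparams) {` followed by `if (params->dhparamsFile) Warning("proxy.config.ssl.server.dhparams_file is set but enable_dhparams is 0, ignoring it");` ahead of the existing Debug call, assuming the Diags Warning() helper is in scope here as in the rest of the SSL code. As a matter of style, testing `params->enable_dhparams` in both the `if` and the `else if` reads worse than a single `if (params->enable_dhparams) { if (!ssl_context_enable_dhe(...)) goto fail; } else { ... }`. SSLInitServerContext begins outside the hunk.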