maskit commented on a change in pull request #7434:
URL: https://github.com/apache/trafficserver/pull/7434#discussion_r578839630



##########
File path: iocore/net/SSLUtils.cc
##########
@@ -1226,90 +1314,98 @@ 
SSLMultiCertConfigLoader::init_server_ssl_ctx(CertLoadData const &data, const SS
     break;
   }
   }
+  return true;
+}
 
-#ifdef SSL_MODE_RELEASE_BUFFERS
-  Debug("ssl", "enabling SSL_MODE_RELEASE_BUFFERS");
-  SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
-#endif
-
-#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
-  SSL_CTX_set_options(ctx, SSL_OP_SAFARI_ECDHE_ECDSA_BUG);
-#endif
-
-  if (sslMultCertSettings) {
-    if (sslMultCertSettings->dialog) {
-      passphrase_cb_userdata ud(params, sslMultCertSettings->dialog, 
sslMultCertSettings->first_cert, sslMultCertSettings->key);
-      // pass phrase dialog configuration
-      pem_password_cb *passwd_cb = nullptr;
-      if (strncmp(sslMultCertSettings->dialog, "exec:", 5) == 0) {
-        ud._serverDialog = &sslMultCertSettings->dialog[5];
-        // validate the exec program
-        if (!ssl_private_key_validate_exec(ud._serverDialog)) {
-          SSLError("failed to access '%s' pass phrase program: %s", (const 
char *)ud._serverDialog, strerror(errno));
-          memset(static_cast<void *>(&ud), 0, sizeof(ud));
-          goto fail;
-        }
-        passwd_cb = ssl_private_key_passphrase_callback_exec;
-      } else if (strcmp(sslMultCertSettings->dialog, "builtin") == 0) {
-        passwd_cb = ssl_private_key_passphrase_callback_builtin;
-      } else { // unknown config
-        SSLError("unknown %s configuration value '%s'", SSL_KEY_DIALOG.data(), 
(const char *)sslMultCertSettings->dialog);
+bool
+SSLMultiCertConfigLoader::_setup_dialog(SSL_CTX *ctx, const 
SSLMultiCertConfigParams *sslMultCertSettings)
+{
+  if (sslMultCertSettings->dialog) {
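Review bot: The new `_setup_dialog` dereferences `sslMultCertSettings->dialog` on its first line, but the removed code wrapped this same logic in `if (sslMultCertSettings) {`, so the null guard has been dropped in the move. The call site is not visible in this excerpt; unless every caller guarantees a non-null pointer, a context built without a multicert entry would now fault here instead of skipping pass-phrase dialog setup. Consider `if (sslMultCertSettings && sslMultCertSettings->dialog) {`, or document the non-null precondition on the helper with a comment such as `// sslMultCertSettings must not be null; checked by the caller`. The body of `_setup_dialog` continues outside the quoted hunk, so any later uses of the pointer would need the same consideration.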

Review comment:
       I think it would be better to ask on users@. It's not something from 
the initial commit.
   https://issues.apache.org/jira/browse/TS-612



