moonming commented on a change in pull request #1678:
URL: https://github.com/apache/incubator-apisix/pull/1678#discussion_r437873092
##########
File path: apisix/http/router/radixtree_sni.lua
##########
@@ -39,9 +42,41 @@ local function create_router(ssl_items)
local route_items = core.table.new(#ssl_items, 0)
local idx = 0
+ local local_conf = core.config.local_conf()
+ local iv
+ if local_conf and local_conf.apisix
+ and local_conf.apisix.ssl
+ and local_conf.apisix.ssl.key_encrypt_salt then
+ iv = local_conf.apisix.ssl.key_encrypt_salt
+ end
+ local aes_128_cbc_with_iv = (type(iv)=="string" and #iv == 16) and
+ assert(aes:new(iv, nil, aes.cipher(128, "cbc"), {iv=iv})) or nil
+
for _, ssl in ipairs(ssl_items) do
- if type(ssl) == "table" then
- local sni = ssl.value.sni:reverse()
+ if type(ssl) == "table" and
+ ssl.value ~= nil and
+ (ssl.value.status == nil or ssl.value.status == 1) then --
compatible with old version
+
+ local j = 0
+ local sni
+ if type(ssl.value.snis) == "table" and #ssl.value.snis > 0 then
+ sni = core.table.new(0, #ssl.value.snis)
+ for _, s in ipairs(ssl.value.snis) do
+ j = j + 1
+ sni[j] = s:reverse()
+ end
+ else
+ sni = ssl.value.sni:reverse()
+ end
+
+ -- decrypt private key
+ if aes_128_cbc_with_iv ~= nil and
+ not str_find(ssl.value.key, "---") then
+ local decrypted =
aes_128_cbc_with_iv:decrypt(ngx_decode_base64(ssl.value.key))
Review comment:
we should write an error log if `decrypted` is nil
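Review bot: The same 16-byte `key_encrypt_salt` string is used as both the AES-128 key and the CBC IV in `assert(aes:new(iv, nil, aes.cipher(128, "cbc"), {iv=iv}))` (here, and again in the apisix/admin/ssl.lua hunk below), so the value called a "salt" is really the encryption key and the IV is fixed for every stored record. With a fixed key and IV, CBC is deterministic: two SSL objects holding the same private key get the same ciphertext in etcd, and any two keys sharing a prefix (PEM headers, for instance) share their leading ciphertext blocks. A per-record random IV stored next to the ciphertext, or an AEAD mode, avoids this; at minimum the key and IV should be separate values rather than one reused string. The `assert(...)` also turns a malformed config value into a hard failure while the router is being built instead of a logged error and a skipped decryption. create_router's body continues past the quoted hunk.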
##########
File path: apisix/schema_def.lua
##########
@@ -499,6 +499,12 @@ _M.ssl = {
type = "integer",
minimum = 1588262400, -- 2020/5/1 0:0:0
},
+ status = {
Review comment:
enable or disable the ssl cert? I think we need to add more description or a
better name.
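Review bot: The constraints of the new `status` field are cut off in the quoted hunk, so I cannot see whether the schema restricts its value; since the router hunk treats `status == nil or status == 1` as enabled and every other value as disabled, the schema should pin it to the two meaningful values, e.g. `status = { type = "integer", enum = {0, 1} }`, unless the unquoted lines already do so. The `_M.ssl` table starts before the hunk.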
##########
File path: t/router/radixtree-sni.t
##########
@@ -565,3 +565,216 @@ not found any valid sni configuration, matched sni:
*.test2.com current sni: aa.
--- no_error_log
[error]
[alert]
+
+
+
+=== TEST 12: disable ssl(sni: *.test2.com)
+--- config
+location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+
+ local data = {status = 0}
+
+ local code, body = t.test('/apisix/admin/ssl/1',
+ ngx.HTTP_PATCH,
+ core.json.encode(data),
+ [[{
+ "node": {
+ "value": {
+ "status": 0
+ },
+ "key": "/apisix/ssl/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 13: client request: www.test2.com -- failed by disable
+--- config
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+
+location /t {
+ content_by_lua_block {
+ -- etcd sync
+ ngx.sleep(0.2)
+
+ do
+ local sock = ngx.socket.tcp()
+
+ sock:settimeout(2000)
+
+ local ok, err =
sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+ if not ok then
+ ngx.say("failed to connect: ", err)
+ return
+ end
+
+ ngx.say("connected: ", ok)
+
+ local sess, err = sock:sslhandshake(nil, "www.test2.com", true)
+ if not sess then
+ ngx.say("failed to do SSL handshake: ", err)
+ return
+ end
+
+ ngx.say("ssl handshake: ", type(sess))
+ end -- do
+ -- collectgarbage()
+ }
+}
+--- request
+GET /t
+--- response_body
+connected: 1
+failed to do SSL handshake: certificate host mismatch
+--- error_log
+lua ssl server name: "www.test2.com"
+--- no_error_log
+[error]
+[alert]
+
+
+
+=== TEST 14: set ssl(snis: {test2.com, *.test2.com})
+--- config
+location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+
+ local ssl_cert = t.read_file("conf/cert/test2.crt")
+ local ssl_key = t.read_file("conf/cert/test2.key")
+ local data = {cert = ssl_cert, key = ssl_key, snis = {"test2.com",
"*.test2.com"}}
+
+ local code, body = t.test('/apisix/admin/ssl/1',
+ ngx.HTTP_PUT,
+ core.json.encode(data),
+ [[{
+ "node": {
+ "value": {
+ "snis": ["test2.com", "*.test2.com"]
+ },
+ "key": "/apisix/ssl/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 15: client request: test2.com
Review comment:
Is this to test a self-signed certificate? Do we not support self-signed
certificates?
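Review bot: TEST 13 asserts `failed to do SSL handshake: certificate host mismatch`, which only shows that a certificate for some other name was served once the record was disabled; a one-line comment in the test stating that a disabled record is expected to fall through to the default certificate would make the intent checkable. TEST 12 disables the record with `status = 0` and TEST 14 then overwrites it with a PUT that carries no `status`, so the explicit `status == 1` branch in the router is never exercised; a PATCH with `{status = 1}` followed by a successful handshake would cover it. The `ngx.sleep(0.2)` labelled `-- etcd sync` makes TEST 13 timing-dependent, so if the suite has a way to wait for the sync it would be more robust. TEST 15 is cut off at the end of the quote.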
##########
File path: conf/config.yaml
##########
@@ -93,6 +93,7 @@ apisix:
listen_port: 9443
ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
ssl_ciphers:
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
+ key_encrypt_salt: "edd1c9f0985e76a2" # !!! do not change it after
saving your ssl
Review comment:
need test cases for:
- change the value of `key_encrypt_salt` after having encrypted some keys
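Review bot: The committed default `key_encrypt_salt: "edd1c9f0985e76a2"` is a working encryption key shipped in every installation's `conf/config.yaml`, so a deployment that does not override it stores private keys in etcd under a publicly known key, which gives no confidentiality over plaintext while appearing encrypted. Ship the option empty or commented out so encryption is opt-in and the operator must supply a value, and say in the comment that the value is the AES key rather than a salt. Both code hunks only enable encryption when `#iv == 16`, so a value of any other length silently disables it with no warning; the comment should state the exact-length requirement, or the code should reject other lengths loudly. The inline `# !!! do not change it after saving your ssl` could also say why: records encrypted under the old value can no longer be decrypted. The same hunk is quoted again in the second conf/config.yaml section below.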
##########
File path: conf/config.yaml
##########
@@ -93,6 +93,7 @@ apisix:
listen_port: 9443
ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
ssl_ciphers:
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
+ key_encrypt_salt: "edd1c9f0985e76a2" # !!! do not change it after
saving your ssl
Review comment:
need more description for `key_encrypt_salt`, for example the encryption algorithm
##########
File path: apisix/admin/ssl.lua
##########
@@ -138,6 +156,22 @@ function _M.post(id, conf)
return 400, err
end
+ -- encrypt private key
+ local local_conf = core.config.local_conf()
+ local iv
+ if local_conf and local_conf.apisix
+ and local_conf.apisix.ssl.key_encrypt_salt then
+ iv = local_conf.apisix.ssl.key_encrypt_salt
+ end
+
+ local aes_128_cbc_with_iv = (type(iv)=="string" and #iv == 16) and
+ assert(aes:new(iv, nil, aes.cipher(128, "cbc"), {iv=iv})) or nil
+
+ if aes_128_cbc_with_iv ~= nil then
+ local encrypted = aes_128_cbc_with_iv:encrypt(conf.key)
+ conf.key = ngx_encode_base64(encrypted)
+ end
+
Review comment:
the same code as
https://github.com/apache/incubator-apisix/pull/1678/files#diff-ef2c372bb70b36a8baed8b3ed9818244R106-R120,
we should move it into a function
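Review bot: The nil guard `if local_conf and local_conf.apisix and local_conf.apisix.ssl.key_encrypt_salt then` skips the `local_conf.apisix.ssl` level that the router hunk checks, so a config without an `apisix.ssl` section raises "attempt to index a nil value" inside `_M.post` instead of leaving the key unencrypted; add `and local_conf.apisix.ssl` to the chain. The `assert(aes:new(...))` sits on a request path, so a bad configuration value becomes a 500 on every write; handling the `nil, err` return and responding as the surrounding `return 400, err` does would be consistent with the rest of the handler. `_M.post` starts before the quoted hunk.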