(trafficserver) branch master updated: Use EMERGENCY instead of FATAL for some certificate loading errors (#11108)
This is an automated email from the ASF dual-hosted git repository. lzx404243 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 67bcbf4b33 Use EMERGENCY instead of FATAL for some certificate loading errors (#11108) 67bcbf4b33 is described below commit 67bcbf4b33d43f2e0a1186d725b19e712971f886 Author: Zhengxi Li AuthorDate: Thu Feb 29 15:17:12 2024 -0500 Use EMERGENCY instead of FATAL for some certificate loading errors (#11108) * Use EMERGENCY instead of FATAL for certificate loading errors --- src/iocore/net/SSLConfig.cc | 4 ++-- tests/gold_tests/tls/exit_on_cert_load_fail.test.py | 4 ++-- tests/gold_tests/tls/ssl_multicert_loader.test.py | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc index fc84ce517d..f275d1b051 100644 --- a/src/iocore/net/SSLConfig.cc +++ b/src/iocore/net/SSLConfig.cc @@ -550,7 +550,7 @@ SSLConfigParams::initialize() } // Can't get SSL client context. if (this->clientCertExitOnLoadError) { -Fatal("Can't initialize the SSL client, HTTPS in remap rules will not function"); +Emergency("Can't initialize the SSL client, HTTPS in remap rules will not function"); } else { SSLError("Can't initialize the SSL client, HTTPS in remap rules will not function"); } @@ -637,7 +637,7 @@ SSLCertificateConfig::startup() // proxy.config.ssl.server.multicert.exit_on_load_fail is true SSLConfig::scoped_config params; if (!reconfigure() && params->configExitOnLoadError) { -Fatal("failed to load SSL certificate file, %s", params->configFilePath); +Emergency("failed to load SSL certificate file, %s", params->configFilePath); } return true; diff --git a/tests/gold_tests/tls/exit_on_cert_load_fail.test.py b/tests/gold_tests/tls/exit_on_cert_load_fail.test.py index f578665c48..c075e1a357 100644 --- a/tests/gold_tests/tls/exit_on_cert_load_fail.test.py 
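Review bot: Both Fatal→Emergency replacements in SSLConfig.cc (the client-context site at @@ -550 and the multicert site at @@ -637) change the exit status and diags level an operator observes, yet neither the code nor the commit message says why; the only hint is the test hunk's comment that ink_emergency exits with UNRECOVERABLE_EXIT (33) where ink_fatal exited with EX_SOFTWARE (70). Add a one-line comment at the first site stating the intent, e.g. `// Emergency() rather than Fatal(): exit with UNRECOVERABLE_EXIT and log at EMERGENCY level`, presumably so a refused configuration is distinguishable from a software fault. The new exit status should also be recorded in the records documentation for proxy.config.ssl.server.multicert.exit_on_load_fail and proxy.config.ssl.client.cert.exit_on_load_fail, since supervisor or init tooling keyed on the old 70 will now misclassify the exit. Both enclosing functions start and end outside these hunks.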
+++ b/tests/gold_tests/tls/exit_on_cert_load_fail.test.py @@ -85,9 +85,9 @@ class Test_exit_on_cert_load_fail: self._ts.Disk.diags_log.Content = Testers.ContainsExpression("ERROR:", "These tests should have error logs.") if self.enable_exit_on_load: -self._ts.ReturnCode = 70 +self._ts.ReturnCode = 33 self._ts.Disk.diags_log.Content += Testers.ContainsExpression( -"FATAL: ", "Failure loading the certs results in a fatal error.") +"EMERGENCY: ", "Failure loading the certs results in an emergency error.") self._ts.Disk.diags_log.Content += Testers.ExcludesExpression( "Traffic Server is fully initialized", "Traffic Server should exit upon the load failure.") else: diff --git a/tests/gold_tests/tls/ssl_multicert_loader.test.py b/tests/gold_tests/tls/ssl_multicert_loader.test.py index ddcc231825..27b90b4f83 100644 --- a/tests/gold_tests/tls/ssl_multicert_loader.test.py +++ b/tests/gold_tests/tls/ssl_multicert_loader.test.py @@ -102,8 +102,8 @@ tr4.Processes.Default.Command = 'echo Waiting' tr4.Processes.Default.ReturnCode = 0 tr4.Processes.Default.StartBefore(ts2) -ts2.ReturnCode = 70 # ink_fatal will exit with EX_SOFTWARE. +ts2.ReturnCode = 33 # ink_emergency will exit with UNRECOVERABLE_EXIT. ts2.Ready = 0 # Need this to be 0 because we are testing shutdown, this is to make autest not think ats went away for a bad reason. ts2.Disk.traffic_out.Content = Testers.ExcludesExpression( 'Traffic Server is fully initialized', 'process should fail when invalid certificate specified') -ts2.Disk.diags_log.Content = Testers.IncludesExpression('FATAL: failed to load SSL certificate file', 'check diags.log"') +ts2.Disk.diags_log.Content = Testers.IncludesExpression('EMERGENCY: failed to load SSL certificate file', 'check diags.log"')
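Review bot: `self._ts.ReturnCode = 33` in exit_on_cert_load_fail.test.py is a bare magic number, whereas the parallel change in ssl_multicert_loader.test.py explains it with `# ink_emergency will exit with UNRECOVERABLE_EXIT.`; carry the same comment here so the next change to the exit status is traceable from both tests. The assertion `ContainsExpression("EMERGENCY: ", ...)` also only checks the level prefix, while the multicert test pins the full `'EMERGENCY: failed to load SSL certificate file'`; if this test always exercises one known load path, tightening it to the expected message text would catch an unrelated EMERGENCY being logged instead. The enclosing method of Test_exit_on_cert_load_fail starts and ends outside the hunk.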
(trafficserver) branch master updated: Added config to support exit on client cert load failure (#10958)
This is an automated email from the ASF dual-hosted git repository. lzx404243 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 7ccdbd30ac Added config to support exit on client cert load failure (#10958) 7ccdbd30ac is described below commit 7ccdbd30ac8f03667d734fa40f04f1c250eed2c8 Author: Zhengxi Li AuthorDate: Tue Feb 27 10:48:50 2024 -0500 Added config to support exit on client cert load failure (#10958) * Added ssl.client.cert.exit_on_load option. * Added doc for config * Updated test run names --- doc/admin-guide/files/records.yaml.en.rst | 6 ++ src/iocore/net/P_SSLConfig.h | 1 + src/iocore/net/SSLConfig.cc| 10 +- src/records/RecordsConfig.cc | 2 + tests/gold_tests/records/gold/full_records.yaml| 1 + .../records/legacy_config/full_records.config | 1 + .../gold_tests/tls/exit_on_cert_load_fail.test.py | 119 + 7 files changed, 139 insertions(+), 1 deletion(-) diff --git a/doc/admin-guide/files/records.yaml.en.rst b/doc/admin-guide/files/records.yaml.en.rst index 81c02e4fb4..93da31b31d 100644 --- a/doc/admin-guide/files/records.yaml.en.rst +++ b/doc/admin-guide/files/records.yaml.en.rst @@ -3992,6 +3992,12 @@ Client-Related Configuration The filename of SSL client certificate installed on |TS|. +.. ts:cv:: CONFIG proxy.config.ssl.client.cert.exit_on_load_fail INT 0 + + By default (``0``), |TS| will start even if problems occur when loading the + SSL client certificates. If true (``1``), SSL client certificate load + failures will prevent |TS| from starting. + .. ts:cv:: CONFIG proxy.config.ssl.client.cert.path STRING /config :reloadable: diff --git a/src/iocore/net/P_SSLConfig.h b/src/iocore/net/P_SSLConfig.h index 7870bf9467..0fa6439979 100644 --- a/src/iocore/net/P_SSLConfig.h +++ b/src/iocore/net/P_SSLConfig.h 
@@ -96,6 +96,7 @@ struct SSLConfigParams : public ConfigInfo { char *clientKeyPathOnly; char *clientCACertFilename; char *clientCACertPath; + int clientCertExitOnLoadError; YamlSNIConfig::Policy verifyServerPolicy; YamlSNIConfig::Property verifyServerProperties; bool tls_server_connection; diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc index df1f2299e2..fc84ce517d 100644 --- a/src/iocore/net/SSLConfig.cc +++ b/src/iocore/net/SSLConfig.cc @@ -129,6 +129,7 @@ SSLConfigParams::reset() ssl_session_cache_timeout= 0; ssl_session_cache_auto_clear = 1; configExitOnLoadError= 1; + clientCertExitOnLoadError= 0; } void @@ -503,6 +504,7 @@ SSLConfigParams::initialize() ssl_client_cert_path = nullptr; REC_ReadConfigStringAlloc(ssl_client_cert_filename, "proxy.config.ssl.client.cert.filename"); REC_ReadConfigStringAlloc(ssl_client_cert_path, "proxy.config.ssl.client.cert.path"); + REC_ReadConfigInteger(clientCertExitOnLoadError, "proxy.config.ssl.client.cert.exit_on_load_fail"); set_paths_helper(ssl_client_cert_path, ssl_client_cert_filename, , ); ats_free_null(ssl_client_cert_filename); ats_free_null(ssl_client_cert_path); @@ -543,7 +545,13 @@ SSLConfigParams::initialize() // can cause HTTP layer to connect using SSL. But only if SSL // initialization hasn't failed already. client_ctx = this->getCTX(this->clientCertPath, this->clientKeyPath, this->clientCACertFilename, this->clientCACertPath); - if (!client_ctx) { + if (client_ctx) { +return; + } + // Can't get SSL client context. + if (this->clientCertExitOnLoadError) { +Fatal("Can't initialize the SSL client, HTTPS in remap rules will not function"); + } else { SSLError("Can't initialize the SSL client, HTTPS in remap rules will not function"); } } diff --git a/src/records/RecordsConfig.cc b/src/records/RecordsConfig.cc index e8a7abc8ff..7aedc3fe00 100644 --- a/src/records/RecordsConfig.cc +++ b/src/records/RecordsConfig.cc 
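Review bot: The new Fatal() branch in SSLConfigParams::initialize() (the @@ -543 hunk) reuses the message `HTTPS in remap rules will not function`, which describes the keep-running case; on this path the process is exiting because proxy.config.ssl.client.cert.exit_on_load_fail is set, and the log line should say so, e.g. `Fatal("Can't initialize the SSL client and proxy.config.ssl.client.cert.exit_on_load_fail is set, exiting");`. The hunk also turns the old `if (!client_ctx)` into an early `return;`; the brace that closes the hunk looks like the end of initialize(), but if any statement follows this block in the function it is now skipped on the success path, which is worth confirming against the full function. The member added in P_SSLConfig.h, `int clientCertExitOnLoadError;`, holds a 0/1 value read through the `[0-1]` check in RecordsConfig.cc, so a short comment at the declaration naming the record it mirrors would keep the header self-explanatory.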
@@ -1134,6 +1134,8 @@ static const RecordElement RecordsConfig[] = , {RECT_CONFIG, "proxy.config.ssl.client.verify.server.properties", RECD_STRING, "ALL", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL} , + {RECT_CONFIG, "proxy.config.ssl.client.cert.exit_on_load_fail", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, "[0-1]", RECA_NULL} + , {RECT_CONFIG, "proxy.config.ssl.client.cert.filename", RECD_STRING, nullptr, RECU_DYNAMIC, RR_NULL, RECC_STR, "^[^[:space:]]*$", RECA_NULL} , {RECT_CONFIG, "proxy.config.ssl.client.cert.path", RECD_STRING, TS_BUILD_SYSCONFDIR, RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL} diff --git a/tests/gold_tests/records/gold/full_records.yaml b/t
(trafficserver) branch master updated: Support elevated access option when loading client certs. (#10957)
This is an automated email from the ASF dual-hosted git repository. lzx404243 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 51d6cd762e Support elevated access option when loading client certs. (#10957) 51d6cd762e is described below commit 51d6cd762e92831bd39da7307c716ca65c3a0c76 Author: Zhengxi Li AuthorDate: Wed Jan 3 11:19:16 2024 -0500 Support elevated access option when loading client certs. (#10957) --- src/iocore/net/SSLConfig.cc | 5 + 1 file changed, 5 insertions(+)
diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc
index 00e00a4931..15dbcbfa81 100644
--- a/src/iocore/net/SSLConfig.cc
+++ b/src/iocore/net/SSLConfig.cc
@@ -918,6 +918,11 @@ SSLConfigParams::getCTX(const std::string _cert, const std::string _f
 Debug("ssl_client_ctx", "Load new cert for %s %s", top_level_key.c_str(), ctx_key.c_str());
 client_ctx = shared_SSL_CTX(SSLInitClientContext(this), SSLReleaseContext);
+// Upon configuration, elevate file access to be able to read root-only
+// certificates. The destructor will drop privilege.
+uint32_t elevate_setting = 0;
+REC_ReadConfigInteger(elevate_setting, "proxy.config.ssl.cert.load_elevated");
+ElevateAccess elevate_access(elevate_setting ? ElevateAccess::FILE_PRIVILEGE : 0);
 // Set public and private keys
 if (!client_cert.empty()) {
 std::string secret_data;
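Review bot: `ElevateAccess elevate_access(...)` is a scope-bound guard declared directly in the body of SSLConfigParams::getCTX, and by the hunk's own comment privilege is dropped only by its destructor, i.e. at the end of the enclosing scope, which runs past this hunk and past the certificate and key reads the comment says the elevation is for. If the work that follows those reads does not need FILE_PRIVILEGE, confine the guard to its own block, `{ ElevateAccess elevate_access(...); /* cert and key reads */ }`, so the elevated window covers only the file opens; otherwise state in the comment that elevation lasts for the remainder of getCTX. The setting is also re-read with REC_ReadConfigInteger on every getCTX call rather than once at configuration time; if that is deliberate because proxy.config.ssl.cert.load_elevated may change between reloads, a word in the comment would spare the next reader the question. The enclosing function starts and ends outside the hunk.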
(trafficserver) branch master updated: Reenable management control for ts logging (#10883)
This is an automated email from the ASF dual-hosted git repository. lzx404243 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 515b610d45 Reenable management control for ts logging (#10883) 515b610d45 is described below commit 515b610d458c8262fe486df0010a900093959fdd Author: Zhengxi Li AuthorDate: Fri Dec 1 11:25:43 2023 -0500 Reenable management control for ts logging (#10883) --- src/traffic_server/traffic_server.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/traffic_server/traffic_server.cc b/src/traffic_server/traffic_server.cc
index 99c7fef3d8..0835228b7a 100644
--- a/src/traffic_server/traffic_server.cc
+++ b/src/traffic_server/traffic_server.cc
@@ -2172,7 +2172,7 @@ main(int /* argc ATS_UNUSED */, const char **argv)
 }
 // initialize logging (after event and net processor)
-Log::init(Log::NO_REMOTE_MANAGEMENT);
+Log::init();
 (void)parsePluginConfig();
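Review bot: `Log::init()` now runs with whatever default flags Log::init supplies (not visible here), and the only explanation of the change is the subject line; the comment above the call still reads `// initialize logging (after event and net processor)` and says nothing about management control. Extend it to record the intent, e.g. `// initialize logging (after event and net processor); default flags so management control of logging is enabled`, or cite the reason NO_REMOTE_MANAGEMENT was passed originally, so a later cleanup does not reintroduce the flag without noticing. The enclosing main() starts and ends outside the hunk.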
(trafficserver) branch master updated (3e52401991 -> faebf95ba3)
This is an automated email from the ASF dual-hosted git repository. lzx404243 pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git from 3e52401991 Update to libswoc 1.5.8 (#10849) add faebf95ba3 Move FetchSM out of tsapi to break cycle (#10852) No new revisions were added by this update. Summary of changes: include/{api => proxy}/FetchSM.h | 0 .../proxy/PluginHttpConnect.h | 4 +- src/api/CMakeLists.txt | 3 +- src/api/InkAPI.cc | 34 ++-- src/iocore/cache/unit_tests/stub.cc| 2 +- src/iocore/net/OCSPStapling.cc | 2 +- src/iocore/net/libinknet_stub.cc | 2 +- src/proxy/CMakeLists.txt | 2 + src/{api => proxy}/FetchSM.cc | 45 ++-- src/proxy/PluginHttpConnect.cc | 61 ++ src/traffic_quic/traffic_quic.cc | 2 +- 11 files changed, 104 insertions(+), 53 deletions(-) rename include/{api => proxy}/FetchSM.h (100%) copy src/records/test_RecordsConfig.h => include/proxy/PluginHttpConnect.h (89%) rename src/{api => proxy}/FetchSM.cc (94%) create mode 100644 src/proxy/PluginHttpConnect.cc
(trafficserver) branch master updated: Cleanup/Flatten out some headers inclusion (#10768)
This is an automated email from the ASF dual-hosted git repository. lzx404243 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new e3de68848f Cleanup/Flatten out some headers inclusion (#10768) e3de68848f is described below commit e3de68848f3cdded4c843f11d6d06065ca2abeaf Author: Zhengxi Li AuthorDate: Mon Nov 27 17:54:50 2023 -0500 Cleanup/Flatten out some headers inclusion (#10768) * optimize includes around EventSystem.h * optimize includes --- src/api/InkIOCoreAPI.cc | 4 src/iocore/cache/CacheEvacuateDocVC.cc | 13 - src/iocore/eventsystem/ProxyAllocator.cc| 3 ++- src/iocore/net/ProxyProtocol.cc | 5 ++--- src/iocore/net/SNIActionPerformer.cc| 4 +--- src/iocore/net/SSLCertLookup.cc | 10 +- src/iocore/net/quic/QUICTypes.cc| 3 +-- src/iocore/net/unit_tests/unit_test_main.cc | 4 +--- src/proxy/ControlMatcher.cc | 10 +- src/proxy/ParentSelection.cc| 3 +-- src/proxy/hdrs/HdrHeap.cc | 3 ++- src/proxy/hdrs/unit_tests/test_mime.cc | 3 +-- src/proxy/http/HttpConfig.cc| 1 + src/proxy/http/HttpTunnel.cc| 4 ++-- src/proxy/http2/test_HPACK.cc | 3 ++- src/proxy/http3/test/main_qpack.cc | 1 - src/proxy/private/SSLProxySession.cc| 4 ++-- src/records/unit_tests/unit_test_main_on_eventsystem.cc | 1 - tools/benchmark/benchmark_ProxyAllocator.cc | 1 - 19 files changed, 24 insertions(+), 56 deletions(-) diff --git a/src/api/InkIOCoreAPI.cc b/src/api/InkIOCoreAPI.cc index 7d918b3511..47f1c0895c 100644 --- a/src/api/InkIOCoreAPI.cc +++ b/src/api/InkIOCoreAPI.cc @@ -30,10 +30,6 @@ #include "tscore/ink_platform.h" #include "ts/ts.h" #include "ts/InkAPIPrivateIOCore.h" -#include "iocore/eventsystem/EventSystem.h" -#include "iocore/net/Net.h" -#include "iocore/cache/Cache.h" -#include "iocore/hostdb/HostDB.h" #include "../iocore/net/P_UnixUDPConnection.h" // This assert is for internal API use only. 
diff --git a/src/iocore/cache/CacheEvacuateDocVC.cc b/src/iocore/cache/CacheEvacuateDocVC.cc index dfc7b1e6c7..edba3379b9 100644 --- a/src/iocore/cache/CacheEvacuateDocVC.cc +++ b/src/iocore/cache/CacheEvacuateDocVC.cc @@ -22,21 +22,16 @@ */ // make sure there are no incomplete types -#include "P_Cache.h" + +// aio +#include "../aio/P_AIO.h" // inkcache -#include "iocore/cache/CacheEvacuateDocVC.h" #include "iocore/cache/CacheDefs.h" -#include "P_CacheDir.h" #include "P_CacheHttp.h" #include "P_CacheInternal.h" #include "P_CacheVol.h" - -// aio -#include "iocore/aio/AIO.h" - -// inkevent -#include "iocore/eventsystem/EThread.h" +#include "iocore/cache/CacheEvacuateDocVC.h" // tscore #include "tscore/Diags.h" diff --git a/src/iocore/eventsystem/ProxyAllocator.cc b/src/iocore/eventsystem/ProxyAllocator.cc index 0e6f92fcc1..5cc1c908fe 100644 --- a/src/iocore/eventsystem/ProxyAllocator.cc +++ b/src/iocore/eventsystem/ProxyAllocator.cc @@ -20,7 +20,8 @@ See the License for the specific language governing permissions and limitations under the License. */ -#include "iocore/eventsystem/EventSystem.h" +#include "iocore/eventsystem/ProxyAllocator.h" +#include "tscore/ink_assert.h" int thread_freelist_high_watermark = 512; int thread_freelist_low_watermark = 32; diff --git a/src/iocore/net/ProxyProtocol.cc b/src/iocore/net/ProxyProtocol.cc index 7d63b44779..10a9fd97de 100644 --- a/src/iocore/net/ProxyProtocol.cc +++ b/src/iocore/net/ProxyProtocol.cc @@ -22,15 +22,14 @@ */ #include "iocore/net/ProxyProtocol.h" - -#include "iocore/eventsystem/EventSystem.h" -#include "iocore/net/NetVConnection.h" +#include "tscore/Diags.h" #include "tscpp/util/ts_bw.h" #include "tscore/ink_assert.h" #include "tscore/ink_string.h" #include "tscore/ink_inet.h" #include "swoc/TextView.h" +#include "swoc/bwf_base.h" namespace { diff --git a/src/iocore/net/SNIActionPerformer.cc b/src/iocore/net/SNIActionPerformer.cc index c3163a0cdd..f7adcfe898 100644 --- a/src/iocore/net/SNIActionPerformer.cc 
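Review bot: In CacheEvacuateDocVC.cc the comment `// make sure there are no incomplete types` used to introduce `#include "P_Cache.h"`, which this hunk removes, so the comment now sits above a blank line and the `// aio` section and describes nothing; either delete it or move it above the include it still applies to (presumably `P_CacheInternal.h` or `P_CacheVol.h`, whichever supplies the full definitions). The file's own header, `iocore/cache/CacheEvacuateDocVC.h`, is also moved to the end of the inkcache group rather than first, which is the reverse of the own-header-first convention that lets the compiler check the header for self-sufficiency; the ProxyProtocol.cc hunk in the same commit does keep its own header first. That ProxyProtocol.cc hunk in turn leaves tscore/ and tscpp/ headers interleaved (`tscore/Diags.h`, `tscpp/util/ts_bw.h`, `tscore/ink_assert.h`), worth regrouping if the include order is meant to be grouped by library.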
+++ b/src/iocore/net/SNIActionPerformer.cc @@ -23,12 +23,10 @@ #include "swoc/swoc_file.h" #include "swoc/BufferWriter.h" -#include "swoc/bwf_std.h&qu
(trafficserver) branch master updated: Remove unused header and source (#10771)
This is an automated email from the ASF dual-hosted git repository. lzx404243 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 117fa03761 Remove unused header and source (#10771) 117fa03761 is described below commit 117fa037610b9ee3fc3509ed919d6e506022cd91 Author: Zhengxi Li AuthorDate: Thu Nov 16 19:51:54 2023 -0500 Remove unused header and source (#10771) Removed unused EventName.[h|cc]. --- src/traffic_server/CMakeLists.txt | 2 +- src/traffic_server/EventName.cc | 47 --- src/traffic_server/EventName.h| 35 - 3 files changed, 1 insertion(+), 83 deletions(-) diff --git a/src/traffic_server/CMakeLists.txt b/src/traffic_server/CMakeLists.txt index 32eddec049..32e5936f7b 100644 --- a/src/traffic_server/CMakeLists.txt +++ b/src/traffic_server/CMakeLists.txt @@ -15,7 +15,7 @@ # ### -add_executable(traffic_server Crash.cc EventName.cc SocksProxy.cc traffic_server.cc RpcAdminPubHandlers.cc) +add_executable(traffic_server Crash.cc SocksProxy.cc traffic_server.cc RpcAdminPubHandlers.cc) target_link_libraries( traffic_server PRIVATE ts::tscore diff --git a/src/traffic_server/EventName.cc b/src/traffic_server/EventName.cc deleted file mode 100644 index 9f7626e9da..00 --- a/src/traffic_server/EventName.cc +++ /dev/null 
@@ -1,47 +0,0 @@ -/** @file - - A brief file description - - @section license License - - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - */ - -#include "tscore/ink_config.h" -#include -#include - -#include "../iocore/eventsystem/P_EventSystem.h" -#include "iocore/cache/Cache.h" -#include "iocore/net/Net.h" -#include "iocore/hostdb/HostDB.h" -#include "../iocore/hostdb/P_RefCountCache.h" - -/*- - event_int_to_string - - This routine will translate an integer event number to a string - identifier based on a brute-force search of a switch tag. If the event - cannot be located in the switch table, the routine will construct and - return a string of the integer identifier. - -*/ - -const char * -event_int_to_string(int event, int blen, char *buffer) -{ - return "UNKNOWN_EVENT"; -} diff --git a/src/traffic_server/EventName.h b/src/traffic_server/EventName.h deleted file mode 100644 index 9dd977f365..00 --- a/src/traffic_server/EventName.h +++ /dev/null 
@@ -1,35 +0,0 @@ -/** @file - - A brief file description - - @section license License - - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - */ - -/ - - EventName.h - - Description: Stringifying Events - / - -#pragma once - -#include - -const char *event_int_to_string(int event, int blen = 0, char *buffer = nullptr);