(trafficserver) branch master updated: Use EMERGENCY instead of FATAL for some certificate loading errors (#11108)
This is an automated email from the ASF dual-hosted git repository.
lzx404243 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 67bcbf4b33 Use EMERGENCY instead of FATAL for some certificate loading
errors (#11108)
67bcbf4b33 is described below
commit 67bcbf4b33d43f2e0a1186d725b19e712971f886
Author: Zhengxi Li
AuthorDate: Thu Feb 29 15:17:12 2024 -0500
Use EMERGENCY instead of FATAL for some certificate loading errors (#11108)
* Use EMERGENCY instead of FATAL for certificate loading errors
---
src/iocore/net/SSLConfig.cc | 4 ++--
tests/gold_tests/tls/exit_on_cert_load_fail.test.py | 4 ++--
tests/gold_tests/tls/ssl_multicert_loader.test.py | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc
index fc84ce517d..f275d1b051 100644
--- a/src/iocore/net/SSLConfig.cc
+++ b/src/iocore/net/SSLConfig.cc
@@ -550,7 +550,7 @@ SSLConfigParams::initialize()
}
// Can't get SSL client context.
if (this->clientCertExitOnLoadError) {
-Fatal("Can't initialize the SSL client, HTTPS in remap rules will not
function");
+Emergency("Can't initialize the SSL client, HTTPS in remap rules will not
function");
} else {
SSLError("Can't initialize the SSL client, HTTPS in remap rules will not
function");
}
@@ -637,7 +637,7 @@ SSLCertificateConfig::startup()
// proxy.config.ssl.server.multicert.exit_on_load_fail is true
SSLConfig::scoped_config params;
if (!reconfigure() && params->configExitOnLoadError) {
-Fatal("failed to load SSL certificate file, %s", params->configFilePath);
+Emergency("failed to load SSL certificate file, %s",
params->configFilePath);
}
return true;
diff --git a/tests/gold_tests/tls/exit_on_cert_load_fail.test.py
b/tests/gold_tests/tls/exit_on_cert_load_fail.test.py
index f578665c48..c075e1a357 100644
--- a/tests/gold_tests/tls/exit_on_cert_load_fail.test.py
+++ b/tests/gold_tests/tls/exit_on_cert_load_fail.test.py
@@ -85,9 +85,9 @@ class Test_exit_on_cert_load_fail:
self._ts.Disk.diags_log.Content = Testers.ContainsExpression("ERROR:",
"These tests should have error logs.")
if self.enable_exit_on_load:
-self._ts.ReturnCode = 70
+self._ts.ReturnCode = 33
self._ts.Disk.diags_log.Content += Testers.ContainsExpression(
-"FATAL: ", "Failure loading the certs results in a fatal
error.")
+"EMERGENCY: ", "Failure loading the certs results in an
emergency error.")
self._ts.Disk.diags_log.Content += Testers.ExcludesExpression(
"Traffic Server is fully initialized", "Traffic Server should
exit upon the load failure.")
else:
diff --git a/tests/gold_tests/tls/ssl_multicert_loader.test.py
b/tests/gold_tests/tls/ssl_multicert_loader.test.py
index ddcc231825..27b90b4f83 100644
--- a/tests/gold_tests/tls/ssl_multicert_loader.test.py
+++ b/tests/gold_tests/tls/ssl_multicert_loader.test.py
@@ -102,8 +102,8 @@ tr4.Processes.Default.Command = 'echo Waiting'
tr4.Processes.Default.ReturnCode = 0
tr4.Processes.Default.StartBefore(ts2)
-ts2.ReturnCode = 70 # ink_fatal will exit with EX_SOFTWARE.
+ts2.ReturnCode = 33 # ink_emergency will exit with UNRECOVERABLE_EXIT.
ts2.Ready = 0 # Need this to be 0 because we are testing shutdown, this is to
make autest not think ats went away for a bad reason.
ts2.Disk.traffic_out.Content = Testers.ExcludesExpression(
'Traffic Server is fully initialized', 'process should fail when invalid
certificate specified')
-ts2.Disk.diags_log.Content = Testers.IncludesExpression('FATAL: failed to load
SSL certificate file', 'check diags.log"')
+ts2.Disk.diags_log.Content = Testers.IncludesExpression('EMERGENCY: failed to
load SSL certificate file', 'check diags.log"')
(trafficserver) branch master updated: Added config to support exit on client cert load failure (#10958)
This is an automated email from the ASF dual-hosted git repository.
lzx404243 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 7ccdbd30ac Added config to support exit on client cert load failure
(#10958)
7ccdbd30ac is described below
commit 7ccdbd30ac8f03667d734fa40f04f1c250eed2c8
Author: Zhengxi Li
AuthorDate: Tue Feb 27 10:48:50 2024 -0500
Added config to support exit on client cert load failure (#10958)
* Added ssl.client.cert.exit_on_load option.
* Added doc for config
* Updated test run names
---
doc/admin-guide/files/records.yaml.en.rst | 6 ++
src/iocore/net/P_SSLConfig.h | 1 +
src/iocore/net/SSLConfig.cc| 10 +-
src/records/RecordsConfig.cc | 2 +
tests/gold_tests/records/gold/full_records.yaml| 1 +
.../records/legacy_config/full_records.config | 1 +
.../gold_tests/tls/exit_on_cert_load_fail.test.py | 119 +
7 files changed, 139 insertions(+), 1 deletion(-)
diff --git a/doc/admin-guide/files/records.yaml.en.rst
b/doc/admin-guide/files/records.yaml.en.rst
index 81c02e4fb4..93da31b31d 100644
--- a/doc/admin-guide/files/records.yaml.en.rst
+++ b/doc/admin-guide/files/records.yaml.en.rst
@@ -3992,6 +3992,12 @@ Client-Related Configuration
The filename of SSL client certificate installed on |TS|.
+.. ts:cv:: CONFIG proxy.config.ssl.client.cert.exit_on_load_fail INT 0
+
+ By default (``0``), |TS| will start even if problems occur when loading the
+ SSL client certificates. If true (``1``), SSL client certificate load
+ failures will prevent |TS| from starting.
+
.. ts:cv:: CONFIG proxy.config.ssl.client.cert.path STRING /config
:reloadable:
diff --git a/src/iocore/net/P_SSLConfig.h b/src/iocore/net/P_SSLConfig.h
index 7870bf9467..0fa6439979 100644
--- a/src/iocore/net/P_SSLConfig.h
+++ b/src/iocore/net/P_SSLConfig.h
@@ -96,6 +96,7 @@ struct SSLConfigParams : public ConfigInfo {
char *clientKeyPathOnly;
char *clientCACertFilename;
char *clientCACertPath;
+ int clientCertExitOnLoadError;
YamlSNIConfig::Policy verifyServerPolicy;
YamlSNIConfig::Property verifyServerProperties;
bool tls_server_connection;
diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc
index df1f2299e2..fc84ce517d 100644
--- a/src/iocore/net/SSLConfig.cc
+++ b/src/iocore/net/SSLConfig.cc
@@ -129,6 +129,7 @@ SSLConfigParams::reset()
ssl_session_cache_timeout= 0;
ssl_session_cache_auto_clear = 1;
configExitOnLoadError= 1;
+ clientCertExitOnLoadError= 0;
}
void
@@ -503,6 +504,7 @@ SSLConfigParams::initialize()
ssl_client_cert_path = nullptr;
REC_ReadConfigStringAlloc(ssl_client_cert_filename,
"proxy.config.ssl.client.cert.filename");
REC_ReadConfigStringAlloc(ssl_client_cert_path,
"proxy.config.ssl.client.cert.path");
+ REC_ReadConfigInteger(clientCertExitOnLoadError,
"proxy.config.ssl.client.cert.exit_on_load_fail");
set_paths_helper(ssl_client_cert_path, ssl_client_cert_filename,
, );
ats_free_null(ssl_client_cert_filename);
ats_free_null(ssl_client_cert_path);
@@ -543,7 +545,13 @@ SSLConfigParams::initialize()
// can cause HTTP layer to connect using SSL. But only if SSL
// initialization hasn't failed already.
client_ctx = this->getCTX(this->clientCertPath, this->clientKeyPath,
this->clientCACertFilename, this->clientCACertPath);
- if (!client_ctx) {
+ if (client_ctx) {
+return;
+ }
+ // Can't get SSL client context.
+ if (this->clientCertExitOnLoadError) {
+Fatal("Can't initialize the SSL client, HTTPS in remap rules will not
function");
+ } else {
SSLError("Can't initialize the SSL client, HTTPS in remap rules will not
function");
}
}
diff --git a/src/records/RecordsConfig.cc b/src/records/RecordsConfig.cc
index e8a7abc8ff..7aedc3fe00 100644
--- a/src/records/RecordsConfig.cc
+++ b/src/records/RecordsConfig.cc
@@ -1134,6 +1134,8 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.ssl.client.verify.server.properties",
RECD_STRING, "ALL", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
,
+ {RECT_CONFIG, "proxy.config.ssl.client.cert.exit_on_load_fail", RECD_INT,
"0", RECU_RESTART_TS, RR_NULL, RECC_NULL, "[0-1]", RECA_NULL}
+ ,
{RECT_CONFIG, "proxy.config.ssl.client.cert.filename", RECD_STRING, nullptr,
RECU_DYNAMIC, RR_NULL, RECC_STR, "^[^[:space:]]*$", RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.client.cert.path", RECD_STRING,
TS_BUILD_SYSCONFDIR, RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
diff --git a/tests/gold_tests/records/gold/full_records.yaml
b/t
(trafficserver) branch master updated: Support elevated access option when loading client certs. (#10957)
This is an automated email from the ASF dual-hosted git repository.
lzx404243 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 51d6cd762e Support elevated access option when loading client certs.
(#10957)
51d6cd762e is described below
commit 51d6cd762e92831bd39da7307c716ca65c3a0c76
Author: Zhengxi Li
AuthorDate: Wed Jan 3 11:19:16 2024 -0500
Support elevated access option when loading client certs. (#10957)
---
src/iocore/net/SSLConfig.cc | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc
index 00e00a4931..15dbcbfa81 100644
--- a/src/iocore/net/SSLConfig.cc
+++ b/src/iocore/net/SSLConfig.cc
@@ -918,6 +918,11 @@ SSLConfigParams::getCTX(const std::string _cert,
const std::string _f
Debug("ssl_client_ctx", "Load new cert for %s %s", top_level_key.c_str(),
ctx_key.c_str());
client_ctx = shared_SSL_CTX(SSLInitClientContext(this), SSLReleaseContext);
+// Upon configuration, elevate file access to be able to read root-only
+// certificates. The destructor will drop privilege.
+uint32_t elevate_setting = 0;
+REC_ReadConfigInteger(elevate_setting,
"proxy.config.ssl.cert.load_elevated");
+ElevateAccess elevate_access(elevate_setting ?
ElevateAccess::FILE_PRIVILEGE : 0);
// Set public and private keys
if (!client_cert.empty()) {
std::string secret_data;
(trafficserver) branch master updated: Reenable management control for ts logging (#10883)
This is an automated email from the ASF dual-hosted git repository. lzx404243 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 515b610d45 Reenable management control for ts logging (#10883) 515b610d45 is described below commit 515b610d458c8262fe486df0010a900093959fdd Author: Zhengxi Li AuthorDate: Fri Dec 1 11:25:43 2023 -0500 Reenable management control for ts logging (#10883) --- src/traffic_server/traffic_server.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/traffic_server/traffic_server.cc b/src/traffic_server/traffic_server.cc index 99c7fef3d8..0835228b7a 100644 --- a/src/traffic_server/traffic_server.cc +++ b/src/traffic_server/traffic_server.cc @@ -2172,7 +2172,7 @@ main(int /* argc ATS_UNUSED */, const char **argv) } // initialize logging (after event and net processor) -Log::init(Log::NO_REMOTE_MANAGEMENT); +Log::init(); (void)parsePluginConfig();
(trafficserver) branch master updated (3e52401991 -> faebf95ba3)
This is an automated email from the ASF dual-hosted git repository.
lzx404243 pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
from 3e52401991 Update to libswoc 1.5.8 (#10849)
add faebf95ba3 Move FetchSM out of tsapi to break cycle (#10852)
No new revisions were added by this update.
Summary of changes:
include/{api => proxy}/FetchSM.h | 0
.../proxy/PluginHttpConnect.h | 4 +-
src/api/CMakeLists.txt | 3 +-
src/api/InkAPI.cc | 34 ++--
src/iocore/cache/unit_tests/stub.cc| 2 +-
src/iocore/net/OCSPStapling.cc | 2 +-
src/iocore/net/libinknet_stub.cc | 2 +-
src/proxy/CMakeLists.txt | 2 +
src/{api => proxy}/FetchSM.cc | 45 ++--
src/proxy/PluginHttpConnect.cc | 61 ++
src/traffic_quic/traffic_quic.cc | 2 +-
11 files changed, 104 insertions(+), 53 deletions(-)
rename include/{api => proxy}/FetchSM.h (100%)
copy src/records/test_RecordsConfig.h => include/proxy/PluginHttpConnect.h
(89%)
rename src/{api => proxy}/FetchSM.cc (94%)
create mode 100644 src/proxy/PluginHttpConnect.cc
(trafficserver) branch master updated: Cleanup/Flatten out some headers inclusion (#10768)
This is an automated email from the ASF dual-hosted git repository.
lzx404243 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new e3de68848f Cleanup/Flatten out some headers inclusion (#10768)
e3de68848f is described below
commit e3de68848f3cdded4c843f11d6d06065ca2abeaf
Author: Zhengxi Li
AuthorDate: Mon Nov 27 17:54:50 2023 -0500
Cleanup/Flatten out some headers inclusion (#10768)
* optimize includes around EventSystem.h
* optimize includes
---
src/api/InkIOCoreAPI.cc | 4
src/iocore/cache/CacheEvacuateDocVC.cc | 13 -
src/iocore/eventsystem/ProxyAllocator.cc| 3 ++-
src/iocore/net/ProxyProtocol.cc | 5 ++---
src/iocore/net/SNIActionPerformer.cc| 4 +---
src/iocore/net/SSLCertLookup.cc | 10 +-
src/iocore/net/quic/QUICTypes.cc| 3 +--
src/iocore/net/unit_tests/unit_test_main.cc | 4 +---
src/proxy/ControlMatcher.cc | 10 +-
src/proxy/ParentSelection.cc| 3 +--
src/proxy/hdrs/HdrHeap.cc | 3 ++-
src/proxy/hdrs/unit_tests/test_mime.cc | 3 +--
src/proxy/http/HttpConfig.cc| 1 +
src/proxy/http/HttpTunnel.cc| 4 ++--
src/proxy/http2/test_HPACK.cc | 3 ++-
src/proxy/http3/test/main_qpack.cc | 1 -
src/proxy/private/SSLProxySession.cc| 4 ++--
src/records/unit_tests/unit_test_main_on_eventsystem.cc | 1 -
tools/benchmark/benchmark_ProxyAllocator.cc | 1 -
19 files changed, 24 insertions(+), 56 deletions(-)
diff --git a/src/api/InkIOCoreAPI.cc b/src/api/InkIOCoreAPI.cc
index 7d918b3511..47f1c0895c 100644
--- a/src/api/InkIOCoreAPI.cc
+++ b/src/api/InkIOCoreAPI.cc
@@ -30,10 +30,6 @@
#include "tscore/ink_platform.h"
#include "ts/ts.h"
#include "ts/InkAPIPrivateIOCore.h"
-#include "iocore/eventsystem/EventSystem.h"
-#include "iocore/net/Net.h"
-#include "iocore/cache/Cache.h"
-#include "iocore/hostdb/HostDB.h"
#include "../iocore/net/P_UnixUDPConnection.h"
// This assert is for internal API use only.
diff --git a/src/iocore/cache/CacheEvacuateDocVC.cc
b/src/iocore/cache/CacheEvacuateDocVC.cc
index dfc7b1e6c7..edba3379b9 100644
--- a/src/iocore/cache/CacheEvacuateDocVC.cc
+++ b/src/iocore/cache/CacheEvacuateDocVC.cc
@@ -22,21 +22,16 @@
*/
// make sure there are no incomplete types
-#include "P_Cache.h"
+
+// aio
+#include "../aio/P_AIO.h"
// inkcache
-#include "iocore/cache/CacheEvacuateDocVC.h"
#include "iocore/cache/CacheDefs.h"
-#include "P_CacheDir.h"
#include "P_CacheHttp.h"
#include "P_CacheInternal.h"
#include "P_CacheVol.h"
-
-// aio
-#include "iocore/aio/AIO.h"
-
-// inkevent
-#include "iocore/eventsystem/EThread.h"
+#include "iocore/cache/CacheEvacuateDocVC.h"
// tscore
#include "tscore/Diags.h"
diff --git a/src/iocore/eventsystem/ProxyAllocator.cc
b/src/iocore/eventsystem/ProxyAllocator.cc
index 0e6f92fcc1..5cc1c908fe 100644
--- a/src/iocore/eventsystem/ProxyAllocator.cc
+++ b/src/iocore/eventsystem/ProxyAllocator.cc
@@ -20,7 +20,8 @@
See the License for the specific language governing permissions and
limitations under the License.
*/
-#include "iocore/eventsystem/EventSystem.h"
+#include "iocore/eventsystem/ProxyAllocator.h"
+#include "tscore/ink_assert.h"
int thread_freelist_high_watermark = 512;
int thread_freelist_low_watermark = 32;
diff --git a/src/iocore/net/ProxyProtocol.cc b/src/iocore/net/ProxyProtocol.cc
index 7d63b44779..10a9fd97de 100644
--- a/src/iocore/net/ProxyProtocol.cc
+++ b/src/iocore/net/ProxyProtocol.cc
@@ -22,15 +22,14 @@
*/
#include "iocore/net/ProxyProtocol.h"
-
-#include "iocore/eventsystem/EventSystem.h"
-#include "iocore/net/NetVConnection.h"
+#include "tscore/Diags.h"
#include "tscpp/util/ts_bw.h"
#include "tscore/ink_assert.h"
#include "tscore/ink_string.h"
#include "tscore/ink_inet.h"
#include "swoc/TextView.h"
+#include "swoc/bwf_base.h"
namespace
{
diff --git a/src/iocore/net/SNIActionPerformer.cc
b/src/iocore/net/SNIActionPerformer.cc
index c3163a0cdd..f7adcfe898 100644
--- a/src/iocore/net/SNIActionPerformer.cc
+++ b/src/iocore/net/SNIActionPerformer.cc
@@ -23,12 +23,10 @@
#include "swoc/swoc_file.h"
#include "swoc/BufferWriter.h"
-#include "swoc/bwf_std.h&qu
(trafficserver) branch master updated: Remove unused header and source (#10771)
This is an automated email from the ASF dual-hosted git repository.
lzx404243 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 117fa03761 Remove unused header and source (#10771)
117fa03761 is described below
commit 117fa037610b9ee3fc3509ed919d6e506022cd91
Author: Zhengxi Li
AuthorDate: Thu Nov 16 19:51:54 2023 -0500
Remove unused header and source (#10771)
Removed unused EventName.[h|cc].
---
src/traffic_server/CMakeLists.txt | 2 +-
src/traffic_server/EventName.cc | 47 ---
src/traffic_server/EventName.h| 35 -
3 files changed, 1 insertion(+), 83 deletions(-)
diff --git a/src/traffic_server/CMakeLists.txt
b/src/traffic_server/CMakeLists.txt
index 32eddec049..32e5936f7b 100644
--- a/src/traffic_server/CMakeLists.txt
+++ b/src/traffic_server/CMakeLists.txt
@@ -15,7 +15,7 @@
#
###
-add_executable(traffic_server Crash.cc EventName.cc SocksProxy.cc
traffic_server.cc RpcAdminPubHandlers.cc)
+add_executable(traffic_server Crash.cc SocksProxy.cc traffic_server.cc
RpcAdminPubHandlers.cc)
target_link_libraries(
traffic_server
PRIVATE ts::tscore
diff --git a/src/traffic_server/EventName.cc b/src/traffic_server/EventName.cc
deleted file mode 100644
index 9f7626e9da..00
--- a/src/traffic_server/EventName.cc
+++ /dev/null
@@ -1,47 +0,0 @@
-/** @file
-
- A brief file description
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- */
-
-#include "tscore/ink_config.h"
-#include
-#include
-
-#include "../iocore/eventsystem/P_EventSystem.h"
-#include "iocore/cache/Cache.h"
-#include "iocore/net/Net.h"
-#include "iocore/hostdb/HostDB.h"
-#include "../iocore/hostdb/P_RefCountCache.h"
-
-/*-
- event_int_to_string
-
- This routine will translate an integer event number to a string
- identifier based on a brute-force search of a switch tag. If the event
- cannot be located in the switch table, the routine will construct and
- return a string of the integer identifier.
- -*/
-
-const char *
-event_int_to_string(int event, int blen, char *buffer)
-{
- return "UNKNOWN_EVENT";
-}
diff --git a/src/traffic_server/EventName.h b/src/traffic_server/EventName.h
deleted file mode 100644
index 9dd977f365..00
--- a/src/traffic_server/EventName.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/** @file
-
- A brief file description
-
- @section license License
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- */
-
-/
-
- EventName.h
-
- Description: Stringifying Events
- /
-
-#pragma once
-
-#include
-
-const char *event_int_to_string(int event, int blen = 0, char *buffer =
nullptr);
