[GitHub] trafficserver pull request #1446: Need dedicated TS_SSL_SERVERNAME_HOOK

2017-03-07 Thread shinrich 
Github user shinrich commented on a diff in the pull request:

https://github.com/apache/trafficserver/pull/1446#discussion_r104750433
  
--- Diff: iocore/net/SSLNetVConnection.cc ---
@@ -1438,17 +1438,22 @@ bool
 SSLNetVConnection::callHooks(TSEvent eventId)
 {
   // Only dealing with the SNI/CERT hook so far.
-  ink_assert(eventId == TS_EVENT_SSL_CERT);
+  ink_assert(eventId == TS_EVENT_SSL_CERT || eventId == 
TS_EVENT_SSL_SERVERNAME);
   Debug("ssl", "callHooks sslHandshakeHookState=%d", 
this->sslHandshakeHookState);
 
   // First time through, set the type of the hook that is currently being 
invoked
-  if (HANDSHAKE_HOOKS_PRE == sslHandshakeHookState) {
+  if ((this->sslHandshakeHookState == HANDSHAKE_HOOKS_PRE || 
this->sslHandshakeHookState == HANDSHAKE_HOOKS_DONE) &&
--- End diff --

For SSL_CTX_set_early_cb, perhaps as we move to openssl1.1 we should make 
that change.  

For the sslHandshakeHookState == DONE, probably not needed since we reset 
the hook state to PRE at the end of the servername chain.  There is a flaw with 
this PR, and I am in the process of putting up another one.  I'll probably 
leave the DONE check for now.  I'm in the process of writing a test suite for 
this logic since it has bitten me multiple times.  I'll do the tidy up once the 
test suite is there to check me.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request #1446: Need dedicated TS_SSL_SERVERNAME_HOOK

2017-03-07 Thread oknet 
Github user oknet commented on a diff in the pull request:

https://github.com/apache/trafficserver/pull/1446#discussion_r104651844
  
--- Diff: iocore/net/SSLNetVConnection.cc ---
@@ -1438,17 +1438,22 @@ bool
 SSLNetVConnection::callHooks(TSEvent eventId)
 {
   // Only dealing with the SNI/CERT hook so far.
-  ink_assert(eventId == TS_EVENT_SSL_CERT);
+  ink_assert(eventId == TS_EVENT_SSL_CERT || eventId == 
TS_EVENT_SSL_SERVERNAME);
   Debug("ssl", "callHooks sslHandshakeHookState=%d", 
this->sslHandshakeHookState);
 
   // First time through, set the type of the hook that is currently being 
invoked
-  if (HANDSHAKE_HOOKS_PRE == sslHandshakeHookState) {
+  if ((this->sslHandshakeHookState == HANDSHAKE_HOOKS_PRE || 
this->sslHandshakeHookState == HANDSHAKE_HOOKS_DONE) &&
--- End diff --

@shinrich Why you add "this->sslHandshakeHookState == HANDSHAKE_HOOKS_DONE" 
here ?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request #1446: Need dedicated TS_SSL_SERVERNAME_HOOK

2017-03-01 Thread shinrich 
Github user shinrich closed the pull request at:

https://github.com/apache/trafficserver/pull/1446


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request #1446: Need dedicated TS_SSL_SERVERNAME_HOOK

2017-02-14 Thread shinrich 
GitHub user shinrich opened a pull request:

https://github.com/apache/trafficserver/pull/1446

Need dedicated TS_SSL_SERVERNAME_HOOK

If you have a plugin that needs to trigger on every TLS client hello, this 
won't
work the TS_SSL_SNI_HOOK with openssl-1.0.2.  In that version 
TS_SSL_SNI_HOOK
is shared with the TS_SSL_CERT_HOOK which does not trigger on session reuse.

I propose adding a dedicated TS_SSL_SERVERNAME_HOOK and deprecate the
TS_SSL_SNI_HOOK to drop on the next major release

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/shinrich/trafficserver ts_ssl_servername_hook

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/trafficserver/pull/1446.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1446


commit 2507909055ca96ff09458c8ffac73d912b262c06
Author: Susan Hinrichs 
Date:   2017-02-11T00:35:01Z

Need dedicated TS_SSL_SERVERNAME_HOOK

If you have a plugin that needs to trigger on every TLS client hello, this 
won't
work the TS_SSL_SNI_HOOK with openssl-1.0.2.  In that version 
TS_SSL_SNI_HOOK
is shared with the TS_SSL_CERT_HOOK which does not trigger on session reuse.

I propose adding a dedicated TS_SSL_SERVERNAME_HOOK and deprecate the
TS_SSL_SNI_HOOK to drop on the next major release




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---