[GitHub] trafficserver pull request #1446: Need dedicated TS_SSL_SERVERNAME_HOOK
Github user shinrich commented on a diff in the pull request: https://github.com/apache/trafficserver/pull/1446#discussion_r104750433 --- Diff: iocore/net/SSLNetVConnection.cc --- @@ -1438,17 +1438,22 @@ bool SSLNetVConnection::callHooks(TSEvent eventId) { // Only dealing with the SNI/CERT hook so far. - ink_assert(eventId == TS_EVENT_SSL_CERT); + ink_assert(eventId == TS_EVENT_SSL_CERT || eventId == TS_EVENT_SSL_SERVERNAME); Debug("ssl", "callHooks sslHandshakeHookState=%d", this->sslHandshakeHookState); // First time through, set the type of the hook that is currently being invoked - if (HANDSHAKE_HOOKS_PRE == sslHandshakeHookState) { + if ((this->sslHandshakeHookState == HANDSHAKE_HOOKS_PRE || this->sslHandshakeHookState == HANDSHAKE_HOOKS_DONE) && --- End diff -- For SSL_CTX_set_early_cb, perhaps as we move to openssl1.1 we should make that change. For the sslHandshakeHookState == DONE, probably not needed since we reset the hook state to PRE at the end of the servername chain. There is a flaw with this PR, and I am in the process of putting up another one. I'll probably leave the DONE check for now. I'm in the process of writing a test suite for this logic since it has bitten me multiple times. I'll do the tidy up once the test suite is there to check me. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] trafficserver pull request #1446: Need dedicated TS_SSL_SERVERNAME_HOOK
Github user oknet commented on a diff in the pull request: https://github.com/apache/trafficserver/pull/1446#discussion_r104651844 --- Diff: iocore/net/SSLNetVConnection.cc --- @@ -1438,17 +1438,22 @@ bool SSLNetVConnection::callHooks(TSEvent eventId) { // Only dealing with the SNI/CERT hook so far. - ink_assert(eventId == TS_EVENT_SSL_CERT); + ink_assert(eventId == TS_EVENT_SSL_CERT || eventId == TS_EVENT_SSL_SERVERNAME); Debug("ssl", "callHooks sslHandshakeHookState=%d", this->sslHandshakeHookState); // First time through, set the type of the hook that is currently being invoked - if (HANDSHAKE_HOOKS_PRE == sslHandshakeHookState) { + if ((this->sslHandshakeHookState == HANDSHAKE_HOOKS_PRE || this->sslHandshakeHookState == HANDSHAKE_HOOKS_DONE) && --- End diff -- @shinrich Why you add "this->sslHandshakeHookState == HANDSHAKE_HOOKS_DONE" here ? --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] trafficserver pull request #1446: Need dedicated TS_SSL_SERVERNAME_HOOK
Github user shinrich closed the pull request at: https://github.com/apache/trafficserver/pull/1446 --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] trafficserver pull request #1446: Need dedicated TS_SSL_SERVERNAME_HOOK
GitHub user shinrich opened a pull request: https://github.com/apache/trafficserver/pull/1446 Need dedicated TS_SSL_SERVERNAME_HOOK If you have a plugin that needs to trigger on every TLS client hello, this won't work the TS_SSL_SNI_HOOK with openssl-1.0.2. In that version TS_SSL_SNI_HOOK is shared with the TS_SSL_CERT_HOOK which does not trigger on session reuse. I propose adding a dedicated TS_SSL_SERVERNAME_HOOK and deprecate the TS_SSL_SNI_HOOK to drop on the next major release You can merge this pull request into a Git repository by running: $ git pull https://github.com/shinrich/trafficserver ts_ssl_servername_hook Alternatively you can review and apply these changes as the patch at: https://github.com/apache/trafficserver/pull/1446.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #1446 commit 2507909055ca96ff09458c8ffac73d912b262c06 Author: Susan HinrichsDate: 2017-02-11T00:35:01Z Need dedicated TS_SSL_SERVERNAME_HOOK If you have a plugin that needs to trigger on every TLS client hello, this won't work the TS_SSL_SNI_HOOK with openssl-1.0.2. In that version TS_SSL_SNI_HOOK is shared with the TS_SSL_CERT_HOOK which does not trigger on session reuse. I propose adding a dedicated TS_SSL_SERVERNAME_HOOK and deprecate the TS_SSL_SNI_HOOK to drop on the next major release --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---