[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...

2017-02-24 Thread zwoop 
Github user zwoop closed the pull request at:

https://github.com/apache/trafficserver/pull/1488


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...

2017-02-24 Thread zwoop 
Github user zwoop commented on a diff in the pull request:

https://github.com/apache/trafficserver/pull/1488#discussion_r103039976
  
--- Diff: iocore/net/SSLUtils.cc ---
@@ -2007,7 +2007,10 @@ SSLParseCertificateConfiguration(const 
SSLConfigParams *params, SSLCertLookup *l
 if (ssl_extract_certificate(_info, sslMultiCertSettings)) {
   // There must be a certificate specified unless the tunnel 
action is set
   if (sslMultiCertSettings.cert || sslMultiCertSettings.opt != 
SSLCertContext::OPT_TUNNEL) {
-ssl_store_ssl_context(params, lookup, );
+if (ssl_store_ssl_context(params, lookup, 
) == nullptr) {
+  Error("failed to load SSL server contexts");
+  return false;
+}
   } else {
--- End diff --

I'd be fine adding additional actionable checks here if you like, I'm just 
not familiar with most of this code.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...

2017-02-24 Thread zwoop 
Github user zwoop commented on a diff in the pull request:

https://github.com/apache/trafficserver/pull/1488#discussion_r103039820
  
--- Diff: iocore/net/SSLUtils.cc ---
@@ -2007,7 +2007,10 @@ SSLParseCertificateConfiguration(const 
SSLConfigParams *params, SSLCertLookup *l
 if (ssl_extract_certificate(_info, sslMultiCertSettings)) {
   // There must be a certificate specified unless the tunnel 
action is set
   if (sslMultiCertSettings.cert || sslMultiCertSettings.opt != 
SSLCertContext::OPT_TUNNEL) {
-ssl_store_ssl_context(params, lookup, );
+if (ssl_store_ssl_context(params, lookup, 
) == nullptr) {
+  Error("failed to load SSL server contexts");
+  return false;
+}
   } else {
--- End diff --

Yeh, it's not used, but the point is that we stop parsing the configuration 
at this point, which leaves lookup->is_valid == false (correctly). I believe in 
the old version, the status of the lookup is the status of the *last* 
certificate in the configuration.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...

2017-02-24 Thread shinrich 
Github user shinrich commented on a diff in the pull request:

https://github.com/apache/trafficserver/pull/1488#discussion_r103023456
  
--- Diff: iocore/net/SSLUtils.cc ---
@@ -2007,7 +2007,10 @@ SSLParseCertificateConfiguration(const 
SSLConfigParams *params, SSLCertLookup *l
 if (ssl_extract_certificate(_info, sslMultiCertSettings)) {
   // There must be a certificate specified unless the tunnel 
action is set
   if (sslMultiCertSettings.cert || sslMultiCertSettings.opt != 
SSLCertContext::OPT_TUNNEL) {
-ssl_store_ssl_context(params, lookup, );
+if (ssl_store_ssl_context(params, lookup, 
) == nullptr) {
+  Error("failed to load SSL server contexts");
+  return false;
+}
   } else {
--- End diff --

I'm a bit confused why this fixes anything.  I don't see any callers 
checking the return value.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...

2017-02-24 Thread zwoop 
GitHub user zwoop opened a pull request:

https://github.com/apache/trafficserver/pull/1488

This allows old ssl_multicert.config to still function on reload

The problem is that if a certificate fails to load, for whatever reason 
that might be, ATS still switches the configuration, leaving the server in a 
crippled state. This patch fixes this, to the normal behavior of ATS retaining 
the old configurations if the new fails to load.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/zwoop/trafficserver FixSSLLoadFailure

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/trafficserver/pull/1488.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1488


commit 2f636d23c493039626fae51c7cd37047140bb657
Author: Leif Hedstrom 
Date:   2017-02-24T19:47:29Z

This allows old ssl_multicert.config to still function on reload




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---