[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...
Github user zwoop closed the pull request at: https://github.com/apache/trafficserver/pull/1488 --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...
Github user zwoop commented on a diff in the pull request: https://github.com/apache/trafficserver/pull/1488#discussion_r103039976 --- Diff: iocore/net/SSLUtils.cc --- @@ -2007,7 +2007,10 @@ SSLParseCertificateConfiguration(const SSLConfigParams *params, SSLCertLookup *l if (ssl_extract_certificate(_info, sslMultiCertSettings)) { // There must be a certificate specified unless the tunnel action is set if (sslMultiCertSettings.cert || sslMultiCertSettings.opt != SSLCertContext::OPT_TUNNEL) { -ssl_store_ssl_context(params, lookup, ); +if (ssl_store_ssl_context(params, lookup, ) == nullptr) { + Error("failed to load SSL server contexts"); + return false; +} } else { --- End diff -- I'd be fine adding additional actionable checks here if you like, I'm just not familiar with most of this code. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...
Github user zwoop commented on a diff in the pull request: https://github.com/apache/trafficserver/pull/1488#discussion_r103039820 --- Diff: iocore/net/SSLUtils.cc --- @@ -2007,7 +2007,10 @@ SSLParseCertificateConfiguration(const SSLConfigParams *params, SSLCertLookup *l if (ssl_extract_certificate(_info, sslMultiCertSettings)) { // There must be a certificate specified unless the tunnel action is set if (sslMultiCertSettings.cert || sslMultiCertSettings.opt != SSLCertContext::OPT_TUNNEL) { -ssl_store_ssl_context(params, lookup, ); +if (ssl_store_ssl_context(params, lookup, ) == nullptr) { + Error("failed to load SSL server contexts"); + return false; +} } else { --- End diff -- Yeh, it's not used, but the point is that we stop parsing the configuration at this point, which leaves lookup->is_valid == false (correctly). I believe in the old version, the status of the lookup is the status of the *last* certificate in the configuration. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...
Github user shinrich commented on a diff in the pull request: https://github.com/apache/trafficserver/pull/1488#discussion_r103023456 --- Diff: iocore/net/SSLUtils.cc --- @@ -2007,7 +2007,10 @@ SSLParseCertificateConfiguration(const SSLConfigParams *params, SSLCertLookup *l if (ssl_extract_certificate(_info, sslMultiCertSettings)) { // There must be a certificate specified unless the tunnel action is set if (sslMultiCertSettings.cert || sslMultiCertSettings.opt != SSLCertContext::OPT_TUNNEL) { -ssl_store_ssl_context(params, lookup, ); +if (ssl_store_ssl_context(params, lookup, ) == nullptr) { + Error("failed to load SSL server contexts"); + return false; +} } else { --- End diff -- I'm a bit confused why this fixes anything. I don't see any callers checking the return value. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...
GitHub user zwoop opened a pull request: https://github.com/apache/trafficserver/pull/1488 This allows old ssl_multicert.config to still function on reload The problem is that if a certificate fails to load, for whatever reason that might be, ATS still switches the configuration, leaving the server in a crippled state. This patch fixes this, to the normal behavior of ATS retaining the old configurations if the new fails to load. You can merge this pull request into a Git repository by running: $ git pull https://github.com/zwoop/trafficserver FixSSLLoadFailure Alternatively you can review and apply these changes as the patch at: https://github.com/apache/trafficserver/pull/1488.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #1488 commit 2f636d23c493039626fae51c7cd37047140bb657 Author: Leif HedstromDate: 2017-02-24T19:47:29Z This allows old ssl_multicert.config to still function on reload --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---