[jira] [Commented] (TS-2437) Add an API to expose SSL_CTX for applications

2014-02-24 Thread ASF subversion and git services (JIRA)

[ https://issues.apache.org/jira/browse/TS-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13910957#comment-13910957 ]

ASF subversion and git services commented on TS-2437:
-

Commit a5a93ac5ac45b2ba810c4b3e8ce311cd23bf8ff2 in trafficserver's branch 
refs/heads/master from [~sunwei]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=a5a93ac ]

TS-2437: add a lifecycle hook to expose loaded SSL certificates to plugins

Add two new lifecycle hooks, TS_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED_HOOK
and TS_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED_HOOK.

The reason for these hooks is that I have a use case to manipulate
(overwrite) the OpenSSL related callbacks in my plugin. I think it
is also useful for applications who have a need to change or retrieve
the SSL related attributes (callbacks, certs, configurations, etc).


 Add an API to expose SSL_CTX for applications
 -

 Key: TS-2437
 URL: https://issues.apache.org/jira/browse/TS-2437
 Project: Traffic Server
  Issue Type: Task
  Components: SSL, TS API
Reporter: Wei Sun
Assignee: James Peach
  Labels: Review
 Fix For: 5.0.0

 Attachments: TS-2437-2.diff, TS-2437-liefecycle-2.diff


 It'll be good to add an API to expose all the SSL_CTXs, so that plugins can 
 manipulate their specific ssl settings / call back, etc. 



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)


[jira] [Commented] (TS-2437) Add an API to expose SSL_CTX for applications

2014-02-24 Thread Wei Sun (JIRA)

[ https://issues.apache.org/jira/browse/TS-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13911322#comment-13911322 ]

Wei Sun commented on TS-2437:
-

Thanks for committing. I think the default ssl_ctx is necessary since a 
client presenting a ticket will go into the ticket_callback, which is prior to 
the SNI callback; at that time the default ssl_ctx is attached to the request. If 
the default ssl_ctx is not exposed to the application and it is not able to register 
a ticket_callback, ticket reuse will be skipped... A similar issue is in 
https://issues.apache.org/jira/browse/TS-2480?focusedCommentId=13874730&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13874730
 

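
The ordering described in the comment above (ticket callback first, SNI callback second), as an added toy model in C. It is not code from the thread or from Traffic Server; the types, function names and ticket string are hypothetical stand-ins, and a missing callback is modelled simply as "no reuse".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model; all names are hypothetical and the ticket string is constructed. */
typedef int (*ticket_cb_fn)(const char *ticket);
typedef struct { const char *name; ticket_cb_fn ticket_cb; } ctx_t;

/* The plugin's ticket callback: accepts only tickets made with its own key. */
static int plugin_ticket_cb(const char *ticket) {
    return strcmp(ticket, "ticket-under-plugin-key") == 0;
}

/* SNI step: switch to the certificate-specific context, else keep default. */
static ctx_t *sni_select(ctx_t *set, size_t n, const char *sni) {
    for (size_t i = 1; i < n; i++)
        if (strcmp(set[i].name, sni) == 0) return &set[i];
    return &set[0];
}

/* One handshake in the order the comment gives: the ticket is handled while
 * the default context set[0] is attached, and only then does SNI switch. */
static int handshake(ctx_t *set, size_t n, const char *sni, const char *ticket,
                     const ctx_t **final_ctx) {
    const ctx_t *attached = &set[0];
    int resumed = attached->ticket_cb ? attached->ticket_cb(ticket) : 0;
    *final_ctx = sni_select(set, n, sni);
    return resumed;
}

/* Registers the plugin callback on the per-certificate contexts, and on the
 * default context only when it was exposed; returns 1 if the ticket is reused. */
int resumes_with(int default_exposed) {
    ctx_t set[] = { {"default", NULL}, {"a.example", NULL}, {"b.example", NULL} };
    size_t n = sizeof set / sizeof set[0];
    const ctx_t *final_ctx;
    for (size_t i = default_exposed ? 0 : 1; i < n; i++)
        set[i].ticket_cb = plugin_ticket_cb;
    return handshake(set, n, "a.example", "ticket-under-plugin-key", &final_ctx);
}

int main(void) {
    printf("default ctx hidden:  resumed=%d\n", resumes_with(0));
    printf("default ctx exposed: resumed=%d\n", resumes_with(1));
    return 0;
}
```
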


[jira] [Commented] (TS-2437) Add an API to expose SSL_CTX for applications

2014-02-11 Thread Wei Sun (JIRA)

[ https://issues.apache.org/jira/browse/TS-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13897621#comment-13897621 ]

Wei Sun commented on TS-2437:
-

The lifecycle hook works for my use case - get the SSL_CTX pointers and 
overwrite the SSL callbacks. Do you have any concerns about the hooks?

 Add an API to expose SSL_CTX for applications
 -

 Key: TS-2437
 URL: https://issues.apache.org/jira/browse/TS-2437
 Project: Traffic Server
  Issue Type: Task
  Components: SSL, TS API
Reporter: Wei Sun
Assignee: James Peach
  Labels: Review
 Fix For: 5.0.0

 Attachments: TS-2437-2.diff, TS-2437-lifecycle.diff, TS-2437.diff


 It'll be good to add an API to expose all the SSL_CTXs, so that plugins can 
 manipulate their specific ssl settings / call back, etc. 





[jira] [Commented] (TS-2437) Add an API to expose SSL_CTX for applications

2014-02-10 Thread James Peach (JIRA)

[ https://issues.apache.org/jira/browse/TS-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13896728#comment-13896728 ]

James Peach commented on TS-2437:
-

Will review. Does the lifecycle hook get called early enough for your needs?



[jira] [Commented] (TS-2437) Add an API to expose SSL_CTX for applications

2014-01-15 Thread James Peach (JIRA)

[ https://issues.apache.org/jira/browse/TS-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13872309#comment-13872309 ]

James Peach commented on TS-2437:
-

There's a patch in TS-2058 which proposes a change to the startup ordering.

 Add an API to expose SSL_CTX for applications
 -

 Key: TS-2437
 URL: https://issues.apache.org/jira/browse/TS-2437
 Project: Traffic Server
  Issue Type: Task
  Components: SSL, TS API
Reporter: Wei Sun
Assignee: James Peach
 Fix For: 4.2.0

 Attachments: TS-2437-2.diff, TS-2437.diff


 It'll be good to add an API to expose all the SSL_CTXs, so that plugins can 
 manipulate their specific ssl settings / call back, etc. 





[jira] [Commented] (TS-2437) Add an API to expose SSL_CTX for applications

2014-01-14 Thread James Peach (JIRA)

[ https://issues.apache.org/jira/browse/TS-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13871652#comment-13871652 ]

James Peach commented on TS-2437:
-

I think that the right way to do this might be using the lifecycle hooks API. 
If you use an observer pattern, you can decouple the API from the code in 
iocore. The lifecycle hooks would also let you handle the case where 
certificates are reloaded, it's re-entrant and safe for multiple plugins, and 
does not require the additional copy of the {{SSL_CTX}} pointers. Take a look 
at {{TSLifecycleHookAdd}} and see what you think.





[jira] [Commented] (TS-2437) Add an API to expose SSL_CTX for applications

2014-01-14 Thread Wei Sun (JIRA)

[ https://issues.apache.org/jira/browse/TS-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13871778#comment-13871778 ]

Wei Sun commented on TS-2437:
-

Thanks for the reply. Per my understanding, the SSL contexts are initialized 
before loading plugins (TSPluginInit). It might not work if I invoke a 
lifecycle hook (e.g. TS_LIFECYCLE_SSL_CTX_INITIALIZED_HOOK) when creating the SSL 
ctx, since the TSLifecycleHookAdd is delayed in TSPluginInit. Then I still need 
to store the created ssl_ctx somewhere, and iterate over them at a later time. 
Please correct me if I misunderstand your comment.

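
The observer-style hook suggested in the 2014-01-14 comment by James Peach and the startup-ordering concern raised in the reply above, as an added toy model in C. It is not code from the thread or from Traffic Server: the registry, `hook_add` (playing the role of `TSLifecycleHookAdd`) and the context type are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model; every name here is hypothetical, not a Traffic Server symbol. */
#define MAX_HOOKS 8
typedef struct { const char *cert; } ctx_t;            /* stand-in for SSL_CTX */
typedef void (*ctx_hook_fn)(ctx_t *ctx, void *data);

static struct { ctx_hook_fn fn; void *data; } hooks[MAX_HOOKS];
static size_t nhooks;

/* Plays the role of TSLifecycleHookAdd: remember one observer. */
static int hook_add(ctx_hook_fn fn, void *data) {
    if (nhooks == MAX_HOOKS) return -1;
    hooks[nhooks].fn = fn;
    hooks[nhooks++].data = data;
    return 0;
}

/* Core side: (re)load the certificate set, announcing each context. */
static void load_contexts(ctx_t *set, size_t n) {
    for (size_t i = 0; i < n; i++)
        for (size_t h = 0; h < nhooks; h++)
            hooks[h].fn(&set[i], hooks[h].data);
}

/* Plugin side: count the contexts it is shown; it keeps no copy of them. */
static void plugin_on_ctx(ctx_t *ctx, void *data) { (void)ctx; ++*(int *)data; }
static void plugin_init(int *seen) { hook_add(plugin_on_ctx, seen); }

/* Returns contexts seen at startup; *after_reload is the total after a reload. */
int simulate(int plugins_first, int *after_reload) {
    ctx_t certs[] = { {"default"}, {"a.example"}, {"b.example"} };
    int seen = 0, at_startup;
    nhooks = 0;
    if (plugins_first) { plugin_init(&seen); load_contexts(certs, 3); }
    else               { load_contexts(certs, 3); plugin_init(&seen); }
    at_startup = seen;
    load_contexts(certs, 3);                            /* certificate reload */
    *after_reload = seen;
    return at_startup;
}

int main(void) {
    int r1, r2, s1 = simulate(0, &r1), s2 = simulate(1, &r2);
    printf("contexts first: startup=%d reload=%d\n", s1, r1);
    printf("plugins first:  startup=%d reload=%d\n", s2, r2);
    return 0;
}
```

With contexts created before plugins load, the observer sees nothing at startup and only catches up on a reload; with plugins loaded first it sees every context both times.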


[jira] [Commented] (TS-2437) Add an API to expose SSL_CTX for applications

2014-01-13 Thread James Peach (JIRA)

[ https://issues.apache.org/jira/browse/TS-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13870186#comment-13870186 ]

James Peach commented on TS-2437:
-

Changes to the public API need to go through the review process described here: 
https://cwiki.apache.org/confluence/display/TS/API+Review+Process

Comments on this proposal:

- I'm uncomfortable directly exposing OpenSSL data structures. Although the 
probability of using a different SSL implementation is quite low, it still 
seems like something we should try hard to avoid.

- This creates a dependency from iocore up to the HTTP proxy.

- The API itself has a fixed limit on the number of certificates, which won't 
work. There's no way to determine the number of registered certificates, so the 
only use case here is to iterate over them all and alter them one at a time.

- I think that an API of this nature should be better integrated into the 
existing Traffic Server API. For example, it would be useful to manipulate the 
SSL context at session creation time.

There are some more ideas for an SSL API in TS-1584 and TS-2210.

 Add an API to expose SSL_CTX for applications
 -

 Key: TS-2437
 URL: https://issues.apache.org/jira/browse/TS-2437
 Project: Traffic Server
  Issue Type: Task
  Components: SSL
Reporter: Wei Sun
Assignee: James Peach
 Fix For: 4.2.0

 Attachments: TS-2437.diff


 It'll be good to add an API to expose all the SSL_CTXs, so that plugins can 
 manipulate their specific ssl settings / call back, etc. 


