This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.1.x by this push: new 5ca791a Add server_name option to proxy.config.ssl.client.sni_policy (#7533) 5ca791a is described below commit 5ca791a809de8140cb847f5fd2f951406523637c Author: Masaori Koshiba <masa...@apache.org> AuthorDate: Wed Feb 24 07:56:22 2021 +0900 Add server_name option to proxy.config.ssl.client.sni_policy (#7533) (cherry picked from commit 884f4a4e57378100847d7d5cfd56c688155321a6) --- doc/admin-guide/files/records.config.en.rst | 3 +++ proxy/http/HttpSM.cc | 2 ++ .../tls/tls_verify_override_base.test.py | 26 +++++++++++++++++++++- 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst index fcbec12..6f7529a 100644 --- a/doc/admin-guide/files/records.config.en.rst +++ b/doc/admin-guide/files/records.config.en.rst @@ -3662,6 +3662,9 @@ Client-Related Configuration ``host`` This is the default. The value of the ``Host`` field in the proxy request is used. + ``server_name`` + The SNI value of the inbound TLS connection is used. + ``remap`` The remapped upstream name is used. diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc index ec539af..ee1b09a 100644 --- a/proxy/http/HttpSM.cc +++ b/proxy/http/HttpSM.cc @@ -4876,6 +4876,8 @@ HttpSM::get_outbound_sni() const int len; char const *ptr = t_state.hdr_info.server_request.host_get(&len); zret.assign(ptr, len); + } else if (ua_txn && !strcmp(policy, "server_name"_tv)) { + zret.assign(ua_txn->get_netvc()->get_server_name(), ts::TextView::npos); } else if (policy.front() == '@') { // guaranteed non-empty from previous clause zret = policy.remove_prefix(1); } else { diff --git a/tests/gold_tests/tls/tls_verify_override_base.test.py b/tests/gold_tests/tls/tls_verify_override_base.test.py index 8650ad6..b5d06d4 100644 --- a/tests/gold_tests/tls/tls_verify_override_base.test.py +++ b/tests/gold_tests/tls/tls_verify_override_base.test.py 
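Review bot: The new `server_name` branch in `get_outbound_sni` hands `ua_txn->get_netvc()->get_server_name()` straight to `zret.assign(..., ts::TextView::npos)` with no null check on either pointer; `assign` with `npos` has to measure the string itself, so a null `get_netvc()` or a null server name (presumably what a plain-HTTP inbound session, or a TLS client that sent no SNI, yields — worth confirming) would dereference null in the proxy's request path. The sibling `host` clause just above passes an explicit length, so this is the only clause in the chain that trusts an unmeasured pointer. I would guard both and leave `zret` empty when there is no inbound SNI, and say in the `records.config` entry what happens in that case (for example `If the inbound connection is not TLS or carried no SNI, no outbound SNI is set by this policy`). `get_outbound_sni` starts before this hunk, so the surrounding clauses are only partly visible.
```cpp
  } else if (ua_txn && !strcmp(policy, "server_name"_tv)) {
    // Inbound SNI is absent on plain-HTTP sessions and on TLS clients that sent none.
    auto *vc        = ua_txn->get_netvc();
    char const *sni = vc ? vc->get_server_name() : nullptr;
    if (sni != nullptr) {
      zret.assign(sni, ts::TextView::npos);
    }
  // … unchanged: '@' literal clause and default clause …
```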
@@ -21,7 +21,7 @@ Test tls server certificate verification options. Exercise conf_remap ''' # Define default ATS -ts = Test.MakeATSProcess("ts", select_ports=True) +ts = Test.MakeATSProcess("ts", select_ports=True, enable_tls=True) server_foo = Test.MakeOriginServer("server_foo", ssl=True, options={"--key": "{0}/signed-foo.key".format(Test.RunDirectory), 
@@ -85,11 +85,17 @@ ts.Disk.remap_config.AddLine(
 'map /snipolicyfoohost https://foo.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so @pparam=proxy.config.ssl.client.sni_policy=host'.format(
 server_bar.Variables.SSL_Port))
 ts.Disk.remap_config.AddLine(
+ 'map /snipolicyfooservername https://foo.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so @pparam=proxy.config.ssl.client.sni_policy=server_name'.format(
+ server_bar.Variables.SSL_Port))
+ts.Disk.remap_config.AddLine(
 'map /snipolicybarremap https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so @pparam=proxy.config.ssl.client.sni_policy=remap'.format(
 server_bar.Variables.SSL_Port))
 ts.Disk.remap_config.AddLine(
 'map /snipolicybarhost https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so @pparam=proxy.config.ssl.client.sni_policy=host'.format(
 server_bar.Variables.SSL_Port))
+ts.Disk.remap_config.AddLine(
+ 'map /snipolicybarservername https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so @pparam=proxy.config.ssl.client.sni_policy=server_name'.format(
+ server_bar.Variables.SSL_Port))
 ts.Disk.ssl_multicert_config.AddLine(
 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
@@ -194,6 +200,15 @@ tr.StillRunningAfter = ts
 tr.Processes.Default.Streams.stdout = Testers.ContainsExpression("Could not connect", "Curl attempt should fail")
 
 # Should fail
+tr = Test.AddTestRun("foo-to-bar-sni-policy-servername")
+tr.Processes.Default.Command = "curl -k --resolv foo.com:{0}:127.0.0.1 https://foo.com:{0}/snipolicybarservername".format(
+ ts.Variables.ssl_port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.Streams.stdout = Testers.ContainsExpression("Could not connect", "Curl attempt should fail")
+
+# Should fail
 tr = Test.AddTestRun("bar-to-foo-sni-policy-remap")
 tr.Processes.Default.Command = "curl -k -H \"host: bar.com\" http://127.0.0.1:{0}/snipolicyfooremap".format(ts.Variables.port)
 tr.ReturnCode = 0
@@ -209,6 +224,15 @@ tr.StillRunningAfter = server
 tr.StillRunningAfter = ts
 tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could not connect", "Curl attempt should succeed")
 
+# Should succeed
+tr = Test.AddTestRun("bar-to-foo-sni-policy-servername")
+tr.Processes.Default.Command = "curl -k --resolv bar.com:{0}:127.0.0.1 https://bar.com:{0}/snipolicyfooservername".format(
+ ts.Variables.ssl_port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could not connect", "Curl attempt should succeed")
+
 # Over riding the built in ERROR check since we expect some cases to fail
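Review bot: The added `foo-to-bar-sni-policy-servername` run only exercises the case where the inbound connection is TLS and curl sends an SNI (`--resolv foo.com:...` plus an `https://foo.com` URL), so the `server_name` policy's behaviour when there is no inbound SNI — a client connecting by IP literal, which curl does without SNI — is never pinned. That is the path most likely to surface a null server name in the new C++ branch, and `tr.StillRunningAfter = ts` is exactly the check that would catch a crash there. The expected curl outcome depends on the fallback the proxy implements, which is not visible here, so I would at least assert that ATS survives the request; if a remap for the no-SNI case needs a different expected string, add the `ContainsExpression` / `ExcludesExpression` once that is settled. The second hunk on this line continues past the end of the excerpt.
```python
# No inbound SNI: connecting by IP literal makes curl send none. Pins that
# the server_name policy degrades gracefully instead of taking ATS down.
tr = Test.AddTestRun("no-sni-to-foo-sni-policy-servername")
tr.Processes.Default.Command = "curl -k https://127.0.0.1:{0}/snipolicyfooservername".format(
    ts.Variables.ssl_port)
tr.ReturnCode = 0
tr.StillRunningAfter = server
tr.StillRunningAfter = ts
```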