Repository: trafficserver Updated Branches: refs/heads/master 49ff82732 -> 2b3dcf6eb
TS-3292: Make tr-pass work for SSL port. This closes #162
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/2b3dcf6e
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/2b3dcf6e
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/2b3dcf6e
Branch: refs/heads/master
Commit: 2b3dcf6eb4862e6293c91e0427e1e1a8cfe46116
Parents: 49ff827
Author: Lev Stipakov <lstipa...@gmail.com>
Authored: Wed Jan 14 12:56:00 2015 -0600
Committer: shinrich <shinr...@yahoo-inc.com>
Committed: Wed Jan 14 12:56:00 2015 -0600
----------------------------------------------------------------------
CHANGES | 3 +++
iocore/net/P_SSLNetVConnection.h | 14 ++++++++++++++
iocore/net/P_SSLNextProtocolAccept.h | 3 ++-
iocore/net/SSLNetVConnection.cc | 9 +++++++++
iocore/net/SSLNextProtocolAccept.cc | 8 ++++++--
proxy/http/HttpProxyServerMain.cc | 2 +-
6 files changed, 35 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2b3dcf6e/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index c988b38..001c687 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 5.3.0

+ *) [TS-3292] Make tr-pass work for SSL.
+ Author: Lev Stipakov <lstipa...@gmail.com>
+
 *) [TS-3291] Remove remnants from "dev" builds from configure.ac.

 *) [TS-3285] Fix premature freeing of MIOBuffer to prevent freelist corruption
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2b3dcf6e/iocore/net/P_SSLNetVConnection.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index 77a3034..dc4f081 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -52,6 +52,8 @@
 #define SSL_TLSEXT_ERR_NOACK 3
 #endif

+#define SSL_OP_HANDSHAKE 0x16
+
 // TS-2503: dynamic TLS record sizing
 // For smaller records, we should also reserve space for various TCP options
 // (timestamps, SACKs.. up to 40 bytes [1]), and account for TLS record overhead
@@ -136,6 +138,16 @@ public:
 sslClientRenegotiationAbort = state;
 };

+ bool getTransparentPassThrough() const
+ {
+ return transparentPassThrough;
+ };
+
+ void setTransparentPassThrough(bool val)
+ {
+ transparentPassThrough = val;
+ };
+
 // Copy up here so we overload but don't override
 using super::reenable;

@@ -182,6 +194,8 @@ private:
 IOBufferReader *handShakeHolder;
 IOBufferReader *handShakeReader;

+ bool transparentPassThrough;
+
 /// The current hook.
 /// @note For @C SSL_HOOKS_INVOKE, this is the hook to invoke.
 class APIHook* curHook;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2b3dcf6e/iocore/net/P_SSLNextProtocolAccept.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLNextProtocolAccept.h b/iocore/net/P_SSLNextProtocolAccept.h
index 2c53f20..800d881 100644
--- a/iocore/net/P_SSLNextProtocolAccept.h
+++ b/iocore/net/P_SSLNextProtocolAccept.h
@@ -34,7 +34,7 @@ class SSLNextProtocolAccept: public SessionAccept
 {
 public:
- SSLNextProtocolAccept(Continuation *);
+ SSLNextProtocolAccept(Continuation *, bool);
 ~SSLNextProtocolAccept();

 void accept(NetVConnection *, MIOBuffer *, IOBufferReader*);
@@ -58,6 +58,7 @@ private:
 MIOBuffer * buffer; // XXX do we really need this?
 Continuation * endpoint;
 SSLNextProtocolSet protoset;
+ bool transparent_passthrough;

 friend struct SSLNextProtocolTrampoline;
 };
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2b3dcf6e/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index ab79163..04a571e 100644
--- a/iocore/net/SSLNetVConnection.cc
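Review bot: The `bool transparentPassThrough;` member added in the `@@ -182,6 +194,8 @@` hunk is not initialized anywhere in this commit — no constructor or clear/free change is in the diff, and the only write is `netvc->setTransparentPassThrough(...)` in `SSLNextProtocolAccept::mainEvent` — so an SSLNetVConnection that reaches `sslServerHandShakeEvent` without going through that accept handler, or a recycled VC if the allocator hands instances back without resetting them, would test an indeterminate bool and could take the blind-tunnel path on a port where tr-pass is off. Initialize it to `false` wherever `handShakeReader` and the other members get their defaults (that code is outside this diff), and reset it on the clear path if one exists. Separately, `SSL_OP_HANDSHAKE` in the `@@ -52,6 +52,8 @@` hunk is the TLS record ContentType for handshake (22), not an OpenSSL option bit, so reusing the `SSL_OP_` prefix that OpenSSL uses for its `SSL_OP_NO_*` option flags is misleading; `#define SSL_HANDSHAKE_RECORD_TYPE 0x16 // TLS record ContentType 'handshake', RFC 5246 §6.2.1` says what it actually is.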
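Review bot: The new parameter in `SSLNextProtocolAccept(Continuation *, bool);` is an unnamed `bool`, so a reader of the header cannot tell what the second argument at the call site `new SSLNextProtocolAccept(probe, port.m_transparent_passthrough)` controls without opening the .cc; declare it as `SSLNextProtocolAccept(Continuation *, bool transparent_passthrough);`. The member added in the `@@ -58,6 +58,7 @@` hunk also deserves a line, e.g. `// copied into every accepted SSLNetVConnection; lets non-TLS bytes fall through to a blind tunnel`, since the name alone does not say that it changes how a failed handshake is handled.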
+++ b/iocore/net/SSLNetVConnection.cc
@@ -960,6 +960,15 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
 if (ssl_error != SSL_ERROR_NONE) {
 err = errno;
 SSLDebugVC(this,"SSL handshake error: %s (%d), errno=%d", SSLErrorName(ssl_error), ssl_error, err);
+
+ // start a blind tunnel if tr-pass is set and data does not look like ClientHello
+ char* buf = handShakeBuffer->buf();
+ if (getTransparentPassThrough() && buf && *buf != SSL_OP_HANDSHAKE) {
+ SSLDebugVC(this, "Data does not look like SSL handshake, starting blind tunnel");
+ this->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL;
+ sslHandShakeComplete = 0;
+ return EVENT_CONT;
+ }
 }

 switch (ssl_error) {
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2b3dcf6e/iocore/net/SSLNextProtocolAccept.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNextProtocolAccept.cc b/iocore/net/SSLNextProtocolAccept.cc
index 558a1b1..9dce31c 100644
--- a/iocore/net/SSLNextProtocolAccept.cc
+++ b/iocore/net/SSLNextProtocolAccept.cc
@@ -125,6 +125,9 @@ SSLNextProtocolAccept::mainEvent(int event, void * edata)
 switch (event) {
 case NET_EVENT_ACCEPT:
 ink_release_assert(netvc != NULL);
+
+ netvc->setTransparentPassThrough(transparent_passthrough);
+
 // Register our protocol set with the VC and kick off a zero-length read to
 // force the SSLNetVConnection to complete the SSL handshake. Don't tell
 // the endpoint that there is an accept to handle until the read completes
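Review bot: The guard `if (getTransparentPassThrough() && buf && *buf != SSL_OP_HANDSHAKE)` dereferences the start of `handShakeBuffer` without checking that any bytes were actually read into it — a non-null `buf()` only means the buffer was allocated — and the branch runs for every `ssl_error != SSL_ERROR_NONE`, which (if the `switch` below treats `SSL_ERROR_WANT_READ` as the normal incomplete-handshake retry, as I would expect) includes passes where the client has sent nothing yet, so `*buf` can be an unread byte and the tunnel decision becomes arbitrary. Require data before looking at it, e.g. `if (getTransparentPassThrough() && handShakeReader && handShakeReader->read_avail() > 0 && *buf != SSL_OP_HANDSHAKE)` (assuming `handShakeReader` is the reader over `handShakeBuffer` — confirm). The heuristic itself is one byte, which is fine for a TLS record header but does not recognise an SSLv2-format ClientHello (first byte has the high bit set), so a client sending one would be tunnelled instead of handshaken; a comment such as `// only a TLS record header counts as a handshake; SSLv2-compat ClientHello goes to the tunnel` records that trade-off. `sslServerHandShakeEvent` continues outside the hunk, including the `switch` that produces the return value when the tunnel is not taken.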
@@ -158,8 +161,9 @@ SSLNextProtocolAccept::unregisterEndpoint(
 return this->protoset.unregisterEndpoint(protocol, handler);
 }

-SSLNextProtocolAccept::SSLNextProtocolAccept(Continuation * ep)
- : SessionAccept(NULL), buffer(new_empty_MIOBuffer()), endpoint(ep)
+SSLNextProtocolAccept::SSLNextProtocolAccept(Continuation * ep, bool transparent_passthrough)
+ : SessionAccept(NULL), buffer(new_empty_MIOBuffer()), endpoint(ep),
+ transparent_passthrough(transparent_passthrough)
 {
 SET_HANDLER(&SSLNextProtocolAccept::mainEvent);
 }
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2b3dcf6e/proxy/http/HttpProxyServerMain.cc
----------------------------------------------------------------------
diff --git a/proxy/http/HttpProxyServerMain.cc b/proxy/http/HttpProxyServerMain.cc
index 6196496..313cec2 100644
--- a/proxy/http/HttpProxyServerMain.cc
+++ b/proxy/http/HttpProxyServerMain.cc
@@ -190,7 +190,7 @@ MakeHttpProxyAcceptor(HttpProxyAcceptor& acceptor, HttpProxyPort& port, unsigned
 }
 if (port.isSSL()) {
- SSLNextProtocolAccept *ssl = new SSLNextProtocolAccept(probe);
+ SSLNextProtocolAccept *ssl = new SSLNextProtocolAccept(probe, port.m_transparent_passthrough);
 // ALPN selects the first server-offered protocol,
 // so make sure that we offer the newest protocol first.
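Review bot: The constructor parameter `transparent_passthrough` shadows the member of the same name, so `transparent_passthrough(transparent_passthrough)` only works because a mem-initializer resolves the name before the parentheses as the member; it is well-defined, but it fires `-Wshadow` and is easy to break if someone later moves the initialization into the body, where the same line becomes a self-assignment. The constructor already uses a short parameter name for the endpoint (`ep`), so `bool tr_pass` with `transparent_passthrough(tr_pass)` keeps the file consistent and removes the shadowing.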