This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 236b749b2b Allow origins to do TLS renegotiation (#10385)
236b749b2b is described below

commit 236b749b2b3cc746829ad534a7034ab7799d1b71
Author: Bryan Call <bc...@apache.org>
AuthorDate: Wed Sep 13 13:19:20 2023 -0700

    Allow origins to do TLS renegotiation (#10385)
---
 iocore/net/P_SSLNetVConnection.h | 14 ++++++++++----
 iocore/net/SSLClientUtils.cc     |  4 +++-
 iocore/net/SSLNetVConnection.cc  | 22 +++++++++++-----------
 3 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index 7eb2973eb5..048accbac8 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -89,7 +89,7 @@ typedef enum {
   SSL_HOOK_OP_LAST = SSL_HOOK_OP_TERMINATE ///< End marker value.
 } SslVConnOp;
 
-enum SSLHandshakeStatus { SSL_HANDSHAKE_ONGOING, SSL_HANDSHAKE_DONE, 
SSL_HANDSHAKE_ERROR };
+enum class SSLHandshakeStatus { SSL_HANDSHAKE_ONGOING, SSL_HANDSHAKE_DONE, 
SSL_HANDSHAKE_ERROR };
 
 //////////////////////////////////////////////////////////////////
 //
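Review bot: The new `enum class SSLHandshakeStatus` has no comment saying what the three states mean, and its enumerators keep the `SSL_HANDSHAKE_` prefix that the scoped name now makes redundant (`SSLHandshakeStatus::SSL_HANDSHAKE_DONE`). A one-line comment above the enum would help readers of the verify callback, e.g. `/// Handshake state of the VC: ONGOING until the TLS handshake finishes, DONE once it completes (or is bypassed for a blind tunnel), ERROR once a hook or failure has aborted it.` Dropping the prefix (`SSLHandshakeStatus::Done`) is a reasonable follow-up since it touches every use site in SSLNetVConnection.cc.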
@@ -124,14 +124,20 @@ public:
     return retval;
   }
 
+  SSLHandshakeStatus
+  getSSLHandshakeStatus() const
+  {
+    return sslHandshakeStatus;
+  }
+
   bool
   getSSLHandShakeComplete() const override
   {
-    return sslHandshakeStatus != SSL_HANDSHAKE_ONGOING;
+    return sslHandshakeStatus != SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;
   }
 
   virtual void
-  setSSLHandShakeComplete(enum SSLHandshakeStatus state)
+  setSSLHandShakeComplete(SSLHandshakeStatus state)
   {
     sslHandshakeStatus = state;
   }
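Review bot: `getSSLHandshakeStatus()` is added without a doc comment, and its spelling differs from the neighbouring `getSSLHandShakeComplete`/`setSSLHandShakeComplete` (Handshake vs HandShake), so a search for either form misses the other. Since `getSSLHandShakeComplete()` returns true for both DONE and ERROR, a comment such as `/// Current handshake state; unlike getSSLHandShakeComplete() this distinguishes SSL_HANDSHAKE_DONE from SSL_HANDSHAKE_ERROR.` would tell callers when to prefer the new accessor. The enclosing class begins and ends outside this hunk.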
@@ -423,7 +429,7 @@ private:
   NetProcessor *_getNetProcessor() override;
   void *_prepareForMigration() override;
 
-  enum SSLHandshakeStatus sslHandshakeStatus = SSL_HANDSHAKE_ONGOING;
+  enum SSLHandshakeStatus sslHandshakeStatus = 
SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;
   bool sslClientRenegotiationAbort           = false;
   bool first_ssl_connect                     = true;
   MIOBuffer *handShakeBuffer                 = nullptr;
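Review bot: With the type now a scoped enum, the elaborated `enum` keyword on the member declaration is redundant and inconsistent with the accessor signatures above; `SSLHandshakeStatus sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;` reads the same as the rest of the class.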
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index 54b63c8814..a1b141b16b 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
@@ -127,7 +127,9 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx)
   netvc->set_verify_cert(ctx);
   netvc->callHooks(TS_EVENT_SSL_VERIFY_SERVER);
   netvc->set_verify_cert(nullptr);
-  if (netvc->getSSLHandShakeComplete()) { // hook moved the handshake state to 
terminal
+
+  if (netvc->getSSLHandshakeStatus() == 
SSLHandshakeStatus::SSL_HANDSHAKE_ERROR) {
+    // Verify server hook failed and set the status to SSL_HANDSHAKE_ERROR
     unsigned char *sni_name;
     char buff[INET6_ADDRSTRLEN];
     if (netvc->options.sni_servername) {
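Review bot: The rejection branch now fires only on `SSL_HANDSHAKE_ERROR`, whereas the replaced `getSSLHandShakeComplete()` test also fired on `SSL_HANDSHAKE_DONE`; presumably that is what lets a renegotiation (state already DONE when the callback runs again) proceed, but it also means any hook path that signals refusal by moving the state to DONE rather than ERROR would now be accepted silently, which is worth confirming. The new comment should record that reasoning rather than restate the condition, e.g. `// Only SSL_HANDSHAKE_ERROR is a verification failure here: during a renegotiation the status is already SSL_HANDSHAKE_DONE when this callback runs, so the old getSSLHandShakeComplete() test rejected every renegotiation.` The body of `verify_callback`, including what this branch returns to OpenSSL, continues outside the hunk.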
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 4e4fcdab6e..7f0f74eaf0 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -623,7 +623,7 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread 
*lthread)
         // the client hello message back into the standard read.vio
         // so it will get forwarded onto the origin server
         if (!this->getSSLHandShakeComplete()) {
-          this->sslHandshakeStatus = SSL_HANDSHAKE_DONE;
+          this->sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;
 
           // Copy over all data already read in during the SSL_accept
           // (the client hello message)
@@ -1003,7 +1003,7 @@ SSLNetVConnection::clear()
   TLSTunnelSupport::_clear();
   TLSCertSwitchSupport::_clear();
 
-  sslHandshakeStatus          = SSL_HANDSHAKE_ONGOING;
+  sslHandshakeStatus          = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;
   sslLastWriteTime            = 0;
   sslTotalBytesSent           = 0;
   sslClientRenegotiationAbort = false;
@@ -1096,7 +1096,7 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
       if (cc && SSLCertContextOption::OPT_TUNNEL == cc->opt) {
         if (this->is_transparent) {
           this->attributes   = HttpProxyPort::TRANSPORT_BLIND_TUNNEL;
-          sslHandshakeStatus = SSL_HANDSHAKE_DONE;
+          sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;
           SSL_free(this->ssl);
           this->ssl = nullptr;
           return EVENT_DONE;
@@ -1285,7 +1285,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
     // over the buffered handshake packets to the O.S.
     return EVENT_DONE;
   } else if (SSL_HOOK_OP_TERMINATE == hookOpRequested) {
-    sslHandshakeStatus = SSL_HANDSHAKE_DONE;
+    sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;
     return EVENT_DONE;
   }
 
@@ -1365,7 +1365,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
     if (getTransparentPassThrough() && buf && *buf != SSL_OP_HANDSHAKE) {
       SSLVCDebug(this, "Data does not look like SSL handshake, starting blind 
tunnel");
       this->attributes   = HttpProxyPort::TRANSPORT_BLIND_TUNNEL;
-      sslHandshakeStatus = SSL_HANDSHAKE_ONGOING;
+      sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;
       return EVENT_CONT;
     }
   }
@@ -1387,7 +1387,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
       }
     }
 
-    sslHandshakeStatus = SSL_HANDSHAKE_DONE;
+    sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;
 
     if (this->get_tls_handshake_begin_time()) {
       this->_record_tls_handshake_end_time();
@@ -1463,7 +1463,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
 #if defined(SSL_ERROR_WANT_SNI_RESOLVE) || defined(SSL_ERROR_WANT_X509_LOOKUP)
     if (this->attributes == HttpProxyPort::TRANSPORT_BLIND_TUNNEL || 
SSL_HOOK_OP_TUNNEL == hookOpRequested) {
       this->attributes   = HttpProxyPort::TRANSPORT_BLIND_TUNNEL;
-      sslHandshakeStatus = SSL_HANDSHAKE_ONGOING;
+      sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;
       return EVENT_CONT;
     } else {
       //  Stopping for some other reason, perhaps loading certificate
@@ -1595,7 +1595,7 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err)
 
     SSL_INCREMENT_DYN_STAT(ssl_total_success_handshake_count_out_stat);
 
-    sslHandshakeStatus = SSL_HANDSHAKE_DONE;
+    sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;
     return EVENT_DONE;
 
   case SSL_ERROR_WANT_WRITE:
@@ -1662,7 +1662,7 @@ SSLNetVConnection::reenable(NetHandler *nh, int event)
 
   // Mark as error to stop the Handshake
   if (event == TS_EVENT_ERROR) {
-    sslHandshakeStatus = SSL_HANDSHAKE_ERROR;
+    sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ERROR;
   }
 
   switch (sslHandshakeHookState) {
@@ -1931,7 +1931,7 @@ SSLNetVConnection::populate(Connection &con, Continuation 
*c, void *arg)
   this->ssl = static_cast<SSL *>(arg);
   // Maybe bring over the stats?
 
-  sslHandshakeStatus = SSL_HANDSHAKE_DONE;
+  sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;
   this->_bindSSLObject();
   return EVENT_DONE;
 }
@@ -2058,7 +2058,7 @@ SSLNetVConnection::_lookupContextByName(const std::string 
&servername, SSLCertCo
 
   if (cc && ctx && SSLCertContextOption::OPT_TUNNEL == cc->opt && 
this->get_is_transparent()) {
     this->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL;
-    this->setSSLHandShakeComplete(SSL_HANDSHAKE_DONE);
+    this->setSSLHandShakeComplete(SSLHandshakeStatus::SSL_HANDSHAKE_DONE);
     return nullptr;
   } else {
     return ctx;
