This is an automated email from the ASF dual-hosted git repository. bcall pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push: new 236b749b2b Allow origins to do TLS renegotiation (#10385) 236b749b2b is described below commit 236b749b2b3cc746829ad534a7034ab7799d1b71 Author: Bryan Call <bc...@apache.org> AuthorDate: Wed Sep 13 13:19:20 2023 -0700 Allow origins to do TLS renegotiation (#10385) --- iocore/net/P_SSLNetVConnection.h | 14 ++++++++++---- iocore/net/SSLClientUtils.cc | 4 +++- iocore/net/SSLNetVConnection.cc | 22 +++++++++++----------- 3 files changed, 24 insertions(+), 16 deletions(-) diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h index 7eb2973eb5..048accbac8 100644 --- a/iocore/net/P_SSLNetVConnection.h +++ b/iocore/net/P_SSLNetVConnection.h @@ -89,7 +89,7 @@ typedef enum { SSL_HOOK_OP_LAST = SSL_HOOK_OP_TERMINATE ///< End marker value. } SslVConnOp; -enum SSLHandshakeStatus { SSL_HANDSHAKE_ONGOING, SSL_HANDSHAKE_DONE, SSL_HANDSHAKE_ERROR }; +enum class SSLHandshakeStatus { SSL_HANDSHAKE_ONGOING, SSL_HANDSHAKE_DONE, SSL_HANDSHAKE_ERROR }; ////////////////////////////////////////////////////////////////// // @@ -124,14 +124,20 @@ public: return retval; } + SSLHandshakeStatus + getSSLHandshakeStatus() const + { + return sslHandshakeStatus; + } + bool getSSLHandShakeComplete() const override { - return sslHandshakeStatus != SSL_HANDSHAKE_ONGOING; + return sslHandshakeStatus != SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING; } virtual void - setSSLHandShakeComplete(enum SSLHandshakeStatus state) + setSSLHandShakeComplete(SSLHandshakeStatus state) { sslHandshakeStatus = state; } @@ -423,7 +429,7 @@ private: NetProcessor *_getNetProcessor() override; void *_prepareForMigration() override; - enum SSLHandshakeStatus sslHandshakeStatus = SSL_HANDSHAKE_ONGOING; + enum SSLHandshakeStatus sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING; bool sslClientRenegotiationAbort = false; bool first_ssl_connect = true; MIOBuffer *handShakeBuffer = nullptr; 
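Review bot: The new `getSSLHandshakeStatus()` accessor in the `@@ -124` hunk carries no comment, and its spelling ("Handshake") differs from the neighbouring `getSSLHandShakeComplete()` / `setSSLHandShakeComplete()` ("HandShake"), so the class now exposes two casings of the same word side by side. Either name it `getSSLHandShakeStatus()` to match the existing pair, or keep the new spelling and document why the raw state is exposed, e.g. `/// Raw handshake state; unlike getSSLHandShakeComplete(), lets a caller tell SSL_HANDSHAKE_DONE from SSL_HANDSHAKE_ERROR (used by the verify-server path in SSLClientUtils.cc).` If the codebase already uses `[[nodiscard]]`, it fits a pure getter like this one. The enclosing class continues outside the hunk.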
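Review bot: In the `@@ -423` hunk the member declaration keeps the `enum` elaborated-type-specifier even though `SSLHandshakeStatus` is now a scoped enum, which is redundant and reads inconsistently with the new `getSSLHandshakeStatus()` return type and the `setSSLHandShakeComplete(SSLHandshakeStatus state)` parameter in the same header, where the keyword was dropped. Writing `SSLHandshakeStatus sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;` keeps the three spellings aligned. This is cosmetic only; `enum E x;` remains valid for an `enum class` type, so nothing breaks either way.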
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc index 54b63c8814..a1b141b16b 100644 --- a/iocore/net/SSLClientUtils.cc +++ b/iocore/net/SSLClientUtils.cc @@ -127,7 +127,9 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx) netvc->set_verify_cert(ctx); netvc->callHooks(TS_EVENT_SSL_VERIFY_SERVER); netvc->set_verify_cert(nullptr); - if (netvc->getSSLHandShakeComplete()) { // hook moved the handshake state to terminal + + if (netvc->getSSLHandshakeStatus() == SSLHandshakeStatus::SSL_HANDSHAKE_ERROR) { + // Verify server hook failed and set the status to SSL_HANDSHAKE_ERROR unsigned char *sni_name; char buff[INET6_ADDRSTRLEN]; if (netvc->options.sni_servername) { diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 4e4fcdab6e..7f0f74eaf0 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -623,7 +623,7 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread) // the client hello message back into the standard read.vio // so it will get forwarded onto the origin server if (!this->getSSLHandShakeComplete()) { - this->sslHandshakeStatus = SSL_HANDSHAKE_DONE; + this->sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE; // Copy over all data already read in during the SSL_accept // (the client hello message) @@ -1003,7 +1003,7 @@ SSLNetVConnection::clear() TLSTunnelSupport::_clear(); TLSCertSwitchSupport::_clear(); - sslHandshakeStatus = SSL_HANDSHAKE_ONGOING; + sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING; sslLastWriteTime = 0; sslTotalBytesSent = 0; sslClientRenegotiationAbort = false; 
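Review bot: The narrowed test in `verify_callback` is the entire behavioural change of this commit, yet the replacement comment only restates the condition; it should explain why `SSL_HANDSHAKE_DONE` is no longer treated as a rejection, e.g. `// On an origin-initiated renegotiation the connection's status is already SSL_HANDSHAKE_DONE, so a terminal state alone is not a hook rejection; only an explicit SSL_HANDSHAKE_ERROR (reenable() sets it on TS_EVENT_ERROR) fails verification here.` — the renegotiation rationale is inferred from the commit title and the fact that the status is DONE once SSL_connect succeeds, so please confirm. Note the semantic shift for plugins: previously any terminal state after `callHooks(TS_EVENT_SSL_VERIFY_SERVER)` aborted, so a hook that moved the state to DONE rather than ERROR used to terminate here and will now let the origin certificate through. Nothing in this diff limits the newly permitted path to RFC 5746 secure renegotiation or adds an outbound toggle comparable to the inbound `sslClientRenegotiationAbort` flag visible in the header; if the client SSL_CTX is relying on OpenSSL's default refusal of unsafe legacy renegotiation, saying so in a comment would spare the next reader that check. `verify_callback` begins and ends outside the hunk.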
@@ -1096,7 +1096,7 @@ SSLNetVConnection::sslStartHandShake(int event, int &err) if (cc && SSLCertContextOption::OPT_TUNNEL == cc->opt) { if (this->is_transparent) { this->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL; - sslHandshakeStatus = SSL_HANDSHAKE_DONE; + sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE; SSL_free(this->ssl); this->ssl = nullptr; return EVENT_DONE; @@ -1285,7 +1285,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) // over the buffered handshake packets to the O.S. return EVENT_DONE; } else if (SSL_HOOK_OP_TERMINATE == hookOpRequested) { - sslHandshakeStatus = SSL_HANDSHAKE_DONE; + sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE; return EVENT_DONE; } @@ -1365,7 +1365,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) if (getTransparentPassThrough() && buf && *buf != SSL_OP_HANDSHAKE) { SSLVCDebug(this, "Data does not look like SSL handshake, starting blind tunnel"); this->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL; - sslHandshakeStatus = SSL_HANDSHAKE_ONGOING; + sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING; return EVENT_CONT; } } @@ -1387,7 +1387,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) } } - sslHandshakeStatus = SSL_HANDSHAKE_DONE; + sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE; if (this->get_tls_handshake_begin_time()) { this->_record_tls_handshake_end_time(); @@ -1463,7 +1463,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) #if defined(SSL_ERROR_WANT_SNI_RESOLVE) || defined(SSL_ERROR_WANT_X509_LOOKUP) if (this->attributes == HttpProxyPort::TRANSPORT_BLIND_TUNNEL || SSL_HOOK_OP_TUNNEL == hookOpRequested) { this->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL; - sslHandshakeStatus = SSL_HANDSHAKE_ONGOING; + sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING; return EVENT_CONT; } else { // Stopping for some other reason, perhaps loading certificate 
@@ -1595,7 +1595,7 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err) SSL_INCREMENT_DYN_STAT(ssl_total_success_handshake_count_out_stat); - sslHandshakeStatus = SSL_HANDSHAKE_DONE; + sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE; return EVENT_DONE; case SSL_ERROR_WANT_WRITE: @@ -1662,7 +1662,7 @@ SSLNetVConnection::reenable(NetHandler *nh, int event) // Mark as error to stop the Handshake if (event == TS_EVENT_ERROR) { - sslHandshakeStatus = SSL_HANDSHAKE_ERROR; + sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ERROR; } switch (sslHandshakeHookState) { @@ -1931,7 +1931,7 @@ SSLNetVConnection::populate(Connection &con, Continuation *c, void *arg) this->ssl = static_cast<SSL *>(arg); // Maybe bring over the stats? - sslHandshakeStatus = SSL_HANDSHAKE_DONE; + sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE; this->_bindSSLObject(); return EVENT_DONE; } @@ -2058,7 +2058,7 @@ SSLNetVConnection::_lookupContextByName(const std::string &servername, SSLCertCo if (cc && ctx && SSLCertContextOption::OPT_TUNNEL == cc->opt && this->get_is_transparent()) { this->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL; - this->setSSLHandShakeComplete(SSL_HANDSHAKE_DONE); + this->setSSLHandShakeComplete(SSLHandshakeStatus::SSL_HANDSHAKE_DONE); return nullptr; } else { return ctx;