----- Original Message ----- > TS-1147: Remove defaultEnabled flag from > SSLNetProcessor::initSSLServerCTX() > > > Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo > Commit: > http://git-wip-us.apache.org/repos/asf/trafficserver/commit/47255d30 > Tree: > http://git-wip-us.apache.org/repos/asf/trafficserver/tree/47255d30 > Diff: > http://git-wip-us.apache.org/repos/asf/trafficserver/diff/47255d30 > > Branch: refs/heads/master > Commit: 47255d3000c32d75a24c98c6695f4011f6098c89 > Parents: e7d5784 > Author: James Peach <jpe...@apache.org> > Authored: Fri Mar 30 21:58:44 2012 -0700 > Committer: James Peach <jpe...@apache.org> > Committed: Fri Apr 6 21:19:54 2012 -0700 > > ---------------------------------------------------------------------- > iocore/net/P_SSLNetProcessor.h | 2 +- > iocore/net/SSLCertLookup.cc | 2 +- > iocore/net/SSLNetProcessor.cc | 86 > +++++++++++----------------------- > 3 files changed, 30 insertions(+), 60 deletions(-) > ---------------------------------------------------------------------- > > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/47255d30/iocore/net/P_SSLNetProcessor.h > ---------------------------------------------------------------------- > diff --git a/iocore/net/P_SSLNetProcessor.h > b/iocore/net/P_SSLNetProcessor.h > index fdfb2bc..6ce5ca2 100644 > --- a/iocore/net/P_SSLNetProcessor.h > +++ b/iocore/net/P_SSLNetProcessor.h > @@ -67,7 +67,7 @@ public: > int initSSLServerCTX(SSL_CTX * ctx, > const SslConfigParams * param, > const char *serverCertPtr, const char *serverCaPtr, > - const char *serverKeyPtr, bool defaultEnabled); > + const char *serverKeyPtr); > > SSL_CTX *getSSL_CTX(void) const {return ctx; } > SSL_CTX *getClientSSL_CTX(void) const { return client_ctx; } > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/47255d30/iocore/net/SSLCertLookup.cc > ---------------------------------------------------------------------- 
> diff --git a/iocore/net/SSLCertLookup.cc > b/iocore/net/SSLCertLookup.cc > index 2795b2b..fb50a1d 100644 > --- a/iocore/net/SSLCertLookup.cc > +++ b/iocore/net/SSLCertLookup.cc > @@ -284,7 +284,7 @@ SSLCertLookup::addInfoToHash( > // if (serverPrivateKey == NULL) > // serverPrivateKey = cert; > > - if (ssl_NetProcessor.initSSLServerCTX(ctx, this->param, cert, > caCert, serverPrivateKey, false) == 0) { > + if (ssl_NetProcessor.initSSLServerCTX(ctx, this->param, cert, > caCert, serverPrivateKey) == 0) { > char * certpath = > Layout::relative_to(this->param->getServerCertPathOnly(), > cert);
https://cwiki.apache.org/confluence/display/TS/Coding+Style > > // Index this certificate by the specified IP(v6) address; > > http://git-wip-us.apache.org/repos/asf/trafficserver/blob/47255d30/iocore/net/SSLNetProcessor.cc > ---------------------------------------------------------------------- > diff --git a/iocore/net/SSLNetProcessor.cc > b/iocore/net/SSLNetProcessor.cc > index eef1967..3e6a96d 100644 > --- a/iocore/net/SSLNetProcessor.cc > +++ b/iocore/net/SSLNetProcessor.cc > @@ -214,7 +214,7 @@ SSLNetProcessor::logSSLError(const char *errStr, > int critical) > int > SSLNetProcessor::initSSLServerCTX(SSL_CTX * lCtx, const > SslConfigParams * param, > const char *serverCertPtr, const char *serverCaCertPtr, > - const char *serverKeyPtr, bool defaultEnabled) > + const char *serverKeyPtr) > { > int session_id_context; > int server_verify_client; 
> @@ -237,75 +237,45 @@ SSLNetProcessor::initSSLServerCTX(SSL_CTX * > lCtx, const SslConfigParams * param, https://cwiki.apache.org/confluence/display/TS/Coding+Style > int verify_depth = param->verify_depth; > SSL_CTX_set_quiet_shutdown(lCtx, 1); > > - if (defaultEnabled) { > - if (SSL_CTX_use_certificate_file(lCtx, param->serverCertPath, > SSL_FILETYPE_PEM) <= 0) { > - Error ("SSL ERROR: Cannot use server certificate file: %s", > param->serverCertPath); > - return -2; > - } > - if (param->serverKeyPath != NULL) { > - if (SSL_CTX_use_PrivateKey_file(lCtx, param->serverKeyPath, > SSL_FILETYPE_PEM) <= 0) { > - Error("SSL ERROR: Cannot use server private key file: %s", > param->serverKeyPath); > - return -3; > - } > - } else // assume key is contained in the > cert file. > - { > - if (SSL_CTX_use_PrivateKey_file(lCtx, param->serverCertPath, > SSL_FILETYPE_PEM) <= 0) { > - Error("SSL ERROR: Cannot use server private key file: %s", > param->serverKeyPath); > - return -3; > - } > - } > + completeServerCertPath = Layout::relative_to > (param->getServerCertPathOnly(), serverCertPtr); > > - if (param->serverCertChainPath) { > - char *completeServerCaCertPath = Layout::relative_to > (param->getServerCACertPathOnly(), param->serverCertChainPath); > - if (SSL_CTX_add_extra_chain_cert_file(lCtx, > param->serverCertChainPath) <= 0) { > - Error ("SSL ERROR: Cannot use server certificate chain file: > %s", completeServerCaCertPath); > - ats_free(completeServerCaCertPath); > - return -2; > - } > + if (SSL_CTX_use_certificate_file(lCtx, completeServerCertPath, > SSL_FILETYPE_PEM) <= 0) { > + Error ("SSL ERROR: Cannot use server certificate file: %s", > completeServerCertPath); > + ats_free(completeServerCertPath); > + return -2; > + } > + if (serverCaCertPtr) { > + char *completeServerCaCertPath = Layout::relative_to > (param->getServerCACertPathOnly(), serverCaCertPtr); > + if (SSL_CTX_add_extra_chain_cert_file(lCtx, > completeServerCaCertPath) <= 0) { > + Error ("SSL ERROR: 
Cannot use server certificate chain file: > %s", completeServerCaCertPath); > ats_free(completeServerCaCertPath); > + return -2; > } > - } else { > - completeServerCertPath = Layout::relative_to > (param->getServerCertPathOnly(), serverCertPtr); > + ats_free(completeServerCaCertPath); > + } > > - if (SSL_CTX_use_certificate_file(lCtx, completeServerCertPath, > SSL_FILETYPE_PEM) <= 0) { > - Error ("SSL ERROR: Cannot use server certificate file: %s", > completeServerCertPath); > + if (serverKeyPtr == NULL) // assume private key is contained in > cert obtained from multicert file. > + { > + if (SSL_CTX_use_PrivateKey_file(lCtx, completeServerCertPath, > SSL_FILETYPE_PEM) <= 0) { > + Error("SSL ERROR: Cannot use server private key file: %s", > completeServerCertPath); > ats_free(completeServerCertPath); > - return -2; > - } > - if (serverCaCertPtr) { > - char *completeServerCaCertPath = Layout::relative_to > (param->getServerCACertPathOnly(), serverCaCertPtr); > - if (SSL_CTX_add_extra_chain_cert_file(lCtx, > completeServerCaCertPath) <= 0) { > - Error ("SSL ERROR: Cannot use server certificate chain file: > %s", completeServerCaCertPath); > - ats_free(completeServerCaCertPath); > - return -2; > - } > - ats_free(completeServerCaCertPath); > + return -3; > } > - > - if (serverKeyPtr == NULL) // assume private key is contained > in cert obtained from multicert file. 
> - { > - if (SSL_CTX_use_PrivateKey_file(lCtx, completeServerCertPath, > SSL_FILETYPE_PEM) <= 0) { > - Error("SSL ERROR: Cannot use server private key file: %s", > completeServerCertPath); > - ats_free(completeServerCertPath); > + } else { > + if (param->getServerKeyPathOnly() != NULL) { > + char *completeServerKeyPath = > Layout::get()->relative_to(param->getServerKeyPathOnly(), > serverKeyPtr); > + if (SSL_CTX_use_PrivateKey_file(lCtx, completeServerKeyPath, > SSL_FILETYPE_PEM) <= 0) { > + Error("SSL ERROR: Cannot use server private key file: %s", > completeServerKeyPath); > + ats_free(completeServerKeyPath); > return -3; > } > + ats_free(completeServerKeyPath); > } else { > - if (param->getServerKeyPathOnly() != NULL) { > - char *completeServerKeyPath = > Layout::get()->relative_to(param->getServerKeyPathOnly(), > serverKeyPtr); > - if (SSL_CTX_use_PrivateKey_file(lCtx, completeServerKeyPath, > SSL_FILETYPE_PEM) <= 0) { > - Error("SSL ERROR: Cannot use server private key file: %s", > completeServerKeyPath); > - ats_free(completeServerKeyPath); > - return -3; > - } > - ats_free(completeServerKeyPath); > - } else { > - logSSLError("Empty ssl private key path in > records.config."); > - } > - > + logSSLError("Empty ssl private key path in records.config."); > } > - ats_free(completeServerCertPath); > > } > + ats_free(completeServerCertPath); > > if (!SSL_CTX_check_private_key(lCtx)) { > logSSLError("Server private key does not match the certificate > public key"); > > -- Igor Galić Tel: +43 (0) 664 886 22 883 Mail: i.ga...@brainsware.org URL: http://brainsware.org/ GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
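Review bot: In the new `else` branch, when `param->getServerKeyPathOnly()` is NULL the code only calls `logSSLError("Empty ssl private key path in records.config.")` and falls through, so a context whose key file was explicitly named in the multicert entry proceeds to `SSL_CTX_check_private_key` with no private key loaded and only the misleading "does not match" message to explain it; this should fail hard like the other branches, `logSSLError("Empty ssl private key path in records.config."); ats_free(completeServerCertPath); return -3;`. Separately, the `return -2` after a failed `SSL_CTX_add_extra_chain_cert_file` and the `return -3` after a failed `SSL_CTX_use_PrivateKey_file` on `completeServerKeyPath` both skip the trailing `ats_free(completeServerCertPath)` that the success path reaches, leaking the path string on every such error; add `ats_free(completeServerCertPath);` before each of those returns, matching what the first two error returns already do. initSSLServerCTX's body continues past the end of this hunk, so whether a `SSL_CTX_check_private_key` failure itself returns an error is not visible here.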