From 6775a5c207e6eccb234dccbfe17f6cea88f704cd Mon Sep 17 00:00:00 2001
From: Bryan Call
Date: Thu, 7 Sep 2023 13:25:07 -0700
Subject: [PATCH 1/4] Allow origins to do TLS renegotiation
---
 iocore/net/SSLClientUtils.cc | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index 54b63c88142..c871916b0fa 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
@@ -127,19 +127,7 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx)
 netvc->set_verify_cert(ctx);
 netvc->callHooks(TS_EVENT_SSL_VERIFY_SERVER);
 netvc->set_verify_cert(nullptr);
- if (netvc->getSSLHandShakeComplete()) { // hook moved the handshake state to terminal
- unsigned char *sni_name;
- char buff[INET6_ADDRSTRLEN];
- if (netvc->options.sni_servername) {
- sni_name = reinterpret_cast(netvc->options.sni_servername.get());
- } else {
- sni_name = reinterpret_cast(buff);
- ats_ip_ntop(netvc->get_remote_addr(), buff, INET6_ADDRSTRLEN);
- }
- Warning("TS_EVENT_SSL_VERIFY_SERVER plugin failed the origin certificate check for %s. Action=%s SNI=%s",
- netvc->options.ssl_servername.get(), enforce_mode ? "Terminate" : "Continue", sni_name);
- return !enforce_mode;
- }
+
 // Made it this far. All is good
 return true;
 }
From 12a780bcc1e57f3c4ddab6a63c927bb5a6661db4 Mon Sep 17 00:00:00 2001
From: Bryan Call
Date: Thu, 7 Sep 2023 14:16:44 -0700
Subject: [PATCH 2/4] Revert "Allow origins to do TLS renegotiation"
This reverts commit 6775a5c207e6eccb234dccbfe17f6cea88f704cd.
---
 iocore/net/SSLClientUtils.cc | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index c871916b0fa..54b63c88142 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
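Review bot: Replacing the whole post-hook block with an unconditional `return true;` removes the only place where `enforce_mode` is consulted, so a TS_EVENT_SSL_VERIFY_SERVER hook that rejects the origin certificate no longer terminates the connection or emits the Warning, and the proxy keeps talking to an origin whose certificate the operator's plugin just refused. The renegotiation problem is in the trigger (`getSSLHandShakeComplete()` is already true for a completed session), not in the enforcement, so the fix should narrow the condition rather than delete the branch. Patch 2/4 reverts this hunk and patch 3/4 introduces that narrower check, which is the right direction. verify_callback begins before this hunk.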
@@ -127,7 +127,19 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx)
 netvc->set_verify_cert(ctx);
 netvc->callHooks(TS_EVENT_SSL_VERIFY_SERVER);
 netvc->set_verify_cert(nullptr);
-
+ if (netvc->getSSLHandShakeComplete()) { // hook moved the handshake state to terminal
+ unsigned char *sni_name;
+ char buff[INET6_ADDRSTRLEN];
+ if (netvc->options.sni_servername) {
+ sni_name = reinterpret_cast(netvc->options.sni_servername.get());
+ } else {
+ sni_name = reinterpret_cast(buff);
+ ats_ip_ntop(netvc->get_remote_addr(), buff, INET6_ADDRSTRLEN);
+ }
+ Warning("TS_EVENT_SSL_VERIFY_SERVER plugin failed the origin certificate check for %s. Action=%s SNI=%s",
+ netvc->options.ssl_servername.get(), enforce_mode ? "Terminate" : "Continue", sni_name);
+ return !enforce_mode;
+ }
 // Made it this far. All is good
 return true;
 }
From ede1f34e6260551726bc9e466c886278d305980c Mon Sep 17 00:00:00 2001
From: Bryan Call
Date: Thu, 7 Sep 2023 14:27:03 -0700
Subject: [PATCH 3/4] Updated to check for the correct SSLHandshakeStatus after calling the hook
---
 iocore/net/P_SSLNetVConnection.h | 6 ++++++
 iocore/net/SSLClientUtils.cc | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index 7eb2973eb5d..3d27b853340 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -124,6 +124,12 @@ class SSLNetVConnection : public UnixNetVConnection,
 return retval;
 }
+ int
+ getSSLHandshakeStatus() const
+ {
+ return sslHandshakeStatus;
+ }
+
 bool
 getSSLHandShakeComplete() const override
 {
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index 54b63c88142..a1b141b16b9 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
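Review bot: The new accessor `getSSLHandshakeStatus()` carries no comment, and its name differs from the neighbouring `getSSLHandShakeComplete()` only in the capitalisation of "Handshake", which makes the pair easy to confuse at call sites. A one-line doc comment above it, such as `/// Raw handshake state; unlike getSSLHandShakeComplete() this distinguishes SSL_HANDSHAKE_DONE from SSL_HANDSHAKE_ERROR.`, would state the difference callers care about. Returning `int` rather than `SSLHandshakeStatus` also discards the type that the caller in SSLClientUtils.cc compares against; the last patch of the series changes the return type. The class body continues on both sides of the hunk.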
@@ -127,7 +127,9 @@ verify_callback(int signature_ok, X509_STORE_CTX *ctx)
 netvc->set_verify_cert(ctx);
 netvc->callHooks(TS_EVENT_SSL_VERIFY_SERVER);
 netvc->set_verify_cert(nullptr);
- if (netvc->getSSLHandShakeComplete()) { // hook moved the handshake state to terminal
+
+ if (netvc->getSSLHandshakeStatus() == SSLHandshakeStatus::SSL_HANDSHAKE_ERROR) {
+ // Verify server hook failed and set the status to SSL_HANDSHAKE_ERROR
 unsigned char *sni_name;
 char buff[INET6_ADDRSTRLEN];
 if (netvc->options.sni_servername) {
From 0caa732512e1c8b752c30486bc845477dcc2af9d Mon Sep 17 00:00:00 2001
From: Bryan Call
Date: Thu, 7 Sep 2023 15:06:49 -0700
Subject: [PATCH 4/4] Updated SSLHandshakeStatus to be an enum class
---
 iocore/net/P_SSLNetVConnection.h | 10 +++++-----
 iocore/net/SSLNetVConnection.cc | 22 +++++++++++-----------
 2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index 3d27b853340..048accbac82 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -89,7 +89,7 @@ typedef enum {
 SSL_HOOK_OP_LAST = SSL_HOOK_OP_TERMINATE ///< End marker value.
 } SslVConnOp;
-enum SSLHandshakeStatus { SSL_HANDSHAKE_ONGOING, SSL_HANDSHAKE_DONE, SSL_HANDSHAKE_ERROR };
+enum class SSLHandshakeStatus { SSL_HANDSHAKE_ONGOING, SSL_HANDSHAKE_DONE, SSL_HANDSHAKE_ERROR };
 //////////////////////////////////////////////////////////////////
 //
@@ -124,7 +124,7 @@ class SSLNetVConnection : public UnixNetVConnection,
 return retval;
 }
- int
+ SSLHandshakeStatus
 getSSLHandshakeStatus() const
 {
 return sslHandshakeStatus;
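Review bot: The added comment says what the new condition tests but not why `getSSLHandShakeComplete()` was the wrong test, which is the whole point of the series; I would expand it to `// Do not test getSSLHandShakeComplete() here: on a renegotiation the status is already SSL_HANDSHAKE_DONE, so that check treated every renegotiated handshake as a hook failure. Only an explicit SSL_HANDSHAKE_ERROR (set in SSLNetVConnection::reenable() on TS_EVENT_ERROR) means the verify-server hook rejected the certificate.` The renegotiation explanation is inferred from the series title rather than from these lines, so confirm it before committing the wording. Separately, on the non-enforcing path (`return !enforce_mode`, below the hunk) the connection continues while `sslHandshakeStatus` is left at SSL_HANDSHAKE_ERROR; nothing shown here reads that value afterwards, but it is worth checking that no later caller treats the still-set error state as a failed handshake. The rest of verify_callback lies outside the hunk.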
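Review bot: With `SSLHandshakeStatus` now scoped, every enumerator still carries the `SSL_HANDSHAKE_` prefix, so each use reads `SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING` and repeats the qualifier; the usual convention for an `enum class` is unprefixed enumerators, e.g. `enum class SSLHandshakeStatus { ONGOING, DONE, FAILED };`. This is a style point that touches every call site in this patch, so it is fine to defer, but doing it in the same series avoids a second mechanical rename across SSLNetVConnection.cc.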
@@ -133,11 +133,11 @@ class SSLNetVConnection : public UnixNetVConnection,
 bool
 getSSLHandShakeComplete() const override
 {
- return sslHandshakeStatus != SSL_HANDSHAKE_ONGOING;
+ return sslHandshakeStatus != SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;
 }
 virtual void
- setSSLHandShakeComplete(enum SSLHandshakeStatus state)
+ setSSLHandShakeComplete(SSLHandshakeStatus state)
 {
 sslHandshakeStatus = state;
 }
@@ -429,7 +429,7 @@ class SSLNetVConnection : public UnixNetVConnection,
 NetProcessor *_getNetProcessor() override;
 void *_prepareForMigration() override;
- enum SSLHandshakeStatus sslHandshakeStatus = SSL_HANDSHAKE_ONGOING;
+ enum SSLHandshakeStatus sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;
 bool sslClientRenegotiationAbort = false;
 bool first_ssl_connect = true;
 MIOBuffer *handShakeBuffer = nullptr;
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index b43bd91a829..ddf72565b93 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -607,7 +607,7 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread)
 // the client hello message back into the standard read.vio
 // so it will get forwarded onto the origin server
 if (!this->getSSLHandShakeComplete()) {
- this->sslHandshakeStatus = SSL_HANDSHAKE_DONE;
+ this->sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;
 // Copy over all data already read in during the SSL_accept
 // (the client hello message)
@@ -986,7 +986,7 @@ SSLNetVConnection::clear()
 TLSTunnelSupport::_clear();
 TLSCertSwitchSupport::_clear();
- sslHandshakeStatus = SSL_HANDSHAKE_ONGOING;
+ sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;
 sslLastWriteTime = 0;
 sslTotalBytesSent = 0;
 sslClientRenegotiationAbort = false;
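Review bot: The member declaration in the @@ -429 hunk keeps the elaborated `enum` keyword, `enum SSLHandshakeStatus sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;`, while the `setSSLHandShakeComplete(SSLHandshakeStatus state)` change in the @@ -133 hunk of the same file drops it; for an `enum class` the keyword is redundant and the two declarations should match: `SSLHandshakeStatus sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;`. The class body continues outside the hunk.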
@@ -1079,7 +1079,7 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
 if (cc && SSLCertContextOption::OPT_TUNNEL == cc->opt) {
 if (this->is_transparent) {
 this->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL;
- sslHandshakeStatus = SSL_HANDSHAKE_DONE;
+ sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;
 SSL_free(this->ssl);
 this->ssl = nullptr;
 return EVENT_DONE;
@@ -1268,7 +1268,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
 // over the buffered handshake packets to the O.S.
 return EVENT_DONE;
 } else if (SSL_HOOK_OP_TERMINATE == hookOpRequested) {
- sslHandshakeStatus = SSL_HANDSHAKE_DONE;
+ sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;
 return EVENT_DONE;
 }
@@ -1348,7 +1348,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
 if (getTransparentPassThrough() && buf && *buf != SSL_OP_HANDSHAKE) {
 SSLVCDebug(this, "Data does not look like SSL handshake, starting blind tunnel");
 this->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL;
- sslHandshakeStatus = SSL_HANDSHAKE_ONGOING;
+ sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;
 return EVENT_CONT;
 }
 }
@@ -1370,7 +1370,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
 }
 }
- sslHandshakeStatus = SSL_HANDSHAKE_DONE;
+ sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;
 if (this->get_tls_handshake_begin_time()) {
 this->_record_tls_handshake_end_time();
@@ -1446,7 +1446,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
 #if defined(SSL_ERROR_WANT_SNI_RESOLVE) || defined(SSL_ERROR_WANT_X509_LOOKUP)
 if (this->attributes == HttpProxyPort::TRANSPORT_BLIND_TUNNEL || SSL_HOOK_OP_TUNNEL == hookOpRequested) {
 this->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL;
- sslHandshakeStatus = SSL_HANDSHAKE_ONGOING;
+ sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;
 return EVENT_CONT;
 } else {
 // Stopping for some other reason, perhaps loading certificate
@@ -1578,7 +1578,7 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err)
 SSL_INCREMENT_DYN_STAT(ssl_total_success_handshake_count_out_stat);
- sslHandshakeStatus = SSL_HANDSHAKE_DONE;
+ sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;
 return EVENT_DONE;
 case SSL_ERROR_WANT_WRITE:
@@ -1645,7 +1645,7 @@ SSLNetVConnection::reenable(NetHandler *nh, int event)
 // Mark as error to stop the Handshake
 if (event == TS_EVENT_ERROR) {
- sslHandshakeStatus = SSL_HANDSHAKE_ERROR;
+ sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ERROR;
 }
 switch (sslHandshakeHookState) {
@@ -1914,7 +1914,7 @@ SSLNetVConnection::populate(Connection &con, Continuation *c, void *arg)
 this->ssl = static_cast(arg);
 // Maybe bring over the stats?
- sslHandshakeStatus = SSL_HANDSHAKE_DONE;
+ sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;
 this->_bindSSLObject();
 return EVENT_DONE;
 }
@@ -2041,7 +2041,7 @@ SSLNetVConnection::_lookupContextByName(const std::string &servername, SSLCertCo
 if (cc && ctx && SSLCertContextOption::OPT_TUNNEL == cc->opt && this->get_is_transparent()) {
 this->attributes = HttpProxyPort::TRANSPORT_BLIND_TUNNEL;
- this->setSSLHandShakeComplete(SSL_HANDSHAKE_DONE);
+ this->setSSLHandShakeComplete(SSLHandshakeStatus::SSL_HANDSHAKE_DONE);
 return nullptr;
 } else {
 return ctx;