Cleaning up TLS server verify options

doc/admin-guide/files/ssl_server_name.yaml.en.rst

@@ -43,34 +43,46 @@ wildcard entries. To apply an SNI based setting on all the servernames with a co
 the user needs to enter the fqdn in the configuration with a ``*.`` followed by the common domain name. (``*.yahoo.com`` for e.g.,).
 
 .. _override-verify-origin-server:
+.. _override-verify-server-policy:
+.. _override-verify-server-properties:
 
-======================= ==============================================================================
-Key                     Meaning
-======================= ==============================================================================
-fqdn                    Fully Qualified Domain Name. This item is used if the SNI value matches this.
+========================= ==============================================================================
+Key                       Meaning
+========================= ==============================================================================
+fqdn                      Fully Qualified Domain Name. This item is used if the SNI value matches this.
 
-verify_origin_server    One of the values :code:`NONE`, :code:`MODERATE`, or :code:`STRICT`.
+verify_server_policy      One of the values :code:`DISABLED`, :code:`PERMISSIVE`, or :code:`ENFORCED`.
 
-                        By default this is :ts:cv:`proxy.config.ssl.client.verify.server`.
+                          By default this is :ts:cv:`proxy.config.ssl.client.verify.server.policy`.
+                          This controls how Traffic Server evaluated the origin certificate.
 
-verify_client           One of the values :code:`NONE`, :code:`MODERATE`, or :code:`STRICT`.
+verify_server_properties  One of the values :code:`NONE`, :code:`SIGNATURE`, :code:`NAME`, and :code:`ALL`
 
-                        By default this is :ts:cv:`proxy.config.ssl.client.certification_level`.
+                          By default this is :ts:cv:`proxy.config.ssl.client.verify.server.properties`.
+                          This controls what Traffic Server checks when evaluating the origin certificate.
 
-client_cert             The client certificate to use for the outbound connection.
+verify_origin_server      Deprecated.  Use verify_server_policy and verify_server_properties instead.
+                          One of the values :code:`NONE`, :code:`MODERATE`, or :code:`STRICT`.
+                          By default this is :ts:cv:`proxy.config.ssl.client.verify.server`.
 
-                        If this is relative it is relative to the path in
-                        :ts:cv:`proxy.config.ssl.server.cert.path`. If not set
-                        :ts:cv:`proxy.config.ssl.client.cert.filename` is used.
+verify_client             One of the values :code:`NONE`, :code:`MODERATE`, or :code:`STRICT`.
 
-disable_h2              :code:`true` or :code:`false`.
+                          By default this is :ts:cv:`proxy.config.ssl.client.certification_level`.
 
-                        If :code:`false` then HTTP/2 is removed from
-                        the valid next protocol list. It is not an error to set this to :code:`false`
-                        for proxy ports on which HTTP/2 is not enabled.
+client_cert               The file containing the client certificate to use for the outbound connection.
 
-tunnel_route            Destination as an FQDN and port, separated by a colon ``:``.
-======================= ==============================================================================
+                          If this is relative it is relative to the path in
+                          :ts:cv:`proxy.config.ssl.server.cert.path`. If not set
+                          :ts:cv:`proxy.config.ssl.client.cert.filename` is used.
+
+disable_h2                :code:`true` or :code:`false`.
+
+                          If :code:`false` then HTTP/2 is removed from
+                          the valid next protocol list. It is not an error to set this to :code:`false`
+                          for proxy ports on which HTTP/2 is not enabled.
+
+tunnel_route              Destination as an FQDN and port, separated by a colon ``:``.
+========================= ==============================================================================
 
 Client verification, via ``verify_client``, correponds to setting
 :ts:cv:`proxy.config.ssl.client.certification_level` for this connection as noted below.
@@ -85,21 +97,38 @@ Client verification, via ``verify_client``, correponds to setting
    If the verification fails the failure is logged to :file:`diags.log` and the connection is
    denied.
 
-Upstream (server) verification, via ``verify_origin_server``, is similar to client verification
+Upstream (server) verification, via ``verify_server_policy`` and ``verify_server_properties``, is similar to client verification
 except there is always an upstream certificate. This is equivalent to setting
-:ts:cv:`proxy.config.ssl.client.verify.server` for this connection.
+:ts:cv:`proxy.config.ssl.client.verify.server.policy` and :ts:cv:`proxy.config.ssl.client.verify.server.properties` for this connection.
 
-:code:`NONE` - ``0``
+``verify_server_policy`` specifies how Traffic Server will enforce the server certificate verification.
+
+:code:`DISABLED` 
    Do not verify the upstream server certificate.
 
-:code:`MODERATE` - ``2``
+:code:`PERMISSIVE`
    Do verification of the upstream certificate but do not enforce. If the verification fails the
    failure is logged in :file:`diags.log` but the connection is allowed.
 
-:code:`STRICT` - ``1``
+:code:`ENFORCED` 
    Do verification of the upstream certificate. If verification fails, the failure is
    logged in :file:`diags.log` and the connection is denied.
 
+In addition ``verify_server_properties`` specifies what Traffic Server will check when performing the verification.
+
+:code:`NONE`
+  Do not check anything in the standard Traffic Server verification routine.  Rely entirely on the ``TS_SSL_VERIFY_SERVER_HOOK`` for evaluating the origin's certificate.
+
+:code:`SIGNATURE`
+  Check the signature of the origin certificate.
+
+:code:`NAME`
+  Verify that the SNI is in the origin certificate.
+
+:code:`ALL`
+  Verify both the signature and the SNI in the origin certificate.
+
+
 If ``tunnel_route`` is specified, none of the certificate verification will be done because the TLS
 negotiation will be tunneled to the upstream target, making those values irrelevant for that
 configuration item. This option is explained in more detail in :ref:`sni-routing`.
@@ -129,7 +158,7 @@ client certificate.
 .. code-block:: yaml
 
    - fqdn: trusted.example.com
-     verify_origin_server: NONE
+     verify_server_policy: DISABLED
      verify_client: STRICT
 
 See Also

doc/admin-guide/security/index.en.rst

@@ -220,10 +220,10 @@ and origin server connections, you must do the following:
         CONFIG proxy.config.ssl.client.private_key.filename STRING "client.pem"
 
 #. Enable or disable, per your security policy, server SSL certificate
-   verification using :ts:cv:`proxy.config.ssl.client.verify.server` in
+   verification using :ts:cv:`proxy.config.ssl.client.verify.server.policy` in
    :file:`records.config`. ::
 
-        CONFIG proxy.config.ssl.client.verify.server INT 1
+        CONFIG proxy.config.ssl.client.verify.server.policy STRING ENFORCED
 
 #. Add the collection of authorized Certificate Authorities to the Traffic
    Server configuration in :file:`records.config` using the settings

doc/developer-guide/api/functions/TSVConnReenable.en.rst

@@ -35,10 +35,9 @@ Reenable the SSL connection :arg:`svc`. If a plugin hook is called, ATS
 processing on that connnection will not resume until this is invoked for that
 connection.
 
-If the server is running OpenSSL 1.0.1 with the appropraite patch installed or
-it is running OpenSSL 1.0.2, the plugin writer can pause SSL handshake
-processing by not reenabling the connection. Without the OpenSSL patch or
-running an OpenSSL versions older than 1.0.2, the handshake processing in
+If the server is running OpenSSL 1.0.2, the plugin writer can pause SSL handshake
+processing at the certificate callback  by not reenabling the connection.
+Running an OpenSSL versions older than 1.0.2, the handshake processing in
 ``SSL_accept`` will not be stopped even if the SNI callback does not reenable
 the connection.
 
@@ -49,3 +48,4 @@ Traffic Server.
 
 This call does appropriate locking and scheduling, so it is safe to call from
 another thread.
+

doc/developer-guide/plugins/example-plugins/tls_bridge.en.rst

@@ -96,7 +96,7 @@ Configuration
 
 #. Configure the Ingress |TS| to verify the Peer server certificate::
 
-      CONFIG proxy.config.ssl.client.verify.server INT 1
+      CONFIG proxy.config.ssl.client.verify.server.policy STRING ENFORCED
 
 #. Configure Certificate Authority used by the Ingress |TS| to verify the Peer server certificate. If this
    is a directory all of the certificates in the directory are treated as Certificate Authorites. ::

iocore/net/I_NetVConnection.h

@@ -33,6 +33,7 @@
 #include "I_Socks.h"
 #include "ts/apidefs.h"
 #include <string_view>
+#include "YamlSNIConfig.h"
 
 #define CONNECT_SUCCESS 1
 #define CONNECT_FAILURE 0
@@ -188,7 +189,17 @@ struct NetVCOptions {
   ats_scoped_str clientCertificate;
   /// Reset all values to defaults.
 
-  uint8_t clientVerificationFlag = 0;
+  /**
+   * Set to DISABLED, PERFMISSIVE, or ENFORCED
+   * Controls how the server certificate verification is handled
+   */
+  YamlSNIConfig::Policy verifyServerPolicy = YamlSNIConfig::Policy::DISABLED;
+
+  /**
+   * Bit mask of which features of the server certificate should be checked
+   * Currently SIGNATURE and NAME
+   */
+  YamlSNIConfig::Property verifyServerProperties = YamlSNIConfig::Property::NONE;
   void reset();
 
   void set_sock_param(int _recv_bufsize, int _send_bufsize, unsigned long _opt_flags, unsigned long _packet_mark = 0,

iocore/net/P_SSLConfig.h

@@ -35,6 +35,7 @@
 #include "tscore/ink_inet.h"
 #include <openssl/rand.h>
 #include "P_SSLCertLookup.h"
+#include "YamlSNIConfig.h"
 
 struct SSLCertLookup;
 struct ssl_ticket_key_block;
@@ -82,7 +83,8 @@ struct SSLConfigParams : public ConfigInfo {
   char *clientKeyPath;
   char *clientCACertFilename;
   char *clientCACertPath;
-  int8_t clientVerify;
+  YamlSNIConfig::Policy verifyServerPolicy;
+  YamlSNIConfig::Property verifyServerProperties;
   int client_verify_depth;
   long ssl_ctx_options;
   long ssl_client_ctx_options;

iocore/net/P_SSLNetVConnection.h

@@ -77,6 +77,8 @@ typedef enum {
   SSL_HOOK_OP_LAST = SSL_HOOK_OP_TERMINATE ///< End marker value.
 } SslVConnOp;
 
+enum SSLHandshakeStatus { SSL_HANDSHAKE_ONGOING, SSL_HANDSHAKE_DONE, SSL_HANDSHAKE_ERROR };
+
 //////////////////////////////////////////////////////////////////
 //
 //  class NetVConnection
@@ -113,13 +115,13 @@ class SSLNetVConnection : public UnixNetVConnection
   bool
   getSSLHandShakeComplete() const override
   {
-    return sslHandShakeComplete;
+    return sslHandshakeStatus != SSL_HANDSHAKE_ONGOING;
   }
 
   virtual void
-  setSSLHandShakeComplete(bool state)
+  setSSLHandShakeComplete(enum SSLHandshakeStatus state)
   {
-    sslHandShakeComplete = state;
+    sslHandshakeStatus = state;
   }
 
   void
@@ -192,7 +194,7 @@ class SSLNetVConnection : public UnixNetVConnection
   using super::reenable;
 
   /// Reenable the VC after a pre-accept or SNI hook is called.
-  virtual void reenable(NetHandler *nh);
+  virtual void reenable(NetHandler *nh, int event = TS_EVENT_CONTINUE);
 
   /// Set the SSL context.
   /// @note This must be called after the SSL endpoint has been created.
@@ -280,6 +282,10 @@ class SSLNetVConnection : public UnixNetVConnection
       }
       break;
 
+    case HANDSHAKE_HOOKS_VERIFY_SERVER:
+      retval = (eventId == TS_EVENT_SSL_VERIFY_SERVER);
+      break;
+
     case HANDSHAKE_HOOKS_DONE:
       retval = true;
       break;
@@ -340,13 +346,13 @@ class SSLNetVConnection : public UnixNetVConnection
   std::string_view map_tls_protocol_to_tag(const char *proto_string) const;
   bool update_rbio(bool move_to_socket);
 
-  bool sslHandShakeComplete        = false;
-  bool sslClientRenegotiationAbort = false;
-  bool sslSessionCacheHit          = false;
-  MIOBuffer *handShakeBuffer       = nullptr;
-  IOBufferReader *handShakeHolder  = nullptr;
-  IOBufferReader *handShakeReader  = nullptr;
-  int handShakeBioStored           = 0;
+  enum SSLHandshakeStatus sslHandshakeStatus = SSL_HANDSHAKE_ONGOING;
+  bool sslClientRenegotiationAbort           = false;
+  bool sslSessionCacheHit                    = false;
+  MIOBuffer *handShakeBuffer                 = nullptr;
+  IOBufferReader *handShakeHolder            = nullptr;
+  IOBufferReader *handShakeReader            = nullptr;
+  int handShakeBioStored                     = 0;
 
   bool transparentPassThrough = false;
 
@@ -364,6 +370,7 @@ class SSLNetVConnection : public UnixNetVConnection
     HANDSHAKE_HOOKS_CLIENT_CERT_INVOKE,
     HANDSHAKE_HOOKS_OUTBOUND_PRE,
     HANDSHAKE_HOOKS_OUTBOUND_PRE_INVOKE,
+    HANDSHAKE_HOOKS_VERIFY_SERVER,
     HANDSHAKE_HOOKS_DONE
   } sslHandshakeHookState = HANDSHAKE_HOOKS_PRE;
 

iocore/net/P_SSLSNI.h

@@ -41,9 +41,10 @@
 
 // Properties for the next hop server
 struct NextHopProperty {
-  const char *name   = nullptr; // name of the server
-  int8_t verifyLevel = 0;       // whether to verify the next hop
-  SSL_CTX *ctx       = nullptr; // ctx generated off the certificate to present to this server
+  const char *name                               = nullptr;                         // name of the server
+  YamlSNIConfig::Policy verifyServerPolicy       = YamlSNIConfig::Policy::DISABLED; // whether to verify the next hop
+  YamlSNIConfig::Property verifyServerProperties = YamlSNIConfig::Property::NONE;   // what to verify on the next hop
+  SSL_CTX *ctx                                   = nullptr; // ctx generated off the certificate to present to this server
   NextHopProperty();
 };