Add vconn reenable event#4427
Conversation
|
|
||
| An extended verion of TSVConnEnable that allows the plugin to return a status to | ||
| the core logic. If all goes well this is TS_EVENT_VCONN_CONTINUE. However, if | ||
| the plugin wants to stop the processing it can set the event to TS_EVENT_VCONN_CONTINUE. |
There was a problem hiding this comment.
Do you mean TS_EVENT_VCONN_ERROR?
| TS_EVENT_SSL_VERIFY_CLIENT = 60206 | ||
| TS_EVENT_SSL_VERIFY_CLIENT = 60206, | ||
| TS_EVENT_VCONN_CONTINUE = 60207, | ||
| TS_EVENT_VCONN_ERROR = 60208 |
There was a problem hiding this comment.
Why can't TS_EVENT_CONTINUE and TS_EVENT_ERROR (generic) be used? Or, why do we need an event at all, why not:
tsapi void TSVConnErrorTermination(TSVConn sslvcp);
instead of:
tsapi void TSVConnReenableEx(TSVConn sslvcp, TSEvent event);
There was a problem hiding this comment.
Hmmm. There is a already a TS_EVENT_ERROR/CONTINUE. I was following the pattern of TSHttpTxnReenable/TSHttpSsnReenable with TS_EVENT_HTTP_ERROR/CONTINUE.
We could use TS_EVENT_ERROR/CONTINUE instead of adding another pair of events.
I do like the Reenable pattern with a general event argument rather than having an explicit error reenable method. This gives you the option of inserting different events to impact processing in the future.
| if (netvc && netvc->options.verifyServerPolicy == YamlSNIConfig::Policy::DISABLED) { | ||
| return true; // Tell them that all is well | ||
| } else if (!netvc) { // No netvc, very bad. Go away. Things are not good. | ||
| return false; |
There was a problem hiding this comment.
We don't need an entry in diags.log, or even ink_assert in this case?
There was a problem hiding this comment.
Probably. This is in the other commit. Will update in the other PR.
| cert = X509_STORE_CTX_get_current_cert(ctx); | ||
| err = X509_STORE_CTX_get_error(ctx); | ||
|
|
||
| bool enforce_mode = (netvc && netvc->options.verifyServerPolicy == YamlSNIConfig::Policy::ENFORCED); |
There was a problem hiding this comment.
After line 59 no more checks of netvc being non-null are needed.
There was a problem hiding this comment.
True. Will fix in other PR
| Warning("%s is invalid for proxy.config.ssl.client.verify.server.policy. Should be one of DISABLED, PERMISSIVE, or ENFORCED", | ||
| verify_server); | ||
| verifyServerPolicy = YamlSNIConfig::Policy::DISABLED; | ||
| ; |
There was a problem hiding this comment.
Emoji? @SolidWallOfCode may get jealous wondering who you're winking at.
| verifyServerProperties = YamlSNIConfig::Property::ALL_MASK; | ||
| } else if (strcmp(verify_server, "NONE") == 0) { | ||
| verifyServerProperties = YamlSNIConfig::Property::NONE; | ||
| ; |
| if (!this->getSSLHandShakeComplete()) { | ||
| this->sslHandShakeComplete = true; | ||
| this->sslHandshakeStatus = SSL_HANDSHAKE_DONE; | ||
| ; |
| ats_free(verify_server); | ||
|
|
||
| REC_ReadConfigStringAlloc(verify_server, "proxy.config.ssl.client.verify.server.properties"); | ||
| if (strcmp(verify_server, "SIGNATURE") == 0) { |
There was a problem hiding this comment.
should these be strcasecmp()?
There was a problem hiding this comment.
No the keyword is upcase
| constexpr char TS_verify_origin_server[] = "verify_origin_server"; | ||
| constexpr char TS_client_cert[] = "client_cert"; | ||
| constexpr char TS_ip_allow[] = "ip_allow"; | ||
| constexpr char TS_fqdn[] = "fqdn"; |
There was a problem hiding this comment.
#define X(ID) constexpr char TS_##ID #ID;
X(fqdn)
There was a problem hiding this comment.
Ok, I see. A means to avoid double typing (and messing up) the same string.
There was a problem hiding this comment.
It's just a thought, I suppose some might find it overly tricky. To me, this sort of technique makes it more clear when there's a consistent pattern. Also helps avoid typos.
| constexpr char TS_verify_server_properties[] = "verify_server_properties"; | ||
| constexpr char TS_verify_origin_server[] = "verify_origin_server"; | ||
| constexpr char TS_client_cert[] = "client_cert"; | ||
| constexpr char TS_ip_allow[] = "ip_allow"; |
shinrich
force-pushed
the
add-vconn-reenable-event
branch
2 times, most recently
from
ec9c52c to
949e83a
Compare
|
Accidentally closed. |
shinrich
force-pushed
the
add-vconn-reenable-event
branch
from
949e83a to
25119ea
Compare
|
Updated the PR to rebase against the pre-cursor PR which has been merged in. |
shinrich
force-pushed
the
add-vconn-reenable-event
branch
from
25119ea to
64359be
Compare
|
updated to actually add the test files to the PR. |
3 participants
Depends on PR #4414. So this PR is only the second commit. Most of the changes are in the first commit (PR #4414).
Adds TSVConnReenableEx(), which is like TSVConnReenable() but it takes a TSEvent argument as the Txn and Ssn reenable functions do. With the event argument the plugin can indicate back to the core whether the plugin fails and the underlying VConn should error out.
This PR adds a test to exercise the TS_SSL_SERVER_VERIFY_HOOK with a plugin. The plugin fails some of the handshakes based on detecting a "bad" cert.
As an API change, I will send an API review email on the dev mailing list.