apache · shinrich · Dec 18, 2018 · Nov 29, 2018
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
@@ -3455,11 +3455,14 @@ Client-Related Configuration
 
 .. ts:cv:: CONFIG proxy.config.ssl.client.verify.server.policy STRING DISABLED
    :reloadable:
+   :overridable:
 
    Configures |TS| to verify the origin server certificate
    with the Certificate Authority (CA). This configuration takes a value of :code:`DISABLED`, :code:`PERMISSIVE`, or :code:`ENFORCED`
 
-   You can override this global setting on a per domain basis in the ssl_servername.yaml file using the :ref:`verify_server_policy attribute<override-verify-server-policy>`.
+   You can override this global setting on a per domain basis in the ssl_server_name.yaml file using the :ref:`verify_server_policy attribute<override-verify-server-policy>`.
+
+   You can also override via the conf_remap plugin. Those changes will take precedence over the changes in ssl_server_name.yaml.
 
 :code:`DISABLED`
    Server Certificate will not be verified
@@ -3470,11 +3473,14 @@ Client-Related Configuration
 
 .. ts:cv:: CONFIG proxy.config.ssl.client.verify.server.properties STRING ALL
    :reloadable:
+   :overridable:
 
    Configures |TS| for what the default verify callback should check during origin server verification.
 
    You can override this global setting on a per domain basis in the ssl_servername.yaml file using the :ref:`verify_server_properties attribute<override-verify-server-properties>`.
 
+   You can also override via the conf_remap plugin. Those changes will take precedence over the changes in ssl_server_name.yaml.
+
 :code:`NONE`
    Check nothing in the standard callback.  Rely entirely on plugins to check the certificate.
 :code:`SIGNATURE`

diff --git a/include/ts/apidefs.h.in b/include/ts/apidefs.h.in
@@ -782,6 +782,9 @@ typedef enum {
   TS_CONFIG_HTTP_ALLOW_HALF_OPEN,
   TS_CONFIG_HTTP_PER_SERVER_CONNECTION_MAX,
   TS_CONFIG_HTTP_PER_SERVER_CONNECTION_MATCH,
+  TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
+  TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY,
+  TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES,
   TS_CONFIG_LAST_ENTRY
 } TSOverridableConfigKey;
 

diff --git a/iocore/net/P_SSLSNI.h b/iocore/net/P_SSLSNI.h
@@ -42,9 +42,9 @@
 
 // Properties for the next hop server
 struct NextHopProperty {
-  std::string name;                                                                 // name of the server
-  YamlSNIConfig::Policy verifyServerPolicy       = YamlSNIConfig::Policy::DISABLED; // whether to verify the next hop
-  YamlSNIConfig::Property verifyServerProperties = YamlSNIConfig::Property::NONE;   // what to verify on the next hop
+  std::string name;                                                                // name of the server
+  YamlSNIConfig::Policy verifyServerPolicy       = YamlSNIConfig::Policy::UNSET;   // whether to verify the next hop
+  YamlSNIConfig::Property verifyServerProperties = YamlSNIConfig::Property::UNSET; // what to verify on the next hop
   SSL_CTX *ctx                                   = nullptr; // ctx generated off the certificate to present to this server
   NextHopProperty();
 };

diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
@@ -971,15 +971,27 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
       SSL_CTX *clientCTX = nullptr;
 
       if (nps) {
-        clientCTX                      = nps->ctx;
-        options.verifyServerPolicy     = nps->verifyServerPolicy;
-        options.verifyServerProperties = nps->verifyServerProperties;
+        clientCTX = nps->ctx;
+      } else { // Just stay with the values passed down from the SM for verify
+        clientCTX = params->client_ctx;
+      }
 
+      if (options.verifyServerPolicy != YamlSNIConfig::Policy::UNSET) {
+        // Stay with conf-override version as the highest priority
+      } else if (nps && nps->verifyServerPolicy != YamlSNIConfig::Policy::UNSET) {
+        options.verifyServerPolicy = nps->verifyServerPolicy;
+      } else {
+        options.verifyServerPolicy = params->verifyServerPolicy;
+      }
+
+      if (options.verifyServerProperties != YamlSNIConfig::Property::UNSET) {
+        // Stay with conf-override version as the highest priority
+      } else if (nps && nps->verifyServerProperties != YamlSNIConfig::Property::UNSET) {
+        options.verifyServerProperties = nps->verifyServerProperties;
       } else {
-        clientCTX                      = params->client_ctx;
-        options.verifyServerPolicy     = params->verifyServerPolicy;
         options.verifyServerProperties = params->verifyServerProperties;
       }
+
       if (!clientCTX) {
         SSLErrorVC(this, "failed to create SSL client session");
         return EVENT_ERROR;

diff --git a/iocore/net/YamlSNIConfig.h b/iocore/net/YamlSNIConfig.h
@@ -52,8 +52,8 @@ struct YamlSNIConfig {
     client_cert
   };
   enum class Level { NONE = 0, MODERATE, STRICT };
-  enum class Policy : uint8_t { DISABLED = 0, PERMISSIVE, ENFORCED };
-  enum class Property : uint8_t { NONE = 0, SIGNATURE_MASK = 0x1, NAME_MASK = 0x2, ALL_MASK = 0x3 };
+  enum class Policy : uint8_t { DISABLED = 0, PERMISSIVE, ENFORCED, UNSET };
+  enum class Property : uint8_t { NONE = 0, SIGNATURE_MASK = 0x1, NAME_MASK = 0x2, ALL_MASK = 0x3, UNSET };
 
   YamlSNIConfig() {}
 
@@ -63,8 +63,8 @@ struct YamlSNIConfig {
     uint8_t verify_client_level = 255;
     std::string tunnel_destination;
     bool tunnel_decrypt               = false;
-    Policy verify_server_policy       = Policy::DISABLED;
-    Property verify_server_properties = Property::NONE;
+    Policy verify_server_policy       = Policy::UNSET;
+    Property verify_server_properties = Property::UNSET;
     std::string client_cert;
     std::string client_key;
     std::string ip_allow;

diff --git a/plugins/lua/ts_lua_http_config.c b/plugins/lua/ts_lua_http_config.c
@@ -134,6 +134,9 @@ typedef enum {
   TS_LUA_CONFIG_HTTP_ALLOW_MULTI_RANGE                        = TS_CONFIG_HTTP_ALLOW_MULTI_RANGE,
   TS_LUA_CONFIG_HTTP_REQUEST_BUFFER_ENABLED                   = TS_CONFIG_HTTP_REQUEST_BUFFER_ENABLED,
   TS_LUA_CONFIG_HTTP_ALLOW_HALF_OPEN                          = TS_CONFIG_HTTP_ALLOW_HALF_OPEN,
+  TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER                      = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
+  TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY               = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY,
+  TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES           = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES,
   TS_LUA_CONFIG_LAST_ENTRY                                    = TS_CONFIG_LAST_ENTRY,
 } TSLuaOverridableConfigKey;
 
@@ -258,6 +261,9 @@ ts_lua_var_item ts_lua_http_config_vars[] = {
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_ALLOW_MULTI_RANGE),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_REQUEST_BUFFER_ENABLED),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_ALLOW_HALF_OPEN),
+  TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER),
+  TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY),
+  TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_PER_SERVER_CONNECTION_MAX),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_PER_SERVER_CONNECTION_MATCH),
   TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_LAST_ENTRY),

diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h
@@ -492,6 +492,8 @@ struct OverridableHttpConfigParams {
       request_buffer_enabled(0),
       allow_half_open(1),
       ssl_client_verify_server(0),
+      ssl_client_verify_server_policy(nullptr),
+      ssl_client_verify_server_properties(nullptr),
       redirect_use_orig_cache_key(0),
       number_of_redirections(0),
       proxy_response_hsts_max_age(-1),
@@ -677,6 +679,8 @@ struct OverridableHttpConfigParams {
   // server verification mode//
   /////////////////////////////
   MgmtByte ssl_client_verify_server;
+  char *ssl_client_verify_server_policy;
+  char *ssl_client_verify_server_properties;
 
   //////////////////
   // Redirection  //

diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
@@ -4671,6 +4671,46 @@ HttpSM::send_origin_throttled_response()
   call_transact_and_set_next_state(HttpTransact::HandleResponse);
 }
 
+static void
+set_tls_options(NetVCOptions &opt, OverridableHttpConfigParams *txn_conf)
+{
+  char *verify_server = nullptr;
+  if (txn_conf->ssl_client_verify_server_policy == nullptr) {
+    opt.verifyServerPolicy = YamlSNIConfig::Policy::UNSET;
+  } else {
+    verify_server = txn_conf->ssl_client_verify_server_policy;
+    if (strcmp(verify_server, "DISABLED") == 0) {
+      opt.verifyServerPolicy = YamlSNIConfig::Policy::DISABLED;
+    } else if (strcmp(verify_server, "PERMISSIVE") == 0) {
+      opt.verifyServerPolicy = YamlSNIConfig::Policy::PERMISSIVE;
+    } else if (strcmp(verify_server, "ENFORCED") == 0) {
+      opt.verifyServerPolicy = YamlSNIConfig::Policy::ENFORCED;
+    } else {
+      Warning("%s is invalid for proxy.config.ssl.client.verify.server.policy.  Should be one of DISABLED, PERMISSIVE, or ENFORCED",
+              verify_server);
+      opt.verifyServerPolicy = YamlSNIConfig::Policy::UNSET;
+    }
+  }
+  if (txn_conf->ssl_client_verify_server_properties == nullptr) {
+    opt.verifyServerProperties = YamlSNIConfig::Property::UNSET;
+  } else {
+    verify_server = txn_conf->ssl_client_verify_server_properties;
+    if (strcmp(verify_server, "SIGNATURE") == 0) {
+      opt.verifyServerProperties = YamlSNIConfig::Property::SIGNATURE_MASK;
+    } else if (strcmp(verify_server, "NAME") == 0) {
+      opt.verifyServerProperties = YamlSNIConfig::Property::NAME_MASK;
+    } else if (strcmp(verify_server, "ALL") == 0) {
+      opt.verifyServerProperties = YamlSNIConfig::Property::ALL_MASK;
+    } else if (strcmp(verify_server, "NONE") == 0) {
+      opt.verifyServerProperties = YamlSNIConfig::Property::NONE;
+    } else {
+      Warning("%s is invalid for proxy.config.ssl.client.verify.server.properties.  Should be one of SIGNATURE, NAME, or ALL",
+              verify_server);
+      opt.verifyServerProperties = YamlSNIConfig::Property::NONE;
+    }
+  }
+}
+
 //////////////////////////////////////////////////////////////////////////
 //
 //  HttpSM::do_http_server_open()
@@ -4959,6 +4999,8 @@ HttpSM::do_http_server_open(bool raw)
                      t_state.txn_conf->sock_option_flag_out, t_state.txn_conf->sock_packet_mark_out,
                      t_state.txn_conf->sock_packet_tos_out);
 
+  set_tls_options(opt, t_state.txn_conf);
+
   opt.ip_family = ip_family;
 
   if (ua_txn) {

diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
@@ -8204,6 +8204,13 @@ _conf_to_memberp(TSOverridableConfigKey conf, OverridableHttpConfigParams *overr
   case TS_CONFIG_SSL_CERT_FILEPATH:
     ret = _memberp_to_generic(&overridableHttpConfig->client_cert_filepath, conv);
     break;
+  case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER:
+    ret = _memberp_to_generic(&overridableHttpConfig->ssl_client_verify_server, conv);
+    break;
+  case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY:
+  case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES:
+    // String, must be handled elsewhere
+    break;
   case TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB:
     ret = _memberp_to_generic(&overridableHttpConfig->parent_failures_update_hostdb, conv);
     break;
@@ -8408,6 +8415,16 @@ TSHttpTxnConfigStringSet(TSHttpTxn txnp, TSOverridableConfigKey conf, const char
       }
     }
     break;
+  case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY:
+    if (value && length > 0) {
+      s->t_state.txn_conf->ssl_client_verify_server_policy = const_cast<char *>(value);
+    }
+    break;
+  case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES:
+    if (value && length > 0) {
+      s->t_state.txn_conf->ssl_client_verify_server_properties = const_cast<char *>(value);
+    }
+    break;
   default: {
     MgmtConverter const *conv;
     void *dest = _conf_to_memberp(conf, s->t_state.txn_conf, conv);
@@ -8594,7 +8611,11 @@ static const std::unordered_map<std::string_view, std::tuple<const TSOverridable
    {"proxy.config.http.connect_attempts_max_retries_dead_server",
     {TS_CONFIG_HTTP_CONNECT_ATTEMPTS_MAX_RETRIES_DEAD_SERVER, TS_RECORDDATATYPE_INT}},
    {"proxy.config.http.parent_proxy.per_parent_connect_attempts",
-    {TS_CONFIG_HTTP_PER_PARENT_CONNECT_ATTEMPTS, TS_RECORDDATATYPE_INT}}});
+    {TS_CONFIG_HTTP_PER_PARENT_CONNECT_ATTEMPTS, TS_RECORDDATATYPE_INT}},
+   {"proxy.config.ssl.client.verify.server", {TS_CONFIG_SSL_CLIENT_VERIFY_SERVER, TS_RECORDDATATYPE_INT}},
+   {"proxy.config.ssl.client.verify.server.policy", {TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY, TS_RECORDDATATYPE_STRING}},
+   {"proxy.config.ssl.client.verify.server.properties",
+    {TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES, TS_RECORDDATATYPE_STRING}}});
 
 TSReturnCode
 TSHttpTxnConfigFind(const char *name, int length, TSOverridableConfigKey *conf, TSRecordDataType *type)

diff --git a/src/traffic_server/InkAPITest.cc b/src/traffic_server/InkAPITest.cc
@@ -8689,7 +8689,10 @@ std::array<std::string_view, TS_CONFIG_LAST_ENTRY> SDK_Overridable_Configs = {
    "proxy.config.http.request_buffer_enabled",
    "proxy.config.http.allow_half_open",
    OutboundConnTrack::CONFIG_VAR_MAX,
-   OutboundConnTrack::CONFIG_VAR_MATCH}};
+   OutboundConnTrack::CONFIG_VAR_MATCH,
+   "proxy.config.ssl.client.verify.server",
+   "proxy.config.ssl.client.verify.server.policy",
+   "proxy.config.ssl.client.verify.server.properties"}};
 
 REGRESSION_TEST(SDK_API_OVERRIDABLE_CONFIGS)(RegressionTest *test, int /* atype ATS_UNUSED */, int *pstatus)
 {