Make client cert overridable #4712
Waiting for fix in PR #4718
Rebased against the merged fix in PR #4718. Ready to go.
| std::string key; | ||
| ts::bwprint(key, "{}:{}:{}:{}", client_cert, key_file, ca_bundle_file, ca_bundle_path); | ||
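Review bot: the map key is the four paths joined with ':', and key_file can be nullptr at the call site (getCTX is called with `keyFilePath.empty() ? nullptr : keyFilePath.c_str()`); confirm that ts::bwprint renders a null const char* safely rather than dereferencing it, or normalize an empty key file to "" before building the key so the cache lookup is well defined.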
| ink_mutex_acquire(&ctxMapLock); |
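Review bot: with ctxMapLock released between the map lookup and the insert (the acquire, drop, reacquire pattern described in this thread), two threads that miss on the same key will both build an SSL_CTX and the second insert overwrites or leaks the first; re-check the map after reacquiring the lock and free the locally built context if another thread already populated the entry.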
ink_scoped_mutex_lock? And do lock.release() after the if? Or put the setup and conditional in a block.
I acquire, drop, and reacquire the lock if we need to add a new SSL_CTX. Could add extra scopes to deal with that, but I find acquire/release more straightforward for this use case.
| // Set public and private keys | ||
| if (!SSL_CTX_use_certificate_chain_file(client_ctx, client_cert)) { | ||
| SSLError("failed to load client certificate from %s", client_cert); | ||
| goto fail; |
Walt would be bitterly disappointed - he'd say "why not use PostScript?".
PostScript after([&client_ctx](){ if (client_ctx) SSL_CTX_free(client_ctx); });
Following the existing style of the function.
| caCertFilePath = Layout::get()->relative_to(params->clientCACertPath, options.ssl_client_ca_cert_name); | ||
| } | ||
| clientCTX = | ||
| params->getCTX(certFilePath.c_str(), keyFilePath.empty() ? nullptr : keyFilePath.c_str(), |
Does this potentially load from disk?
Yes, it does potentially load from disk. We are lazy loading the conf_remap override files.
I could add the logic to spawn another thread to do the SSL_CTX load and signal back. Do we have core logic spawning task threads, or is that only plugins that do that?
The best option might be to toss it over to an ET_TASK thread and then have it send an event back to the current thread.
This PR is based on PR #4663 which should land first.
This PR allows for proxy.config.ssl.client.cert.filename, proxy.config.ssl.client.private_key.filename, and proxy.config.ssl.client.CA.cert.filename to be overridden by a plugin such as conf_remap. This override takes precedence over the settings in ssl_server_name.yaml.
The PR updates the documentation and adds tests to exercise remapping all three settings.
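As an added illustration (not from the PR itself), a remap.config rule that uses conf_remap to apply the three per-remap client certificate overrides described above; the hostnames and certificate file names are constructed placeholders, and file names are resolved relative to the configured client cert/key/CA paths:

```text
# Constructed example: only traffic to this origin presents the "partner" client certificate,
# and validates the origin against the partner CA rather than the global CA bundle.
map https://api.example.com/partner/ https://partner-origin.example.net/ \
    @plugin=conf_remap.so \
    @pparam=proxy.config.ssl.client.cert.filename=partner-client.pem \
    @pparam=proxy.config.ssl.client.private_key.filename=partner-client.key \
    @pparam=proxy.config.ssl.client.CA.cert.filename=partner-ca.pem
```

Because these overrides take precedence over ssl_server_name.yaml, check the effective values per remap rule when debugging which certificate was sent to an origin.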