Make client cert overridable

doc/admin-guide/files/records.config.en.rst

@@ -3508,6 +3508,7 @@ Client-Related Configuration
 
 .. ts:cv:: CONFIG proxy.config.ssl.client.cert.filename STRING NULL
    :reloadable:
+   :overridable:
 
    The filename of SSL client certificate installed on |TS|.
 
@@ -3519,6 +3520,7 @@ Client-Related Configuration
 
 .. ts:cv:: CONFIG proxy.config.ssl.client.private_key.filename STRING NULL
    :reloadable:
+   :overridable:
 
    The filename of the |TS| private key. Change this variable
    only if the private key is not located in the |TS| SSL
@@ -3532,11 +3534,14 @@ Client-Related Configuration
    file.
 
 .. ts:cv:: CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
+   :reloadable:
+   :overridable:
 
    The filename of the certificate authority against which the origin
    server will be verified.
 
 .. ts:cv:: CONFIG proxy.config.ssl.client.CA.cert.path STRING NULL
+   :reloadable:
 
    Specifies the location of the certificate authority file against
    which the origin server will be verified.

doc/developer-guide/api/functions/TSHttpOverridableConfig.en.rst

@@ -152,7 +152,7 @@ TSOverridableConfigKey Value                                        Configuratio
 :c:macro:`TS_CONFIG_HTTP_POST_CHECK_CONTENT_LENGTH_ENABLED`         :ts:cv:`proxy.config.http.post.check.content_length.enabled`
 :c:macro:`TS_CONFIG_HTTP_POST_CONNECT_ATTEMPTS_TIMEOUT`             :ts:cv:`proxy.config.http.post_connect_attempts_timeout`
 :c:macro:`TS_CONFIG_HTTP_REDIRECT_USE_ORIG_CACHE_KEY`               :ts:cv:`proxy.config.http.redirect_use_orig_cache_key`
-TS_CONFIG_HTTP_REQUEST_BUFFER_ENABLED                               proxy.config.http.request_buffer_enabled
+:c:macro:`TS_CONFIG_HTTP_REQUEST_BUFFER_ENABLED`                    :ts:cv:`proxy.config.http.request_buffer_enabled`
 :c:macro:`TS_CONFIG_HTTP_REQUEST_HEADER_MAX_SIZE`                   :ts:cv:`proxy.config.http.request_header_max_size`
 :c:macro:`TS_CONFIG_HTTP_RESPONSE_HEADER_MAX_SIZE`                  :ts:cv:`proxy.config.http.response_header_max_size`
 :c:macro:`TS_CONFIG_HTTP_RESPONSE_SERVER_ENABLED`                   :ts:cv:`proxy.config.http.response_server_enabled`
@@ -184,6 +184,11 @@ TS_CONFIG_HTTP_REQUEST_BUFFER_ENABLED                               proxy.config
 :c:macro:`TS_CONFIG_URL_REMAP_PRISTINE_HOST_HDR`                    :ts:cv:`proxy.config.url_remap.pristine_host_hdr`
 :c:macro:`TS_CONFIG_WEBSOCKET_ACTIVE_TIMEOUT`                       :ts:cv:`proxy.config.websocket.active_timeout`
 :c:macro:`TS_CONFIG_WEBSOCKET_NO_ACTIVITY_TIMEOUT`                  :ts:cv:`proxy.config.websocket.no_activity_timeout`
+:c:macro:`TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY`                :ts:cv:`proxy.config.ssl.client.verify.server.policy`
+:c:macro:`TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES`            :ts:cv:`proxy.config.ssl.client.verify.server.properties`
+:c:macro:`TS_CONFIG_SSL_CLIENT_CERT_FILENAME`                       :ts:cv:`proxy.config.ssl.client.cert.filename`
+:c:macro:`TS_CONFIG_SSL_CLIENT_PRIVATE_KEY_FILENAME`                :ts:cv:`proxy.config.ssl.client.private_key.filename`
+:c:macro:`TS_CONFIG_SSL_CLIENT_CA_CERT_FILENAME`                    :ts:cv:`proxy.config.ssl.client.CA.cert.filename`
 ==================================================================  ====================================================================
 
 Examples

include/ts/apidefs.h.in

@@ -777,6 +777,7 @@ typedef enum {
   TS_CONFIG_SRV_ENABLED,
   TS_CONFIG_HTTP_FORWARD_CONNECT_METHOD,
   TS_CONFIG_SSL_CERT_FILENAME,
+  TS_CONFIG_SSL_CLIENT_CERT_FILENAME = TS_CONFIG_SSL_CERT_FILENAME,
   TS_CONFIG_SSL_CERT_FILEPATH,
   TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB,
   TS_CONFIG_HTTP_CACHE_ENABLE_DEFAULT_VARY_HEADER,
@@ -802,6 +803,8 @@ typedef enum {
   TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY,
   TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES,
   TS_CONFIG_SSL_CLIENT_SNI_POLICY,
+  TS_CONFIG_SSL_CLIENT_PRIVATE_KEY_FILENAME,
+  TS_CONFIG_SSL_CLIENT_CA_CERT_FILENAME,
   TS_CONFIG_LAST_ENTRY
 } TSOverridableConfigKey;
 

iocore/net/I_NetVConnection.h

@@ -186,7 +186,20 @@ struct NetVCOptions {
   /**
    * Client certificate to use in response to OS's certificate request
    */
-  ats_scoped_str clientCertificate;
+  const char *ssl_client_cert_name = nullptr;
+  /*
+   * File containing private key matching certificate
+   */
+  const char *ssl_client_private_key_name = nullptr;
+  /*
+   * File containing CA certs for verifying origin's cert
+   */
+  const char *ssl_client_ca_cert_name = nullptr;
+  /*
+   * Directory containing CA certs for verifying origin's cert
+   */
+  const char *ssl_client_ca_cert_path = nullptr;
+
   /// Reset all values to defaults.
 
   /**
@@ -233,13 +246,6 @@ struct NetVCOptions {
     }
     return *this;
   }
-  self &
-  set_client_certname(const char *name)
-  {
-    clientCertificate = ats_strdup(name);
-    // clientCertificate = name;
-    return *this;
-  }
 
   self &
   operator=(self const &that)
@@ -255,9 +261,8 @@ struct NetVCOptions {
        * memcpy removes the extra reference to that's copy of the string
        * Removing the release will eventualy cause a double free crash
        */
-      sni_servername    = nullptr; // release any current name.
-      ssl_servername    = nullptr;
-      clientCertificate = nullptr;
+      sni_servername = nullptr; // release any current name.
+      ssl_servername = nullptr;
       memcpy(static_cast<void *>(this), &that, sizeof(self));
       if (that.sni_servername) {
         sni_servername.release(); // otherwise we'll free the source string.
@@ -267,10 +272,6 @@ struct NetVCOptions {
         ssl_servername.release(); // otherwise we'll free the source string.
         this->ssl_servername = ats_strdup(that.ssl_servername);
       }
-      if (that.clientCertificate) {
-        clientCertificate.release(); // otherwise we'll free the source string.
-        this->clientCertificate = ats_strdup(that.clientCertificate);
-      }
     }
     return *this;
   }

iocore/net/P_SSLConfig.h

@@ -80,7 +80,9 @@ struct SSLConfigParams : public ConfigInfo {
   int ssl_session_cache_auto_clear;
 
   char *clientCertPath;
+  char *clientCertPathOnly;
   char *clientKeyPath;
+  char *clientKeyPathOnly;
   char *clientCACertFilename;
   char *clientCACertPath;
   YamlSNIConfig::Policy verifyServerPolicy;
@@ -115,11 +117,15 @@ struct SSLConfigParams : public ConfigInfo {
 
   SSL_CTX *client_ctx;
 
+  // Making this mutable since this is a updatable
+  // cache on an otherwise immutable config object
+  // The ctx_map owns the client SSL_CTX objects and is responseible for cleaning them up
   mutable std::unordered_map<std::string, SSL_CTX *> ctx_map;
   mutable ink_mutex ctxMapLock;
 
   SSL_CTX *getClientSSL_CTX(void) const;
-  SSL_CTX *getNewCTX(const char *client_cert, const char *key_file) const;
+  SSL_CTX *getCTX(const char *client_cert, const char *key_file, const char *ca_bundle_file, const char *ca_bundle_path) const;
+  void cleanupCTXTable();
 
   void initialize();
   void cleanup();

iocore/net/P_SSLSNI.h

@@ -46,7 +46,7 @@ struct NextHopProperty {
   YamlSNIConfig::Policy verifyServerPolicy       = YamlSNIConfig::Policy::UNSET;   // whether to verify the next hop
   YamlSNIConfig::Property verifyServerProperties = YamlSNIConfig::Property::UNSET; // what to verify on the next hop
   SSL_CTX *ctx                                   = nullptr; // ctx generated off the certificate to present to this server
-  NextHopProperty();
+  NextHopProperty() {}
 };
 
 using actionVector = std::vector<std::unique_ptr<ActionItem>>;

iocore/net/P_UnixNetVConnection.h

@@ -66,9 +66,11 @@ NetVCOptions::reset()
 
   etype = ET_NET;
 
-  sni_servername    = nullptr;
-  ssl_servername    = nullptr;
-  clientCertificate = nullptr;
+  sni_servername              = nullptr;
+  ssl_servername              = nullptr;
+  ssl_client_cert_name        = nullptr;
+  ssl_client_private_key_name = nullptr;
+  ssl_client_ca_cert_name     = nullptr;
 }
 
 TS_INLINE void

iocore/net/SSLClientUtils.cc

@@ -143,7 +143,6 @@ SSLInitClientContext(const SSLConfigParams *params)
 {
   ink_ssl_method_t meth = nullptr;
   SSL_CTX *client_ctx   = nullptr;
-  char *clientKeyPtr    = nullptr;
 
   // Note that we do not call RAND_seed() explicitly here, we depend on OpenSSL
   // to do the seeding of the PRNG for us. This is the case for all platforms that
@@ -183,44 +182,8 @@ SSLInitClientContext(const SSLConfigParams *params)
   }
 #endif
 
-  // if no path is given for the client private key,
-  // assume it is contained in the client certificate file.
-  clientKeyPtr = params->clientKeyPath;
-  if (clientKeyPtr == nullptr) {
-    clientKeyPtr = params->clientCertPath;
-  }
-
-  if (params->clientCertPath != nullptr && params->clientCertPath[0] != '\0') {
-    if (!SSL_CTX_use_certificate_chain_file(client_ctx, params->clientCertPath)) {
-      SSLError("failed to load client certificate from %s", params->clientCertPath);
-      goto fail;
-    }
-
-    if (!SSL_CTX_use_PrivateKey_file(client_ctx, clientKeyPtr, SSL_FILETYPE_PEM)) {
-      SSLError("failed to load client private key file from %s", clientKeyPtr);
-      goto fail;
-    }
-
-    if (!SSL_CTX_check_private_key(client_ctx)) {
-      SSLError("client private key (%s) does not match the certificate public key (%s)", clientKeyPtr, params->clientCertPath);
-      goto fail;
-    }
-  }
-
   SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback);
   SSL_CTX_set_verify_depth(client_ctx, params->client_verify_depth);
-
-  if (params->clientCACertFilename != nullptr || params->clientCACertPath != nullptr) {
-    if (!SSL_CTX_load_verify_locations(client_ctx, params->clientCACertFilename, params->clientCACertPath)) {
-      SSLError("invalid client CA Certificate file (%s) or CA Certificate path (%s)", params->clientCACertFilename,
-               params->clientCACertPath);
-      goto fail;
-    }
-  } else if (!SSL_CTX_set_default_verify_paths(client_ctx)) {
-    SSLError("failed to set the default verify paths");
-    goto fail;
-  }
-
   if (SSLConfigParams::init_ssl_ctx_cb) {
     SSLConfigParams::init_ssl_ctx_cb(client_ctx, false);
   }