diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index 5b73d2eacb0..1d876946441 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -144,6 +144,10 @@ void setTLSValidProtocols(SSL *ssl, unsigned long proto_mask, unsigned long max_
 // Used as part of the lookup key into the origin server session cache
 std::string get_sni_addr(SSL *ssl);
 
+// Helper functions to retrieve server verify policy and properties from a SSL object
+// Used as part of the lookup key into the origin server session cache
+std::string get_verify_str(SSL *ssl);
+
 namespace ssl
 {
 namespace detail
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index 8e30bbfb5ee..3089b050acf 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
@@ -161,11 +161,8 @@ ssl_new_session_callback(SSL *ssl, SSL_SESSION *sess)
 {
   std::string sni_addr = get_sni_addr(ssl);
   if (!sni_addr.empty()) {
-    SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
-    std::stringstream ctx_ss;
-    ctx_ss << static_cast(ctx);
     std::string lookup_key;
-    ts::bwprint(lookup_key, "{}:{}", sni_addr.c_str(), ctx_ss.str().c_str());
+    ts::bwprint(lookup_key, "{}:{}:{}", sni_addr.c_str(), SSL_get_SSL_CTX(ssl), get_verify_str(ssl));
     origin_sess_cache->insert_session(lookup_key, sess);
     return 1;
   } else {
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 60934a2d898..c01cd387526 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
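Review bot: The comment on the new declaration says "Helper functions" although only `get_verify_str` is declared, and it does not tell a caller what the string looks like or when it is empty, which matters because the string is concatenated straight into a cache key. From the definition in SSLUtils.cc the result is `"<policy>:<properties>"` (both upper-case enum names) and an empty string when no SSLNetVConnection is attached to the SSL object. I would replace the two comment lines with `// Renders the server verify policy and properties of an SSL object as "<policy>:<properties>"` and `// (empty when no SSLNetVConnection is attached). Used as part of the origin session cache lookup key.`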
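Review bot: The new `ts::bwprint` call in ssl_new_session_callback still passes `sni_addr.c_str()` while handing the `std::string` returned by `get_verify_str(ssl)` to the same formatter directly, so the `.c_str()` is redundant and the line reads more consistently as `ts::bwprint(lookup_key, "{}:{}:{}", sni_addr, SSL_get_SSL_CTX(ssl), get_verify_str(ssl));`. The removed lines deliberately cast the context to a generic pointer before streaming it; the replacement relies on the formatter's handling of a raw `SSL_CTX *`, which I assume prints the address but is worth confirming, since the key must stay distinct per context. The same two remarks apply to the parallel hunk in SSLConnect in SSLUtils.cc, whose trailing context is cut off in this view.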
@@ -1997,11 +1997,8 @@ SSLConnect(SSL *ssl)
   if (!sess && SSLConfigParams::origin_session_cache == 1 && SSLConfigParams::origin_session_cache_size > 0) {
     std::string sni_addr = get_sni_addr(ssl);
     if (!sni_addr.empty()) {
-      SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
-      std::stringstream ctx_ss;
-      ctx_ss << static_cast(ctx);
       std::string lookup_key;
-      ts::bwprint(lookup_key, "{}:{}", sni_addr.c_str(), ctx_ss.str().c_str());
+      ts::bwprint(lookup_key, "{}:{}:{}", sni_addr.c_str(), SSL_get_SSL_CTX(ssl), get_verify_str(ssl));
       Debug("ssl.origin_session_cache", "origin session cache lookup key = %s", lookup_key.c_str());
@@ -2065,6 +2062,54 @@ get_sni_addr(SSL *ssl)
   return sni_addr;
 }
 
+std::string
+get_verify_str(SSL *ssl)
+{
+  std::string verify_str;
+
+  SSLNetVConnection *netvc = SSLNetVCAccess(ssl);
+  if (netvc != nullptr) {
+    std::string policy_str;
+    switch (netvc->options.verifyServerPolicy) {
+    case YamlSNIConfig::Policy::DISABLED:
+      policy_str.assign("DISABLED");
+      break;
+    case YamlSNIConfig::Policy::PERMISSIVE:
+      policy_str.assign("PERMISSIVE");
+      break;
+    case YamlSNIConfig::Policy::ENFORCED:
+      policy_str.assign("ENFORCED");
+      break;
+    case YamlSNIConfig::Policy::UNSET:
+      policy_str.assign("UNSET");
+      break;
+    }
+
+    std::string property_str;
+    switch (netvc->options.verifyServerProperties) {
+    case YamlSNIConfig::Property::NONE:
+      property_str.assign("NONE");
+      break;
+    case YamlSNIConfig::Property::SIGNATURE_MASK:
+      property_str.assign("SIGNATURE_MASK");
+      break;
+    case YamlSNIConfig::Property::NAME_MASK:
+      property_str.assign("NAME_MASK");
+      break;
+    case YamlSNIConfig::Property::ALL_MASK:
+      property_str.assign("ALL_MASK");
+      break;
+    case YamlSNIConfig::Property::UNSET:
+      property_str.assign("UNSET");
+      break;
+    }
+
+    ts::bwprint(verify_str, "{}:{}", policy_str.c_str(), property_str.c_str());
+  }
+
+  return verify_str;
+}
+
 /**
  * Process the config to pull out the list of file names, and process the certs to get the list
  * of subject and sni names. Thanks to dual cert configurations, there may be mulitple files of each type.
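Review bot: Neither `switch` in get_verify_str has a `default`, so a policy or property value outside the listed enumerators leaves `policy_str`/`property_str` empty and the function still returns a well-formed-looking `":..."` key. The whole reason this string is in the cache key is to keep sessions negotiated under different verification settings from being resumed for each other, so an unrecognised value silently collapsing to an empty component is the one failure mode this function should not have; the `_MASK` naming also hints that `verifyServerProperties` may admit combinations beyond the four spelled out, which a switch on exact values would miss (hedged, the enum is not in view). I would add to the policy switch `default:` / `policy_str = std::to_string(static_cast<int>(netvc->options.verifyServerPolicy));` / `break;` and the equivalent to the property switch, so the key stays distinct and the Debug output stays diagnosable. Minor style: `policy_str = "DISABLED";` reads better than `.assign(...)`, and the final `ts::bwprint` can take the two `std::string`s without `.c_str()`.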