Skip to content

Bubble up ssl_multicert.config load failures #8256

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
randall merged 1 commit into from
Aug 19, 2021
Merged

Bubble up ssl_multicert.config load failures #8256

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion iocore/net/SSLConfig.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -539,11 +539,14 @@ SSLCertificateConfig::reconfigure()
}

SSLMultiCertConfigLoader loader(params);
loader.load(lookup);
if (!loader.load(lookup)) {
retStatus = false;
}

if (!lookup->is_valid) {
retStatus = false;
}

// If there are errors in the certificate configs and we had wanted to exit on error
// we won't want to reset the config
if (lookup->is_valid || !params->configExitOnLoadError) {
Expand Down
7 changes: 5 additions & 2 deletions iocore/net/SSLUtils.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1953,8 +1953,9 @@ SSLMultiCertConfigLoader::load(SSLCertLookup *lookup)
if (ec) {
switch (ec.value()) {
case ENOENT:
// missing config file is an acceptable runtime state
Copy link
Copy Markdown
Member

@shinrich shinrich Aug 18, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't what to fail if ssl_multicert.config is unavailable?

Copy link
Copy Markdown
Contributor Author

@randall randall Aug 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

autest fails all over the place without allowing this. I think we generally try to strive to allow for missing config files (at least since I've been involved in the project)

Copy link
Copy Markdown
Contributor

@mlibbey mlibbey Aug 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A server may not have any https remaps ... can imagine that requiring a blank ssl_multicert would be confusing.

Copy link
Copy Markdown
Member

@shinrich shinrich Aug 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. Good point.

Warning("Cannot open SSL certificate configuration from %s - %s", params->configFilePath, strerror(ec.value()));
return false;
return true;
default:
Error("Failed to read SSL certificate configuration from %s - %s", params->configFilePath, strerror(ec.value()));
return false;
Expand Down Expand Up @@ -1989,7 +1990,9 @@ SSLMultiCertConfigLoader::load(SSLCertLookup *lookup)
if (ssl_extract_certificate(&line_info, sslMultiCertSettings.get())) {
// There must be a certificate specified unless the tunnel action is set
if (sslMultiCertSettings->cert || sslMultiCertSettings->opt != SSLCertContextOption::OPT_TUNNEL) {
this->_store_ssl_ctx(lookup, sslMultiCertSettings);
if (!this->_store_ssl_ctx(lookup, sslMultiCertSettings)) {
return false;
}
} else {
Warning("No ssl_cert_name specified and no tunnel action set");
}
Expand Down