From 80b5995a4c0f4b51bace0cc6f3343177348dfbdf Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Fri, 4 Dec 2015 05:35:13 -0800 Subject: [PATCH] Cleanup TLS: shuffle AnyP::PortCfg::staticSslContext into libsecurity There are no logic changes in this patch. Only symbol moves and debugs documentation polish. --- src/anyp/PortCfg.cc | 8 +++----- src/anyp/PortCfg.h | 3 +-- src/client_side.cc | 15 +++++++-------- src/security/ServerOptions.h | 8 +++++--- src/ssl/support.cc | 4 ++-- 5 files changed, 18 insertions(+), 20 deletions(-) diff --git a/src/anyp/PortCfg.cc b/src/anyp/PortCfg.cc index a4430573fd..ae3c677d61 100644 --- a/src/anyp/PortCfg.cc +++ b/src/anyp/PortCfg.cc @@ -46,7 +46,6 @@ AnyP::PortCfg::PortCfg() : sslContextSessionId(NULL), generateHostCertificates(false), dynamicCertMemCacheSize(std::numeric_limits::max()), - staticSslContext(), signingCert(), signPkey(), certsToChain(), @@ -143,12 +142,11 @@ AnyP::PortCfg::configureSslServerContext() } secure.updateTlsVersionLimits(); + secure.staticContext.reset(sslCreateServerContext(*this)); - staticSslContext.reset(sslCreateServerContext(*this)); - - if (!staticSslContext) { + if (!secure.staticContext) { char buf[128]; - fatalf("%s_port %s initialization error", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf))); + fatalf("%s_port %s initialization error", AnyP::ProtocolType_str[transport.protocol], s.toUrl(buf, sizeof(buf))); } } #endif diff --git a/src/anyp/PortCfg.h b/src/anyp/PortCfg.h index dcdcc597e2..301e9656ea 100644 --- a/src/anyp/PortCfg.h +++ b/src/anyp/PortCfg.h @@ -74,11 +74,10 @@ public: #if USE_OPENSSL char *clientca; - char *sslContextSessionId; ///< "session id context" for staticSslContext + char *sslContextSessionId; ///< "session id context" for secure.staticSslContext bool generateHostCertificates; ///< dynamically make host cert for sslBump size_t dynamicCertMemCacheSize; ///< max size of generated certificates memory cache - Security::ContextPointer staticSslContext; ///< for HTTPS accelerator or static sslBump Security::CertPointer signingCert; ///< x509 certificate for signing generated certificates Ssl::EVP_PKEY_Pointer signPkey; ///< private key for sighing generated certificates Ssl::X509_STACK_Pointer certsToChain; ///< x509 certificates to send with the generated cert diff --git a/src/client_side.cc b/src/client_side.cc index 02894faf45..f8ec73c158 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -3542,8 +3542,7 @@ ConnStateData::postHttpsAccept() acl_checklist->nonBlockingCheck(httpsSslBumpAccessCheckDone, this); return; } else { - Security::ContextPtr sslContext = port->staticSslContext.get(); - httpsEstablish(this, sslContext); + httpsEstablish(this, port->secure.staticContext.get()); } } @@ -3783,13 +3782,13 @@ ConnStateData::getSslContextDone(Security::ContextPtr sslContext, bool isNew) // If generated ssl context = NULL, try to use static ssl context. if (!sslContext) { - if (!port->staticSslContext) { - debugs(83, DBG_IMPORTANT, "Closing SSL " << clientConnection->remote << " as lacking SSL context"); + if (!port->secure.staticContext) { + debugs(83, DBG_IMPORTANT, "Closing " << clientConnection->remote << " as lacking TLS context"); clientConnection->close(); return; } else { - debugs(33, 5, HERE << "Using static ssl context."); - sslContext = port->staticSslContext.get(); + debugs(33, 5, "Using static TLS context."); + sslContext = port->secure.staticContext.get(); } } @@ -4139,7 +4138,7 @@ clientHttpConnectionsOpen(void) debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << scheme << "_port " << s->s); s->flags.tunnelSslBumping = false; } - if (!s->staticSslContext && !s->generateHostCertificates) { + if (!s->secure.staticContext && !s->generateHostCertificates) { debugs(1, DBG_IMPORTANT, "Will not bump SSL at " << scheme << "_port " << s->s << " due to TLS initialization failure."); s->flags.tunnelSslBumping = false; if (s->transport.protocol == AnyP::PROTO_HTTP) @@ -4152,7 +4151,7 @@ clientHttpConnectionsOpen(void) } } - if (s->secure.encryptTransport && !s->staticSslContext) { + if (s->secure.encryptTransport && !s->secure.staticContext) { debugs(1, DBG_CRITICAL, "ERROR: Ignoring " << scheme << "_port " << s->s << " due to TLS context initialization failure."); continue; } diff --git a/src/security/ServerOptions.h b/src/security/ServerOptions.h index f4831bb51e..2b38620600 100644 --- a/src/security/ServerOptions.h +++ b/src/security/ServerOptions.h @@ -30,13 +30,15 @@ public: /// update the context with DH, EDH, EECDH settings void updateContextEecdh(Security::ContextPtr &); +public: + /// TLS context to use for HTTPS accelerator or static SSL-Bump + Security::ContextPointer staticContext; + private: void loadDhParams(); -//public: - SBuf dh; ///< Diffi-Helman cipher config - private: + SBuf dh; ///< Diffi-Helman cipher config SBuf dhParamsFile; ///< Diffi-Helman ciphers parameter file SBuf eecdhCurve; ///< Elliptic curve for ephemeral EC-based DH key exchanges diff --git a/src/ssl/support.cc b/src/ssl/support.cc index 13e7e52c19..3ce6c43f72 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -1531,8 +1531,8 @@ Ssl::initialize_session_cache() } for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) { - if (s->staticSslContext.get() != NULL) - setSessionCallbacks(s->staticSslContext.get()); + if (s->secure.staticContext.get()) + setSessionCallbacks(s->secure.staticContext.get()); } } -- 2.47.2