mutually authenticated, but there is no proof they are the same as
for the HTTP authentication.
+A different address or port must be specified when using the "config-set"
+command to switch from HTTP to HTTPS or from HTTPS to HTTP.
+
The :iscman:`kea-shell` tool also supports TLS.
.. _agent-launch:
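Review bot: the added sentence says a different address or port "must be specified" but not what happens when it is not; the code change now rejects such a reload or "config-set" with a BadValue error and leaves the existing listener in place, so stating that consequence here (for example "otherwise the new configuration is rejected and the current listener is kept") saves operators a trip to the logs. The surrounding text uses Sphinx roles such as :iscman:, so the command name would read more consistently in literal markup (``config-set``) than in straight quotes.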
Since Kea-2.7.6 Kea supports multiple HTTP/HTTPS connections.
Both IPv4 and IPv6 addresses can be used.
+A different address or port must be specified when using the "config-set"
+command to switch from HTTP to HTTPS or from HTTPS to HTTP.
When files are used, they are read when the configuration is loaded,
to detect configuration errors as soon as possible.
Since Kea-2.7.6 Kea supports multiple HTTP/HTTPS connections.
Both IPv4 and IPv6 addresses can be used.
+A different address or port must be specified when using the "config-set"
+command to switch from HTTP to HTTPS or from HTTPS to HTTP.
When files are used, they are read when the configuration is loaded,
to detect configuration errors as soon as possible.
Since Kea-2.7.6 Kea supports multiple HTTP/HTTPS connections.
Both IPv4 and IPv6 addresses can be used.
+A different address or port must be specified when using the "config-set"
+command to switch from HTTP to HTTPS or from HTTPS to HTTP.
When files are used, they are read when the configuration is loaded,
to detect configuration errors as soon as possible.
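Review bot: the same two-line sentence is inserted into three ARM sections, each time between "Both IPv4 and IPv6 addresses can be used." and "When files are used, they are read when the configuration is loaded,", which splits the address discussion from the file sentence. Placing it after the "When files are used" sentence, or making it a short ``.. note::`` block, keeps each paragraph on one topic; stating the consequence of not changing address or port (the reload or "config-set" is rejected with an error and the existing listener is kept) applies to all three copies as well.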
extern const isc::log::MessageID CTRL_AGENT_CONFIG_FAIL = "CTRL_AGENT_CONFIG_FAIL";
extern const isc::log::MessageID CTRL_AGENT_CONFIG_SYNTAX_WARNING = "CTRL_AGENT_CONFIG_SYNTAX_WARNING";
extern const isc::log::MessageID CTRL_AGENT_FAILED = "CTRL_AGENT_FAILED";
-extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_REUSED = "CTRL_AGENT_HTTPS_SERVICE_REUSED";
+extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_REUSE_FAILED = "CTRL_AGENT_HTTPS_SERVICE_REUSE_FAILED";
extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_STARTED = "CTRL_AGENT_HTTPS_SERVICE_STARTED";
extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_UPDATED = "CTRL_AGENT_HTTPS_SERVICE_UPDATED";
-extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_REUSED = "CTRL_AGENT_HTTP_SERVICE_REUSED";
+extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED = "CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED";
extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_STARTED = "CTRL_AGENT_HTTP_SERVICE_STARTED";
extern const isc::log::MessageID CTRL_AGENT_RUN_EXIT = "CTRL_AGENT_RUN_EXIT";
extern const isc::log::MessageID CTRL_AGENT_STARTED = "CTRL_AGENT_STARTED";
"CTRL_AGENT_CONFIG_FAIL", "Control Agent configuration failed: %1",
"CTRL_AGENT_CONFIG_SYNTAX_WARNING", "Control Agent configuration syntax warning: %1",
"CTRL_AGENT_FAILED", "application experienced a fatal error: %1",
- "CTRL_AGENT_HTTPS_SERVICE_REUSED", "reused HTTPS service bound to address %1:%2",
+ "CTRL_AGENT_HTTPS_SERVICE_REUSE_FAILED", "failed to reuse HTTPS service bound to address %1:%2",
"CTRL_AGENT_HTTPS_SERVICE_STARTED", "HTTPS service bound to address %1:%2",
"CTRL_AGENT_HTTPS_SERVICE_UPDATED", "reused HTTPS service bound to address %1:%2 and updated TLS settings",
- "CTRL_AGENT_HTTP_SERVICE_REUSED", "reused HTTP service bound to address %1:%2",
+ "CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED", "failed to reused HTTP service bound to address %1:%2",
"CTRL_AGENT_HTTP_SERVICE_STARTED", "HTTP service bound to address %1:%2",
"CTRL_AGENT_RUN_EXIT", "application is exiting the event loop",
"CTRL_AGENT_STARTED", "Kea Control Agent version %1 started",
extern const isc::log::MessageID CTRL_AGENT_CONFIG_FAIL;
extern const isc::log::MessageID CTRL_AGENT_CONFIG_SYNTAX_WARNING;
extern const isc::log::MessageID CTRL_AGENT_FAILED;
-extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_REUSED;
+extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_REUSE_FAILED;
extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_STARTED;
extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_UPDATED;
-extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_REUSED;
+extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED;
extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_STARTED;
extern const isc::log::MessageID CTRL_AGENT_RUN_EXIT;
extern const isc::log::MessageID CTRL_AGENT_STARTED;
This is a fatal error message issued when the Control Agent application
encounters an unrecoverable error from within the event loop.
-% CTRL_AGENT_HTTPS_SERVICE_REUSED reused HTTPS service bound to address %1:%2
-This informational message indicates that the server has reused existing
-HTTPS service on the specified address and port. Note that any change in
-the TLS setup was ignored.
+% CTRL_AGENT_HTTPS_SERVICE_REUSE_FAILED failed to reuse HTTPS service bound to address %1:%2
+This error message indicates that the server has failed reusing existing
+HTTPS service on the specified address and port. The server can not swith from
+HTTPS to HTTP sockets using the same address and port.
% CTRL_AGENT_HTTPS_SERVICE_STARTED HTTPS service bound to address %1:%2
This informational message indicates that the server has started HTTPS service
HTTPS service on the specified address and port. Note that any change in
the TLS setup has been applied.
-% CTRL_AGENT_HTTP_SERVICE_REUSED reused HTTP service bound to address %1:%2
-This informational message indicates that the server has reused existing
-HTTP service on the specified address and port.
+% CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED failed to reused HTTP service bound to address %1:%2
+This error message indicates that the server has failed reusing existing
+HTTP service on the specified address and port. The server can not swith from
+HTTP to HTTPS sockets using the same address and port.
% CTRL_AGENT_HTTP_SERVICE_STARTED HTTP service bound to address %1:%2
This informational message indicates that the server has started HTTP service
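Review bot: several wording slips in the new descriptions: "swith" for "switch" in both REUSE_FAILED entries, "has failed reusing existing" reads better as "has failed to reuse the existing", "can not" should be "cannot", and the CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED message line itself says "failed to reused HTTP service" while the HTTPS line correctly says "failed to reuse". The same slip is carried into the generated ctrl_agent_messages.cc table, so fix it here and regenerate the .cc and .h rather than patching them by hand. Since both messages moved from informational to error severity, each description should also give the remedy the ARM change states, namely to use a different address or port when switching between HTTP and HTTPS. While here, the unchanged CTRL_AGENT_HTTPS_SERVICE_STARTED description repeats "HTTPS service" across the line break.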
if (listener->getTlsContext()) {
if (ctx->getTrustAnchor().empty()) {
// Can not switch from HTTPS to HTTP
- LOG_ERROR(agent_logger, CTRL_AGENT_HTTPS_SERVICE_REUSED)
+ LOG_ERROR(agent_logger, CTRL_AGENT_HTTPS_SERVICE_REUSE_FAILED)
.arg(server_address.toText())
.arg(server_port);
+ isc_throw(BadValue,
+ "Can not switch from HTTPS to HTTP sockets using the same address and port.");
} else {
// Apply TLS settings each time.
TlsContextPtr tls_context;
}
} else if (!ctx->getTrustAnchor().empty()) {
// Can not switch from HTTP to HTTPS
- LOG_ERROR(agent_logger, CTRL_AGENT_HTTP_SERVICE_REUSED)
+ LOG_ERROR(agent_logger, CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED)
.arg(server_address.toText())
.arg(server_port);
+ isc_throw(BadValue,
+ "Can not switch from HTTP to HTTPS sockets using the same address and port.");
}
}
// If the connection can be reused, mark it as usable.
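Review bot: the BadValue text thrown after each LOG_ERROR ("Can not switch from HTTPS to HTTP sockets using the same address and port.") omits the address and port that the log line records via .arg(server_address.toText()).arg(server_port); since this text becomes the "text" of the config-set response, including both there tells the operator which socket was refused without consulting the log. The same sentence is repeated verbatim in http_command_mgr.cc and in every unit test expectation, so a shared constant would keep the wording in sync if it is revised ("Can not" to "cannot", for instance). Also confirm the existing listener keeps serving when the exception unwinds before the "mark it as usable" step, so a rejected reconfiguration cannot leave the agent without a control channel; the D2 and DHCP tests check the listener pointer is unchanged, the controller tests only check isListening().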
EXPECT_FALSE(process->isListening());
}
-// Verify that the reload will reuse listener
-TEST_F(CtrlAgentControllerTest, ignoreHttpToHttpsSwitch) {
+// Verify that the reload will issue an error
+TEST_F(CtrlAgentControllerTest, handleHttpToHttpsSwitch) {
string ca_dir(string(TEST_CA_DIR));
// This configuration should be used to override the initial configuration.
EXPECT_EQ("127.0.0.1", ctx->getHttpHost());
EXPECT_EQ(8081, ctx->getHttpPort());
- // The forwarding configuration should have been updated.
- testUnixSocketInfo("dhcp4", "/second/dhcp4/socket");
- testUnixSocketInfo("dhcp6", "/second/dhcp6/socket");
+ // The forwarding configuration should have not been updated.
+ testUnixSocketInfo("dhcp4", "/first/dhcp4/socket");
+ testUnixSocketInfo("dhcp6", "/first/dhcp6/socket");
CtrlAgentProcessPtr process = getCtrlAgentProcess();
ASSERT_TRUE(process);
EXPECT_FALSE(process->isListening());
}
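Review bot: "The forwarding configuration should have not been updated." reads better as "should not have been updated" (likewise in the HTTPS-to-HTTP variant that follows). The test verifies that the forwarding configuration still points at the /first/ sockets, but nothing asserts that the reload actually failed; a reload that silently ignored the new file would pass just as well. Add an expectation on the reload outcome, or on the logged CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED error, so the test distinguishes an explicit rejection from a no-op.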
-// Verify that the reload will reuse listener
-TEST_F(CtrlAgentControllerTest, ignoreHttpsToHttpSwitch) {
+// Verify that the reload will issue an error
+TEST_F(CtrlAgentControllerTest, handleHttpsToHttpSwitch) {
string ca_dir(string(TEST_CA_DIR));
ostringstream agent_st;
agent_st << "{"
EXPECT_EQ("127.0.0.1", ctx->getHttpHost());
EXPECT_EQ(8081, ctx->getHttpPort());
- // The forwarding configuration should have been updated.
- testUnixSocketInfo("dhcp4", "/second/dhcp4/socket");
- testUnixSocketInfo("dhcp6", "/second/dhcp6/socket");
+ // The forwarding configuration should have not been updated.
+ testUnixSocketInfo("dhcp4", "/first/dhcp4/socket");
+ testUnixSocketInfo("dhcp6", "/first/dhcp6/socket");
CtrlAgentProcessPtr process = getCtrlAgentProcess();
ASSERT_TRUE(process);
EXPECT_EQ(1, keys->size());
}
-// Verify that the "config-set" command will reuse listener
-TEST_F(HttpCtrlChannelD2Test, ignoreHttpToHttpsSwitch) {
+// Verify that the "config-set" command will exit with an error
+TEST_F(HttpCtrlChannelD2Test, handleHttpToHttpsSwitch) {
string d2_cfg_txt =
" { \n"
EXPECT_EQ(listener, HttpCommandMgr::instance().getHttpListener().get());
ASSERT_FALSE(HttpCommandMgr::instance().getHttpListener()->getTlsContext());
- // Verify the configuration was successful.
- EXPECT_NE(response.find("\"result\": 0"), std::string::npos);
- EXPECT_NE(response.find("\"text\": \"Configuration applied successfully.\""),
+ // Verify the configuration was rejected.
+ EXPECT_NE(response.find("\"result\": 1"), std::string::npos);
+ EXPECT_NE(response.find("\"text\": \"Can not switch from HTTP to HTTPS sockets using the same address and port.\""),
std::string::npos);
- // Check that the config was applied.
+ // Check that the config was not applied.
d2_context = cfg_mgr->getD2CfgContext();
keys = d2_context->getKeys();
ASSERT_TRUE(keys);
EXPECT_EQ(1, keys->size());
}
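Review bot: the comment "Verify that the "config-set" command will exit with an error" suggests the daemon exits; the assertions show the command returns "result": 1 with the rejection text and the listener stays in place, so "will be rejected with an error" describes the behaviour accurately. The same comment wording is used on the HTTPS-to-HTTP test below and on the six DHCPv4/DHCPv6 variants. Capturing the listener pointer before the command and asserting it is unchanged afterwards, as done here, is the check that matters for this change; keep it wherever the response text is asserted.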
-// Verify that the "config-set" command will reuse listener
-TEST_F(HttpsCtrlChannelD2Test, ignoreHttpsToHttpSwitch) {
+// Verify that the "config-set" command will exit with an error
+TEST_F(HttpsCtrlChannelD2Test, handleHttpsToHttpSwitch) {
string ca_dir(string(TEST_CA_DIR));
ostringstream d2_st;
// The TLS settings have not changed
EXPECT_EQ(context, HttpCommandMgr::instance().getHttpListener()->getTlsContext().get());
- // Verify the configuration was successful.
- EXPECT_EQ("[ { \"arguments\": { \"hash\": \"029AE1208415D6911B5651A6F82D054F55B7877D2589CFD1DCEB5BFFCD3B13A3\" }, \"result\": 0, \"text\": \"Configuration applied successfully.\" } ]",
+ // Verify the configuration was rejected.
+ EXPECT_EQ("[ { \"result\": 1, \"text\": \"Can not switch from HTTPS to HTTP sockets using the same address and port.\" } ]",
response);
- // Check that the config was applied.
+ // Check that the config was not applied.
d2_context = cfg_mgr->getD2CfgContext();
keys = d2_context->getKeys();
ASSERT_TRUE(keys);
CfgMgr::instance().clear();
}
-// Verify that the "config-set" command will reuse listener
-TEST_F(HttpCtrlChannelDhcpv4Test, ignoredHttpToHttpsSwitch) {
+// Verify that the "config-set" command will exit with an error
+TEST_F(HttpCtrlChannelDhcpv4Test, handleHttpToHttpsSwitch) {
createHttpChannelServer();
// Define strings to permutate the config arguments
EXPECT_EQ(listener, HttpCommandMgr::instance().getHttpListener().get());
ASSERT_FALSE(HttpCommandMgr::instance().getHttpListener()->getTlsContext());
- EXPECT_NE(response.find("\"result\": 0"), std::string::npos);
- EXPECT_NE(response.find("\"text\": \"Configuration successful.\""),
+ EXPECT_NE(response.find("\"result\": 1"), std::string::npos);
+ EXPECT_NE(response.find("\"text\": \"Can not switch from HTTP to HTTPS sockets using the same address and port.\""),
std::string::npos);
// Check that the config was not lost
CfgMgr::instance().clear();
}
-// Verify that the "config-set" command will reuse listener
-TEST_F(HttpsCtrlChannelDhcpv4Test, ignoreHttpsToHttpSwitch) {
+// Verify that the "config-set" command will exit with an error
+TEST_F(HttpsCtrlChannelDhcpv4Test, handleHttpsToHttpSwitch) {
createHttpChannelServer();
// Define strings to permutate the config arguments
ASSERT_TRUE(HttpCommandMgr::instance().getHttpListener()->getTlsContext());
EXPECT_EQ(context, HttpCommandMgr::instance().getHttpListener()->getTlsContext().get());
- EXPECT_NE(response.find("\"result\": 0"), std::string::npos);
- EXPECT_NE(response.find("\"text\": \"Configuration successful.\""),
+ EXPECT_NE(response.find("\"result\": 1"), std::string::npos);
+ EXPECT_NE(response.find("\"text\": \"Can not switch from HTTPS to HTTP sockets using the same address and port.\""),
std::string::npos);
// Check that the config was not lost
CfgMgr::instance().clear();
}
-// Verify that the "config-set" command will reuse listener
-TEST_F(HttpCtrlChannelDhcpv6Test, ignoreHttpToHttpsSwitch) {
+// Verify that the "config-set" command will exit with an error
+TEST_F(HttpCtrlChannelDhcpv6Test, handleHttpToHttpsSwitch) {
createHttpChannelServer();
// Define strings to permutate the config arguments
EXPECT_EQ(listener, HttpCommandMgr::instance().getHttpListener().get());
ASSERT_FALSE(HttpCommandMgr::instance().getHttpListener()->getTlsContext());
- EXPECT_NE(response.find("\"result\": 0"), std::string::npos);
- EXPECT_NE(response.find("\"text\": \"Configuration successful.\""),
+ EXPECT_NE(response.find("\"result\": 1"), std::string::npos);
+ EXPECT_NE(response.find("\"text\": \"Can not switch from HTTP to HTTPS sockets using the same address and port.\""),
std::string::npos);
// Check that the config was not lost
CfgMgr::instance().clear();
}
-// Verify that the "config-set" command will reuse listener
-TEST_F(HttpsCtrlChannelDhcpv6Test, ignoreHttpsToHttpSwitch) {
+// Verify that the "config-set" command will exit with an error
+TEST_F(HttpsCtrlChannelDhcpv6Test, handleHttpsToHttpSwitch) {
createHttpChannelServer();
// Define strings to permutate the config arguments
ASSERT_TRUE(HttpCommandMgr::instance().getHttpListener()->getTlsContext());
EXPECT_EQ(context, HttpCommandMgr::instance().getHttpListener()->getTlsContext().get());
- EXPECT_NE(response.find("\"result\": 0"), std::string::npos);
- EXPECT_NE(response.find("\"text\": \"Configuration successful.\""),
+ EXPECT_NE(response.find("\"result\": 1"), std::string::npos);
+ EXPECT_NE(response.find("\"text\": \"Can not switch from HTTPS to HTTP sockets using the same address and port.\""),
std::string::npos);
// Check that the config was not lost
extern const isc::log::MessageID COMMAND_WATCH_SOCKET_CLEAR_ERROR = "COMMAND_WATCH_SOCKET_CLEAR_ERROR";
extern const isc::log::MessageID COMMAND_WATCH_SOCKET_CLOSE_ERROR = "COMMAND_WATCH_SOCKET_CLOSE_ERROR";
extern const isc::log::MessageID COMMAND_WATCH_SOCKET_MARK_READY_ERROR = "COMMAND_WATCH_SOCKET_MARK_READY_ERROR";
-extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSED = "HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSED";
+extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED = "HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED";
extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTPS_SERVICE_UPDATED = "HTTP_COMMAND_MGR_HTTPS_SERVICE_UPDATED";
-extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTP_SERVICE_REUSED = "HTTP_COMMAND_MGR_HTTP_SERVICE_REUSED";
+extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTP_SERVICE_REUSE_FAILED = "HTTP_COMMAND_MGR_HTTP_SERVICE_REUSE_FAILED";
extern const isc::log::MessageID HTTP_COMMAND_MGR_SERVICE_STARTED = "HTTP_COMMAND_MGR_SERVICE_STARTED";
extern const isc::log::MessageID HTTP_COMMAND_MGR_SERVICE_STOPPING = "HTTP_COMMAND_MGR_SERVICE_STOPPING";
"COMMAND_WATCH_SOCKET_CLEAR_ERROR", "watch socket failed to clear: %1",
"COMMAND_WATCH_SOCKET_CLOSE_ERROR", "watch socket failed to close: %1",
"COMMAND_WATCH_SOCKET_MARK_READY_ERROR", "watch socket failed to mark ready: %1",
- "HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSED", "reused HTTPS service bound to address %1:%2",
+ "HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED", "failed to reused HTTPS service bound to address %1:%2",
"HTTP_COMMAND_MGR_HTTPS_SERVICE_UPDATED", "reused HTTPS service bound to address %1:%2 and updated TLS settings",
- "HTTP_COMMAND_MGR_HTTP_SERVICE_REUSED", "reused HTTP service bound to address %1:%2",
+ "HTTP_COMMAND_MGR_HTTP_SERVICE_REUSE_FAILED", "failed to reused HTTP service bound to address %1:%2",
"HTTP_COMMAND_MGR_SERVICE_STARTED", "started %1 service bound to address %2 port %3",
"HTTP_COMMAND_MGR_SERVICE_STOPPING", "Server is stopping %1 service %2",
NULL
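Review bot: both new message texts read "failed to reused" (the HTTPS_SERVICE_REUSE_FAILED and HTTP_SERVICE_REUSE_FAILED lines); the verb should be "reuse". This table is generated from http_command_mgr_messages.mes, which carries the same slip on both % lines, so correct the .mes source and regenerate the .cc and .h instead of editing them directly.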
extern const isc::log::MessageID COMMAND_WATCH_SOCKET_CLEAR_ERROR;
extern const isc::log::MessageID COMMAND_WATCH_SOCKET_CLOSE_ERROR;
extern const isc::log::MessageID COMMAND_WATCH_SOCKET_MARK_READY_ERROR;
-extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSED;
+extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED;
extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTPS_SERVICE_UPDATED;
-extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTP_SERVICE_REUSED;
+extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTP_SERVICE_REUSE_FAILED;
extern const isc::log::MessageID HTTP_COMMAND_MGR_SERVICE_STARTED;
extern const isc::log::MessageID HTTP_COMMAND_MGR_SERVICE_STOPPING;
that should be reported. The command manager may or may not continue
to operate correctly.
-% HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSED reused HTTPS service bound to address %1:%2
-This informational message indicates that the server has reused existing
-HTTPS service on the specified address and port. Note that any change in
-the TLS setup was ignored.
+% HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED failed to reused HTTPS service bound to address %1:%2
+This error message indicates that the server has failed reusing existing
+HTTPS service on the specified address and port. The server can not swith from
+HTTPS to HTTP sockets using the same address and port.
% HTTP_COMMAND_MGR_HTTPS_SERVICE_UPDATED reused HTTPS service bound to address %1:%2 and updated TLS settings
This informational message indicates that the server has reused existing
HTTPS service on the specified address and port. Note that any change in
the TLS setup has been applied.
-% HTTP_COMMAND_MGR_HTTP_SERVICE_REUSED reused HTTP service bound to address %1:%2
-This informational message indicates that the server has reused existing
-HTTP service on the specified address and port.
+% HTTP_COMMAND_MGR_HTTP_SERVICE_REUSE_FAILED failed to reused HTTP service bound to address %1:%2
+This error message indicates that the server has failed reusing existing
+HTTP service on the specified address and port. The server can not swith from
+HTTP to HTTPS sockets using the same address and port.
% HTTP_COMMAND_MGR_SERVICE_STARTED started %1 service bound to address %2 port %3
This informational message indicates that the server has started
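Review bot: the same description slips as in the Control Agent message file appear here: "swith" for "switch" and "can not" for "cannot" in both REUSE_FAILED entries, "has failed reusing existing" for "has failed to reuse the existing", and "failed to reused" on both % message lines. Fix them in this .mes source and regenerate http_command_mgr_messages.cc and .h. As these are now error-level messages, each description should also name the remedy, using a different address or port for the new scheme, so the log entry is actionable on its own.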
if (listener->getTlsContext()) {
if (cmd_config->getTrustAnchor().empty()) {
// Can not switch from HTTPS to HTTP
- LOG_ERROR(command_logger, HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSED)
+ LOG_ERROR(command_logger, HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED)
.arg(server_address.toText())
.arg(server_port);
+ isc_throw(BadValue,
+ "Can not switch from HTTPS to HTTP sockets using the same address and port.");
} else {
// Apply TLS settings each time.
TlsContextPtr tls_context;
}
} else if (!cmd_config->getTrustAnchor().empty()) {
// Can not switch from HTTP to HTTPS
- LOG_ERROR(command_logger, HTTP_COMMAND_MGR_HTTP_SERVICE_REUSED)
+ LOG_ERROR(command_logger, HTTP_COMMAND_MGR_HTTP_SERVICE_REUSE_FAILED)
.arg(server_address.toText())
.arg(server_port);
+ isc_throw(BadValue,
+ "Can not switch from HTTP to HTTPS sockets using the same address and port.");
}
}
// If the connection can be reused, mark it as usable.
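Review bot: this block carries the same decision logic as ctrl_agent_process.cc (trust-anchor emptiness check, LOG_ERROR with address and port, then isc_throw(BadValue, ...) with a fixed sentence), and the same remarks apply: put the address and port into the thrown text, since that is what reaches the command response, and consider a shared helper or constant so the two copies and their message IDs do not drift apart. Since the HTTPS-versus-HTTP decision rests solely on cmd_config->getTrustAnchor().empty(), confirm that configuration validation guarantees the certificate and key accompany a trust anchor, so that an incomplete TLS configuration is reported as such rather than as a scheme switch.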