[ https://issues.apache.org/jira/browse/TS-5022?focusedWorklogId=34655&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-34655 ]
ASF GitHub Bot logged work on TS-5022: -------------------------------------- Author: ASF GitHub Bot Created on: 04/Jan/17 14:30 Start Date: 04/Jan/17 14:30 Worklog Time Spent: 10m Work Description: Github user shinrich commented on a diff in the pull request: https://github.com/apache/trafficserver/pull/1226#discussion_r94591982 --- Diff: iocore/net/P_SSLNetProcessor.h --- 
@@ -63,6 +64,90 @@ struct SSLNetProcessor : public UnixNetProcessor {
 return client_ctx;
 }
+ // InsertCTX hashes on the absolute path to the client certificate file and stores in the map
+ bool
+ InsertCTX(cchar *client_cert, SSL_CTX *cctx)
+ {
+ ink_mutex_acquire(&ctxMapLock);
+ if (client_cert == nullptr) {
+ ctx_map.put(nullptr, cctx);
+ return true;
+ }
+ // dup is required here to avoid the nullifying of the keys stored in the map.
+ // client_cert is coming from the overridable clientcert config retrieved by the remap plugin.
+ cchar *cert = ats_strdup(client_cert);
+ // Hashmap has no delete functionality :(
+ ctx_map.put(cert, cctx);
+ ink_mutex_release(&ctxMapLock);
+ return true;
+ }
+
+ void
+ printCTXmap()
+ {
+ Vec<cchar *> keys;
+ ctx_map.get_keys(keys);
+ for (size_t i = 0; i < keys.length(); i++)
+ Debug("ssl", "Client certificates in the map %s", keys.get(i));
+ }
+ void
+ freeCTXmap()
+ {
+ ink_mutex_acquire(&ctxMapLock);
+ Vec<cchar *> keys;
+ ctx_map.get_keys(keys);
+ size_t n = keys.length();
+ Debug("ssl", "freeing CTX Map");
+ for (size_t i = 0; i < n; i++) {
+ deleteKey(keys.get(i));
+ ats_free((char *)keys.get(i));
+ }
+ ctx_map.clear();
+ ink_mutex_release(&ctxMapLock);
+ }
+
+ void
+ deleteKey(cchar *key)
+ {
+ SSL_CTX_free((SSL_CTX *)ctx_map.get(key));
+ }
+ // creates a new context attaching the provided certificate
+ SSL_CTX *
+ getNewCTX(char *client_cert)
+ {
+ SSL_CTX *client_ctx = nullptr;
+
+ SSLConfig::scoped_config params;
+
+ client_ctx = SSLInitClientContext(params);
+ if (!client_ctx) {
+ SSLError("Can't initialize the SSL client, HTTPS in remap rules will not function");
+ }
+ if (client_ctx && client_cert != nullptr) {
+ if (!SSL_CTX_use_certificate_chain_file(client_ctx, (const char *)client_cert)) {
+ SSLError("failed to load client certificate from %s", params->clientCertPath);
+ goto fail;
+ }
+ }
+ return client_ctx;
+ fail:
+ SSLReleaseContext(client_ctx);
+ ::exit(1);
+ }
+
+ // getCTX: returns the context attached to the given certificate
+ SSL_CTX *
+ getCTX(cchar *client_cert)
+ {
+ ink_mutex_acquire(&ctxMapLock);
+ if (client_cert == nullptr) {
+ return ctx_map.get(nullptr);
--- End diff -- Are we returning without dropping the mutex? Issue Time Tracking ------------------- Worklog Id: (was: 34655) Time Spent: 2h (was: 1h 50m) > Multiple Client Certificate to Origin > ------------------------------------- > > Key: TS-5022 > URL: https://issues.apache.org/jira/browse/TS-5022 > Project: Traffic Server > Issue Type: Improvement > Components: Security, SSL, TLS > Reporter: Scott Beardsley > Assignee: Syeda Persia Aziz > Labels: yahoo > Fix For: 7.1.0 > > Time Spent: 2h > Remaining Estimate: 0h > > Yahoo has a use case where the origin is doing mutual TLS authentication > which requires ATS to send a client certificate. This works fine (for now) > because ATS supports configuring *one* client cert but this feature should > really allow multiple client certificates to be configured which would depend > upon the origin being contacted. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
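Review bot: In getNewCTX, a certificate chain that fails to load ends in `goto fail` and `::exit(1)`, so a bad client-cert path supplied through the overridable remap config (per the comment in InsertCTX) takes down the whole process at runtime, and the SSLError message reports `params->clientCertPath` rather than the `client_cert` that was actually attempted. The SSLInitClientContext failure just above already falls through to return nullptr, so the load failure should do the same: `SSLError("failed to load client certificate from %s", client_cert); SSLReleaseContext(client_ctx); return nullptr;` — callers would then need to check for null, which I cannot confirm here since getCTX is cut off by the quote and the enclosing struct SSLNetProcessor extends beyond the hunk. printCTXmap walks ctx_map via get_keys without taking ctxMapLock, unlike InsertCTX and freeCTXmap, so it can observe the map mid-insert or mid-free. InsertCTX's `client_cert == nullptr` branch likewise returns true while ctxMapLock is still held, the same shape as the early return in getCTX that the existing comment asks about.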