Re: [1/3] trafficserver git commit: TS-3437: Make DH params configurable

2015-03-12 Thread James Peach
The added configuration is proxy.config.ssl.server.enable_dhparams, but the 
code checks proxy.config.ssl.client.enable_dhparams.

The added configuration is marked RECU_RESTART_TS, but will actually take 
effect when ssl_multicert.config is reloaded. So I think this should be 
RECU_DYNAMIC (though this is almost an intermediate state).

 On Mar 11, 2015, at 3:17 PM, bri...@apache.org wrote:
 
 Repository: trafficserver
 Updated Branches:
  refs/heads/master 66bdd406f - 4361f4d0d
 
 
 TS-3437: Make DH params configurable
 
 
 Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
 Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/091b59ca
 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/091b59ca
 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/091b59ca
 
 Branch: refs/heads/master
 Commit: 091b59ca3f772ebc4a6cbc832b57fb0794c6b82e
 Parents: 66bdd40
 Author: Brian Geffon bri...@apache.org
 Authored: Wed Mar 11 15:16:07 2015 -0700
 Committer: Brian Geffon bri...@apache.org
 Committed: Wed Mar 11 15:16:07 2015 -0700
 
 --
 iocore/net/P_SSLConfig.h | 1 +
 iocore/net/SSLConfig.cc  | 2 ++
 iocore/net/SSLUtils.cc   | 4 +++-
 mgmt/RecordsConfig.cc| 2 ++
 4 files changed, 8 insertions(+), 1 deletion(-)
 --
 
 
 http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/P_SSLConfig.h
 --
 diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
 index cda2dcb..376036d 100644
 --- a/iocore/net/P_SSLConfig.h
 +++ b/iocore/net/P_SSLConfig.h
 @@ -81,6 +81,7 @@ struct SSLConfigParams : public ConfigInfo
   char *  clientKeyPath;
   char *  clientCACertFilename;
   char *  clientCACertPath;
 +  int enable_dhparams;
   int clientVerify;
   int client_verify_depth;
   longssl_ctx_options;
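Review bot: The new `enable_dhparams` member is declared among the client* fields with no comment, although the record added in mgmt/RecordsConfig.cc is a server setting and its only visible consumer is SSLInitServerContext. Annotating it, or moving it next to the other server-side members, would make the scope clear, for example `int enable_dhparams; // server contexts only: 0 skips ssl_context_enable_dhe()`. The struct continues outside the hunk, so the best neighbouring member is not visible here.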
 
 http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/SSLConfig.cc
 --
 diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
 index 627ccd2..1e1c0df 100644
 --- a/iocore/net/SSLConfig.cc
 +++ b/iocore/net/SSLConfig.cc
 @@ -74,6 +74,7 @@ SSLConfigParams::SSLConfigParams()
 
   clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
 
 +  enable_dhparams = 0;
   ssl_ctx_options = 0;
   ssl_client_ctx_protocols = 0;
   ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL;
 @@ -159,6 +160,7 @@ SSLConfigParams::initialize()
   REC_ReadConfigStringAlloc(cipherSuite, 
 proxy.config.ssl.server.cipher_suite);
   REC_ReadConfigStringAlloc(client_cipherSuite, 
 proxy.config.ssl.client.cipher_suite);
   dhparamsFile = 
 RecConfigReadConfigPath(proxy.config.ssl.server.dhparams_file);
 +  REC_ReadConfigInt32(enable_dhparams, 
 proxy.config.ssl.client.enable_dhparams);
 
   int options;
   int client_ssl_options;
 
 http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/SSLUtils.cc
 --
 diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
 index 361d344..83ce5e5 100644
 --- a/iocore/net/SSLUtils.cc
 +++ b/iocore/net/SSLUtils.cc
 @@ -1473,8 +1473,10 @@ SSLInitServerContext(const SSLConfigParams * params, 
 const ssl_user_config  ssl
   SSL_CTX_set_default_passwd_cb_userdata(CTX, NULL);\
   }
   SSL_CLEAR_PW_REFERENCES(ud,ctx)
 -  if (!ssl_context_enable_dhe(params-dhparamsFile, ctx)) {
 +  if (params-enable_dhparams  
 !ssl_context_enable_dhe(params-dhparamsFile, ctx)) {
 goto fail;
 +  } else if (!params-enable_dhparams) {
 +Debug(ssl, Not using dhparams);
   }
   return ssl_context_enable_ecdh(ctx);
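Review bot: With `enable_dhparams` at 0 the guard skips `ssl_context_enable_dhe()` altogether, not only the read of `dhparamsFile`, and the only trace is a `Debug` line that operators will not see unless the ssl debug tag is on. If that helper is also where the context receives its temporary DH parameters (its body is not in this hunk), switching it off leaves the server with ECDH only. That deserves a comment at the branch, such as `// 0 disables DHE setup entirely; forward secrecy then depends on ssl_context_enable_ecdh()`. The `else if (!params->enable_dhparams)` re-tests the same flag; an outer `if (params->enable_dhparams)` with the failure check nested inside and a plain `else` for the debug line would read more directly. SSLInitServerContext starts and ends outside the hunk.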
 
 
 http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/mgmt/RecordsConfig.cc
 --
 diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
 index b360aa0..76d6cb2 100644
 --- a/mgmt/RecordsConfig.cc
 +++ b/mgmt/RecordsConfig.cc
 @@ -1322,6 +1322,8 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, proxy.config.ssl.allow_client_renegotiation, RECD_INT, 0, 
 RECU_DYNAMIC, RR_NULL, RECC_INT, [0-1], RECA_NULL}
   ,
 +  {RECT_CONFIG, proxy.config.ssl.server.enable_dhparams, RECD_INT, 0, 
 RECU_RESTART_TS, RR_NULL, RECC_INT, [0-1], RECA_NULL}
 +  ,
   {RECT_CONFIG, proxy.config.ssl.server.dhparams_file, RECD_STRING, NULL, 
 RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
   
 //##
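Review bot: The new record's default is 0, so combined with the `params->enable_dhparams &&` guard in iocore/net/SSLUtils.cc an upgraded server stops calling `ssl_context_enable_dhe()` unless the operator adds the setting. If that call is what makes DHE suites usable (not visible on this page), the default silently narrows forward-secret key exchange to clients that support ECDHE. Preserving the previous behaviour would mean a default of 1, i.e. `RECD_INT, "1"` in this entry and `enable_dhparams = 1;` in the SSLConfigParams constructor, with 0 as the explicit opt-out. The RecordsConfig array continues outside the hunk.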
 



trafficserver git commit: TS-3331 negative responses cached even when headers indicate otherwise

2015-03-12 Thread wbardwel
Repository: trafficserver
Updated Branches:
  refs/heads/master b416a1dfa - e5f2bb554


TS-3331 negative responses cached even when headers indicate otherwise

Slim down fix based on feedback from Sudheer Vinukonda


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/e5f2bb55
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/e5f2bb55
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/e5f2bb55

Branch: refs/heads/master
Commit: e5f2bb554eb33e9b29cf728d2bcb04ba4f1b0e8a
Parents: b416a1d
Author: William Bardwell wbard...@apache.org
Authored: Thu Mar 12 13:02:54 2015 -0400
Committer: William Bardwell wbard...@apache.org
Committed: Thu Mar 12 13:18:33 2015 -0400

--
 proxy/http/HttpTransact.cc | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/e5f2bb55/proxy/http/HttpTransact.cc
--
diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index 2f585e7..0078ef1 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -198,10 +198,7 @@ is_negative_caching_appropriate(HttpTransact::State* s)
   case HTTP_STATUS_BAD_GATEWAY:
   case HTTP_STATUS_SERVICE_UNAVAILABLE:
   case HTTP_STATUS_GATEWAY_TIMEOUT:
-return ((response_cacheable_indicated_by_cc(s-hdr_info.server_response) 
= 0) 
-
(HttpTransactHeaders::does_server_allow_response_to_be_stored(s-hdr_info.server_response)
 ||
-s-cache_control.ignore_server_no_cache ||
-(s-cache_control.ttl_in_cache  0)));
+return true;
   default:
 break;
   }
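Review bot: After this change `is_negative_caching_appropriate()` returns true for these status codes without consulting the server response headers, so its name now promises more than it checks. The header check moves to the one caller shown in the next hunk (`&& cacheable`); any other caller of this function would mark an error response for negative caching even when the origin said it must not be stored. A comment above the function stating the new contract would help, for example `// Status-code check only; callers must also require that the response is cacheable.` The function begins and ends outside the hunk.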
@@ -4263,7 +4260,7 @@ 
HttpTransact::handle_cache_operation_on_forward_server_response(State* s)
 client_response_code = server_response_code;
 base_response = s-hdr_info.server_response;
 
-s-negative_caching = is_negative_caching_appropriate(s);
+s-negative_caching = is_negative_caching_appropriate(s)  cacheable;
 
 // determine the correct cache action given the original cache action,
 // cacheability of server response, and request method



[1/2] trafficserver git commit: Revert TS-3312: KA timeout to origin does not seem to honor configurations

2015-03-12 Thread zwoop
Repository: trafficserver
Updated Branches:
  refs/heads/master 8861a399c - b711dd38a


Revert TS-3312: KA timeout to origin does not seem to honor configurations

This reverts commit 9acfba0a911c374c5fb1c4171d0041ebeafd3f33.

There's a discussion on the Jira, I think we can improve on this.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/fab096ed
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/fab096ed
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/fab096ed

Branch: refs/heads/master
Commit: fab096ed2f7789dc2d007791f44504d5fd21833b
Parents: 8861a39
Author: Leif Hedstrom zw...@apache.org
Authored: Thu Mar 12 14:59:40 2015 -0600
Committer: Leif Hedstrom zw...@apache.org
Committed: Thu Mar 12 14:59:40 2015 -0600

--
 proxy/http/HttpSessionManager.cc | 10 ++
 1 file changed, 2 insertions(+), 8 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/fab096ed/proxy/http/HttpSessionManager.cc
--
diff --git a/proxy/http/HttpSessionManager.cc b/proxy/http/HttpSessionManager.cc
index c650ab6..101955b 100644
--- a/proxy/http/HttpSessionManager.cc
+++ b/proxy/http/HttpSessionManager.cc
@@ -120,14 +120,8 @@ ServerSessionPool::releaseSession(HttpServerSession* ss)
   // Transfer control of the write side as well
   ss-do_io_write(this, 0, NULL);
 
-  HttpConfigParams *http_config_params = HttpConfig::acquire();
-
-  // when placing the session to the shared pool we have to set the time out to
-  // keep_alive_no_activity_timeout_out and not to 
transaction_no_activity_timeout_out,
-  // since there is no transaction pending at this point.
-  // Once there is an active transaction on this connection, inactivity 
timeout will be
-  // overwritten to transaction_no_activity_timeout_out
-  
ss-get_netvc()-set_inactivity_timeout(HRTIME_SECONDS(http_config_params-oride.keep_alive_no_activity_timeout_out));
+  // we probably don't need the active timeout set, but will leave it for now
+  
ss-get_netvc()-set_inactivity_timeout(ss-get_netvc()-get_inactivity_timeout());
   ss-get_netvc()-set_active_timeout(ss-get_netvc()-get_active_timeout());
   // put it in the pools.
   m_ip_pool.insert(ss);
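Review bot: The restored line `ss->get_netvc()->set_inactivity_timeout(ss->get_netvc()->get_inactivity_timeout());` writes back the value it has just read, so a session parked in the shared pool keeps whatever inactivity timeout the last transaction set rather than a keep-alive value. Idle origin connections may therefore be held longer than the keep-alive configuration suggests. The comment above it speaks of the active timeout but sits on the inactivity call. If the self-assignment is there to restart the timer (an inference, since the setter is not shown), say so in place: `// re-arm the inactivity timer with its current value; the keep-alive timeout is not applied here (see TS-3312)`. releaseSession continues outside the hunk.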



trafficserver git commit: TS-3417: Add overlooked include back

2015-03-12 Thread sorber
Repository: trafficserver
Updated Branches:
  refs/heads/master c737a859a - a6be9807a


TS-3417: Add overlooked include back


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/a6be9807
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/a6be9807
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/a6be9807

Branch: refs/heads/master
Commit: a6be9807a47acb4ad1a63d9a720123fc2f2571a9
Parents: c737a85
Author: Phil Sorber sor...@apache.org
Authored: Thu Mar 12 18:52:14 2015 -0600
Committer: Phil Sorber sor...@apache.org
Committed: Thu Mar 12 18:52:14 2015 -0600

--
 iocore/eventsystem/IOBuffer.cc | 1 +
 1 file changed, 1 insertion(+)
--


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a6be9807/iocore/eventsystem/IOBuffer.cc
--
diff --git a/iocore/eventsystem/IOBuffer.cc b/iocore/eventsystem/IOBuffer.cc
index 2ac527b..a8663ef 100644
--- a/iocore/eventsystem/IOBuffer.cc
+++ b/iocore/eventsystem/IOBuffer.cc
@@ -25,6 +25,7 @@
   UIOBuffer.cc
 
 **/
+#include ink_defs.h
 #include P_EventSystem.h
 
 //



trafficserver git commit: TS-3437: Make DH params configurable: fix typo

2015-03-12 Thread briang
Repository: trafficserver
Updated Branches:
  refs/heads/master b711dd38a - c737a859a


TS-3437: Make DH params configurable: fix typo


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/c737a859
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/c737a859
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/c737a859

Branch: refs/heads/master
Commit: c737a859aee50ad1331bcaf41da832aae8041da3
Parents: b711dd3
Author: Brian Geffon bri...@apache.org
Authored: Thu Mar 12 15:44:38 2015 -0700
Committer: Brian Geffon bri...@apache.org
Committed: Thu Mar 12 15:44:38 2015 -0700

--
 iocore/net/SSLConfig.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c737a859/iocore/net/SSLConfig.cc
--
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 1e1c0df..dc78020 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -160,7 +160,7 @@ SSLConfigParams::initialize()
   REC_ReadConfigStringAlloc(cipherSuite, 
proxy.config.ssl.server.cipher_suite);
   REC_ReadConfigStringAlloc(client_cipherSuite, 
proxy.config.ssl.client.cipher_suite);
   dhparamsFile = 
RecConfigReadConfigPath(proxy.config.ssl.server.dhparams_file);
-  REC_ReadConfigInt32(enable_dhparams, 
proxy.config.ssl.client.enable_dhparams);
+  REC_ReadConfigInt32(enable_dhparams, 
proxy.config.ssl.server.enable_dhparams);
 
   int options;
   int client_ssl_options;