Re: [1/3] trafficserver git commit: TS-3437: Make DH params configurable
The added configuration is proxy.config.ssl.server.enable_dhparams, but the code checks proxy.config.ssl.client.enable_dhparams. The added configuration is marked RECU_RESTART_TS, but will actually take effect when ssl_multicert.config is reloaded. So I think this should be RECU_DYNAMIC (though this is almost an intermediate state). On Mar 11, 2015, at 3:17 PM, bri...@apache.org wrote: Repository: trafficserver Updated Branches: refs/heads/master 66bdd406f - 4361f4d0d TS-3437: Make DH params configurable Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/091b59ca Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/091b59ca Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/091b59ca Branch: refs/heads/master Commit: 091b59ca3f772ebc4a6cbc832b57fb0794c6b82e Parents: 66bdd40 Author: Brian Geffon bri...@apache.org Authored: Wed Mar 11 15:16:07 2015 -0700 Committer: Brian Geffon bri...@apache.org Committed: Wed Mar 11 15:16:07 2015 -0700 -- iocore/net/P_SSLConfig.h | 1 + iocore/net/SSLConfig.cc | 2 ++ iocore/net/SSLUtils.cc | 4 +++- mgmt/RecordsConfig.cc| 2 ++ 4 files changed, 8 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/P_SSLConfig.h -- diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h index cda2dcb..376036d 100644 --- a/iocore/net/P_SSLConfig.h +++ b/iocore/net/P_SSLConfig.h @@ -81,6 +81,7 @@ struct SSLConfigParams : public ConfigInfo char * clientKeyPath; char * clientCACertFilename; char * clientCACertPath; + int enable_dhparams; int clientVerify; int client_verify_depth; longssl_ctx_options; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/SSLConfig.cc -- diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc index 627ccd2..1e1c0df 100644 --- a/iocore/net/SSLConfig.cc +++ b/iocore/net/SSLConfig.cc 
@@ -74,6 +74,7 @@ SSLConfigParams::SSLConfigParams() clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0; + enable_dhparams = 0; ssl_ctx_options = 0; ssl_client_ctx_protocols = 0; ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL; @@ -159,6 +160,7 @@ SSLConfigParams::initialize() REC_ReadConfigStringAlloc(cipherSuite, proxy.config.ssl.server.cipher_suite); REC_ReadConfigStringAlloc(client_cipherSuite, proxy.config.ssl.client.cipher_suite); dhparamsFile = RecConfigReadConfigPath(proxy.config.ssl.server.dhparams_file); + REC_ReadConfigInt32(enable_dhparams, proxy.config.ssl.client.enable_dhparams); int options; int client_ssl_options; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/SSLUtils.cc -- diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc index 361d344..83ce5e5 100644 --- a/iocore/net/SSLUtils.cc +++ b/iocore/net/SSLUtils.cc @@ -1473,8 +1473,10 @@ SSLInitServerContext(const SSLConfigParams * params, const ssl_user_config ssl SSL_CTX_set_default_passwd_cb_userdata(CTX, NULL);\ } SSL_CLEAR_PW_REFERENCES(ud,ctx) - if (!ssl_context_enable_dhe(params-dhparamsFile, ctx)) { + if (params-enable_dhparams !ssl_context_enable_dhe(params-dhparamsFile, ctx)) { goto fail; + } else if (!params-enable_dhparams) { +Debug(ssl, Not using dhparams); } return ssl_context_enable_ecdh(ctx); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/mgmt/RecordsConfig.cc -- diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc index b360aa0..76d6cb2 100644 --- a/mgmt/RecordsConfig.cc +++ b/mgmt/RecordsConfig.cc 
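Review bot: In the SSLUtils.cc hunk, `ssl_context_enable_dhe()` is now skipped unless `enable_dhparams` is non-zero, and both the constructor (`enable_dhparams = 0;`) and the new RecordsConfig.cc entry default it to 0. The old code called it unconditionally, so an upgraded server with an untouched records.config stops doing DH parameter setup, and the only trace is a `Debug` line that is invisible unless the ssl debug tag is enabled. If `ssl_context_enable_dhe()` is what makes DHE suites usable (inferred from its name, since its body is not shown), this silently narrows the forward-secret key exchanges on offer to whatever `ssl_context_enable_ecdh()` provides. I would either default the record to `1` to preserve existing behaviour, or document the default in a comment beside the record and log the disabled case once at a level operators see. SSLInitServerContext's body continues outside the hunk.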
@@ -1322,6 +1322,8 @@ static const RecordElement RecordsConfig[] = , {RECT_CONFIG, proxy.config.ssl.allow_client_renegotiation, RECD_INT, 0, RECU_DYNAMIC, RR_NULL, RECC_INT, [0-1], RECA_NULL} , + {RECT_CONFIG, proxy.config.ssl.server.enable_dhparams, RECD_INT, 0, RECU_RESTART_TS, RR_NULL, RECC_INT, [0-1], RECA_NULL} + , {RECT_CONFIG, proxy.config.ssl.server.dhparams_file, RECD_STRING, NULL, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL} , //##
trafficserver git commit: TS-3331 negative responses cached even when headers indicate otherwise
Repository: trafficserver Updated Branches: refs/heads/master b416a1dfa - e5f2bb554 TS-3331 negative responses cached even when headers indicate otherwise Slim down fix based on feedback from Sudheer Vinukonda Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/e5f2bb55 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/e5f2bb55 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/e5f2bb55 Branch: refs/heads/master Commit: e5f2bb554eb33e9b29cf728d2bcb04ba4f1b0e8a Parents: b416a1d Author: William Bardwell wbard...@apache.org Authored: Thu Mar 12 13:02:54 2015 -0400 Committer: William Bardwell wbard...@apache.org Committed: Thu Mar 12 13:18:33 2015 -0400 -- proxy/http/HttpTransact.cc | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) -- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/e5f2bb55/proxy/http/HttpTransact.cc -- diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc index 2f585e7..0078ef1 100644 --- a/proxy/http/HttpTransact.cc +++ b/proxy/http/HttpTransact.cc @@ -198,10 +198,7 @@ is_negative_caching_appropriate(HttpTransact::State* s) case HTTP_STATUS_BAD_GATEWAY: case HTTP_STATUS_SERVICE_UNAVAILABLE: case HTTP_STATUS_GATEWAY_TIMEOUT: -return ((response_cacheable_indicated_by_cc(s-hdr_info.server_response) = 0) - (HttpTransactHeaders::does_server_allow_response_to_be_stored(s-hdr_info.server_response) || -s-cache_control.ignore_server_no_cache || -(s-cache_control.ttl_in_cache 0))); +return true; default: break; } 
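Review bot: `is_negative_caching_appropriate()` now returns `true` for the listed status codes without looking at the response headers, so the only thing keeping a response the origin marked as not storable out of the negative cache is the `&& cacheable` added in the second hunk, in `handle_cache_operation_on_forward_server_response()`. `cacheable` is computed outside the visible lines. It is worth confirming that it still honours `ignore_server_no_cache` and `ttl_in_cache`, which the removed expression consulted directly, and that no other caller uses the function on its own. I would add a comment above the function, for example `// Status-code check only; callers must also require the response to be cacheable.`, so the split responsibility is explicit. Both function bodies extend beyond the hunks.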
@@ -4263,7 +4260,7 @@ HttpTransact::handle_cache_operation_on_forward_server_response(State* s) client_response_code = server_response_code; base_response = s-hdr_info.server_response; -s-negative_caching = is_negative_caching_appropriate(s); +s-negative_caching = is_negative_caching_appropriate(s) cacheable; // determine the correct cache action given the original cache action, // cacheability of server response, and request method
[1/2] trafficserver git commit: Revert TS-3312: KA timeout to origin does not seem to honor configurations
Repository: trafficserver Updated Branches: refs/heads/master 8861a399c - b711dd38a Revert TS-3312: KA timeout to origin does not seem to honor configurations This reverts commit 9acfba0a911c374c5fb1c4171d0041ebeafd3f33. There's a discussion on the Jira, I think we can improve on this. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/fab096ed Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/fab096ed Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/fab096ed Branch: refs/heads/master Commit: fab096ed2f7789dc2d007791f44504d5fd21833b Parents: 8861a39 Author: Leif Hedstrom zw...@apache.org Authored: Thu Mar 12 14:59:40 2015 -0600 Committer: Leif Hedstrom zw...@apache.org Committed: Thu Mar 12 14:59:40 2015 -0600 -- proxy/http/HttpSessionManager.cc | 10 ++ 1 file changed, 2 insertions(+), 8 deletions(-) -- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/fab096ed/proxy/http/HttpSessionManager.cc -- diff --git a/proxy/http/HttpSessionManager.cc b/proxy/http/HttpSessionManager.cc index c650ab6..101955b 100644 --- a/proxy/http/HttpSessionManager.cc +++ b/proxy/http/HttpSessionManager.cc 
@@ -120,14 +120,8 @@ ServerSessionPool::releaseSession(HttpServerSession* ss) // Transfer control of the write side as well ss-do_io_write(this, 0, NULL); - HttpConfigParams *http_config_params = HttpConfig::acquire(); - - // when placing the session to the shared pool we have to set the time out to - // keep_alive_no_activity_timeout_out and not to transaction_no_activity_timeout_out, - // since there is no transaction pending at this point. - // Once there is an active transaction on this connection, inactivity timeout will be - // overwritten to transaction_no_activity_timeout_out - ss-get_netvc()-set_inactivity_timeout(HRTIME_SECONDS(http_config_params-oride.keep_alive_no_activity_timeout_out)); + // we probably don't need the active timeout set, but will leave it for now + ss-get_netvc()-set_inactivity_timeout(ss-get_netvc()-get_inactivity_timeout()); ss-get_netvc()-set_active_timeout(ss-get_netvc()-get_active_timeout()); // put it in the pools. m_ip_pool.insert(ss);
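Review bot: The restored comment `// we probably don't need the active timeout set, but will leave it for now` sits above the inactivity-timeout line and does not explain it: `set_inactivity_timeout(get_inactivity_timeout())` writes back the value the connection already holds. As written, a session parked in the pool keeps whatever inactivity timeout its last transaction left, and `keep_alive_no_activity_timeout_out` is not consulted here. The keep-alive setting therefore does not bound how long an idle origin connection is held at this point. A comment saying so, e.g. `// re-arm both timers with their current values; the keep-alive timeout is not applied here (see TS-3312)`, would stop the next reader from assuming otherwise. releaseSession's body continues outside the hunk.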
trafficserver git commit: TS-3417: Add overlooked include back
Repository: trafficserver Updated Branches: refs/heads/master c737a859a - a6be9807a TS-3417: Add overlooked include back Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/a6be9807 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/a6be9807 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/a6be9807 Branch: refs/heads/master Commit: a6be9807a47acb4ad1a63d9a720123fc2f2571a9 Parents: c737a85 Author: Phil Sorber sor...@apache.org Authored: Thu Mar 12 18:52:14 2015 -0600 Committer: Phil Sorber sor...@apache.org Committed: Thu Mar 12 18:52:14 2015 -0600 -- iocore/eventsystem/IOBuffer.cc | 1 + 1 file changed, 1 insertion(+) -- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a6be9807/iocore/eventsystem/IOBuffer.cc -- diff --git a/iocore/eventsystem/IOBuffer.cc b/iocore/eventsystem/IOBuffer.cc index 2ac527b..a8663ef 100644 --- a/iocore/eventsystem/IOBuffer.cc +++ b/iocore/eventsystem/IOBuffer.cc @@ -25,6 +25,7 @@ UIOBuffer.cc **/ +#include ink_defs.h #include P_EventSystem.h //
trafficserver git commit: TS-3437: Make DH params configurable: fix typo
Repository: trafficserver Updated Branches: refs/heads/master b711dd38a - c737a859a TS-3437: Make DH params configurable: fix typo Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/c737a859 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/c737a859 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/c737a859 Branch: refs/heads/master Commit: c737a859aee50ad1331bcaf41da832aae8041da3 Parents: b711dd3 Author: Brian Geffon bri...@apache.org Authored: Thu Mar 12 15:44:38 2015 -0700 Committer: Brian Geffon bri...@apache.org Committed: Thu Mar 12 15:44:38 2015 -0700 -- iocore/net/SSLConfig.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c737a859/iocore/net/SSLConfig.cc -- diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc index 1e1c0df..dc78020 100644 --- a/iocore/net/SSLConfig.cc +++ b/iocore/net/SSLConfig.cc @@ -160,7 +160,7 @@ SSLConfigParams::initialize() REC_ReadConfigStringAlloc(cipherSuite, proxy.config.ssl.server.cipher_suite); REC_ReadConfigStringAlloc(client_cipherSuite, proxy.config.ssl.client.cipher_suite); dhparamsFile = RecConfigReadConfigPath(proxy.config.ssl.server.dhparams_file); - REC_ReadConfigInt32(enable_dhparams, proxy.config.ssl.client.enable_dhparams); + REC_ReadConfigInt32(enable_dhparams, proxy.config.ssl.server.enable_dhparams); int options; int client_ssl_options;