[trafficserver/el6] Add patch for TS-1392:

Jan-Frode Myklebust janfrode at fedoraproject.org
Thu Aug 16 08:41:36 UTC 2012


commit bef88bff1a4d674da26b7310fc5bc419e85f31fc
Author: Jan-Frode Myklebust <janfrode at tanso.net>
Date:   Thu Aug 16 10:40:18 2012 +0200

    Add patch for TS-1392:
    
        TS-1392: Fix SNI certificate fallback path
    
        When the SNI lookup fails, we fall back to a bad default SSL context
        instead of the context that we selected when we accepted the TCP
        connection. Make sure that we don't clobber a SSL context if the
        SNI lookup fails.

 ...TS-1392-Fix-SNI-certificate-fallback-path.patch |   79 ++++++++++++++++++++
 trafficserver.spec                                 |    8 ++-
 2 files changed, 86 insertions(+), 1 deletions(-)
---
diff --git a/0001-TS-1392-Fix-SNI-certificate-fallback-path.patch b/0001-TS-1392-Fix-SNI-certificate-fallback-path.patch
new file mode 100644
index 0000000..439a4dc
--- /dev/null
+++ b/0001-TS-1392-Fix-SNI-certificate-fallback-path.patch
@@ -0,0 +1,79 @@
+From 5ec4fb5eff9f5c1e2dc82e187bdd8d5f02080512 Mon Sep 17 00:00:00 2001
+From: James Peach <jpeach at apache.org>
+Date: Mon, 6 Aug 2012 20:42:43 -0700
+Subject: [PATCH] TS-1392: Fix SNI certificate fallback path
+
+When the SNI lookup fails, we fall back to a bad default SSL context
+instead of the context that we selected when we accepted the TCP
+connection. Make sure that we don't clobber a SSL context if the
+SNI lookup fails.
+---
+ iocore/net/SSLCertLookup.cc     |    7 -------
+ iocore/net/SSLNetVConnection.cc |   17 ++++++++++++++---
+ 2 files changed, 14 insertions(+), 10 deletions(-)
+
+index 8c323a5..8438ef2 100644
+--- a/iocore/net/SSLCertLookup.cc
++++ b/iocore/net/SSLCertLookup.cc
+@@ -113,13 +113,6 @@ SSLCertLookup::init(SslConfigParams * p)
+ {
+   param = p;
+   multipleCerts = buildTable();
+-
+-  // If there wasn't a default SSL context, make a default one. We need this to bootstrap
+-  // the SNI process and also to avoid crashing (which is generaly frowned upon).
+-  if (!this->ssl_default) {
+-    // XXX this leaks, but we're a singleton, so ....
+-    this->ssl_default = SSL_CTX_new(SSLv23_server_method());
+-  }
+ }
+ 
+ bool
+diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
+index e9372e9..fd89cba 100644
+--- a/iocore/net/SSLNetVConnection.cc
++++ b/iocore/net/SSLNetVConnection.cc
+@@ -46,6 +46,8 @@ ClassAllocator<SSLNetVConnection> sslNetVCAllocator("sslNetVCAllocator");
+ // Private
+ //
+ 
++static SSL_CTX * ssl_default = SSL_CTX_new(SSLv23_server_method());
++
+ #if TS_USE_TLS_SNI
+ 
+ static int
+@@ -65,12 +67,18 @@ ssl_servername_callback(SSL * ssl, int * ad, void * arg)
+     ctx = lookup->defaultContext();
+   }
+ 
+-  if (ctx == NULL) {
+-    return SSL_TLSEXT_ERR_NOACK;
++  if (ctx != NULL) {
++    SSL_set_SSL_CTX(ssl, ctx);
+   }
+ 
++  // At this point, we might have updated ctx based on the SNI lookup, or we might still have the
++  // original SSL context that we set when we accepted the connection.
++  ctx = SSL_get_SSL_CTX(ssl);
+   Debug("ssl", "found SSL context %p for requested name '%s'", ctx, servername);
+-  SSL_set_SSL_CTX(ssl, ctx);
++
++  if (ctx == NULL) {
++    return SSL_TLSEXT_ERR_NOACK;
++  }
+ 
+   // We need to return one of the SSL_TLSEXT_ERR constants. If we return an
+   // error, we can fill in *ad with an alert code to propgate to the
+@@ -495,6 +503,9 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
+       if (ctx == NULL) {
+         ctx = sslCertLookup.defaultContext();
+       }
++      if (ctx == NULL) {
++        ctx = ssl_default;
++      }
+ 
+ #if TS_USE_TLS_SNI
+       Debug("ssl", "setting SNI callbacks with initial ctx %p", ctx);
+-- 
+1.7.1
+
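Review bot: The file-scope `static SSL_CTX * ssl_default = SSL_CTX_new(SSLv23_server_method());` added at the top of SSLNetVConnection.cc runs during static initialization, presumably before `SSL_library_init()` has been called; on the OpenSSL 1.0.x that EL6 ships, `SSL_CTX_new` then fails with "library has no ciphers" and returns NULL, so the new `ctx = ssl_default` fallback in sslStartHandShake would still hand the handshake a NULL context, whereas the code this replaces in `SSLCertLookup::init` ran at config-load time and did not have that ordering problem. The bootstrap context also carries no certificate and only the method's default options, so unless the library was built without SSLv2 that protocol remains negotiable on it until `SSL_OP_NO_SSLv2` is set. I would create it lazily on first use and harden it as below, and document the fallback site with `// last-resort context with no certificate: only reached when neither a per-address nor a default context is configured`. Both enclosing functions, `ssl_servername_callback` and `sslStartHandShake`, start and end outside the hunk.
```cpp
// Last-resort context for connections with neither a per-address nor a default
// certificate. Created lazily so SSL_library_init() has already run; it carries
// no certificate, so it only lets the handshake fail cleanly rather than crash.
static SSL_CTX *
ssl_bootstrap_context()
{
  static SSL_CTX * ctx = NULL;   // NOTE(review): relies on guarded local-static init; confirm for the build compiler, or create it once from SSL config init instead
  if (ctx == NULL) {
    ctx = SSL_CTX_new(SSLv23_server_method());
    if (ctx != NULL) {
      SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
    }
  }
  return ctx;
}

// … unchanged: ssl_servername_callback …

      if (ctx == NULL) {
        ctx = ssl_bootstrap_context();
      }
```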
diff --git a/trafficserver.spec b/trafficserver.spec
index e6a48ee..49ad7d8 100644
--- a/trafficserver.spec
+++ b/trafficserver.spec
@@ -3,7 +3,7 @@
 Summary:	Fast, scalable and extensible HTTP/1.1 compliant caching proxy server
 Name:		trafficserver
 Version:	3.2.0
-Release:	2%{?dist}
+Release:	3%{?dist}
 License:	ASL 2.0
 Group:		System Environment/Daemons
 Source0:	http://www.apache.org/dist/%{name}/%{name}-%{version}.tar.bz2
@@ -29,6 +29,8 @@ Requires(postun): initscripts
 
 Patch2:		trafficserver-init_scripts.patch
 Patch7:		trafficserver_make_install.patch
+# TS-1392, scheduled to be fixed in next minor release.
+Patch8:		0001-TS-1392-Fix-SNI-certificate-fallback-path.patch
 
 
 %description
@@ -40,6 +42,7 @@ caching proxy server.
 
 %patch2 -p1 -b .patch2
 %patch7 -p1 -b .patch7
+%patch8 -p1 -b .patch8
 
 %build
 ./configure --enable-layout=Gentoo --libdir=%{_libdir}/trafficserver --with-tcl=%{_libdir} --with-user=ats --with-group=ats
@@ -191,6 +194,9 @@ header files, and Apache httpd style module build system.
 %attr(0644,root,root) %{_libdir}/trafficserver/*.so
 
 %changelog
+* Thu Aug 16 2012 Jan-Frode Myklebust <janfrode at tanso.net> - 3.2.0-3
+- Add patch for TS-1392, to fix problem with SNI fallback.
+
 * Mon Jun 25 2012 Jan-Frode Myklebust <janfrode at tanso.net> - 3.2.0-2
 - Remove duplicate man-pages.
 

