[trafficserver/el6] Add patch for TS-1392:
Jan-Frode Myklebust
janfrode at fedoraproject.org
Thu Aug 16 08:41:36 UTC 2012
commit bef88bff1a4d674da26b7310fc5bc419e85f31fc
Author: Jan-Frode Myklebust <janfrode at tanso.net>
Date: Thu Aug 16 10:40:18 2012 +0200
Add patch for TS-1392:
TS-1392: Fix SNI certificate fallback path
When the SNI lookup fails, we fall back to a bad default SSL context
instead of the context that we selected when we accepted the TCP
connection. Make sure that we don't clobber a SSL context if the
SNI lookup fails.
...TS-1392-Fix-SNI-certificate-fallback-path.patch | 79 ++++++++++++++++++++
trafficserver.spec | 8 ++-
2 files changed, 86 insertions(+), 1 deletions(-)
---
diff --git a/0001-TS-1392-Fix-SNI-certificate-fallback-path.patch b/0001-TS-1392-Fix-SNI-certificate-fallback-path.patch
new file mode 100644
index 0000000..439a4dc
--- /dev/null
+++ b/0001-TS-1392-Fix-SNI-certificate-fallback-path.patch
@@ -0,0 +1,79 @@
+From 5ec4fb5eff9f5c1e2dc82e187bdd8d5f02080512 Mon Sep 17 00:00:00 2001
+From: James Peach <jpeach at apache.org>
+Date: Mon, 6 Aug 2012 20:42:43 -0700
+Subject: [PATCH] TS-1392: Fix SNI certificate fallback path
+
+When the SNI lookup fails, we fall back to a bad default SSL context
+instead of the context that we selected when we accepted the TCP
+connection. Make sure that we don't clobber a SSL context if the
+SNI lookup fails.
+---
+ iocore/net/SSLCertLookup.cc | 7 -------
+ iocore/net/SSLNetVConnection.cc | 17 ++++++++++++++---
+ 2 files changed, 14 insertions(+), 10 deletions(-)
+
+index 8c323a5..8438ef2 100644
+--- a/iocore/net/SSLCertLookup.cc
++++ b/iocore/net/SSLCertLookup.cc
+@@ -113,13 +113,6 @@ SSLCertLookup::init(SslConfigParams * p)
+ {
+ param = p;
+ multipleCerts = buildTable();
+-
+- // If there wasn't a default SSL context, make a default one. We need this to bootstrap
+- // the SNI process and also to avoid crashing (which is generaly frowned upon).
+- if (!this->ssl_default) {
+- // XXX this leaks, but we're a singleton, so ....
+- this->ssl_default = SSL_CTX_new(SSLv23_server_method());
+- }
+ }
+
+ bool
+diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
+index e9372e9..fd89cba 100644
+--- a/iocore/net/SSLNetVConnection.cc
++++ b/iocore/net/SSLNetVConnection.cc
+@@ -46,6 +46,8 @@ ClassAllocator<SSLNetVConnection> sslNetVCAllocator("sslNetVCAllocator");
+ // Private
+ //
+
++static SSL_CTX * ssl_default = SSL_CTX_new(SSLv23_server_method());
++
+ #if TS_USE_TLS_SNI
+
+ static int
+@@ -65,12 +67,18 @@ ssl_servername_callback(SSL * ssl, int * ad, void * arg)
+ ctx = lookup->defaultContext();
+ }
+
+- if (ctx == NULL) {
+- return SSL_TLSEXT_ERR_NOACK;
++ if (ctx != NULL) {
++ SSL_set_SSL_CTX(ssl, ctx);
+ }
+
++ // At this point, we might have updated ctx based on the SNI lookup, or we might still have the
++ // original SSL context that we set when we accepted the connection.
++ ctx = SSL_get_SSL_CTX(ssl);
+ Debug("ssl", "found SSL context %p for requested name '%s'", ctx, servername);
+- SSL_set_SSL_CTX(ssl, ctx);
++
++ if (ctx == NULL) {
++ return SSL_TLSEXT_ERR_NOACK;
++ }
+
+ // We need to return one of the SSL_TLSEXT_ERR constants. If we return an
+ // error, we can fill in *ad with an alert code to propgate to the
+@@ -495,6 +503,9 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
+ if (ctx == NULL) {
+ ctx = sslCertLookup.defaultContext();
+ }
++ if (ctx == NULL) {
++ ctx = ssl_default;
++ }
+
+ #if TS_USE_TLS_SNI
+ Debug("ssl", "setting SNI callbacks with initial ctx %p", ctx);
+--
+1.7.1
+
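Review bot: `static SSL_CTX * ssl_default = SSL_CTX_new(SSLv23_server_method());` runs during static initialization of SSLNetVConnection.cc, i.e. before any SSL_library_init() the program performs at startup, and on OpenSSL releases of that era I believe SSL_CTX_new fails ("library has no ciphers") when no ciphers have been registered yet, so the new `ctx = ssl_default;` fallback in sslStartHandShake would likely assign NULL again and the NULL-context path this patch means to close would stay open. Building the context lazily on first use, after library initialization, removes that ordering dependence (the function-local static below relies on the compiler's guarded initialization, which should be confirmed for the toolchain in use). As far as the hunk shows the fallback context also carries no certificate or key, so a connection that reaches it can only fail its handshake rather than crash; a comment at the fallback saying it is fail-closed would make that intent explicit for the next reader. The enclosing functions ssl_servername_callback and sslStartHandShake both begin and end outside the hunk.
```cpp
// Lazily create the last-resort server context so it is built after the
// SSL library has been initialized rather than at static-init time.
static SSL_CTX *
default_ssl_ctx()
{
  static SSL_CTX * ctx = SSL_CTX_new(SSLv23_server_method());
  return ctx;
}

// … unchanged: ssl_servername_callback …

  if (ctx == NULL) {
    // Fail-closed fallback: this context has no certificate, so the
    // handshake fails instead of dereferencing a NULL context.
    ctx = default_ssl_ctx();
  }
```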
diff --git a/trafficserver.spec b/trafficserver.spec
index e6a48ee..49ad7d8 100644
--- a/trafficserver.spec
+++ b/trafficserver.spec
@@ -3,7 +3,7 @@
Summary: Fast, scalable and extensible HTTP/1.1 compliant caching proxy server
Name: trafficserver
Version: 3.2.0
-Release: 2%{?dist}
+Release: 3%{?dist}
License: ASL 2.0
Group: System Environment/Daemons
Source0: http://www.apache.org/dist/%{name}/%{name}-%{version}.tar.bz2
@@ -29,6 +29,8 @@ Requires(postun): initscripts
Patch2: trafficserver-init_scripts.patch
Patch7: trafficserver_make_install.patch
+# TS-1392, scheduled to be fixed in next minor release.
+Patch8: 0001-TS-1392-Fix-SNI-certificate-fallback-path.patch
%description
@@ -40,6 +42,7 @@ caching proxy server.
%patch2 -p1 -b .patch2
%patch7 -p1 -b .patch7
+%patch8 -p1 -b .patch8
%build
./configure --enable-layout=Gentoo --libdir=%{_libdir}/trafficserver --with-tcl=%{_libdir} --with-user=ats --with-group=ats
@@ -191,6 +194,9 @@ header files, and Apache httpd style module build system.
%attr(0644,root,root) %{_libdir}/trafficserver/*.so
%changelog
+* Thu Aug 16 2012 Jan-Frode Myklebust <janfrode at tanso.net> - 3.2.0-3
+- Add patch for TS-1392, to fix problem with SNI fallback.
+
* Mon Jun 25 2012 Jan-Frode Myklebust <janfrode at tanso.net> - 3.2.0-2
- Remove duplicate man-pages.