Traffic Server
TS-1147: deprecate records.config SSL configuration

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.1.4
    • Component/s: SSL
    • Labels: None

      Description

      Since ssl_multicert.config is a strict superset of the SSL certificate configuration in records.config, we should deprecate configuring SSL certificates in records.config and make ssl_multicert.config the One True Way.

        Activity

        Igor Galić added a comment -

        doing a code reading now

        James Peach added a comment -

        5fe79e6 TS-1147: Remove last cert.filename and private_key.filename references
        cadc9b6 TS-1147: Implement default certificate fallback.
        e2827c0 TS-1147: Remove default server SSL_CTX from SSLNetProcessor
        a238d13 TS-1147: Remove proxy.config.ssl.server.private_key.filename
        c426f4a TS-1147: Remove proxy.config.ssl.server.cert.filename
        47255d3 TS-1147: Remove defaultEnabled flag from SSLNetProcessor::initSSLServerCTX()
        e7d5784 TS-1147: Remove SSLNetProcessor::initSSL()

        Someone please review!

        James Peach added a comment -

        Wow, trying to reply in line via email really doesn't work so well ...

        James Peach added a comment -

        Only the .filename options have been removed.

        I added explicit support for this in ssl_multicert:
        dest_ip=* ssl_cert_name=foo.crt

        No it doesn't. If we can't find a certificate we will just fail the connection.

        In my branch, the behaviour is to complete the SSL handshake using the default certificate. If the client accepts this, then there's no reason to return a 400.

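        The migration the description asks for, and the dest_ip=* default entry James mentions in the comment above, worked through as an added example. This is not Traffic Server code and not part of the issue; it is a small Python model of the config files. It assumes the ssl_multicert.config field names dest_ip, ssl_cert_name and ssl_key_name and the records.config line shape "CONFIG <name> <type> <value>" as documented for the 3.x series; the rules that the first exact dest_ip match wins, that the first dest_ip=* line is the default, and that an omitted ssl_key_name means the private key lives in the certificate file are assumptions of this example, as are all file names and addresses in the constructed sample configs.

```python
"""Model the certificate selection an ssl_multicert.config implies, including
the dest_ip=* default fallback, and emit the ssl_multicert.config line that
replaces the removed records.config certificate settings.

Added example, not Traffic Server code. Field names follow the 3.x docs;
match-order and omitted-key semantics are assumptions (see comments)."""
import ipaddress

# Constructed sample configs; names and addresses are made up for the example.
SAMPLE_MULTICERT = """\
# ssl_multicert.config (constructed example)
dest_ip=192.0.2.10 ssl_cert_name=www.example.crt ssl_key_name=www.example.key
dest_ip=192.0.2.11 ssl_cert_name=combined.pem
dest_ip=* ssl_cert_name=default.crt ssl_key_name=default.key
"""

SAMPLE_RECORDS = """\
CONFIG proxy.config.http.server_ports STRING 80 443:ssl
CONFIG proxy.config.ssl.server.cert.filename STRING server.pem
CONFIG proxy.config.ssl.server.private_key.filename STRING server.key
"""


def parse_multicert(text):
    """Return one dict per non-comment line, keyed by field name.

    Every line needs dest_ip and ssl_cert_name; dest_ip is either a literal
    address (validated here) or '*' for the default entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = {}
        for token in line.split():
            if "=" not in token:
                raise ValueError(f"line {lineno}: expected key=value, got {token!r}")
            key, value = token.split("=", 1)
            fields[key] = value
        if "dest_ip" not in fields or "ssl_cert_name" not in fields:
            raise ValueError(f"line {lineno}: dest_ip and ssl_cert_name are required")
        if fields["dest_ip"] != "*":
            ipaddress.ip_address(fields["dest_ip"])  # raises on a malformed address
        entries.append(fields)
    return entries


def select_certificate(entries, dest_ip):
    """Pick the entry for the local address the client connected to.

    Assumed order: first exact dest_ip match wins; otherwise the first
    dest_ip=* line; otherwise None, meaning there is no certificate to present
    and the handshake fails instead of completing with a default."""
    default = None
    for entry in entries:
        if entry["dest_ip"] == dest_ip:
            return entry
        if entry["dest_ip"] == "*" and default is None:
            default = entry
    return default


def key_file_for(entry):
    """Assumption: with no ssl_key_name the private key is read from the
    certificate file itself (a combined PEM), so that name is returned."""
    return entry.get("ssl_key_name", entry["ssl_cert_name"])


def migrate_records_ssl(records_text):
    """Translate the removed proxy.config.ssl.server.cert.filename and
    proxy.config.ssl.server.private_key.filename settings into the equivalent
    ssl_multicert.config default line. Returns None when no cert is set."""
    cert = key = None
    for raw in records_text.splitlines():
        parts = raw.split(None, 3)  # CONFIG <name> <type> <value...>
        if len(parts) == 4 and parts[0] == "CONFIG":
            name, value = parts[1], parts[3].strip()
            if name == "proxy.config.ssl.server.cert.filename":
                cert = value
            elif name == "proxy.config.ssl.server.private_key.filename":
                key = value
    if cert is None:
        return None
    line = f"dest_ip=* ssl_cert_name={cert}"
    if key is not None:
        line += f" ssl_key_name={key}"
    return line


if __name__ == "__main__":
    certs = parse_multicert(SAMPLE_MULTICERT)
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.1"):
        chosen = select_certificate(certs, ip)
        print(ip, "->", chosen["ssl_cert_name"], "key:", key_file_for(chosen))
    print("records.config equivalent:", migrate_records_ssl(SAMPLE_RECORDS))
```

        Dropping the dest_ip=* line from the sample and re-running the lookup for an address that has no exact entry returns None, which is the "fail the connection" case from the comment above; keeping it is what lets the handshake complete with the default certificate.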
        Igor Galić added a comment -

        I suppose you'll only leave proxy.config.http.server_ports 443:ssl in records.config

        What about the default certificate that records.config still configures?
        It needs to be configured if one really wants SSL enabled, even if all of the real hosts are taken care of by ssl_multicert.config.

        Now, in certain cases this might even make sense - someone accesses a proxy via HTTPS, asking for a host this proxy does not serve. Do we terminate the TLS session? Do we finish the TLS handshake offering a default certificate and returning the RFC compliant 400 HTTP code?

        Here's what we do now, which begs the question why, exactly, we need the default certificate:

        i.galic@pheme ~ % curl -vk -H'Host: this-is-a-bad-example.at' https://176.9.55.235:443/
        * About to connect() to 176.9.55.235 port 443 (#0)
        *   Trying 176.9.55.235... connected
        * Connected to 176.9.55.235 (176.9.55.235) port 443 (#0)
        * successfully set certificate verify locations:
        *   CAfile: none
          CApath: /etc/ssl/certs
        * SSLv3, TLS handshake, Client hello (1):
        * Unknown SSL protocol error in connection to 176.9.55.235:443
        * Closing connection #0
        curl: (35) Unknown SSL protocol error in connection to 176.9.55.235:443
        35 i.galic@pheme ~ % 
        
        James Peach added a comment -

        I have a patch in my queue.

        James Peach added a comment -

        I'm going to investigate this for 3.1.5 (aka. 3.2).


          People

          • Assignee: James Peach
          • Reporter: James Peach