
TS-2437: add a lifecycle hook to expose loaded SSL certificates to pl…

…ugins

Add two new lifecycle hooks, TS_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED_HOOK
and TS_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED_HOOK.

The reason for these hooks is that I have a use case to manipulate
(overwrite) the OpenSSL related callbacks in my plugin. I think it
is also useful for applications that need to change or retrieve
the SSL related attributes (callbacks, certs, configurations, etc).
1 parent 744eaba commit a5a93ac5ac45b2ba810c4b3e8ce311cd23bf8ff2 @suenway suenway committed with jpeach Feb 24, 2014
Showing with 54 additions and 1 deletion.
  1. +3 −0 CHANGES
  2. +4 −0 iocore/net/P_SSLConfig.h
  3. +1 −0 iocore/net/SSLConfig.cc
  4. +12 −0 iocore/net/SSLUtils.cc
  5. +16 −1 proxy/Main.cc
  6. +18 −0 proxy/api/ts/ts.h.in
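--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 5.0.0
+ *) [TS-2437] Add a lifecycle hook to expose loaded SSL certificates to plugins.
+ Author: Wei Sun <sunwei@yahoo-inc.com>
+
 *) [TS-2582] Make traffic_cop debugging eadier by logging to stdout.
 *) [TS-2579] Remove ipv4 limit for FetchSM and TSFetchUrl/TSFetchPages.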
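--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -44,6 +44,8 @@ struct SSLCertLookup;
 /////////////////////////////////////////////////////////////
+typedef void (*init_ssl_ctx_func)(void *, bool);
+
 struct SSLConfigParams : public ConfigInfo
 {
 enum SSL_SESSION_CACHE_MODE
@@ -79,6 +81,8 @@ struct SSLConfigParams : public ConfigInfo
 static int ssl_maxrecord;
 static bool ssl_allow_client_renegotiation;
+ static init_ssl_ctx_func init_ssl_ctx_cb;
+
 void initialize();
 void cleanup();
 };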
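Review bot: `init_ssl_ctx_func` and `init_ssl_ctx_cb` are added without a comment saying what the `void *` and the `bool` are; from the call sites in SSLUtils.cc the pointer is the freshly initialized SSL_CTX and the flag is true for server contexts and false for the client context, and a reader of the header alone cannot see that. I would put it on the typedef: `// Invoked after an SSL_CTX has been fully initialized; ctx is the SSL_CTX (passed as void *), server is true for server-side contexts and false for the client context.` Since `init_ssl_ctx_cb` is a plain static function pointer read from the SSL initialization paths with no synchronization, the member comment should also say it is expected to be set once, before `sslNetProcessor.start()`, and left alone afterwards — the Main.cc hunk in this commit does exactly that. The body of `SSLConfigParams` between the two hunks is not shown.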
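--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -43,6 +43,7 @@ int SSLConfig::configid = 0;
 int SSLCertificateConfig::configid = 0;
 int SSLConfigParams::ssl_maxrecord = 0;
 bool SSLConfigParams::ssl_allow_client_renegotiation = false;
+init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb = NULL;
 static ConfigUpdateHandler<SSLCertificateConfig> * sslCertUpdate;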
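--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -601,6 +601,10 @@ SSLInitClientContext(const SSLConfigParams * params)
 }
 }
+ if (SSLConfigParams::init_ssl_ctx_cb) {
+ SSLConfigParams::init_ssl_ctx_cb(client_ctx, false);
+ }
+
 return client_ctx;
 fail:
@@ -761,6 +765,10 @@ ssl_store_ssl_context(
 Debug("ssl", "importing SNI names from %s", (const char *)certpath);
 ssl_index_certificate(lookup, ctx, certpath);
+ if (SSLConfigParams::init_ssl_ctx_cb) {
+ SSLConfigParams::init_ssl_ctx_cb(ctx, true);
+ }
+
 return true;
 }
@@ -908,6 +916,10 @@ SSLParseCertificateConfiguration(
 #endif /* TS_USE_TLS_ALPN */
 lookup->insert(lookup->ssl_default, "*");
+ if (SSLConfigParams::init_ssl_ctx_cb) {
+ SSLConfigParams::init_ssl_ctx_cb(lookup->ssl_default, true);
+ }
+
 }
 return true;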
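Review bot: The same `if (SSLConfigParams::init_ssl_ctx_cb) { ... }` block is pasted at three call sites (the client context, each stored server context, and the default server context), so the null check and the meaning of the server/client flag live in three places with no comment; a small static helper keeps them in one place and gives the flag a name. The three sites consistently fire only after the context is fully built and, on the server side, after it has been indexed into the lookup, which matches the "INITIALIZED" naming — worth a comment at the helper so a later reshuffle does not move the call earlier, since plugins may install callbacks on the context the moment they receive it. `SSLInitClientContext` continues past the first hunk (the `fail:` path), so the client callback is reached only on the success path.
```cpp
// Hand a fully initialized SSL_CTX to the plugin lifecycle callback, if one is
// registered. Must run after the context is complete (and, for server contexts,
// indexed), because plugins may modify the context as soon as they see it.
// `server` is true for server-side contexts, false for the single client context.
static void
ssl_callback_ctx_initialized(void *ctx, bool server)
{
  if (SSLConfigParams::init_ssl_ctx_cb) {
    SSLConfigParams::init_ssl_ctx_cb(ctx, server);
  }
}

// … unchanged: SSLInitClientContext body …
  ssl_callback_ctx_initialized(client_ctx, false);
  return client_ctx;
```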
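--- a/proxy/Main.cc
+++ b/proxy/Main.cc
@@ -118,6 +118,7 @@ static const long MAX_LOGIN = sysconf(_SC_LOGIN_NAME_MAX) <= 0 ? _POSIX_LOGIN_N
 static void * mgmt_restart_shutdown_callback(void *, char *, int data_len);
 static void* mgmt_storage_device_cmd_callback(void* x, char* data, int len);
+static void init_ssl_ctx_callback(void *ctx, bool server);
 static int version_flag = DEFAULT_VERSION_FLAG;
@@ -1523,7 +1524,6 @@ main(int /* argc ATS_UNUSED */, char **argv)
 NetProcessor::accept_mss = accept_mss;
 netProcessor.start(0, stacksize);
- sslNetProcessor.start(getNumSSLThreads(), stacksize);
 dnsProcessor.start(0, stacksize);
 if (hostDBProcessor.start() < 0)
@@ -1535,6 +1535,9 @@ main(int /* argc ATS_UNUSED */, char **argv)
 // Init plugins as soon as logging is ready.
 plugin_init(); // plugin.config
+
+ SSLConfigParams::init_ssl_ctx_cb = init_ssl_ctx_callback;
+ sslNetProcessor.start(getNumSSLThreads(), stacksize);
 pmgmt->registerPluginCallbacks(global_config_cbs);
 cacheProcessor.set_after_init_callback(&CB_After_Cache_Init);
@@ -1699,3 +1702,15 @@ mgmt_storage_device_cmd_callback(void* data, char* arg, int len)
 }
 return NULL;
 }
+
+static void
+init_ssl_ctx_callback(void *ctx, bool server)
+{
+ TSEvent event = server ? TS_EVENT_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED : TS_EVENT_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED;
+ APIHook *hook = lifecycle_hooks->get(server ? TS_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED_HOOK : TS_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED_HOOK);
+
+ while (hook) {
+ hook->invoke(event, ctx);
+ hook = hook->next();
+ }
+}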
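Review bot: `sslNetProcessor.start()` is moved from right after `netProcessor.start()` to after `plugin_init()` so that the callback is registered before any SSL_CTX is built, but the new location carries no comment and the ordering is easy to undo by accident; I would add `// Start SSL only after plugin_init() so plugins have registered their SSL_CTX lifecycle hooks before any context is built.` above the assignment. The move also shifts SSL startup to after `dnsProcessor` and `hostDBProcessor` start, which is presumably harmless but deserves a sentence in the commit message. `init_ssl_ctx_callback` should get a header comment saying that it maps the server flag to the matching lifecycle hook id and event and then walks the registered hooks, handing the SSL_CTX pointer to each plugin continuation as the event data; it dereferences `lifecycle_hooks` without a null check, which I take to be guaranteed non-null once `plugin_init()` has run — confirm. Both `main` hunks are cut from a function that starts and ends outside the hunks.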
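--- a/proxy/api/ts/ts.h.in
+++ b/proxy/api/ts/ts.h.in
@@ -310,6 +310,20 @@ extern "C"
 Event: TS_EVENT_LIFECYCLE_CACHE_READY
+ TS_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED_HOOK
+
+ called every time after a server SSL_CTX has finished the initialization.
+ It exposes the initialized SSL_CTX pointer.
+
+ Event: TS_EVENT_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED
+
+ TS_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED_HOOK
+
+ called once, after the client SSL_CTX has finished the initialization.
+ It exposes the initialized SSL_CTX pointer.
+
+ Event: TS_EVENT_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED
+
 Ordering guarantees:
 - TS_LIFECYCLE_PORTS_INITIALIZED_HOOK before TS_LIFECYCLE_PORTS_READY_HOOK.
@@ -322,6 +336,8 @@ extern "C"
 TS_LIFECYCLE_PORTS_INITIALIZED_HOOK,
 TS_LIFECYCLE_PORTS_READY_HOOK,
 TS_LIFECYCLE_CACHE_READY_HOOK,
+ TS_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED_HOOK,
+ TS_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED_HOOK,
 TS_LIFECYCLE_LAST_HOOK
 } TSLifecycleHookID;
@@ -413,6 +429,8 @@ extern "C"
 TS_EVENT_LIFECYCLE_PORTS_INITIALIZED = 60018,
 TS_EVENT_LIFECYCLE_PORTS_READY = 60019,
 TS_EVENT_LIFECYCLE_CACHE_READY = 60020,
+ TS_EVENT_LIFECYCLE_SERVER_SSL_CTX_INITIALIZED = 60021,
+ TS_EVENT_LIFECYCLE_CLIENT_SSL_CTX_INITIALIZED = 60022,
 TS_EVENT_MGMT_UPDATE = 60100,
 /* EVENTS 60200 - 60202 for internal use */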
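Review bot: The new hook text says the SSL_CTX pointer is "exposed" but not how a plugin obtains it; from the Main.cc hunk it arrives as the event data of the continuation callback, cast to `void *`, so each entry should state `The event data is the initialized SSL_CTX * (passed as void *).` It should also spell out ownership and scope: the context belongs to Traffic Server and is shared by every connection later created from it, so any callback or option a plugin changes on it applies process-wide, and the plugin presumably must not free or retain it past the callback — confirm and document. `called every time after a server SSL_CTX has finished the initialization` reads awkwardly; `called each time a server SSL_CTX has finished initialization` is clearer, with the same fix for the client entry. The "Ordering guarantees" list directly below is not extended — if there is a guarantee relative to TS_LIFECYCLE_PORTS_INITIALIZED_HOOK or TS_LIFECYCLE_PORTS_READY_HOOK it belongs there, and if there is none the doc should say so.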
