Fix ats_replay.test.ext to use ssl_multicert_yaml #12991

Closed
bryancall wants to merge 54 commits into apache:master from bryancall:fix-ats-replay-ssl-multicert-yaml

Conversation

@bryancall
Contributor

Summary

  • The ssl_multicert.config -> ssl_multicert.yaml migration (ssl_multicert.config -> ssl_multicert.yaml #12755) updated trafficserver.test.ext and traffic_replay.test.ext but missed ats_replay.test.ext
  • This causes an AttributeError exception for any ATSReplayTest using enable_tls: true (e.g., the chunked_encoding large_chunked sub-test), which is the root cause of the AuTest 0of4 failure on Merge 11-Dev back into master #12983
  • Updates ats_replay.test.ext to use ssl_multicert_yaml attribute and YAML format for the default cert configuration

```
AttributeError: 'Disk' object has no attribute 'ssl_multicert_config'. Did you mean: 'ssl_multicert_yaml'?
```

Note: This fix depends on #12983 (merge of 11-Dev into master) which brings in the ssl_multicert.yaml migration. It should be merged after or included in that PR.

Test plan

  • Reproduced the exception in Fedora 42 CI Docker image (ci.trafficserver.apache.org/ats/fedora:42)
  • Verified chunked_encoding test passes (0 exceptions, 2 passed) with the fix
  • Verified cache-auth test still passes with the fix

bneradt and others added 30 commits February 26, 2024 11:14
Conflicts are related to:
apache#11157
There were no conflicts.
Conflicts:
      include/iocore/net/TLSSessionResumptionSupport.h
      src/iocore/net/SSLUtils.cc
Conflicts:
      doc/admin-guide/files/records.yaml.en.rst
The conflict is a result of apache#11157 but is easy enough to resolve since

 Conflicts:
	src/api/InkAPI.cc
```
FAILED: src/iocore/net/CMakeFiles/inknet.dir/SSLUtils.cc.o
/Library/Developer/CommandLineTools/usr/bin/clang++ -DDEBUG -DOPENSSL_API_COMPAT=10002 -DOPENSSL_IS_OPENSSL3 -DPACKAGE_NAME="\"Apache Traffic Server\"" -DPACKAGE_VERSION=\"11.0.0\" -D_DEBUG -Ddarwin -I/Users/bneradt/project_not_synced/repos/ts_os/include -I/Users/bneradt/project_not_synced/repos/ts_os/build/include -I/Users/bneradt/project_not_synced/repos/ts_os/lib/swoc/include -I/Users/bneradt/project_not_synced/repos/ts_os/lib/yamlcpp/include -isystem /opt/ats_h3_tools/openssl-quic/include -isystem /opt/homebrew/include -isystem /Users/bneradt/project_not_synced/repos/ts_os/lib/systemtap -isystem /opt/homebrew/Cellar/pcre2/10.44/include -Qunused-arguments -g -std=c++20 -arch arm64 -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX15.2.sdk -Wno-invalid-offsetof -pipe -Wall -Wextra -Wno-noexcept-type -Wsuggest-override -Wno-vla-extension -fno-strict-aliasing -Wno-deprecated-declarations -Werror -MD -MT src/iocore/net/CMakeFiles/inknet.dir/SSLUtils.cc.o -MF src/iocore/net/CMakeFiles/inknet.dir/SSLUtils.cc.o.d -o src/iocore/net/CMakeFiles/inknet.dir/SSLUtils.cc.o -c /Users/bneradt/project_not_synced/repos/ts_os/src/iocore/net/SSLUtils.cc
/Users/bneradt/project_not_synced/repos/ts_os/src/iocore/net/SSLUtils.cc:1284:57: error: unused parameter 'ctx' [-Werror,-Wunused-parameter]
 1284 | SSLMultiCertConfigLoader::_setup_session_cache(SSL_CTX *ctx)
      |                                                         ^
1 error generated.
```

Co-authored-by: bneradt <bneradt@yahooinc.com>
Conflicts:
      src/api/InkAPI.cc
bneradt and others added 24 commits July 1, 2025 12:14
Conflicts:
      doc/admin-guide/files/records.yaml.en.rst
      src/iocore/net/SSLConfig.cc
      src/records/RecordsConfig.cc
      tests/gold_tests/pluginTest/stek_share/stek_share.test.py
      tests/gold_tests/tls/tls_0rtt_server.test.py
      tests/gold_tests/tls/tls_origin_session_reuse.test.py
      tests/gold_tests/tls/tls_session_reuse.test.py
   Conflicts:
          include/iocore/net/TLSSessionResumptionSupport.h
          src/iocore/net/SSLSessionCache.cc
          src/iocore/net/TLSSessionResumptionSupport.cc
The 11-Dev branch has removed the TLS session caching feature, but did
not update the docs to remove references to it. This made the docs build
to fail. This updates the docs to remove session cache references.
There were no conflicts.
Detect and ignore Cache-Control directives that are malformed (e.g.,
using semicolons instead of commas). When the parser cannot fully
consume a Cache-Control directive value, leaving unparsed non-whitespace
content, the directive is treated as unrecognized and ignored per RFC
7234 Section 5.2.

For example, a malformed header such as 'public; max-age=30' (note the
incorrect semicolon separator) would previously set the 'public' bit but
ignore the unparsed 'max-age=30', causing the response to be cached with
incorrect heuristic lifetimes. Not only is this incorrect per the RFC,
but the intended max-age was, from the user's perspective, mysteriously
ignored. Now the entire malformed directive is ignored, allowing default
caching rules to apply correctly.

Fixes: apache#12029
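
The strict-consume rule described in the commit message above, as an added Python sketch (not Apache Traffic Server code and not part of this pull request). The names `parse_cache_control` and `malformed_elements` and the sample header values are constructed for illustration; quoted values that contain commas are not handled.

```python
import re

# RFC 7230 token characters; a directive is token[=token|"quoted-string"].
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
DIRECTIVE = re.compile(rf'\s*({TCHAR}+)(?:=({TCHAR}+|"[^"]*"))?')


def _elements(value):
    """Yield (element, match-or-None, unparsed leftover) per comma-separated element."""
    for element in value.split(","):
        if not element.strip():
            continue
        m = DIRECTIVE.match(element)
        leftover = element[m.end():].strip() if m else element.strip()
        yield element.strip(), m, leftover


def parse_cache_control(value, strict=True):
    """Return {directive: argument-or-None}.

    strict=False models the old behaviour: keep the leading directive and
    silently drop whatever could not be parsed after it.
    strict=True models the fix: leftover non-whitespace content makes the
    whole element unrecognized, so it is ignored.
    """
    directives = {}
    for _, m, leftover in _elements(value):
        if m is None or (strict and leftover):
            continue
        directives[m.group(1).lower()] = m.group(2)
    return directives


def malformed_elements(value):
    """Elements a strict parser discards; worth logging when auditing origins."""
    return [element for element, _, leftover in _elements(value) if leftover]


if __name__ == "__main__":
    # Constructed sample header values, not taken from real traffic.
    for header in ("public, max-age=30", "public; max-age=30",
                   "max-age=30; public, no-store"):
        print(repr(header))
        print("  lenient:", parse_cache_control(header, strict=False))
        print("  strict: ", parse_cache_control(header, strict=True))
        print("  dropped:", malformed_elements(header))
```

With the lenient parse, `public; max-age=30` yields only `public`, which is the silent loss of the intended lifetime that the commit message describes; the strict parse yields nothing, so default caching rules apply.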
Replace the ssl_multicert.config format with YAML format, following the
pattern established by sni.yaml. The new ssl_multicert.yaml uses a
top-level 'ssl_multicert' key containing a sequence of certificate
entries.

This also supports config conversion via:
traffic_ctl config ssl_multicert <old_config> <new_config>
 Conflicts:
	doc/developer-guide/testing/blackbox-testing.en.rst
	src/iocore/net/SSLSessionCache.cc
Set proxy.config.http.cache.targeted_cache_control_headers to
CDN-Cache-Control by default for 11-Dev so targeted cache control is
active out of the box.

Update admin docs and release notes to reflect the new default and
document that an empty value disables targeted cache control.

Extend targeted-cache-control AuTest coverage to verify default
behavior without remap override, while preserving remap override
coverage for header priority and custom targeted headers.

Co-authored-by: bneradt <bneradt@yahooinc.com>
…ache#12892)

ATS Configuration Reload with observability/tracing — Token model
Replace the fire-and-forget configuration reload mechanism with a new
token-based, observable reload framework. Every reload operation is now
assigned a unique token, tracked through a task tree, and queryable via
CLI or JSONRPC at any point after submission.

Core components introduced:

- ConfigRegistry: centralized singleton for config file registration,
  filename records, trigger records, and reload handlers. Replaces the
  scattered registration across AddConfigFilesHere.cc and individual
  modules.
- ReloadCoordinator: manages reload session lifecycle including token
  generation, concurrency control (--force to override), timeout
  detection, and rolling history.
- ConfigReloadTask: tracks a single reload as a tree of sub-tasks with
  per-handler status, timings, and logs.
- ConfigContext: lightweight context passed to handlers providing
  in_progress(), complete(), fail(), log(), supplied_yaml(), and
  add_dependent_ctx(). Safe no-op at startup when no reload is active.
- ConfigReloadProgress: periodic checker that detects stuck tasks and
  marks them as TIMEOUT.

New traffic_ctl commands:

- config reload [-m] [-t <token>] [-d @file] [--force]
- config status [-t <token>] [-c all]

  All commands support --format json for automation and CI pipelines.

New JSONRPC APIs:

- admin_config_reload: unified file-based or inline reload with token,
  force, and configs parameters.
- get_reload_config_status: query reload status by token or get the
  last N reloads.

Migrated config handlers to ConfigRegistry: ip_allow, cache_control,
cache_hosting, parent_proxy, split_dns, remap, logging,
ssl_client_coordinator (with sni.yaml and ssl_multicert.config as
dependencies), ssl_ticket_key, records, and pre-warm. Static configs
(storage, volume, plugin, socks, jsonrpc) registered as inventory-only.

Removed legacy ConfigUpdateHandler/ConfigUpdateContinuation from
ConfigProcessor.h. Removed AddConfigFilesHere.cc in favor of
per-module self-registration.

Fixed duplicate handler execution for configs with multiple trigger
records (e.g. ssl_client_coordinator) by deduplicating against the
ConfigReloadTask subtask tree.

Added RecFlushConfigUpdateCbs() to synchronously fire pending record
callbacks after rereadConfig(), ensuring all subtasks are registered
before the first status poll.


New configuration records:
- proxy.config.admin.reload.timeout (default: 1h)
- proxy.config.admin.reload.check_interval (default: 2s)

Backward compatible: existing `traffic_ctl config reload` works as
before; internally it now uses the new framework with automatic token
assignment and tracking.
 Conflicts:
	include/ts/ts.h
	include/tscore/ArgParser.h
	src/iocore/cache/P_CacheHosting.h
	src/proxy/ReverseProxy.cc
	src/tscore/ArgParser.cc
…onfig to ssl_multicert.yaml migration (apache#12755) updated trafficserver.test.ext and traffic_replay.test.ext but missed ats_replay.test.ext. This caused an AttributeError exception for any ATSReplayTest using enable_tls (e.g. chunked_encoding large_chunked). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@bryancall
Contributor Author

Closing - this fix needs to be included in #12983 directly since the issue only manifests in the merge result. Will comment on #12983 with the fix.

@bryancall bryancall closed this Mar 18, 2026