Bug fix in origin connection handling
authorAron Xu <aron@debian.org>
Sat, 21 May 2022 19:14:28 +0000 (20:14 +0100)
committerJean Baptiste Favre <debian@jbfavre.org>
Sat, 21 May 2022 19:14:28 +0000 (20:14 +0100)
Origin: upstream
Applied-Upstream: https://github.com/apache/trafficserver/commit/d3f36f79820ea10c26573c742b1bbc370c351716
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2022-05-21

Last-Update: 2022-05-21
Gbp-Pq: Name 0021-CVE_2021_44759.patch

iocore/net/SSLNetVConnection.cc
iocore/net/YamlSNIConfig.h

index a03022c003092c35f8e716a0923eaa338fae12a7..1505cfeeee8ec026d3c321cc250727ef6c80fef7 100644 (file)
@@ -1036,8 +1036,7 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
       // Making the check here instead of later, so we only
       // do this setting immediately after we create the SSL object
       SNIConfig::scoped_config sniParam;
-      int8_t clientVerify = 0;
-      cchar *serverKey    = this->options.sni_servername;
+      cchar *serverKey = this->options.sni_servername;
       if (!serverKey) {
         ats_ip_ntop(this->get_remote_addr(), buff, INET6_ADDRSTRLEN);
         serverKey = buff;
@@ -1046,24 +1045,30 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
       SSL_CTX *clientCTX = nullptr;
 
       if (nps) {
-        clientCTX    = nps->ctx;
-        clientVerify = nps->verifyLevel;
+        clientCTX = nps->ctx;
       } else {
-        clientCTX    = params->client_ctx;
-        clientVerify = params->clientVerify;
+        clientCTX = params->client_ctx;
       }
+
       if (!clientCTX) {
         SSLErrorVC(this, "failed to create SSL client session");
         return EVENT_ERROR;
       }
 
+      if (nps && nps->verifyLevel != static_cast<uint8_t>(YamlSNIConfig::Level::UNSET)) {
+        this->options.clientVerificationFlag = nps->verifyLevel;
+      } else {
+        // Keeping backwards compatibility on the proxy.config.ssl.client.verify.server setting
+        this->options.clientVerificationFlag = params->clientVerify ? (params->clientVerify == 1 ? 2 : 1) : 0;
+      }
+
       this->ssl = make_ssl_connection(clientCTX, this);
       if (this->ssl == nullptr) {
         SSLErrorVC(this, "failed to create SSL client session");
         return EVENT_ERROR;
       }
       int verify_op;
-      if (clientVerify) {
+      if (this->options.clientVerificationFlag) {
         verify_op = SSL_VERIFY_PEER;
         SSL_set_verify(this->ssl, verify_op, verify_callback);
       } else {
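Review bot: The fallback branch `this->options.clientVerificationFlag = params->clientVerify ? (params->clientVerify == 1 ? 2 : 1) : 0;` encodes the legacy-to-Level mapping as bare integers, and the comment above it only says it keeps compatibility, not that 1 becomes STRICT and any other non-zero value MODERATE. Since the `if` line of the same statement already names `YamlSNIConfig::Level`, the else branch should use the same names, or at minimum the comment should be extended with `// legacy 1 means STRICT, any other non-zero value MODERATE, 0 NONE`. The `UNSET` comparison on the `if` line only restores the global setting if the SNI config loader leaves `verify_origin_server` at its new default when the key is absent; that loader is not part of this diff, so it is worth confirming. sslStartHandShake starts and ends outside the hunk.
```cpp
      if (nps && nps->verifyLevel != static_cast<uint8_t>(YamlSNIConfig::Level::UNSET)) {
        this->options.clientVerificationFlag = nps->verifyLevel;
      } else {
        // Keeping backwards compatibility on the proxy.config.ssl.client.verify.server setting:
        // legacy 1 means STRICT, any other non-zero value MODERATE, 0 NONE.
        using Level = YamlSNIConfig::Level;
        const Level legacy = params->clientVerify == 0 ? Level::NONE : (params->clientVerify == 1 ? Level::STRICT : Level::MODERATE);
        this->options.clientVerificationFlag = static_cast<uint8_t>(legacy);
      }
      // … unchanged: make_ssl_connection and SSL_set_verify …
```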
index cb57d5b7646748a82d1c066345c3887049e7858e..3eed92441a617552cb9eaa2f84097c4800871da8 100644 (file)
@@ -44,7 +44,7 @@ struct YamlSNIConfig {
     client_cert
 
   };
-  enum class Level { NONE = 0, MODERATE, STRICT };
+  enum class Level { NONE = 0, MODERATE, STRICT, UNSET };
 
   YamlSNIConfig() {}
 
@@ -53,7 +53,7 @@ struct YamlSNIConfig {
     bool disable_h2             = false;
     uint8_t verify_client_level = 0;
     std::string tunnel_destination;
-    uint8_t verify_origin_server = 0;
+    uint8_t verify_origin_server = static_cast<uint8_t>(Level::UNSET);
     std::string client_cert;
     std::string ip_allow;
   };
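Review bot: The new `UNSET` enumerator on the `Level` line carries no comment, although unlike NONE/MODERATE/STRICT it is not a verification strength but a sentinel meaning the SNI entry did not configure origin verification and the global setting applies. Adding `UNSET // not set in the SNI entry; defer to proxy.config.ssl.client.verify.server` on that line would make this explicit, and the same note belongs next to the `verify_origin_server` default in the second hunk. Because UNSET is appended after STRICT, any code elsewhere that compares levels ordinally would treat it as the strictest value; such comparisons are outside this diff, so that is worth checking before relying on the sentinel.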