Commit f3e1dc7a authored by Tatsuhiro Tsujikawa's avatar Tatsuhiro Tsujikawa

nghttpx: Structured TLS related configurations

parent b12af8c4
......@@ -375,8 +375,8 @@ ClientHandler::ClientHandler(Worker *worker, int fd, SSL *ssl,
get_config()->upstream_read_timeout, get_config()->write_rate,
get_config()->write_burst, get_config()->read_rate,
get_config()->read_burst, writecb, readcb, timeoutcb, this,
get_config()->tls_dyn_rec_warmup_threshold,
get_config()->tls_dyn_rec_idle_timeout),
get_config()->tls.dyn_rec.warmup_threshold,
get_config()->tls.dyn_rec.idle_timeout),
pinned_http2sessions_(
get_config()->downstream_proto == PROTO_HTTP2
? make_unique<std::vector<ssize_t>>(
......@@ -521,7 +521,8 @@ int ClientHandler::validate_next_proto() {
CLOG(INFO, this) << "The negotiated next protocol: " << proto;
}
if (!ssl::in_proto_list(get_config()->npn_list, next_proto, next_proto_len)) {
if (!ssl::in_proto_list(get_config()->tls.npn_list, next_proto,
next_proto_len)) {
if (LOG_ENABLED(INFO)) {
CLOG(INFO, this) << "The negotiated protocol is not supported";
}
......@@ -1601,7 +1601,7 @@ int parse_config(const char *opt, const char *optarg,
return 0;
case SHRPX_OPTID_BACKEND_TLS_SNI_FIELD:
mod_config()->backend_tls_sni_name = optarg;
mod_config()->tls.backend_sni_name = optarg;
return 0;
case SHRPX_OPTID_PID_FILE:
......@@ -1622,7 +1622,7 @@ int parse_config(const char *opt, const char *optarg,
return 0;
}
case SHRPX_OPTID_PRIVATE_KEY_FILE:
mod_config()->private_key_file = strcopy(optarg);
mod_config()->tls.private_key_file = strcopy(optarg);
return 0;
case SHRPX_OPTID_PRIVATE_KEY_PASSWD_FILE: {
......@@ -1631,16 +1631,16 @@ int parse_config(const char *opt, const char *optarg,
LOG(ERROR) << opt << ": Couldn't read key file's passwd from " << optarg;
return -1;
}
mod_config()->private_key_passwd = strcopy(passwd);
mod_config()->tls.private_key_passwd = strcopy(passwd);
return 0;
}
case SHRPX_OPTID_CERTIFICATE_FILE:
mod_config()->cert_file = strcopy(optarg);
mod_config()->tls.cert_file = strcopy(optarg);
return 0;
case SHRPX_OPTID_DH_PARAM_FILE:
mod_config()->dh_param_file = strcopy(optarg);
mod_config()->tls.dh_param_file = strcopy(optarg);
return 0;
case SHRPX_OPTID_SUBCERT: {
......@@ -1649,7 +1649,7 @@ int parse_config(const char *opt, const char *optarg,
if (sp) {
std::string keyfile(optarg, sp);
// TODO Do we need private key for subcert?
mod_config()->subcerts.emplace_back(keyfile, sp + 1);
mod_config()->tls.subcerts.emplace_back(keyfile, sp + 1);
}
return 0;
......@@ -1681,7 +1681,7 @@ int parse_config(const char *opt, const char *optarg,
return 0;
}
case SHRPX_OPTID_CIPHERS:
mod_config()->ciphers = strcopy(optarg);
mod_config()->tls.ciphers = strcopy(optarg);
return 0;
case SHRPX_OPTID_CLIENT:
......@@ -1689,11 +1689,11 @@ int parse_config(const char *opt, const char *optarg,
return 0;
case SHRPX_OPTID_INSECURE:
mod_config()->insecure = util::strieq(optarg, "yes");
mod_config()->tls.insecure = util::strieq(optarg, "yes");
return 0;
case SHRPX_OPTID_CACERT:
mod_config()->cacert = strcopy(optarg);
mod_config()->tls.cacert = strcopy(optarg);
return 0;
case SHRPX_OPTID_BACKEND_IPV4:
......@@ -1762,27 +1762,27 @@ int parse_config(const char *opt, const char *optarg,
LOG(WARN) << opt << ": not implemented yet";
return parse_uint_with_unit(&mod_config()->worker_write_burst, opt, optarg);
case SHRPX_OPTID_NPN_LIST:
mod_config()->npn_list = util::parse_config_str_list(optarg);
mod_config()->tls.npn_list = util::parse_config_str_list(optarg);
return 0;
case SHRPX_OPTID_TLS_PROTO_LIST:
mod_config()->tls_proto_list = util::parse_config_str_list(optarg);
mod_config()->tls.tls_proto_list = util::parse_config_str_list(optarg);
return 0;
case SHRPX_OPTID_VERIFY_CLIENT:
mod_config()->verify_client = util::strieq(optarg, "yes");
mod_config()->tls.client_verify.enabled = util::strieq(optarg, "yes");
return 0;
case SHRPX_OPTID_VERIFY_CLIENT_CACERT:
mod_config()->verify_client_cacert = strcopy(optarg);
mod_config()->tls.client_verify.cacert = strcopy(optarg);
return 0;
case SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE:
mod_config()->client_private_key_file = strcopy(optarg);
mod_config()->tls.client.private_key_file = strcopy(optarg);
return 0;
case SHRPX_OPTID_CLIENT_CERT_FILE:
mod_config()->client_cert_file = strcopy(optarg);
mod_config()->tls.client.cert_file = strcopy(optarg);
return 0;
case SHRPX_OPTID_FRONTEND_HTTP2_DUMP_REQUEST_HEADER:
......@@ -1899,7 +1899,7 @@ int parse_config(const char *opt, const char *optarg,
case SHRPX_OPTID_LISTENER_DISABLE_TIMEOUT:
return parse_duration(&mod_config()->listener_disable_timeout, opt, optarg);
case SHRPX_OPTID_TLS_TICKET_KEY_FILE:
mod_config()->tls_ticket_key_files.push_back(optarg);
mod_config()->tls.ticket.files.push_back(optarg);
return 0;
case SHRPX_OPTID_RLIMIT_NOFILE: {
int n;
......@@ -1948,13 +1948,13 @@ int parse_config(const char *opt, const char *optarg,
return parse_uint(&mod_config()->http2_downstream_connections_per_worker,
opt, optarg);
case SHRPX_OPTID_FETCH_OCSP_RESPONSE_FILE:
mod_config()->fetch_ocsp_response_file = strcopy(optarg);
mod_config()->tls.ocsp.fetch_ocsp_response_file = strcopy(optarg);
return 0;
case SHRPX_OPTID_OCSP_UPDATE_INTERVAL:
return parse_duration(&mod_config()->ocsp_update_interval, opt, optarg);
return parse_duration(&mod_config()->tls.ocsp.update_interval, opt, optarg);
case SHRPX_OPTID_NO_OCSP:
mod_config()->no_ocsp = util::strieq(optarg, "yes");
mod_config()->tls.ocsp.disabled = util::strieq(optarg, "yes");
return 0;
case SHRPX_OPTID_HEADER_FIELD_BUFFER:
......@@ -1980,15 +1980,15 @@ int parse_config(const char *opt, const char *optarg,
}
case SHRPX_OPTID_TLS_TICKET_KEY_CIPHER:
if (util::strieq(optarg, "aes-128-cbc")) {
mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
mod_config()->tls.ticket.cipher = EVP_aes_128_cbc();
} else if (util::strieq(optarg, "aes-256-cbc")) {
mod_config()->tls_ticket_key_cipher = EVP_aes_256_cbc();
mod_config()->tls.ticket.cipher = EVP_aes_256_cbc();
} else {
LOG(ERROR) << opt
<< ": unsupported cipher for ticket encryption: " << optarg;
return -1;
}
mod_config()->tls_ticket_key_cipher_given = true;
mod_config()->tls.ticket.cipher_given = true;
return 0;
case SHRPX_OPTID_HOST_REWRITE:
......@@ -2001,8 +2001,9 @@ int parse_config(const char *opt, const char *optarg,
return -1;
}
mod_config()->session_cache_memcached_host = strcopy(host);
mod_config()->session_cache_memcached_port = port;
auto &memcachedconf = mod_config()->tls.session_cache.memcached;
memcachedconf.host = strcopy(host);
memcachedconf.port = port;
return 0;
}
......@@ -2012,13 +2013,14 @@ int parse_config(const char *opt, const char *optarg,
return -1;
}
mod_config()->tls_ticket_key_memcached_host = strcopy(host);
mod_config()->tls_ticket_key_memcached_port = port;
auto &memcachedconf = mod_config()->tls.ticket.memcached;
memcachedconf.host = strcopy(host);
memcachedconf.port = port;
return 0;
}
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL:
return parse_duration(&mod_config()->tls_ticket_key_memcached_interval, opt,
return parse_duration(&mod_config()->tls.ticket.memcached.interval, opt,
optarg);
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY: {
int n;
......@@ -2031,11 +2033,11 @@ int parse_config(const char *opt, const char *optarg,
return -1;
}
mod_config()->tls_ticket_key_memcached_max_retry = n;
mod_config()->tls.ticket.memcached.max_retry = n;
return 0;
}
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL:
return parse_uint(&mod_config()->tls_ticket_key_memcached_max_fail, opt,
return parse_uint(&mod_config()->tls.ticket.memcached.max_fail, opt,
optarg);
case SHRPX_OPTID_TLS_DYN_REC_WARMUP_THRESHOLD: {
size_t n;
......@@ -2043,13 +2045,13 @@ int parse_config(const char *opt, const char *optarg,
return -1;
}
mod_config()->tls_dyn_rec_warmup_threshold = n;
mod_config()->tls.dyn_rec.warmup_threshold = n;
return 0;
}
case SHRPX_OPTID_TLS_DYN_REC_IDLE_TIMEOUT:
return parse_duration(&mod_config()->tls_dyn_rec_idle_timeout, opt, optarg);
return parse_duration(&mod_config()->tls.dyn_rec.idle_timeout, opt, optarg);
case SHRPX_OPTID_MRUBY_FILE:
#ifdef HAVE_MRUBY
......@@ -292,25 +292,94 @@ struct HttpProxy {
uint16_t port;
};
struct Config {
struct TLSConfig {
// RFC 5077 Session ticket related configurations
struct {
struct {
Address addr;
uint16_t port;
std::unique_ptr<char[]> host;
ev_tstamp interval;
// Maximum number of retries when getting TLS ticket key from
// mamcached, due to network error.
size_t max_retry;
// Maximum number of consecutive error from memcached, when this
// limit reached, TLS ticket is disabled.
size_t max_fail;
} memcached;
std::vector<std::string> files;
const EVP_CIPHER *cipher;
// true if --tls-ticket-key-cipher is used
bool cipher_given;
} ticket;
// Session cache related configurations
struct {
struct {
Address addr;
uint16_t port;
std::unique_ptr<char[]> host;
} memcached;
} session_cache;
// Dynamic record sizing configurations
struct {
size_t warmup_threshold;
ev_tstamp idle_timeout;
} dyn_rec;
// OCSP realted configurations
struct {
ev_tstamp update_interval;
std::unique_ptr<char[]> fetch_ocsp_response_file;
bool disabled;
} ocsp;
// Client verification configurations
struct {
// Path to file containing CA certificate solely used for client
// certificate validation
std::unique_ptr<char[]> cacert;
bool enabled;
} client_verify;
// Client private key and certificate used in backend connections.
struct {
std::unique_ptr<char[]> private_key_file;
std::unique_ptr<char[]> cert_file;
} client;
// The list of (private key file, certificate file) pair
std::vector<std::pair<std::string, std::string>> subcerts;
std::vector<AltSvc> altsvcs;
std::vector<std::pair<std::string, std::string>> add_request_headers;
std::vector<std::pair<std::string, std::string>> add_response_headers;
std::vector<unsigned char> alpn_prefs;
std::vector<LogFragment> accesslog_format;
std::vector<DownstreamAddrGroup> downstream_addr_groups;
std::vector<std::string> tls_ticket_key_files;
// list of supported NPN/ALPN protocol strings in the order of
// preference.
std::vector<std::string> npn_list;
// list of supported SSL/TLS protocol strings.
std::vector<std::string> tls_proto_list;
Address session_cache_memcached_addr;
Address tls_ticket_key_memcached_addr;
// Bit mask to disable SSL/TLS protocol versions. This will be
// passed to SSL_CTX_set_options().
long int tls_proto_mask;
std::string backend_sni_name;
std::chrono::seconds session_timeout;
std::unique_ptr<char[]> private_key_file;
std::unique_ptr<char[]> private_key_passwd;
std::unique_ptr<char[]> cert_file;
std::unique_ptr<char[]> dh_param_file;
std::unique_ptr<char[]> ciphers;
std::unique_ptr<char[]> cacert;
bool insecure;
};
struct Config {
std::vector<AltSvc> altsvcs;
std::vector<std::pair<std::string, std::string>> add_request_headers;
std::vector<std::pair<std::string, std::string>> add_response_headers;
std::vector<LogFragment> accesslog_format;
std::vector<DownstreamAddrGroup> downstream_addr_groups;
Router router;
HttpProxy downstream_http_proxy;
TLSConfig tls;
// obfuscated value used in "by" parameter of Forwarded header
// field.
std::string forwarded_by_obfuscated;
......@@ -318,9 +387,7 @@ struct Config {
// field. This is only used when user defined static obfuscated
// string is provided.
std::string forwarded_for_obfuscated;
std::string backend_tls_sni_name;
StringRef server_name;
std::chrono::seconds tls_session_timeout;
ev_tstamp http2_upstream_read_timeout;
ev_tstamp upstream_read_timeout;
ev_tstamp upstream_write_timeout;
......@@ -330,32 +397,16 @@ struct Config {
ev_tstamp stream_write_timeout;
ev_tstamp downstream_idle_read_timeout;
ev_tstamp listener_disable_timeout;
ev_tstamp ocsp_update_interval;
ev_tstamp tls_ticket_key_memcached_interval;
// address of frontend connection. This could be a path to UNIX
// domain socket. In this case, |host_unix| must be true.
std::unique_ptr<char[]> host;
std::unique_ptr<char[]> private_key_file;
std::unique_ptr<char[]> private_key_passwd;
std::unique_ptr<char[]> cert_file;
std::unique_ptr<char[]> dh_param_file;
std::unique_ptr<char[]> pid_file;
std::unique_ptr<char[]> conf_path;
std::unique_ptr<char[]> ciphers;
std::unique_ptr<char[]> cacert;
std::unique_ptr<char[]> http2_upstream_dump_request_header_file;
std::unique_ptr<char[]> http2_upstream_dump_response_header_file;
// Path to file containing CA certificate solely used for client
// certificate validation
std::unique_ptr<char[]> verify_client_cacert;
std::unique_ptr<char[]> client_private_key_file;
std::unique_ptr<char[]> client_cert_file;
std::unique_ptr<char[]> accesslog_file;
std::unique_ptr<char[]> errorlog_file;
std::unique_ptr<char[]> fetch_ocsp_response_file;
std::unique_ptr<char[]> user;
std::unique_ptr<char[]> session_cache_memcached_host;
std::unique_ptr<char[]> tls_ticket_key_memcached_host;
std::unique_ptr<char[]> mruby_file;
FILE *http2_upstream_dump_request_header;
FILE *http2_upstream_dump_response_header;
......@@ -363,7 +414,6 @@ struct Config {
nghttp2_session_callbacks *http2_downstream_callbacks;
nghttp2_option *http2_option;
nghttp2_option *http2_client_option;
const EVP_CIPHER *tls_ticket_key_cipher;
char **original_argv;
char **argv;
char *cwd;
......@@ -393,15 +443,6 @@ struct Config {
size_t max_header_fields;
// The index of catch-all group in downstream_addr_groups.
size_t downstream_addr_group_catch_all;
// Maximum number of retries when getting TLS ticket key from
// mamcached, due to network error.
size_t tls_ticket_key_memcached_max_retry;
// Maximum number of consecutive error from memcached, when this
// limit reached, TLS ticket is disabled.
size_t tls_ticket_key_memcached_max_fail;
// Bit mask to disable SSL/TLS protocol versions. This will be
// passed to SSL_CTX_set_options().
long int tls_proto_mask;
// downstream protocol; this will be determined by given options.
shrpx_proto downstream_proto;
// bitwise-OR of one or more of shrpx_forwarded_param values.
......@@ -424,11 +465,8 @@ struct Config {
uint16_t port;
// port in http proxy URI
uint16_t downstream_http_proxy_port;
uint16_t session_cache_memcached_port;
uint16_t tls_ticket_key_memcached_port;
bool verbose;
bool daemon;
bool verify_client;
bool http2_proxy;
bool http2_bridge;
bool client_proxy;
......@@ -445,7 +483,6 @@ struct Config {
bool client;
// true if --client or --client-proxy are enabled.
bool client_mode;
bool insecure;
bool backend_ipv4;
bool backend_ipv6;
bool http2_no_cookie_crumbling;
......@@ -455,12 +492,7 @@ struct Config {
bool no_server_push;
// true if host contains UNIX domain socket path
bool host_unix;
bool no_ocsp;
// true if --tls-ticket-key-cipher is used
bool tls_ticket_key_cipher_given;
bool accept_proxy_protocol;
size_t tls_dyn_rec_warmup_threshold;
ev_tstamp tls_dyn_rec_idle_timeout;
};
const Config *get_config();
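Review bot: `bool insecure;` closing TLSConfig carries no comment, although it is the flag that short-circuits `check_cert()` in the `Http2Session::tls_handshake` hunk of this commit; add `// true if --insecure is given: backend server certificates are not verified` above it, and similarly `// true if --verify-client is given` above `client_verify.enabled`. None of the scalar members of the new struct (`cipher`, `cipher_given`, `disabled`, `enabled`, `insecure`, the `ev_tstamp` timeouts) have default member initializers, so their values depend on Config being value-initialized wherever it is created — if it is not, an indeterminate `insecure` fails open; `bool insecure = false;` and the like would make that independent of the allocation site. The comments at `mamcached` and `realted` are misspelled.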
......@@ -450,7 +450,7 @@ int ConnectionHandler::start_ocsp_update(const char *cert_file) {
assert(!ev_is_active(&ocsp_.chldev));
char *const argv[] = {
const_cast<char *>(get_config()->fetch_ocsp_response_file.get()),
const_cast<char *>(get_config()->tls.ocsp.fetch_ocsp_response_file.get()),
const_cast<char *>(cert_file), nullptr};
char *const envp[] = {nullptr};
......@@ -634,7 +634,7 @@ void ConnectionHandler::proceed_next_cert_ocsp() {
if (ocsp_.next == all_ssl_ctx_.size()) {
ocsp_.next = 0;
// We have updated all ocsp response, and schedule next update.
ev_timer_set(&ocsp_timer_, get_config()->ocsp_update_interval, 0.);
ev_timer_set(&ocsp_timer_, get_config()->tls.ocsp.update_interval, 0.);
ev_timer_start(loop_, &ocsp_timer_);
return;
}
......@@ -673,7 +673,7 @@ ConnectionHandler::get_tls_ticket_key_memcached_dispatcher() const {
void ConnectionHandler::on_tls_ticket_key_network_error(ev_timer *w) {
if (++tls_ticket_key_memcached_get_retry_count_ >=
get_config()->tls_ticket_key_memcached_max_retry) {
get_config()->tls.ticket.memcached.max_retry) {
LOG(WARN) << "Memcached: tls ticket get retry all failed "
<< tls_ticket_key_memcached_get_retry_count_ << " times.";
......@@ -697,7 +697,7 @@ void ConnectionHandler::on_tls_ticket_key_not_found(ev_timer *w) {
tls_ticket_key_memcached_get_retry_count_ = 0;
if (++tls_ticket_key_memcached_fail_count_ >=
get_config()->tls_ticket_key_memcached_max_fail) {
get_config()->tls.ticket.memcached.max_fail) {
LOG(WARN) << "Memcached: could not get tls ticket; disable tls ticket";
tls_ticket_key_memcached_fail_count_ = 0;
......@@ -742,7 +742,7 @@ void ConnectionHandler::on_tls_ticket_key_get_success(
void ConnectionHandler::schedule_next_tls_ticket_key_memcached_get(
ev_timer *w) {
ev_timer_set(w, get_config()->tls_ticket_key_memcached_interval, 0.);
ev_timer_set(w, get_config()->tls.ticket.memcached.interval, 0.);
ev_timer_start(loop_, w);
}
......@@ -148,8 +148,8 @@ Http2Session::Http2Session(struct ev_loop *loop, SSL_CTX *ssl_ctx,
: conn_(loop, -1, nullptr, worker->get_mcpool(),
get_config()->downstream_write_timeout,
get_config()->downstream_read_timeout, 0, 0, 0, 0, writecb, readcb,
timeoutcb, this, get_config()->tls_dyn_rec_warmup_threshold,
get_config()->tls_dyn_rec_idle_timeout),
timeoutcb, this, get_config()->tls.dyn_rec.warmup_threshold,
get_config()->tls.dyn_rec.idle_timeout),
worker_(worker), connect_blocker_(connect_blocker), ssl_ctx_(ssl_ctx),
session_(nullptr), data_pending_(nullptr), data_pendinglen_(0),
addr_idx_(0), group_(group), index_(idx), state_(DISCONNECTED),
......@@ -331,8 +331,8 @@ int Http2Session::initiate_connection() {
conn_.set_ssl(ssl);
}
StringRef sni_name = !get_config()->backend_tls_sni_name.empty()
? get_config()->backend_tls_sni_name
StringRef sni_name = !get_config()->tls.backend_sni_name.empty()
? get_config()->tls.backend_sni_name
: downstream_addr.host;
if (!util::numeric_host(sni_name.c_str())) {
......@@ -1718,7 +1718,7 @@ int Http2Session::tls_handshake() {
SSLOG(INFO, this) << "SSL/TLS handshake completed";
}
if (!get_config()->downstream_no_tls && !get_config()->insecure &&
if (!get_config()->downstream_no_tls && !get_config()->tls.insecure &&
check_cert() != 0) {
return -1;
}
......@@ -115,8 +115,8 @@ HttpDownstreamConnection::HttpDownstreamConnection(
: DownstreamConnection(dconn_pool),
conn_(loop, -1, nullptr, nullptr, get_config()->downstream_write_timeout,
get_config()->downstream_read_timeout, 0, 0, 0, 0, connectcb,
readcb, timeoutcb, this, get_config()->tls_dyn_rec_warmup_threshold,
get_config()->tls_dyn_rec_idle_timeout),
readcb, timeoutcb, this, get_config()->tls.dyn_rec.warmup_threshold,
get_config()->tls.dyn_rec.idle_timeout),
ioctrl_(&conn_.rlimit), response_htp_{0}, group_(group), addr_idx_(0),
connected_(false) {}
......@@ -83,9 +83,11 @@ Worker::Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
ev_timer_init(&mcpool_clear_timer_, mcpool_clear_cb, 0., 0.);
mcpool_clear_timer_.data = this;
if (get_config()->session_cache_memcached_host) {
auto &session_cacheconf = get_config()->tls.session_cache;
if (session_cacheconf.memcached.host) {
session_cache_memcached_dispatcher_ = make_unique<MemcachedDispatcher>(
&get_config()->session_cache_memcached_addr, loop);
&session_cacheconf.memcached.addr, loop);
}
if (get_config()->downstream_proto == PROTO_HTTP2) {
......@@ -170,7 +170,7 @@ void ipc_readcb(struct ev_loop *loop, ev_io *w, int revents) {
namespace {
int generate_ticket_key(TicketKey &ticket_key) {
ticket_key.cipher = get_config()->tls_ticket_key_cipher;
ticket_key.cipher = get_config()->tls.ticket.cipher;
ticket_key.hmac = EVP_sha256();
ticket_key.hmac_keylen = EVP_MD_size(ticket_key.hmac);
......@@ -217,7 +217,7 @@ void renew_ticket_key_cb(struct ev_loop *loop, ev_timer *w, int revents) {
auto max_tickets =
static_cast<size_t>(std::chrono::duration_cast<std::chrono::hours>(
get_config()->tls_session_timeout).count());
get_config()->tls.session_timeout).count());
new_keys.resize(std::min(max_tickets, old_keys.size() + 1));
std::copy_n(std::begin(old_keys), new_keys.size() - 1,
......@@ -297,14 +297,16 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
auto end = p + value.size();
p += 4;
auto &ticketconf = get_config()->tls.ticket;
size_t expectedlen;
size_t enc_keylen;
size_t hmac_keylen;
if (get_config()->tls_ticket_key_cipher == EVP_aes_128_cbc()) {
if (ticketconf.cipher == EVP_aes_128_cbc()) {
expectedlen = 48;
enc_keylen = 16;
hmac_keylen = 16;
} else if (get_config()->tls_ticket_key_cipher == EVP_aes_256_cbc()) {
} else if (ticketconf.cipher == EVP_aes_256_cbc()) {
expectedlen = 80;
enc_keylen = 32;
hmac_keylen = 32;
......@@ -335,7 +337,7 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
return;
}
auto key = TicketKey();
key.cipher = get_config()->tls_ticket_key_cipher;
key.cipher = ticketconf.cipher;
key.hmac = EVP_sha256();
key.hmac_keylen = hmac_keylen;
......@@ -423,10 +425,11 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
ev_timer renew_ticket_key_timer;
if (!get_config()->upstream_no_tls) {
if (get_config()->tls_ticket_key_memcached_host) {
auto &ticketconf = get_config()->tls.ticket;
if (ticketconf.memcached.host) {
conn_handler.set_tls_ticket_key_memcached_dispatcher(
make_unique<MemcachedDispatcher>(
&get_config()->tls_ticket_key_memcached_addr, loop));
make_unique<MemcachedDispatcher>(&ticketconf.memcached.addr, loop));
ev_timer_init(&renew_ticket_key_timer, memcached_get_ticket_key_cb, 0.,
0.);
......@@ -435,8 +438,8 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
memcached_get_ticket_key_cb(loop, &renew_ticket_key_timer, 0);
} else {
bool auto_tls_ticket_key = true;
if (!get_config()->tls_ticket_key_files.empty()) {
if (!get_config()->tls_ticket_key_cipher_given) {
if (!ticketconf.files.empty()) {
if (!ticketconf.cipher_given) {
LOG(WARN)
<< "It is strongly recommended to specify "
"--tls-ticket-key-cipher=aes-128-cbc (or "
......@@ -446,8 +449,7 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
"becomes aes-256-cbc";
}
auto ticket_keys = read_tls_ticket_key_file(
get_config()->tls_ticket_key_files,
get_config()->tls_ticket_key_cipher, EVP_sha256());
ticketconf.files, ticketconf.cipher, EVP_sha256());
if (!ticket_keys) {
LOG(WARN) << "Use internal session ticket key generator";
} else {
......@@ -512,7 +514,7 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
ipcev.data = &conn_handler;
ev_io_start(loop, &ipcev);
if (!get_config()->upstream_no_tls && !get_config()->no_ocsp) {
if (!get_config()->upstream_no_tls && !get_config()->tls.ocsp.disabled) {
conn_handler.proceed_next_cert_ocsp();
}
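Review bot: In the `renew_ticket_key_cb` hunk, `max_tickets` is the whole-hour count of `tls.session_timeout`; if that timeout can ever be below one hour it evaluates to 0, `new_keys` is resized to 0, and `new_keys.size() - 1` on the following line wraps to SIZE_MAX before it reaches `std::copy_n`. Unless a lower bound on the timeout is enforced elsewhere, clamp it: `auto max_tickets = std::max<size_t>(1, static_cast<size_t>(std::chrono::duration_cast<std::chrono::hours>(get_config()->tls.session_timeout).count()));`. `renew_ticket_key_cb` starts and ends outside the hunk.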