From df025b3d9fa539eb09456a3d70f317ff697bf1a4 Mon Sep 17 00:00:00 2001 From: luqiuwen Date: Tue, 19 Feb 2019 15:11:15 +0600 Subject: [PATCH] =?UTF-8?q?Close=20#116=20=E5=8E=BB=E9=99=A4=E6=A0=B9?= =?UTF-8?q?=E6=8D=AEClientHello=E9=95=9C=E5=83=8F=E4=B8=8A=E6=B8=B8SSL?= =?UTF-8?q?=E7=89=88=E6=9C=AC=E7=9A=84=E5=8A=9F=E8=83=BD=EF=BC=8C=E5=A2=9E?= =?UTF-8?q?=E5=8A=A0=E5=9C=A8=E8=BF=9E=E6=8E=A5=E6=91=98=E8=A6=81=E6=97=A5?= =?UTF-8?q?=E5=BF=97=E8=AE=B0=E5=BD=95SSL=E7=89=88=E6=9C=AC=E5=92=8CSNI?= =?UTF-8?q?=E7=9A=84=E5=8A=9F=E8=83=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- platform/include/internal/platform.h | 4 ++++ platform/src/ssl_stream.cpp | 32 ++++++++++++++-------------- platform/src/tcp_stream.cpp | 12 +++++++++-- 3 files changed, 30 insertions(+), 18 deletions(-) diff --git a/platform/include/internal/platform.h b/platform/include/internal/platform.h index fd5e959..2c25831 100644 --- a/platform/include/internal/platform.h +++ b/platform/include/internal/platform.h @@ -134,6 +134,10 @@ struct tfe_stream_private #define STREAM_EVENT_LOG_MAX 8 struct tfe_stream_event_log log_event[STREAM_EVENT_LOG_MAX]; unsigned int nr_log_event; + + /* CONNECTION LOG */ + char ssl_downstream_info_dump[TFE_STRING_MAX]; + char ssl_upstream_info_dump[TFE_STRING_MAX]; }; static inline void * __STREAM_LOGGER(struct tfe_stream_private * _stream) diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp index ccfd716..934d001 100644 --- a/platform/src/ssl_stream.cpp +++ b/platform/src/ssl_stream.cpp @@ -124,6 +124,7 @@ struct ssl_mgr unsigned int no_alpn; unsigned int no_cert_verify; unsigned int no_mirror_client_cipher_suite; + CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new int ssl_min_version, ssl_max_version; char ssl_session_context[8]; 
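Review bot: The two new dump buffers in `tfe_stream_private` are written only in `ssl_downstream_create_on_success` yet are formatted with `%s` by `__stream_access_log_write` for every stream, so the bare `/* CONNECTION LOG */` comment should state that invariant and who upholds it. Something like `/* CONNECTION LOG: SSL version/SNI summary per leg, filled in ssl_downstream_create_on_success; must be NUL-terminated at allocation because the access log prints them for non-SSL streams too */` would tell the next maintainer why a zeroed struct matters here. The fields also add 2*TFE_STRING_MAX bytes to every stream whether or not it ever speaks TLS; if that constant is large, it is worth a note or a heap-allocated string instead. The struct begins before this hunk.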
@@ -133,22 +134,18 @@ struct ssl_mgr struct sess_cache * down_sess_cache; struct sess_cache * up_sess_cache; - struct session_ticket_key ticket_key; - char default_ciphers[TFE_SYMBOL_MAX]; DH * dh; char * ecdhcurve; char * crl_url; - struct cert_store_param cert_verify_param; uint8_t ssl_mode_release_buffers; char trusted_cert_file[TFE_PATH_MAX]; char trusted_cert_dir[TFE_PATH_MAX]; - struct ssl_trusted_cert_storage * trust_CA_store; struct key_keeper * key_keeper; struct event_base * ev_base_gc; 
@@ -582,21 +579,25 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section MESA_load_profile_uint_def(ini_profile, section, "no_tls12", &(mgr->no_tls12), 0); MESA_load_profile_string_def(ini_profile, section, "default_ciphers", mgr->default_ciphers, sizeof(mgr->default_ciphers), DFLT_CIPHERS); + MESA_load_profile_uint_def(ini_profile, section, "no_session_cache", &(mgr->no_sesscache), 0); MESA_load_profile_uint_def(ini_profile, section, "no_session_ticket", &(mgr->no_sessticket), 0); MESA_load_profile_uint_def(ini_profile, section, "no_alpn", &(mgr->no_alpn), 0); MESA_load_profile_uint_def(ini_profile, section, "no_cert_verify", &(mgr->no_cert_verify), 0); - MESA_load_profile_uint_def(ini_profile, section, "no_mirror_client_cipher_suite", &(mgr->no_mirror_client_cipher_suite), 0); - - MESA_load_profile_uint_def(ini_profile, section, "session_cache_slots", &(mgr->cache_slots), 4 * 1024 * 1024); - MESA_load_profile_uint_def(ini_profile, section, "session_cache_expire_seconds", &(mgr->sess_expire_seconds), 30 * 60); + MESA_load_profile_uint_def(ini_profile, section, "no_mirror_client_cipher_suite", + &(mgr->no_mirror_client_cipher_suite), 0); + MESA_load_profile_uint_def(ini_profile, section, "session_cache_slots", + &(mgr->cache_slots), 4 * 1024 * 1024); + MESA_load_profile_uint_def(ini_profile, section, "session_cache_expire_seconds", + &(mgr->sess_expire_seconds), 30 * 60); if(!mgr->no_sesscache) { mgr->up_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_UPSTREAM); mgr->down_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_DOWNSTREAM); } + //Reference to NGINX: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key //Support key rotation in futher. 
@@ -775,6 +776,7 @@ static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello * sslctx = SSL_CTX_new(mgr->sslmethod()); sslctx_set_opts(sslctx, mgr); int ret=0; + if(chello->cipher_suites!=NULL) { //SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher could be selected and 0 on complete failure. @@ -789,19 +791,17 @@ static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello * { ret=SSL_CTX_set_cipher_list(sslctx, mgr->default_ciphers); } - if (mgr->ssl_min_version) + + if (SSL_CTX_set_min_proto_version(sslctx, mgr->ssl_min_version) == 0 || + SSL_CTX_set_max_proto_version(sslctx, mgr->ssl_max_version) == 0) { - if (SSL_CTX_set_min_proto_version(sslctx, MAX(chello->min_version.ossl_format, mgr->ssl_min_version)) == 0 || - SSL_CTX_set_max_proto_version(sslctx, MIN(chello->max_version.ossl_format, mgr->ssl_max_version)) == 0) - { - SSL_CTX_free(sslctx); - return NULL; - } + SSL_CTX_free(sslctx); + return NULL; } SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL); ssl = SSL_new(sslctx); - SSL_CTX_free(sslctx); /* SSL_new() increments refcount */ + SSL_CTX_free(sslctx); /* SSL_new() increments refcount */ if (!ssl) { diff --git a/platform/src/tcp_stream.cpp b/platform/src/tcp_stream.cpp index d0f2c24..454398c 100644 --- a/platform/src/tcp_stream.cpp +++ b/platform/src/tcp_stream.cpp @@ -875,6 +875,13 @@ void ssl_downstream_create_on_success(future_result_t * result, void * user) _stream->defer_fd_downstream = 0; assert(_stream->conn_downstream != NULL && _stream->conn_upstream != NULL); + + ssl_stream_dump_info(_stream->ssl_downstream, _stream->ssl_downstream_info_dump, + sizeof(_stream->ssl_downstream_info_dump)); + + ssl_stream_dump_info(_stream->ssl_upstream, _stream->ssl_upstream_info_dump, + sizeof(_stream->ssl_upstream_info_dump)); + __conn_private_enable(_stream->conn_downstream); __conn_private_enable(_stream->conn_upstream); 
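Review bot: With the ClientHello clamp removed, the upstream floor is now exactly `mgr->ssl_min_version`, and `SSL_CTX_set_min_proto_version()` treats 0 as "no lower bound", so an unset or zero `ssl_min_version` lets the upstream leg negotiate a protocol older than the one the client itself insisted on; the old `MAX(chello->min_version.ossl_format, mgr->ssl_min_version)` prevented that downgrade. Where `ssl_min_version` is loaded is outside this hunk, so I cannot tell whether its default is safe; either give it a non-zero default there or document the dependency here, e.g. `/* 0 means no floor in OpenSSL; the ClientHello range is no longer mirrored (#116), so ssl_min_version must be configured */`. The shared failure path frees the context and returns NULL without recording which bound OpenSSL rejected, so a misconfigured `ssl_max_version < ssl_min_version` fails silently; log both values before the `SSL_CTX_free(sslctx)`. Note also that the unchanged `SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL)` immediately after means the upstream server certificate is never verified on this path even though `ssl_manager_init` still reads `no_cert_verify`; if that is intended, say so inline. `upstream_ssl_create` begins before this hunk.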
@@ -964,8 +971,9 @@ void __stream_access_log_write(struct tfe_stream_private * stream) } MESA_handle_runtime_log(stream->stream_logger, RLOG_LV_INFO, "access", - "%d %d %d %s %s %s %s", stream->log_fd_downstream, stream->log_fd_upstream, stream->keyring_id, - stream->str_stream_addr, str_passthrough, str_kill, str_log_event); + "%d %d %d %s %s %s %s %s %s", stream->log_fd_downstream, stream->log_fd_upstream, stream->keyring_id, + stream->str_stream_addr, str_passthrough, str_kill, str_log_event, + stream->ssl_downstream_info_dump, stream->ssl_upstream_info_dump); } static int ev_log_to_stat_map[__EVENT_LOG_CLOSE_MAX][__CONN_DIR_MAX]{{-1}};
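Review bot: The two new `%s` arguments assume `ssl_downstream_info_dump` and `ssl_upstream_info_dump` are NUL-terminated for every stream, but this patch fills them only in `ssl_downstream_create_on_success`; a stream that never completes the TLS handshake (the `str_passthrough` field suggests plain-TCP streams reach this log) prints whatever the struct held at allocation unless `tfe_stream_private` is zeroed where it is created, which is not visible here. Safest is to print a placeholder when empty, `stream->ssl_downstream_info_dump[0] ? stream->ssl_downstream_info_dump : "-"` and the same for upstream, and to set both `[0] = '\0'` at stream creation. Separately, the dump presumably carries the SNI from the ClientHello, which is attacker-chosen; if `ssl_stream_dump_info` does not strip or quote spaces and newlines, a crafted SNI can inject extra fields or whole lines into this space-separated access log, so sanitize it there before it reaches this format string.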