拦截策略支持allow_http2的开关;恢复cmakelist漏掉的HTTP2的编译开关。
@@ -16,14 +16,15 @@ enum SSL_STREAM_OPT
SSL_STREAM_OPT_IS_CT_CERT, //0:FALSE, 1:TRUE.
SSL_STREAM_OPT_IS_MUTUAL_AUTH, //0:FALSE, 1:TRUE.
SSL_STREAM_OPT_PINNING_STATUS, //0:FALSE, 1:TRUE.
SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, //0:FALSE, 1:TRUE.
SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, //0:FALSE, 1:TRUE.
SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:1.
SSL_STREAM_OPT_NO_VERIFY_ISSUER, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
SSL_STREAM_OPT_NO_VERIFY_EXPIRY_DATE, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
SSL_STREAM_OPT_BLOCK_FAKE_CERT, //VALUE is an interger, SIZE=sizeof(int). 1:PASSTHROUGH, 0:BLOCK. DEFAULT:1.
SSL_STREAM_OPT_BLOCK_FAKE_CERT, //VALUE is an interger, SIZE=sizeof(int). 1:PASSTHROUGH, 0:BLOCK. DEFAULT:1.
SSL_STREAM_OPT_PROTOCOL_MIN_VERSION,
SSL_STREAM_OPT_PROTOCOL_MAX_VERSION,
SSL_STREAM_OPT_ENABLE_ALPN,
SSL_STREAM_OPT_KEYRING_ID
};
int sslver_str2num(const char * version_str);
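Review bot: The new `SSL_STREAM_OPT_ENABLE_ALPN` enumerator is the only value in this hunk without a comment describing its value type and default, while its siblings spell out `SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:n`. Suggest `SSL_STREAM_OPT_ENABLE_ALPN, //VALUE is an integer, SIZE=sizeof(int). 1:forward the client's ALPN list upstream, 0:OFF.` and append the default once it is confirmed — the backing field `apln_enabled` appears in the struct hunk without an initialiser, so its default is not visible in this commit. The existing sibling comments also carry the typo `interger`, which could be corrected in the same pass.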
@@ -26,6 +26,10 @@ if(ENABLE_PLUGIN_HTTP)
target_link_libraries(tfe -Wl,--whole-archive http -Wl,--no-whole-archive)
endif()
if(ENABLE_PLUGIN_HTTP2)
target_link_libraries(tfe -Wl,--whole-archive http2 -Wl,--no-whole-archive)
endif()
if(ENABLE_PLUGIN_DECRYPT_MIRRORING)
target_link_libraries(tfe -Wl,--whole-archive decrypt-mirroring -Wl,--no-whole-archive)
endif()
@@ -182,6 +182,7 @@ struct ssl_upstream_parts
char block_fake_cert;
struct ssl_service_status svc_status;
enum ssl_stream_action action;
int apln_enabled;
int keyring_id;
struct ssl_chello * client_hello;
int is_server_cert_verify_passed;
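Review bot: The new field is spelled `apln_enabled` (a transposition of ALPN) while the option it backs is `SSL_STREAM_OPT_ENABLE_ALPN` and the manager flag it replaces is `no_alpn`; the misspelling is carried into the upstream_ossl_init, downstream_ossl_init and ssl_stream_set_integer_opt hunks, so a search for `alpn` will miss every use of it. Suggest `int alpn_enabled; /* non-zero: forward the client's ALPN list upstream (SSL_STREAM_OPT_ENABLE_ALPN) */` and renaming the four uses accordingly. struct ssl_upstream_parts starts and ends outside the hunk.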
@@ -892,7 +893,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
{
SSL_set_tlsext_host_name(ssl, chello->sni);
}
if (chello->alpn && !mgr->no_alpn)
if (chello->alpn && s_stream->up_parts.apln_enabled)
{
ret=SSL_set_alpn_protos(ssl, (unsigned char*)chello->alpn, strlen(chello->alpn));
assert(ret==0);
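Review bot: The replaced condition drops `!mgr->no_alpn`, so the manager-wide ALPN switch no longer has any effect on the upstream handshake and a policy with allow_http2 forwards the client's ALPN list even where the deployment disabled ALPN globally (assuming the `no_alpn` field is kept, which this commit does not show). The same replacement is made in the downstream_ossl_init hunk, where the flag is reached through `s_stream->peer->up_parts` — confirm `peer` is always set by the time the downstream context is built, since the old condition did not dereference it. If the global switch is meant to stay authoritative, keep both terms: `if (chello->alpn && !mgr->no_alpn && s_stream->up_parts.apln_enabled)` here and `if(!mgr->no_alpn && s_stream->peer->up_parts.apln_enabled && selected_alpn)` downstream. upstream_ossl_init's body continues outside the hunk.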
@@ -1603,7 +1604,7 @@ void downstream_ossl_init(struct ssl_stream *s_stream)
SSL_CTX_set_tmp_ecdh(sslctx, ecdh);
EC_KEY_free(ecdh);
}
if(!mgr->no_alpn && selected_alpn)
if(s_stream->peer->up_parts.apln_enabled && selected_alpn)
{
SSL_CTX_set_alpn_select_cb(sslctx, alpn_select_proto_cb, (void*)selected_alpn);
}
@@ -1992,7 +1993,7 @@ void ssl_manager_reset_trust_ca(struct ssl_mgr* mgr)
int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int opt_val)
{
struct cert_verify_param *verify_param=&(upstream->up_parts.verify_param);
assert(upstream->dir==CONN_DIR_UPSTREAM);
switch(opt_type)
{
case SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED:
@@ -2016,6 +2017,9 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
case SSL_STREAM_OPT_PROTOCOL_MAX_VERSION:
upstream->ssl_max_version=opt_val;
break;
case SSL_STREAM_OPT_ENABLE_ALPN:
upstream->up_parts.apln_enabled=opt_val;
break;
case SSL_STREAM_OPT_KEYRING_ID:
upstream->up_parts.keyring_id=opt_val;
break;
@@ -29,6 +29,7 @@ struct intercept_param
int block_fake_cert;
int ssl_min_version;
int ssl_max_version;
int allow_http2;
int mirror_client_version;
int decrypt_mirror_enabled;
int mirror_profile_id;
@@ -125,6 +126,8 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
item=cJSON_GetObjectItem(ssl_ver, "max");
if(item && item->type==cJSON_String) param->ssl_max_version=sslver_str2num(item->valuestring);
}
item=cJSON_GetObjectItem(ssl_ver, "allow_http2");
if(item && item->type==cJSON_Number) param->allow_http2=item->valueint;
}
*ad=param;
TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %d", param->policy_id);
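Review bot: The new `allow_http2` lookup uses `ssl_ver` as its parent object yet sits after the closing brace of the block that handled `ssl_ver`'s `min`/`max` keys, so it appears to run even when that block was skipped. If the key belongs at the policy's top level, as its name and its placement next to the other policy fields suggest, the parent should be the policy's root object rather than `ssl_ver`; if it is meant to be nested under the version object, the two lines should move inside the preceding block so a missing or non-object `ssl_ver` is never handed to cJSON_GetObjectItem. `param->allow_http2` is also only assigned when the key is present and numeric and nothing here resets it, so confirm the param is zero-initialised at allocation, otherwise a policy without the key inherits whatever the memory held. intercept_param_new_cb starts outside the hunk.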
@@ -188,6 +191,10 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, param->ssl_min_version);
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MAX_VERSION, param->ssl_max_version);
}
if(param->allow_http2)
{
ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_ENABLE_ALPN, 1);
}
ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, param->no_verify_cn);
ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_ISSUER, param->no_verify_issuer);
ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, param->no_verify_self_signed);
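Review bot: `SSL_STREAM_OPT_ENABLE_ALPN` is only ever set to 1 in the new block and never explicitly cleared, unlike the three unconditional `SSL_STREAM_OPT_NO_VERIFY_*` calls that follow it, so a stream whose `apln_enabled` field is not zero-initialised (its initialiser is not visible in this commit) or that is evaluated again under a policy without allow_http2 keeps ALPN forwarding on. Suggest replacing the conditional with the unconditional `ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_ENABLE_ALPN, param->allow_http2 ? 1 : 0);` so the policy's value always wins, matching the style of the calls below. ssl_policy_enforce's body continues outside the hunk.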