修改 is_app_not_pinning 的判定条件:原来在 client connected 之后判定,现在在 ssl stream free 之前判定
@@ -1871,10 +1871,10 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
|
||||
}
|
||||
s_stream->negotiated_version=SSL_version(s_stream->ssl);
|
||||
ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_CLIENT_SIDE_VERSION, SSL_get_version(s_stream->ssl));
|
||||
struct ssl_service_status svc_status;
|
||||
memset(&svc_status, 0, sizeof(svc_status));
|
||||
svc_status.is_app_not_pinning=1;
|
||||
ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, s_stream->tcp_stream->addr, &svc_status);
|
||||
// struct ssl_service_status svc_status;
|
||||
// memset(&svc_status, 0, sizeof(svc_status));
|
||||
// svc_status.is_app_not_pinning=1;
|
||||
// ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, s_stream->tcp_stream->addr, &svc_status);
|
||||
promise_success(p, ctx);
|
||||
}
|
||||
|
||||
@@ -2110,6 +2110,17 @@ void ssl_stream_free_and_close_fd(struct ssl_stream * s_stream, struct event_bas
|
||||
fd=bufferevent_getfd(bev);
|
||||
assert(fd==s_stream->_do_not_use.fd);
|
||||
unsigned long sslerr=0;
|
||||
|
||||
size_t rx_offset_this_time = 0;
|
||||
int ret = tfe_stream_info_get(s_stream->tcp_stream, INFO_FROM_DOWNSTREAM_RX_OFFSET, &rx_offset_this_time, sizeof(rx_offset_this_time));
|
||||
if (ret >= 0 && rx_offset_this_time > 0)
|
||||
{
|
||||
struct ssl_service_status svc_status;
|
||||
memset(&svc_status, 0, sizeof(svc_status));
|
||||
svc_status.is_app_not_pinning=1;
|
||||
ssl_service_cache_write(s_stream->mgr->svc_cache, s_stream->up_parts.client_hello, s_stream->tcp_stream->addr, &svc_status);
|
||||
}
|
||||
|
||||
if(errno)
|
||||
{
|
||||
sslerr=ssl_stream_log_error(bev, s_stream->dir, s_stream->mgr);
|
||||
@@ -2198,6 +2209,7 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
|
||||
}
|
||||
int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int *opt_val)
|
||||
{
|
||||
const char * sni = (upstream->up_parts.client_hello->sni) ? (upstream->up_parts.client_hello->sni) : "null";
|
||||
struct ssl_service_status* svc=&upstream->up_parts.svc_status;
|
||||
struct ssl_mgr* mgr=upstream->mgr;
|
||||
struct tfe_cmsg *cmsg=NULL;
|
||||
@@ -2217,10 +2229,14 @@ int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
|
||||
case SSL_STREAM_OPT_PINNING_STATUS:
|
||||
if(mgr->root_cert_not_installed_is_not_pinning && svc->is_app_not_pinning)
|
||||
{
|
||||
TFE_LOG_DEBUG(g_default_logger, "ssl svc client root_cert_not_installed_is_not_pinning:%d, is_app_not_pinning:%d, cli_pinning_status:%d, mod pinning:%d, sni:%s",
|
||||
mgr->root_cert_not_installed_is_not_pinning, svc->is_app_not_pinning, svc->cli_pinning_status, PINNING_ST_NOT_PINNING, sni);
|
||||
*opt_val=PINNING_ST_NOT_PINNING;
|
||||
}
|
||||
else
|
||||
{
|
||||
TFE_LOG_DEBUG(g_default_logger, "ssl svc client root_cert_not_installed_is_not_pinning:%d, is_app_not_pinning:%d, cli_pinning_status:%d, set pinning:%d, sni:%s",
|
||||
mgr->root_cert_not_installed_is_not_pinning, svc->is_app_not_pinning, svc->cli_pinning_status, svc->cli_pinning_status, sni);
|
||||
*opt_val=svc->cli_pinning_status;
|
||||
}
|
||||
break;
|
||||
|
||||
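Review bot: The `sni` line added at the top of `ssl_stream_get_integer_opt` dereferences `upstream->up_parts.client_hello` with no NULL check, and it runs for every `opt_type` only to feed the two debug logs, so a stream without a parsed ClientHello would crash the process on any option read; `const char *sni = (upstream->up_parts.client_hello && upstream->up_parts.client_hello->sni) ? upstream->up_parts.client_hello->sni : "null";` avoids that. The block added in `ssl_stream_free_and_close_fd` passes the same pointer to `ssl_service_cache_write` unchecked and does not look at `s_stream->dir`, so if this function also frees the other direction's stream, `up_parts` may not be the valid member there (worth confirming against the struct definition); the guard could become `if (ret >= 0 && rx_offset_this_time > 0 && s_stream->up_parts.client_hello != NULL)`. That block also sits directly before `if(errno)`, so an errno value left behind by `tfe_stream_info_get` or `ssl_service_cache_write` could now be reported as an SSL error; saving errno before the block, or moving the block after the errno handling, would keep the previous logging behaviour. Both functions continue outside the hunks shown.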