trafficserver
In what cases are updates by TSSslSecretSet() actually used?
I'm running a test with this ssl_multicert.config file:
dest_ip=* ssl_cert_name=2050.crt ssl_key_name=private.key
The cert in 2050.crt expires in the year 2050. The steps of the test are:
- Execute a curl that makes a TLS connection, but does not authenticate the received server cert, with verbose output enabled.
- Use TSSslSecretSet()/TSSslSecretUpdate() to change the 2050.crt to one that is identical, except for expiring in 2060.
- Repeat the same curl command.
Here is the debug trace output with the debug regex ssl: https://gist.github.com/ywkaras/a7b511a290d62627be18ba301653944c
The update of the cert can be seen starting at line 201. However, the expiration date in the verbose output in the second curl does not change. Presumably this means the new cert is not used.
I notice that, in this function: https://github.com/apache/trafficserver/blob/de8e2439fdd4dc491bb7af512b8f8603a81a7be1/iocore/net/SSLNetVConnection.cc#L1129 getCTX() is only called in the client case, not the server case. Does this limit the cases where updates to secrets are actually used?
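As an added example (not from this issue or the ATS code base), here is the check from the steps above as a shell script: it pulls the "expire date" line from curl -v output before and after the secret update and flags the failure mode described here, where the value does not change. The host/port arguments and the rotation command are assumptions.

```shell
#!/bin/sh
# Added example: automate the reporter's manual check -- compare the
# "expire date" that curl -v prints before and after a
# TSSslSecretSet()/TSSslSecretUpdate() rotation. An unchanged value
# means the listening side is still serving the old cert.

# Extract the server cert's expiry from captured `curl -v` output (stdin).
# curl prints lines like: "*  expire date: Jan  1 00:00:00 2050 GMT"
expire_date_from_curl_log() {
    sed -n 's/^\*[[:space:]]*expire date:[[:space:]]*//p' | head -n 1
}

# Succeed only when both expiry strings are present and differ.
rotation_took_effect() {
    before=$1
    after=$2
    [ -n "$before" ] && [ -n "$after" ] && [ "$before" != "$after" ]
}

# Live use (assumed host/port): fetch the served expiry, run the rotation
# command given as the remaining arguments, fetch again, and report.
# -k mirrors the reporter's test: the handshake completes but the server
# cert is not authenticated, so the expiry line is printed for test certs too.
check_live_rotation() {
    host=$1; port=$2; shift 2
    before=$(curl -sk -v "https://$host:$port/" -o /dev/null 2>&1 | expire_date_from_curl_log)
    "$@"    # e.g. whatever triggers TSSslSecretSet()/TSSslSecretUpdate() in the plugin
    after=$(curl -sk -v "https://$host:$port/" -o /dev/null 2>&1 | expire_date_from_curl_log)
    if rotation_took_effect "$before" "$after"; then
        echo "rotation took effect: $before -> $after"
    else
        echo "rotation NOT in effect: still serving cert expiring $before" >&2
        return 1
    fi
}

# Constructed curl -v excerpts standing in for the two runs in the report
# (second run shows the failure mode: same expiry as before).
CURL_LOG_BEFORE='* Server certificate:
*  subject: CN=2050test
*  start date: Jan  1 00:00:00 2020 GMT
*  expire date: Jan  1 00:00:00 2050 GMT
*  issuer: CN=2050test'
CURL_LOG_AFTER_STALE='* Server certificate:
*  expire date: Jan  1 00:00:00 2050 GMT'
```

Run check_live_rotation against a test ATS instance with the cert update command as the trailing arguments; a non-zero exit marks the case this issue describes.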
@shinrich @maskit any input on this?
It should work in the server side as well as I recall. It definitely should work in the client side case. Yahoo has a plugin that uses these calls. You could review which calls are being used there.
From the debug traces it looks like all correct calls are being made, but ATS nonetheless seems to send the un-updated server cert to curl.
I wonder if the plugin that calls TSSslSecretSet is something you use on prod or just a test plugin. Is the API called at a right timing (hook)?
Yes it's a prod plugin. TSSslSecretSet() is called from a periodic scheduled event handler, not from a hook.
You mean schedule_every()? I'm not familiar with how this API works, but the documentation suggests you use it at TS_LIFECYCLE_SSL_SECRET_HOOK, although it may not necessarily mean you can't use it at different timings.
@maskit do you have a test plugin for these APIs you could open source?
No, I have never used the API.
@ywkaras could you make a test plugin that exercises the paths used by the Yahoo plugin? Then folks outside of Yahoo could help you debug. And we could make sure that the secret API doesn't regress.
OK I'll write a simple plugin as a part of a new Au test.
The Au test in this PR, https://github.com/apache/trafficserver/pull/9587 , illustrates a case where an update to an X509 cert does not seem to get used.
I cherry-picked the new test onto what I think is the first commit with the TSSslSecretXxx API functions: https://github.com/ywkaras/trafficserver/tree/test_ts_ssl_old . The result was the same. Here is the trace output from the test on this branch: https://gist.github.com/ywkaras/88bb0c7e8bd39072bbc0d877a8714121 .
Maybe I need to read the test closely, but I'm confused. You said the API doesn't work as expected, but the autest passes.
This issue has been automatically marked as stale because it has not had recent activity. Marking it stale to flag it for further consideration by the community.
Hi, this is Peter from Yahoo, we are seeing the issues on our prod hosts. It used to work some time back last year, but now we are seeing the issues every time there are cert/key updates. The cert/key fetched from secure storage are not taking effect in memory.