wangle::SSLContextManager Class Reference

#include <SSLContextManager.h>

Inheritance diagram for wangle::SSLContextManager:

Classes
struct	ClientCertVerifyCallback
struct	SslContexts

Public Member Functions
	SSLContextManager (folly::EventBase *eventBase, const std::string &vipName, bool strict, SSLStats *stats)
virtual	~SSLContextManager ()
void	addSSLContextConfig (const SSLContextConfig &ctxConfig, const SSLCacheOptions &cacheOptions, const TLSTicketKeySeeds *ticketSeeds, const folly::SocketAddress &vipAddress, const std::shared_ptr< SSLCacheProvider > &externalCache, SslContexts *contexts=nullptr)
void	resetSSLContextConfigs (const std::vector< SSLContextConfig > &ctxConfig, const SSLCacheOptions &cacheOptions, const TLSTicketKeySeeds *ticketSeeds, const folly::SocketAddress &vipAddress, const std::shared_ptr< SSLCacheProvider > &externalCache)
void	clear ()
std::shared_ptr< folly::SSLContext >	getDefaultSSLCtx () const
std::shared_ptr< folly::SSLContext >	getSSLCtx (const SSLContextKey &key) const
std::shared_ptr< folly::SSLContext >	getSSLCtxBySuffix (const SSLContextKey &key) const
std::shared_ptr< folly::SSLContext >	getSSLCtxByExactDomain (const SSLContextKey &key) const
void	reloadTLSTicketKeys (const std::vector< std::string > &oldSeeds, const std::vector< std::string > &currentSeeds, const std::vector< std::string > &newSeeds)
void	setSSLStats (SSLStats *stats)
void	setClientHelloExtStats (ClientHelloExtStats *stats)
void	setClientVerifyCallback (std::unique_ptr< ClientCertVerifyCallback > cb)

Protected Member Functions
virtual void	loadCertKeyPairExternal (const std::shared_ptr< folly::SSLContext > &, const SSLContextConfig &, const std::string &)
virtual void	overrideConfiguration (const std::shared_ptr< folly::SSLContext > &, const SSLContextConfig &)
void	insertSSLCtxByDomainName (const char *dn, size_t len, std::shared_ptr< folly::SSLContext > sslCtx, SslContexts &contexts, CertCrypto certCrypto=CertCrypto::BEST_AVAILABLE)
void	insertSSLCtxByDomainName (const char *dn, size_t len, std::shared_ptr< folly::SSLContext > sslCtx, CertCrypto certCrypto=CertCrypto::BEST_AVAILABLE)

Protected Attributes
std::string	vipName_
SSLStats *	stats_ {nullptr}

Private Member Functions
	SSLContextManager (const SSLContextManager &)=delete
void	ctxSetupByOpensslFeature (std::shared_ptr< ServerSSLContext > sslCtx, const SSLContextConfig &ctxConfig, SslContexts &contexts)
void	insert (std::shared_ptr< ServerSSLContext > sslCtx, bool defaultFallback, SslContexts &contexts)
void	insertSSLCtxByDomainNameImpl (const char *dn, size_t len, std::shared_ptr< folly::SSLContext > sslCtx, SslContexts &contexts, CertCrypto certCrypto)
void	insertIntoDnMap (SSLContextKey key, std::shared_ptr< folly::SSLContext > sslCtx, bool overwrite, SslContexts &contexts)

Private Attributes
SslContexts	contexts_
folly::EventBase *	eventBase_
ClientHelloExtStats *	clientHelloTLSExtStats_ {nullptr}
SSLContextConfig::SNINoMatchFn	noMatchFn_
bool	strict_ {true}
std::unique_ptr< ClientCertVerifyCallback >	clientCertVerifyCallback_ {nullptr}

Detailed Description

Definition at line 47 of file SSLContextManager.h.

Constructor & Destructor Documentation

wangle::SSLContextManager::SSLContextManager ( folly::EventBase *  eventBase, const std::string &  vipName, bool  strict, SSLStats *  stats  )

explicit

Definition at line 186 of file SSLContextManager.cpp.

                   :
    vipName_(vipName),
    stats_(stats),
    eventBase_(eventBase),
    strict_(strict) {

}

wangle::SSLContextManager::~SSLContextManager ( )

virtualdefault

wangle::SSLContextManager::SSLContextManager ( const SSLContextManager &  )

privatedelete

Member Function Documentation

void wangle::SSLContextManager::addSSLContextConfig	(	const SSLContextConfig &	ctxConfig,
		const SSLCacheOptions &	cacheOptions,
		const TLSTicketKeySeeds *	ticketSeeds,
		const folly::SocketAddress &	vipAddress,
		const std::shared_ptr< SSLCacheProvider > &	externalCache,
		SslContexts *	contexts = nullptr
	)

Add a new X509 to SSLContextManager. The details of a X509 is passed as a SSLContextConfig object.

Parameters

ctxConfig	Details of a X509, its private key, password, etc.
cacheOptions	Options for how to do session caching.
ticketSeeds	If non-null, the initial ticket key seeds to use.
vipAddress	Which VIP are the X509(s) used for? It is only for for user friendly log message
externalCache	Optional external provider for the session cache; may be null

Definition at line 248 of file SSLContextManager.cpp.

References wangle::BEST_AVAILABLE, wangle::SSLContextConfig::certificates, wangle::SSLContextConfig::clientCAFile, clientCertVerifyCallback_, clientHelloTLSExtStats_, wangle::SSLContextConfig::clientVerification, contexts_, count, ctxSetupByOpensslFeature(), wangle::SSLContextManager::SslContexts::defaultCtxDomainName, folly::SocketAddress::describe(), wangle::SSLContextConfig::eccCurveName, folly::exceptionStr(), folly::AsyncSSLSocket::getClientHelloInfo(), wangle::SSLUtil::getCommonName(), folly::AsyncSSLSocket::getFromSSL(), getSSLCtx(), wangle::SSLUtil::getSubjectAltName(), folly::gen::guard(), insert(), wangle::SSLContextConfig::isDefault, wangle::SSLContextConfig::keyOffloadParams, loadCertKeyPairExternal(), folly::makeGuard(), folly::gen::move, noMatchFn_, wangle::SSLContextConfig::KeyOffloadParams::offloadType, overrideConfiguration(), wangle::ClientHelloExtStats::recordAbsentHostname(), wangle::ClientHelloExtStats::recordCertCrypto(), wangle::ClientHelloExtStats::recordMatch(), wangle::ClientHelloExtStats::recordNotMatch(), folly::ssl::SERVER_NAME, wangle::SSLContextConfig::sessionContext, wangle::SHA1_SIGNATURE, folly::ssl::SHA256, wangle::SSLContextConfig::sslCiphers, wangle::SSLContextConfig::sslVersion, stats_, string, folly::stringPrintf(), uint32_t, and vipName_.

Referenced by resetSSLContextConfigs(), and wangle::TEST().

                         {

  if (!contexts) {
    contexts = &contexts_;
  }

  unsigned numCerts = 0;
  std::string commonName;
  std::string lastCertPath;
  std::unique_ptr<std::list<std::string>> subjectAltName;
  auto sslCtx =
      std::make_shared<ServerSSLContext>(ctxConfig.sslVersion);
  for (const auto& cert : ctxConfig.certificates) {
    try {
      if (ctxConfig.keyOffloadParams.offloadType.empty()) {
        // The private key lives in the same process
        // This needs to be called before loadPrivateKey().
        if (!cert.passwordPath.empty()) {
          auto sslPassword = std::make_shared<folly::PasswordInFile>(
              cert.passwordPath);
          sslCtx->passwordCollector(std::move(sslPassword));
        }
        sslCtx->loadCertKeyPairFromFiles(
          cert.certPath.c_str(),
          cert.keyPath.c_str(),
          "PEM",
          "PEM");
      } else {
        loadCertKeyPairExternal(sslCtx, ctxConfig, cert.certPath);
      }
    } catch (const std::exception& ex) {
        // The exception isn't very useful without the certificate path name,
        // so throw a new exception that includes the path to the certificate.
        string msg = folly::to<string>("error loading SSL certificate ",
                                       cert.certPath, ": ",
                                       folly::exceptionStr(ex));
        LOG(ERROR) << msg;
        throw std::runtime_error(msg);
    }

    // Verify that the Common Name and (if present) Subject Alternative Names
    // are the same for all the certs specified for the SSL context.
    numCerts++;
    X509* x509 = getX509(sslCtx->getSSLCtx());
    if (!x509) {
      throw std::runtime_error(
          folly::to<std::string>(
              "Certificate: ", cert.certPath, " is invalid"));
    }
    auto guard = folly::makeGuard([x509] { X509_free(x509); });
    auto cn = SSLUtil::getCommonName(x509);
    if (!cn) {
      throw std::runtime_error(folly::to<string>("Cannot get CN for X509 ",
                                                 cert.certPath));
    }
    auto altName = SSLUtil::getSubjectAltName(x509);
    VLOG(2) << "cert " << cert.certPath << " CN: " << *cn;
    if (altName) {
      altName->sort();
      VLOG(2) << "cert " << cert.certPath << " SAN: " << flattenList(*altName);
    } else {
      VLOG(2) << "cert " << cert.certPath << " SAN: " << "{none}";
    }
    if (numCerts == 1) {
      commonName = *cn;
      subjectAltName = std::move(altName);
    } else {
      if (commonName != *cn) {
        throw std::runtime_error(folly::to<string>("X509 ", cert.certPath,
                                          " does not have same CN as ",
                                          lastCertPath));
      }
      if (altName == nullptr) {
        if (subjectAltName != nullptr) {
          throw std::runtime_error(folly::to<string>("X509 ", cert.certPath,
                                            " does not have same SAN as ",
                                            lastCertPath));
        }
      } else {
        if ((subjectAltName == nullptr) || (*altName != *subjectAltName)) {
          throw std::runtime_error(folly::to<string>("X509 ", cert.certPath,
                                            " does not have same SAN as ",
                                            lastCertPath));
        }
      }
    }
    lastCertPath = cert.certPath;
  }

  overrideConfiguration(sslCtx, ctxConfig);

  // Let the server pick the highest performing cipher from among the client's
  // choices.
  //
  // Let's use a unique private key for all DH key exchanges.
  //
  // Because some old implementations choke on empty fragments, most SSL
  // applications disable them (it's part of SSL_OP_ALL).  This
  // will improve performance and decrease write buffer fragmentation.
  sslCtx->setOptions(SSL_OP_CIPHER_SERVER_PREFERENCE |
    SSL_OP_SINGLE_DH_USE |
    SSL_OP_SINGLE_ECDH_USE |
    SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);

  // Important that we do this *after* checking the TLS1.1 ciphers above,
  // since we test their validity by actually setting them.
  sslCtx->ciphers(ctxConfig.sslCiphers);

  // Use a fix DH param
  DH* dh = get_dh2048();
  SSL_CTX_set_tmp_dh(sslCtx->getSSLCtx(), dh);
  DH_free(dh);

  const string& curve = ctxConfig.eccCurveName;
  if (!curve.empty()) {
    set_key_from_curve(sslCtx->getSSLCtx(), curve);
  }

  if (!ctxConfig.clientCAFile.empty()) {
    try {
      sslCtx->loadTrustedCertificates(ctxConfig.clientCAFile.c_str());
      sslCtx->loadClientCAList(ctxConfig.clientCAFile.c_str());

      // Only allow over-riding of verification callback if one
      // isn't explicitly set on the context
      if (clientCertVerifyCallback_ == nullptr) {
        sslCtx->setVerificationOption(ctxConfig.clientVerification);
      } else {
        clientCertVerifyCallback_->attachSSLContext(sslCtx);
      }

    } catch (const std::exception& ex) {
      string msg = folly::to<string>("error loading client CA",
                                     ctxConfig.clientCAFile, ": ",
                                     folly::exceptionStr(ex));
      LOG(ERROR) << msg;
      throw std::runtime_error(msg);
    }
  }

  // we always want to setup the session id context
  // to make session resumption work (tickets or session cache)
  std::string sessionIdContext = commonName;
  if (ctxConfig.sessionContext && !ctxConfig.sessionContext->empty()) {
    sessionIdContext = *ctxConfig.sessionContext;
  }
  VLOG(2) << "For vip " << vipName_ << ", CN " << commonName
          << ", setting sid_ctx " << sessionIdContext;
  sslCtx->setSessionCacheContext(sessionIdContext);

  sslCtx->setupSessionCache(
      ctxConfig,
      cacheOptions,
      externalCache,
      sessionIdContext,
      stats_);
  sslCtx->setupTicketManager(ticketSeeds, ctxConfig, stats_);
  VLOG(2) << "On VipID=" << vipAddress.describe() << " context=" << sslCtx;

  // finalize sslCtx setup by the individual features supported by openssl
  ctxSetupByOpensslFeature(sslCtx, ctxConfig, *contexts);

  try {
    insert(sslCtx,
           ctxConfig.isDefault,
           *contexts);
  } catch (const std::exception& ex) {
    string msg = folly::to<string>("Error adding certificate : ",
                                   folly::exceptionStr(ex));
    LOG(ERROR) << msg;
    throw std::runtime_error(msg);
  }

}

void wangle::SSLContextManager::clear

(

)

Clears all ssl contexts

Definition at line 751 of file SSLContextManager.cpp.

References wangle::SSLContextManager::SslContexts::clear(), and contexts_.

                              {
  contexts_.clear();
}

void wangle::SSLContextManager::ctxSetupByOpensslFeature ( std::shared_ptr< ServerSSLContext >  sslCtx, const SSLContextConfig &  ctxConfig, SslContexts &  contexts  )

private

Definition at line 526 of file SSLContextManager.cpp.

References folly::netops::bind(), wangle::SSLContextManager::SslContexts::ctxs, wangle::SSLContextManager::SslContexts::defaultCtx, wangle::SSLContextConfig::isDefault, wangle::SSLContextConfig::nextProtocols, noMatchFn_, OPENSSL_MISSING_FEATURE, and wangle::SSLContextConfig::sniNoMatchFn.

Referenced by addSSLContextConfig().

                         {
  // Disable compression - profiling shows this to be very expensive in
  // terms of CPU and memory consumption.
  //
#ifdef SSL_OP_NO_COMPRESSION
  sslCtx->setOptions(SSL_OP_NO_COMPRESSION);
#endif

  // Enable early release of SSL buffers to reduce the memory footprint
#ifdef SSL_MODE_RELEASE_BUFFERS
  // Note: SSL_CTX_set_mode doesn't set, just ORs the arg with existing mode
  SSL_CTX_set_mode(sslCtx->getSSLCtx(), SSL_MODE_RELEASE_BUFFERS);

#endif
#ifdef SSL_MODE_EARLY_RELEASE_BBIO
  // Note: SSL_CTX_set_mode doesn't set, just ORs the arg with existing mode
  SSL_CTX_set_mode(sslCtx->getSSLCtx(), SSL_MODE_EARLY_RELEASE_BBIO);
#endif

  // This number should (probably) correspond to HTTPSession::kMaxReadSize
  // For now, this number must also be large enough to accommodate our
  // largest certificate, because some older clients (IE6/7) require the
  // cert to be in a single fragment.
#ifdef SSL_CTRL_SET_MAX_SEND_FRAGMENT
  SSL_CTX_set_max_send_fragment(sslCtx->getSSLCtx(), 8000);
#endif

  // NPN (Next Protocol Negotiation)
  if (!ctxConfig.nextProtocols.empty()) {
#if FOLLY_OPENSSL_HAS_ALPN
    sslCtx->setRandomizedAdvertisedNextProtocols(
        ctxConfig.nextProtocols);
#else
    OPENSSL_MISSING_FEATURE(NPN);
#endif
  }

  // SNI
#ifdef PROXYGEN_HAVE_SERVERNAMECALLBACK
  noMatchFn_ = ctxConfig.sniNoMatchFn;
  if (ctxConfig.isDefault) {
    if (contexts.defaultCtx) {
      throw std::runtime_error(">1 X509 is set as default");
    }

    contexts.defaultCtx = sslCtx;
    contexts.defaultCtx->setServerNameCallback(
      std::bind(&SSLContextManager::serverNameCallback, this,
                std::placeholders::_1));
  }
#else
  if (contexts.ctxs.size() > 1) {
    OPENSSL_MISSING_FEATURE(SNI);
  }
#endif
}

shared_ptr< SSLContext > wangle::SSLContextManager::getDefaultSSLCtx

(

)

const

Get the default SSL_CTX for a VIP

Definition at line 803 of file SSLContextManager.cpp.

References contexts_, and wangle::SSLContextManager::SslContexts::defaultCtx.

                                         {
  return contexts_.defaultCtx;
}

shared_ptr< SSLContext > wangle::SSLContextManager::getSSLCtx

(

const SSLContextKey &

key

)

const

Search first by exact domain, then by one level up

Definition at line 756 of file SSLContextManager.cpp.

References getSSLCtxByExactDomain(), and getSSLCtxBySuffix().

Referenced by addSSLContextConfig(), and wangle::TEST().

{
  auto ctx = getSSLCtxByExactDomain(key);
  if (ctx) {
    return ctx;
  }
  return getSSLCtxBySuffix(key);
}

shared_ptr< SSLContext > wangle::SSLContextManager::getSSLCtxByExactDomain

(

const SSLContextKey &

key

)

const

Search by the full-string domain name

Definition at line 788 of file SSLContextManager.cpp.

References contexts_, wangle::SSLContextManager::SslContexts::dnMap, wangle::SSLContextKey::dnString, and folly::stringPrintf().

Referenced by getSSLCtx(), and wangle::TEST().

{
  const auto v = contexts_.dnMap.find(key);
  if (v == contexts_.dnMap.end()) {
    VLOG(6) << folly::stringPrintf("\"%s\" is not an exact match",
                                   key.dnString.c_str());
    return shared_ptr<SSLContext>();
  } else {
    VLOG(6) << folly::stringPrintf("\"%s\" is an exact match",
                                   key.dnString.c_str());
    return v->second;
  }
}

shared_ptr< SSLContext > wangle::SSLContextManager::getSSLCtxBySuffix

(

const SSLContextKey &

key

)

const

Search by the one level up subdomain

Definition at line 766 of file SSLContextManager.cpp.

References wangle::SSLContextKey::certCrypto, contexts_, wangle::SSLContextManager::SslContexts::dnMap, wangle::SSLContextKey::dnString, GCC61971::dot, and folly::stringPrintf().

Referenced by getSSLCtx(), and wangle::TEST().

{
  size_t dot;

  if ((dot = key.dnString.find_first_of(".")) != DNString::npos) {
    SSLContextKey suffixKey(DNString(key.dnString, dot),
        key.certCrypto);
    const auto v = contexts_.dnMap.find(suffixKey);
    if (v != contexts_.dnMap.end()) {
      VLOG(6) << folly::stringPrintf("\"%s\" is a willcard match to \"%s\"",
                                     key.dnString.c_str(),
                                     suffixKey.dnString.c_str());
      return v->second;
    }
  }

  VLOG(6) << folly::stringPrintf("\"%s\" is not a wildcard match",
                                 key.dnString.c_str());
  return shared_ptr<SSLContext>();
}

void wangle::SSLContextManager::insert ( std::shared_ptr< ServerSSLContext >  sslCtx, bool  defaultFallback, SslContexts &  contexts  )

private

Callback function from openssl to find the right X509 to use during SSL handshake The following functions help to maintain the data structure for domain name matching in SNI. Some notes:

1. It is a best match.
2. It allows wildcard CN and wildcard subject alternative name in a X509. The wildcard name must be prefixed by '*.'. It errors out whenever it sees '*' in any other locations.
3. It uses one std::unordered_map<DomainName, SSL_CTX> object to do this. For wildcard name like "*.facebook.com", ".facebook.com" is used as the key.
4. After getting tlsext_hostname from the client hello message, it will do a full string search first and then try one level up to match any wildcard name (if any) in the X509. [Note, browser also only looks one level up when matching the requesting domain name with the wildcard name in the server X509].

Some notes from RFC 2818. Only for future quick references in case of bugs

RFC 2818 section 3.1: "...... If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead. ...... In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI. ......"

Definition at line 587 of file SSLContextManager.cpp.

References wangle::BEST_AVAILABLE, wangle::SSLContextManager::SslContexts::ctxs, wangle::SSLUtil::getCommonName(), wangle::SSLUtil::getSubjectAltName(), folly::gen::guard(), insertSSLCtxByDomainName(), folly::makeGuard(), name, and wangle::SHA1_SIGNATURE.

Referenced by addSSLContextConfig().

                                                 {
  X509* x509 = getX509(sslCtx->getSSLCtx());
  if (!x509) {
    throw std::runtime_error("SSLCtx is invalid");
  }
  auto guard = folly::makeGuard([x509] { X509_free(x509); });
  auto cn = SSLUtil::getCommonName(x509);
  if (!cn) {
    throw std::runtime_error("Cannot get CN");
  }

  // Not sure if we ever get this kind of X509...
  // If we do, assume '*' is always in the CN and ignore all subject alternative
  // names.
  if (cn->length() == 1 && (*cn)[0] == '*') {
    if (!defaultFallback) {
      throw std::runtime_error("STAR X509 is not the default");
    }
    contexts.ctxs.emplace_back(sslCtx);
    return;
  }

  CertCrypto certCrypto;
  int sigAlg = X509_get_signature_nid(x509);
  if (sigAlg == NID_sha1WithRSAEncryption ||
      sigAlg == NID_ecdsa_with_SHA1) {
    certCrypto = CertCrypto::SHA1_SIGNATURE;
    VLOG(4) << "Adding SSLContext with SHA1 Signature";
  } else {
    certCrypto = CertCrypto::BEST_AVAILABLE;
    VLOG(4) << "Adding SSLContext with best available crypto";
  }

  // Insert by CN
  insertSSLCtxByDomainName(cn->c_str(),
                           cn->length(),
                           sslCtx,
                           contexts,
                           certCrypto);

  // Insert by subject alternative name(s)
  auto altNames = SSLUtil::getSubjectAltName(x509);
  if (altNames) {
    for (auto& name : *altNames) {
      insertSSLCtxByDomainName(name.c_str(),
                               name.length(),
                               sslCtx,
                               contexts,
                               certCrypto);
    }
  }

  if (defaultFallback) {
    contexts.defaultCtxDomainName = *cn;
  }

  contexts.ctxs.emplace_back(sslCtx);
}

void wangle::SSLContextManager::insertIntoDnMap ( SSLContextKey  key, std::shared_ptr< folly::SSLContext >  sslCtx, bool  overwrite, SslContexts &  contexts  )

private

Definition at line 731 of file SSLContextManager.cpp.

References wangle::SSLContextManager::SslContexts::dnMap.

Referenced by insertSSLCtxByDomainNameImpl().

{
  const auto v = contexts.dnMap.find(key);
  if (v == contexts.dnMap.end()) {
    VLOG(6) << "Inserting SSLContext into map.";
    contexts.dnMap.emplace(key, sslCtx);
  } else if (v->second == sslCtx) {
    VLOG(6)<< "Duplicate CN or subject alternative name found in the same X509."
      "  Ignore the later name.";
  } else if (overwrite) {
    VLOG(6) << "Overwriting SSLContext.";
    v->second = sslCtx;
  } else {
    VLOG(6) << "Leaving existing SSLContext in map.";
  }
}

void wangle::SSLContextManager::insertSSLCtxByDomainName ( const char *  dn, size_t  len, std::shared_ptr< folly::SSLContext >  sslCtx, SslContexts &  contexts, CertCrypto  certCrypto = CertCrypto::BEST_AVAILABLE  )

protected

Insert a SSLContext by domain name.

Definition at line 666 of file SSLContextManager.cpp.

References insertSSLCtxByDomainNameImpl(), and strict_.

Referenced by insert(), and wangle::TEST().

                                                                   {
  try {
    insertSSLCtxByDomainNameImpl(dn, len, sslCtx, contexts, certCrypto);
  } catch (const std::runtime_error& ex) {
    if (strict_) {
      throw ex;
    } else {
      LOG(ERROR) << ex.what() << " DN=" << dn;
    }
  }
}

void wangle::SSLContextManager::insertSSLCtxByDomainName ( const char *  dn, size_t  len, std::shared_ptr< folly::SSLContext >  sslCtx, CertCrypto  certCrypto = CertCrypto::BEST_AVAILABLE  )

inlineprotected

Definition at line 198 of file SSLContextManager.h.

                                                      {
    insertSSLCtxByDomainName(dn, len, sslCtx, contexts_, certCrypto);
  }

void wangle::SSLContextManager::insertSSLCtxByDomainNameImpl ( const char *  dn, size_t  len, std::shared_ptr< folly::SSLContext >  sslCtx, SslContexts &  contexts, CertCrypto  certCrypto  )

private

Definition at line 682 of file SSLContextManager.cpp.

References wangle::BEST_AVAILABLE, insertIntoDnMap(), string, and folly::stringPrintf().

Referenced by insertSSLCtxByDomainName().

{
  VLOG(4) <<
    folly::stringPrintf("Adding CN/Subject-alternative-name \"%s\" for "
                        "SNI search", dn);

  // Only support wildcard domains which are prefixed exactly by "*." .
  // "*" appearing at other locations is not accepted.

  if (len > 2 && dn[0] == '*') {
    if (dn[1] == '.') {
      // skip the first '*'
      dn++;
      len--;
    } else {
      throw std::runtime_error(
        "Invalid wildcard CN/subject-alternative-name \"" + std::string(dn) + "\" "
        "(only allow character \".\" after \"*\"");
    }
  }

  if (len == 1 && *dn == '.') {
    throw std::runtime_error("X509 has only '.' in the CN or subject alternative name "
                    "(after removing any preceding '*')");
  }

  if (strchr(dn, '*')) {
    throw std::runtime_error("X509 has '*' in the the CN or subject alternative name "
                    "(after removing any preceding '*')");
  }

  DNString dnstr(dn, len);
  insertIntoDnMap(SSLContextKey(dnstr, certCrypto), sslCtx, true, contexts);
  if (certCrypto != CertCrypto::BEST_AVAILABLE) {
    // Note: there's no partial ordering here (you either get what you request,
    // or you get best available).
    VLOG(6) << "Attempting insert of weak crypto SSLContext as best available.";
    insertIntoDnMap(
        SSLContextKey(dnstr, CertCrypto::BEST_AVAILABLE),
        sslCtx,
        false,
        contexts);
  }
}

virtual void wangle::SSLContextManager::loadCertKeyPairExternal ( const std::shared_ptr< folly::SSLContext > &  , const SSLContextConfig &  , const std::string &    )

inlineprotectedvirtual

Definition at line 174 of file SSLContextManager.h.

References folly::FATAL.

Referenced by addSSLContextConfig().

                        {
    LOG(FATAL) << "Unsupported in base SSLContextManager";
  }

virtual void wangle::SSLContextManager::overrideConfiguration ( const std::shared_ptr< folly::SSLContext > &  , const SSLContextConfig &    )

inlineprotectedvirtual

Definition at line 181 of file SSLContextManager.h.

Referenced by addSSLContextConfig().

                             {}

void wangle::SSLContextManager::reloadTLSTicketKeys	(	const std::vector< std::string > &	oldSeeds,
		const std::vector< std::string > &	currentSeeds,
		const std::vector< std::string > &	newSeeds
	)

Definition at line 808 of file SSLContextManager.cpp.

References contexts_, and wangle::SSLContextManager::SslContexts::ctxs.

                                        {
#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
  for (auto& ctx : contexts_.ctxs) {
    auto tmgr = ctx->getTicketManager();
    if (tmgr) {
      tmgr->setTLSTicketKeySeeds(oldSeeds, currentSeeds, newSeeds);
    }
  }
#endif
}

void wangle::SSLContextManager::resetSSLContextConfigs	(	const std::vector< SSLContextConfig > &	ctxConfig,
		const SSLCacheOptions &	cacheOptions,
		const TLSTicketKeySeeds *	ticketSeeds,
		const folly::SocketAddress &	vipAddress,
		const std::shared_ptr< SSLCacheProvider > &	externalCache
	)

Resets SSLContextManager with new X509s

Parameters

ctxConfigs	Details of a X509s, private key, password, etc.
cacheOptions	Options for how to do session caching.
ticketSeeds	If non-null, the initial ticket key seeds to use.
vipAddress	Which VIP are the X509(s) used for? It is only for for user friendly log message
externalCache	Optional external provider for the session cache; may be null

Definition at line 212 of file SSLContextManager.cpp.

References addSSLContextConfig(), contexts_, wangle::SSLContextManager::SslContexts::ctxs, wangle::TLSTicketKeySeeds::currentSeeds, wangle::TLSTicketKeySeeds::newSeeds, wangle::TLSTicketKeySeeds::oldSeeds, and wangle::SSLContextManager::SslContexts::swap().

                                                        {

  SslContexts contexts;
  TLSTicketKeySeeds oldTicketSeeds;
  // This assumes that all ctxs have the same ticket seeds. Which we assume in
  // other places as well
  if (!ticketSeeds) {
    // find first non null ticket manager and update seeds from it
    for (auto& ctx : contexts_.ctxs) {
      auto ticketManager = ctx->getTicketManager();
      if (ticketManager) {
        ticketManager->getTLSTicketKeySeeds(
          oldTicketSeeds.oldSeeds,
          oldTicketSeeds.currentSeeds,
          oldTicketSeeds.newSeeds);
        break;
      }
    }
  }

  for (const auto& ctxConfig : ctxConfigs) {
    addSSLContextConfig(ctxConfig,
                        cacheOptions,
                        ticketSeeds ? ticketSeeds : &oldTicketSeeds,
                        vipAddress,
                        externalCache,
                        &contexts);
  }
  contexts_.swap(contexts);
}

void wangle::SSLContextManager::setClientHelloExtStats ( ClientHelloExtStats *  stats )

inline

SSLContextManager only collects SNI stats now

Definition at line 165 of file SSLContextManager.h.

                                                          {
    clientHelloTLSExtStats_ = stats;
  }

void wangle::SSLContextManager::setClientVerifyCallback ( std::unique_ptr< ClientCertVerifyCallback >  cb )

inline

Definition at line 169 of file SSLContextManager.h.

References folly::gen::move.

                                                                           {
        clientCertVerifyCallback_ = std::move(cb);
  }

void wangle::SSLContextManager::setSSLStats ( SSLStats *  stats )

inline

Definition at line 158 of file SSLContextManager.h.

                                    {
    stats_ = stats;
  }

Member Data Documentation

std::unique_ptr<ClientCertVerifyCallback> wangle::SSLContextManager::clientCertVerifyCallback_ {nullptr}

private

Definition at line 267 of file SSLContextManager.h.

Referenced by addSSLContextConfig().

ClientHelloExtStats* wangle::SSLContextManager::clientHelloTLSExtStats_ {nullptr}

private

Definition at line 264 of file SSLContextManager.h.

Referenced by addSSLContextConfig().

SslContexts wangle::SSLContextManager::contexts_

private

Definition at line 262 of file SSLContextManager.h.

Referenced by addSSLContextConfig(), clear(), getDefaultSSLCtx(), getSSLCtxByExactDomain(), getSSLCtxBySuffix(), reloadTLSTicketKeys(), and resetSSLContextConfigs().

folly::EventBase* wangle::SSLContextManager::eventBase_

private

Definition at line 263 of file SSLContextManager.h.

SSLContextConfig::SNINoMatchFn wangle::SSLContextManager::noMatchFn_

private

Definition at line 265 of file SSLContextManager.h.

Referenced by addSSLContextConfig(), and ctxSetupByOpensslFeature().

SSLStats* wangle::SSLContextManager::stats_ {nullptr}

protected

Definition at line 186 of file SSLContextManager.h.

Referenced by addSSLContextConfig().

bool wangle::SSLContextManager::strict_ {true}

private

Definition at line 266 of file SSLContextManager.h.

Referenced by insertSSLCtxByDomainName().

std::string wangle::SSLContextManager::vipName_

protected

Definition at line 185 of file SSLContextManager.h.

Referenced by addSSLContextConfig().

---

The documentation for this class was generated from the following files:

• proxygen/wangle/wangle/ssl/SSLContextManager.h
• proxygen/wangle/wangle/ssl/SSLContextManager.cpp