proxygen
|
#include <SSLContextManager.h>
Classes | |
struct | ClientCertVerifyCallback |
struct | SslContexts |
Public Member Functions | |
SSLContextManager (folly::EventBase *eventBase, const std::string &vipName, bool strict, SSLStats *stats) | |
virtual | ~SSLContextManager () |
void | addSSLContextConfig (const SSLContextConfig &ctxConfig, const SSLCacheOptions &cacheOptions, const TLSTicketKeySeeds *ticketSeeds, const folly::SocketAddress &vipAddress, const std::shared_ptr< SSLCacheProvider > &externalCache, SslContexts *contexts=nullptr) |
void | resetSSLContextConfigs (const std::vector< SSLContextConfig > &ctxConfig, const SSLCacheOptions &cacheOptions, const TLSTicketKeySeeds *ticketSeeds, const folly::SocketAddress &vipAddress, const std::shared_ptr< SSLCacheProvider > &externalCache) |
void | clear () |
std::shared_ptr< folly::SSLContext > | getDefaultSSLCtx () const |
std::shared_ptr< folly::SSLContext > | getSSLCtx (const SSLContextKey &key) const |
std::shared_ptr< folly::SSLContext > | getSSLCtxBySuffix (const SSLContextKey &key) const |
std::shared_ptr< folly::SSLContext > | getSSLCtxByExactDomain (const SSLContextKey &key) const |
void | reloadTLSTicketKeys (const std::vector< std::string > &oldSeeds, const std::vector< std::string > ¤tSeeds, const std::vector< std::string > &newSeeds) |
void | setSSLStats (SSLStats *stats) |
void | setClientHelloExtStats (ClientHelloExtStats *stats) |
void | setClientVerifyCallback (std::unique_ptr< ClientCertVerifyCallback > cb) |
Protected Member Functions | |
virtual void | loadCertKeyPairExternal (const std::shared_ptr< folly::SSLContext > &, const SSLContextConfig &, const std::string &) |
virtual void | overrideConfiguration (const std::shared_ptr< folly::SSLContext > &, const SSLContextConfig &) |
void | insertSSLCtxByDomainName (const char *dn, size_t len, std::shared_ptr< folly::SSLContext > sslCtx, SslContexts &contexts, CertCrypto certCrypto=CertCrypto::BEST_AVAILABLE) |
void | insertSSLCtxByDomainName (const char *dn, size_t len, std::shared_ptr< folly::SSLContext > sslCtx, CertCrypto certCrypto=CertCrypto::BEST_AVAILABLE) |
Protected Attributes | |
std::string | vipName_ |
SSLStats * | stats_ {nullptr} |
Private Member Functions | |
SSLContextManager (const SSLContextManager &)=delete | |
void | ctxSetupByOpensslFeature (std::shared_ptr< ServerSSLContext > sslCtx, const SSLContextConfig &ctxConfig, SslContexts &contexts) |
void | insert (std::shared_ptr< ServerSSLContext > sslCtx, bool defaultFallback, SslContexts &contexts) |
void | insertSSLCtxByDomainNameImpl (const char *dn, size_t len, std::shared_ptr< folly::SSLContext > sslCtx, SslContexts &contexts, CertCrypto certCrypto) |
void | insertIntoDnMap (SSLContextKey key, std::shared_ptr< folly::SSLContext > sslCtx, bool overwrite, SslContexts &contexts) |
Private Attributes | |
SslContexts | contexts_ |
folly::EventBase * | eventBase_ |
ClientHelloExtStats * | clientHelloTLSExtStats_ {nullptr} |
SSLContextConfig::SNINoMatchFn | noMatchFn_ |
bool | strict_ {true} |
std::unique_ptr< ClientCertVerifyCallback > | clientCertVerifyCallback_ {nullptr} |
Definition at line 47 of file SSLContextManager.h.
|
explicit |
Definition at line 186 of file SSLContextManager.cpp.
|
virtualdefault |
|
privatedelete |
void wangle::SSLContextManager::addSSLContextConfig | ( | const SSLContextConfig & | ctxConfig, |
const SSLCacheOptions & | cacheOptions, | ||
const TLSTicketKeySeeds * | ticketSeeds, | ||
const folly::SocketAddress & | vipAddress, | ||
const std::shared_ptr< SSLCacheProvider > & | externalCache, | ||
SslContexts * | contexts = nullptr |
||
) |
Adds a new X509 certificate to the SSLContextManager. The details of the X509 are passed as an SSLContextConfig object; note that this config carries the private key and its password, so it is secret material and must not be logged or echoed in error messages.
ctxConfig | Details of an X509, its private key, password, etc. (sensitive). |
cacheOptions | Options for how to do session caching. |
ticketSeeds | If non-null, the initial TLS session-ticket key seeds to use; see reloadTLSTicketKeys() for rotating them afterwards. |
vipAddress | Which VIP are the X509(s) used for? It is used only for user-friendly log messages. |
externalCache | Optional external provider for the session cache; may be null |
Definition at line 248 of file SSLContextManager.cpp.
References wangle::BEST_AVAILABLE, wangle::SSLContextConfig::certificates, wangle::SSLContextConfig::clientCAFile, clientCertVerifyCallback_, clientHelloTLSExtStats_, wangle::SSLContextConfig::clientVerification, contexts_, count, ctxSetupByOpensslFeature(), wangle::SSLContextManager::SslContexts::defaultCtxDomainName, folly::SocketAddress::describe(), wangle::SSLContextConfig::eccCurveName, folly::exceptionStr(), folly::AsyncSSLSocket::getClientHelloInfo(), wangle::SSLUtil::getCommonName(), folly::AsyncSSLSocket::getFromSSL(), getSSLCtx(), wangle::SSLUtil::getSubjectAltName(), folly::gen::guard(), insert(), wangle::SSLContextConfig::isDefault, wangle::SSLContextConfig::keyOffloadParams, loadCertKeyPairExternal(), folly::makeGuard(), folly::gen::move, noMatchFn_, wangle::SSLContextConfig::KeyOffloadParams::offloadType, overrideConfiguration(), wangle::ClientHelloExtStats::recordAbsentHostname(), wangle::ClientHelloExtStats::recordCertCrypto(), wangle::ClientHelloExtStats::recordMatch(), wangle::ClientHelloExtStats::recordNotMatch(), folly::ssl::SERVER_NAME, wangle::SSLContextConfig::sessionContext, wangle::SHA1_SIGNATURE, folly::ssl::SHA256, wangle::SSLContextConfig::sslCiphers, wangle::SSLContextConfig::sslVersion, stats_, string, folly::stringPrintf(), uint32_t, and vipName_.
Referenced by resetSSLContextConfigs(), and wangle::TEST().
void wangle::SSLContextManager::clear | ( | ) |
Clears all SSL contexts held by this manager.
Definition at line 751 of file SSLContextManager.cpp.
References wangle::SSLContextManager::SslContexts::clear(), and contexts_.
|
private |
Definition at line 526 of file SSLContextManager.cpp.
References folly::netops::bind(), wangle::SSLContextManager::SslContexts::ctxs, wangle::SSLContextManager::SslContexts::defaultCtx, wangle::SSLContextConfig::isDefault, wangle::SSLContextConfig::nextProtocols, noMatchFn_, OPENSSL_MISSING_FEATURE, and wangle::SSLContextConfig::sniNoMatchFn.
Referenced by addSSLContextConfig().
shared_ptr< SSLContext > wangle::SSLContextManager::getDefaultSSLCtx | ( | ) | const |
Gets the default SSL_CTX for this VIP, i.e. the context whose config was flagged isDefault. It is presumably what gets served when the ClientHello carries no SNI hostname or no registered name matches (see noMatchFn_ and the strict flag), so it should hold a certificate you are comfortable presenting to arbitrary clients.
Definition at line 803 of file SSLContextManager.cpp.
References contexts_, and wangle::SSLContextManager::SslContexts::defaultCtx.
shared_ptr< SSLContext > wangle::SSLContextManager::getSSLCtx | ( | const SSLContextKey & | key | ) | const |
Searches first for an exact match on the full domain name (getSSLCtxByExactDomain), then falls back to the one-level-up suffix lookup (getSSLCtxBySuffix).
Definition at line 756 of file SSLContextManager.cpp.
References getSSLCtxByExactDomain(), and getSSLCtxBySuffix().
Referenced by addSSLContextConfig(), and wangle::TEST().
shared_ptr< SSLContext > wangle::SSLContextManager::getSSLCtxByExactDomain | ( | const SSLContextKey & | key | ) | const |
Searches by the full domain-name string only (exact match; no suffix fallback).
Definition at line 788 of file SSLContextManager.cpp.
References contexts_, wangle::SSLContextManager::SslContexts::dnMap, wangle::SSLContextKey::dnString, and folly::stringPrintf().
Referenced by getSSLCtx(), and wangle::TEST().
shared_ptr< SSLContext > wangle::SSLContextManager::getSSLCtxBySuffix | ( | const SSLContextKey & | key | ) | const |
Searches by the name one level up (the leftmost label removed), so that a context registered for the parent domain — typically a wildcard certificate — can serve the requested subdomain. Only a single level is consulted, which is consistent with the wildcard rule in RFC 6125 §6.4.3 that a wildcard label matches exactly one label; the lookup is also keyed by certCrypto.
Definition at line 766 of file SSLContextManager.cpp.
References wangle::SSLContextKey::certCrypto, contexts_, wangle::SSLContextManager::SslContexts::dnMap, wangle::SSLContextKey::dnString, GCC61971::dot, and folly::stringPrintf().
Referenced by getSSLCtx(), and wangle::TEST().
|
private |
Callback function from OpenSSL to find the right X509 to use during the SSL handshake. The following functions help maintain the data structure used for domain-name matching in SNI. Note that contexts are registered under both the certificate's Common Name and its subjectAltName dNSName entries (see the references below), so a name that appears only in the CN is still selectable here even though modern clients (RFC 6125 and the CA/Browser Forum baseline) validate against the SAN only. Some notes:
Some notes from RFC 2818, kept only for quick future reference in case of bugs. RFC 2818's hostname-matching guidance has since been superseded by RFC 6125 (now RFC 9525), which requires the dNSName subjectAltName and no longer permits the Common Name fallback quoted below.
RFC 2818 section 3.1: "...... If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead. ...... In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI. ......"
Definition at line 587 of file SSLContextManager.cpp.
References wangle::BEST_AVAILABLE, wangle::SSLContextManager::SslContexts::ctxs, wangle::SSLUtil::getCommonName(), wangle::SSLUtil::getSubjectAltName(), folly::gen::guard(), insertSSLCtxByDomainName(), folly::makeGuard(), name, and wangle::SHA1_SIGNATURE.
Referenced by addSSLContextConfig().
|
private |
Definition at line 731 of file SSLContextManager.cpp.
References wangle::SSLContextManager::SslContexts::dnMap.
Referenced by insertSSLCtxByDomainNameImpl().
|
protected |
Inserts an SSLContext under the given domain name. The insertion honours the manager's strict_ setting (taken from the constructor's strict argument).
Definition at line 666 of file SSLContextManager.cpp.
References insertSSLCtxByDomainNameImpl(), and strict_.
Referenced by insert(), and wangle::TEST().
|
inlineprotected |
Definition at line 198 of file SSLContextManager.h.
|
private |
Definition at line 682 of file SSLContextManager.cpp.
References wangle::BEST_AVAILABLE, insertIntoDnMap(), string, and folly::stringPrintf().
Referenced by insertSSLCtxByDomainName().
|
inlineprotectedvirtual |
Definition at line 174 of file SSLContextManager.h.
References folly::FATAL.
Referenced by addSSLContextConfig().
|
inlineprotectedvirtual |
void wangle::SSLContextManager::reloadTLSTicketKeys | ( | const std::vector< std::string > & | oldSeeds, |
const std::vector< std::string > & | currentSeeds, | ||
const std::vector< std::string > & | newSeeds | ||
) |
Reloads the TLS session-ticket key seeds (old / current / new) on every context held in contexts_.ctxs. Ticket keys encrypt session state that is handed to clients, so they should be rotated regularly; passing the previous seeds as oldSeeds presumably lets tickets issued under them keep resuming for a grace period until they age out — confirm against TLSTicketKeySeeds. Definition at line 808 of file SSLContextManager.cpp.
References contexts_, and wangle::SSLContextManager::SslContexts::ctxs.
void wangle::SSLContextManager::resetSSLContextConfigs | ( | const std::vector< SSLContextConfig > & | ctxConfig, |
const SSLCacheOptions & | cacheOptions, | ||
const TLSTicketKeySeeds * | ticketSeeds, | ||
const folly::SocketAddress & | vipAddress, | ||
const std::shared_ptr< SSLCacheProvider > & | externalCache | ||
) |
Resets the SSLContextManager with a new set of X509s: each config is added via addSSLContextConfig() and the resulting SslContexts is swapped in, replacing all previously held contexts.
ctxConfig (documented as ctxConfigs) | Details of the X509s, their private keys, passwords, etc. (sensitive). |
cacheOptions | Options for how to do session caching. |
ticketSeeds | If non-null, the initial ticket key seeds to use. |
vipAddress | Which VIP are the X509(s) used for? It is used only for user-friendly log messages. |
externalCache | Optional external provider for the session cache; may be null |
Definition at line 212 of file SSLContextManager.cpp.
References addSSLContextConfig(), contexts_, wangle::SSLContextManager::SslContexts::ctxs, wangle::TLSTicketKeySeeds::currentSeeds, wangle::TLSTicketKeySeeds::newSeeds, wangle::TLSTicketKeySeeds::oldSeeds, and wangle::SSLContextManager::SslContexts::swap().
|
inline |
SSLContextManager currently collects only SNI (ClientHello server_name extension) stats.
Definition at line 165 of file SSLContextManager.h.
|
inline |
Definition at line 169 of file SSLContextManager.h.
References folly::gen::move.
|
inline |
Definition at line 158 of file SSLContextManager.h.
|
private |
Definition at line 267 of file SSLContextManager.h.
Referenced by addSSLContextConfig().
|
private |
Definition at line 264 of file SSLContextManager.h.
Referenced by addSSLContextConfig().
|
private |
Definition at line 262 of file SSLContextManager.h.
Referenced by addSSLContextConfig(), clear(), getDefaultSSLCtx(), getSSLCtxByExactDomain(), getSSLCtxBySuffix(), reloadTLSTicketKeys(), and resetSSLContextConfigs().
|
private |
Definition at line 263 of file SSLContextManager.h.
|
private |
Definition at line 265 of file SSLContextManager.h.
Referenced by addSSLContextConfig(), and ctxSetupByOpensslFeature().
Definition at line 186 of file SSLContextManager.h.
Referenced by addSSLContextConfig().
|
private |
Definition at line 266 of file SSLContextManager.h.
Referenced by insertSSLCtxByDomainName().
|
protected |
Definition at line 185 of file SSLContextManager.h.
Referenced by addSSLContextConfig().