Skip to content

Add TLSCertSwitchSupport #9322

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
maskit merged 2 commits into from
Mar 14, 2023
Merged

Add TLSCertSwitchSupport #9322

maskit merged 2 commits into from
Mar 14, 2023

Conversation

@maskit
Copy link
Member

@maskit maskit commented Jan 19, 2023
edited
Loading

This is preparation for enabling cert switching (or enabling SNI action) on QUIC connections. Like other TLSSomethingSupport, there should be no logic change.

Code change around QUICNetVC will be made on 10-Dev separately. Changes for QUIC is on #9347

@maskit
Add TLSCertSwitchSupport
5f0d8e7 
This is a preparation for enabling cert switching on QUIC connections.
@maskit maskit added the TLS label Jan 19, 2023
@maskit maskit added this to the 10.0.0 milestone Jan 19, 2023
@maskit maskit self-assigned this Jan 19, 2023
@bryancall bryancall self-requested a review January 24, 2023 00:29
@maskit maskit mentioned this pull request Jan 31, 2023
Merged
bryancall
bryancall reviewed Mar 1, 2023
View reviewed changes
iocore/net/SSLUtils.cc
}

bool reenabled = netvc->callHooks(TS_EVENT_SSL_CLIENT_HELLO);
SSLNetVConnection *netvc = dynamic_cast<SSLNetVConnection *>(snis);
Copy link
Contributor

@bryancall bryancall Mar 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking over the PR - I am concerned that we are adding 3 dynamic casts. Dynamic casts seem to be expensive and have shown up in perf top.

Copy link
Member Author

@maskit maskit Mar 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We talked about the use of dynamic_cast several months ago. I think Alan suggested having T* NetVConnection::get_service<T>()). The function would return a pointer for a specified service (SomethingSupport) if the netvc supports it. The downside is that we'd have to maintain the function in addition to having the name in class declaration. And I already stated I'm ok with having the function if dynamic_cast costs much. It just don't have enough priority on anybody's list.

@maskit
Copy link
Member Author

maskit commented Mar 14, 2023

We'll continue the discussion about dynamic_cast on #9482 and resolve performance issue on it at once.

@maskit maskit merged commit 5bb8463 into apache:master Mar 14, 2023
cmcfarlen pushed a commit to cmcfarlen/trafficserver that referenced this pull request Jun 3, 2024
@maskit @zwoop
Add TLSCertSwitchSupport (apache#9322)
684c7a3 
* Add TLSCertSwitchSupport

This is a preparation for enabling cert switching on QUIC connections.

* Fix an invalid cast
cmcfarlen pushed a commit to cmcfarlen/trafficserver that referenced this pull request Jun 3, 2024
@zwoop
Merge commit 'c54a2e2b77151869ff014fbdc4c82cec0afcbb8c'
377f043 
* commit 'c54a2e2b77151869ff014fbdc4c82cec0afcbb8c': (37 commits)
  Slight performance improvements before calling APIHooks::clear (apache#9480)
  libswoc: Update to 1.4.5 (apache#9522)
  CryptoContext: Clean up to avoid compiler problem. (apache#9521)
  Add TLSCertSwitchSupport (apache#9322)
  Add clang-format-tests to clang-format target (apache#9456)
  Adds the AR env variable to config.nice (apache#9515)
  Fix .asf.yaml (apache#9519)
  Hugepage config cleanup (apache#9479)
  Separate io_uring into a separate library. AIO in io_uring mode uses new io_uring lib. (apache#9462)
  Avoid memory allocation in CryptoHash (apache#9474)
  UnitParser: add unit parser support. (apache#9485)
  autest - Minor fix on the verifier_client test ext to allow setting only the http3 ports. (apache#9517)
  Remove support for port event polling (apache#9476)
  QUIC: Add support to configure UDP max payload limit. (apache#9486)
  Reduce the size of the APIHooks, eliminating enum gap (apache#9509)
  Add support for CMCD-Request header nor field to prefetch plugin (apache#9232)
  Eliminates padding from some common structs (apache#9481)
  Enable external file loading for sni.yaml. (apache#9501)
  Remove inactive include of IpMapConf.h (apache#9512)
  Cleanup: Remove RecModeT from the code. (apache#9487)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bryancall bryancall bryancall approved these changes

Assignees

@maskit maskit

Labels

TLS

Projects

None yet

Milestone

10.0.0

Development

Successfully merging this pull request may close these issues.

2 participants

@maskit @bryancall