Add allow-plain server ports attribute #9574
Conversation
|
Will all the data received be re-read by UnixNetVC? I'm wondering what happens if TLS handshake fails at the very late stage of it. Will SNI actions be triggered? If yes, will everything done on SNI actions be reset on the plain connection? If all the data will be re-read by UnixNetVC, parsing the "HTTP request" probably fails because the fake TLS data is invalid as an HTTP request format. |
| @@ -783,6 +786,9 @@ mptcp | |||
|
|
|||
| Requires custom Linux kernel available at https://multipath-tcp.org. | |||
|
|
|||
| allow-plain | |||
| For TLS ports, will fall back to non-TLS processing if the TLS handshake fails. | |||
There was a problem hiding this comment.
We may want to mention that this is for TLS over TCP (or ports configured with ssl), although plain QUIC connection does not exist in the first place. We could also say this is incompatible with quic like some other descriptors say.
There was a problem hiding this comment.
Fails for any reason, including say an expired certificate? Or does this require a protocol failure? Looking at the code it seems only a protocol error on the first read / packet will failover to plain text.
There was a problem hiding this comment.
Allow-plain only kicks in of the first packet fails to be recognized as a valid client-hello. Once packets are exchanged in the TLS path, it is no reasonable to try an reinterpret as HTTP.
There was a problem hiding this comment.
Will add comments to the effect that allow-plain does not make sense for quic. Could also implement an incompatible check.
|
[approve ci fedora] |
|
[approve ci centos] |
| @@ -33,7 +33,7 @@ | |||
| class SSLNextProtocolAccept : public SessionAccept | |||
| { | |||
| public: | |||
| SSLNextProtocolAccept(Continuation *, bool); | |||
| SSLNextProtocolAccept(Continuation *, bool, bool); | |||
There was a problem hiding this comment.
We might want to look at aliased boolean or enum values for clarity.
|
I also want to riff of @maskit and say the consistency checking in processing the server ports should be extended to generate an error if both |
The allow-plain will only kick in if there is a TLS parse failure on the first packet. No TLS-oriented hooks should be triggered. |
|
Added a warning if both allow-plain and quic are specified. Warnings seemed to be how the other checks went. |
iocore/net/SSLNetVConnection.cc
Outdated
| @@ -587,6 +587,10 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread) | |||
| if (!getSSLHandShakeComplete()) { | |||
| int err = 0; | |||
|
|
|||
| // May get into logic that will clean up the current VC | |||
| // Increment the recursion to delay do_io_close cleaup. | |||
| this->recursion++; | |||
There was a problem hiding this comment.
Adding this recursion bump, other use after free ASAN error would trigger on the later if (this->handshakeReader) check because with addition of the _migrateSsl, the SSLNetVC object (this) may have been deleted.
By incrementing recursion and adding test_inline_close() on return, we ensure that the deletion of this does not occur until the end of the function.
shinrich
force-pushed
the
allow-plain
branch
from
a2fe5fe to
0652345
Compare
| if (ret == EVENT_RESTART) { | ||
| // VC migrated into a new object | ||
| // Just give up and go home. Events should trigger on the new vc | ||
| return; |
There was a problem hiding this comment.
Don't we need to decrement the recursion counter here?
If no, it's difficult to understand. Want a comment why we don't need it.
If yes, it's fragile. I don't like to use goto but we may need it use it.
There was a problem hiding this comment.
I tried the recursion counts then changed the return value. I think that just sending back a different return value will suffice. I'll back out the recursion could and verify that everything still works. And update the PR
There was a problem hiding this comment.
And you are exactly right. Should be dropping the recursion count here too. Should use the scoped pattern to deal with the decrement if we really need to manipulate the recursion counter.
shinrich
force-pushed
the
allow-plain
branch
from
72f0678 to
3de3260
Compare
iocore/net/SSLNextProtocolAccept.cc
Outdated
| netvc->do_io_close(); | ||
| if (netvc != nullptr) { | ||
| netvc->do_io_close(); | ||
| } else { // Try making a unix netvc |
There was a problem hiding this comment.
do_io_close() is a virtual function, so I think we can simply call vio->vc_server->do_io_close() without casting.
iocore/net/SSLNextProtocolAccept.cc
Outdated
| // This wasn't really a TLS connection | ||
| // Trying to process it as a TCP connection | ||
| if (netvc == nullptr) { | ||
| UnixNetVConnection *plain_netvc = dynamic_cast<UnixNetVConnection *>(vio->vc_server); |
There was a problem hiding this comment.
send_plugin_event receives void *. If we don't check nullptr, we can simply pass vio->vc_serve without casting.
* asf/master: (30 commits) add conveinience function to lookup name->IntType* (apache#10474) cmake: bigobj subdir has executables, not plugins (apache#10481) cmake: compile jsonrpc_protocol with -fPIC (apache#10478) Make sure new metrics are always considered (apache#10445) Refactor and rename restart metrics (apache#10472) Fix the SNI and HOST parsing properly (apache#10480) slice/Data.h: CID 1508924: Uninitialized scalar field (apache#10470) CID 1508882: initialize pointer (apache#10469) CID-1512726: Mute coverity, use explicit check for iterator use past end (apache#10467) Fix Coverity issue in inliner plugin. (apache#10442) Set the proper variable when find_package fails to find the package (apache#10468) CID1508860: double lock confusion (apache#10443) Stop using functions that are unavailable on the latest quiche (apache#10447) Add allow-plain server ports attribute (apache#9574) [Fuzzing] move build.sh in trafficserver (apache#10466) Some sort of "fix" to mute coverity. (apache#10451) CID-1512733: Fix coverity issue (apache#10452) Fix cmake autooptions (apache#10456) Cmake presets (apache#10457) This fixes CID 1518257 (apache#10404) ...
Description on matching issue.
Includes autest and document update.
This closes #9573