authorAndrew Hauck <[email protected]>2024-03-04 09:20:50 -0800
committerEdward Wang <[email protected]>2024-03-15 14:37:56 -0700
commitd19ae74563bbabb6cf5a7473d0227d7c560840df (patch)
treeb65b844fa632acb20ab09f8cac5c411feec7877c
parenta39694899fc048661b6fdb34931dbedf87586169 (diff)
downloadpingora-d19ae74563bbabb6cf5a7473d0227d7c560840df.tar.gz
pingora-d19ae74563bbabb6cf5a7473d0227d7c560840df.zip
Revert "Fix verify_result() in ssl client for boringssl"
This reverts commit 9f410d52221da26c0651a99d071daf9b7acf87a2.
-rw-r--r--.bleep2
-rw-r--r--pingora-core/src/protocols/ssl/client.rs34
2 files changed, 12 insertions, 24 deletions
diff --git a/.bleep b/.bleep
index 193a797..7092101 100644
--- a/.bleep
+++ b/.bleep
@@ -1 +1 @@
-8e6a08593def12f43d50e83c0d35f9f6f9aca630 \ No newline at end of file
+f5828844181647e13067b3578ea7333c70ab671c \ No newline at end of file
diff --git a/pingora-core/src/protocols/ssl/client.rs b/pingora-core/src/protocols/ssl/client.rs
index 6fd6462..abb6da6 100644
--- a/pingora-core/src/protocols/ssl/client.rs
+++ b/pingora-core/src/protocols/ssl/client.rs
@@ -17,7 +17,11 @@
use super::SslStream;
use crate::protocols::raw_connect::ProxyDigest;
use crate::protocols::{GetProxyDigest, GetTimingDigest, TimingDigest, IO};
-use crate::tls::{ssl, ssl::ConnectConfiguration, ssl_sys::X509_V_ERR_INVALID_CALL};
+use crate::tls::{
+ ssl,
+ ssl::ConnectConfiguration,
+ ssl_sys::{X509_V_ERR_INVALID_CALL, X509_V_OK},
+};
use pingora_error::{Error, ErrorType::*, OrErr, Result};
use std::sync::Arc;
@@ -39,29 +43,13 @@ pub async fn handshake<S: IO>(
Err(e) => {
let context = format!("TLS connect() failed: {e}, SNI: {domain}");
match e.code() {
- ssl::ErrorCode::SSL => {
- // Unify the return type of `verify_result` for openssl
- #[cfg(not(feature = "boringssl"))]
- fn verify_result<S>(stream: SslStream<S>) -> Result<(), i32> {
- match stream.ssl().verify_result().as_raw() {
- crate::tls::ssl_sys::X509_V_OK => Ok(()),
- e => Err(e),
- }
+ ssl::ErrorCode::SSL => match stream.ssl().verify_result().as_raw() {
+ // X509_V_ERR_INVALID_CALL in case verify result was never set
+ X509_V_OK | X509_V_ERR_INVALID_CALL => {
+ Error::e_explain(TLSHandshakeFailure, context)
}
- // Unify the return type of `verify_result` for boringssl
- #[cfg(feature = "boringssl")]
- fn verify_result<S>(stream: SslStream<S>) -> Result<(), i32> {
- stream.ssl().verify_result().map_err(|e| e.as_raw())
- }
- match verify_result(stream) {
- Ok(()) => Error::e_explain(TLSHandshakeFailure, context),
- // X509_V_ERR_INVALID_CALL in case verify result was never set
- Err(X509_V_ERR_INVALID_CALL) => {
- Error::e_explain(TLSHandshakeFailure, context)
- }
- _ => Error::e_explain(InvalidCert, context),
- }
- }
+ _ => Error::e_explain(InvalidCert, context),
+ },
/* likely network error, but still mark as TLS error */
_ => Error::e_explain(TLSHandshakeFailure, context),
}
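Review bot: The new `match stream.ssl().verify_result().as_raw()` arm under `ssl::ErrorCode::SSL` assumes `verify_result()` returns a value that has `as_raw()`. The removed `#[cfg(feature = "boringssl")]` helper instead called `verify_result().map_err(|e| e.as_raw())`, which suggests that backend returns a `Result`; if so, this arm probably no longer builds with the `boringssl` feature. The commit message gives no reason for the revert, so if the regression is accepted a comment above the arm would record it, e.g. `// openssl-only: with boringssl verify_result() returns a Result (see reverted 9f410d52)`. This arm is what separates `InvalidCert` from a generic `TLSHandshakeFailure`, so certificate-validation failures should stay distinguishable on every supported TLS backend. The enclosing `handshake` function starts before this hunk and continues past it.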