author | Andrew Hauck <[email protected]> | 2024-03-04 09:20:50 -0800 |
committer | Edward Wang <[email protected]> | 2024-03-15 14:37:56 -0700 |
commit | d19ae74563bbabb6cf5a7473d0227d7c560840df (patch) | |
tree | b65b844fa632acb20ab09f8cac5c411feec7877c | |
parent | a39694899fc048661b6fdb34931dbedf87586169 (diff) | |
Revert "Fix verify_result() in ssl client for boringssl"
This reverts commit 9f410d52221da26c0651a99d071daf9b7acf87a2.
-rw-r--r-- | .bleep | 2 | ||||
-rw-r--r-- | pingora-core/src/protocols/ssl/client.rs | 34 |
2 files changed, 12 insertions, 24 deletions
@@ -1 +1 @@
-8e6a08593def12f43d50e83c0d35f9f6f9aca630
\ No newline at end of file
+f5828844181647e13067b3578ea7333c70ab671c
\ No newline at end of file
diff --git a/pingora-core/src/protocols/ssl/client.rs b/pingora-core/src/protocols/ssl/client.rs
index 6fd6462..abb6da6 100644
--- a/pingora-core/src/protocols/ssl/client.rs
+++ b/pingora-core/src/protocols/ssl/client.rs
@@ -17,7 +17,11 @@ use super::SslStream;
 use crate::protocols::raw_connect::ProxyDigest;
 use crate::protocols::{GetProxyDigest, GetTimingDigest, TimingDigest, IO};
-use crate::tls::{ssl, ssl::ConnectConfiguration, ssl_sys::X509_V_ERR_INVALID_CALL};
+use crate::tls::{
+ ssl,
+ ssl::ConnectConfiguration,
+ ssl_sys::{X509_V_ERR_INVALID_CALL, X509_V_OK},
+};
 use pingora_error::{Error, ErrorType::*, OrErr, Result};
 use std::sync::Arc;
 
@@ -39,29 +43,13 @@ pub async fn handshake<S: IO>(
 Err(e) => {
 let context = format!("TLS connect() failed: {e}, SNI: {domain}");
 match e.code() {
- ssl::ErrorCode::SSL => {
- // Unify the return type of `verify_result` for openssl
- #[cfg(not(feature = "boringssl"))]
- fn verify_result<S>(stream: SslStream<S>) -> Result<(), i32> {
- match stream.ssl().verify_result().as_raw() {
- crate::tls::ssl_sys::X509_V_OK => Ok(()),
- e => Err(e),
- }
+ ssl::ErrorCode::SSL => match stream.ssl().verify_result().as_raw() {
+ // X509_V_ERR_INVALID_CALL in case verify result was never set
+ X509_V_OK | X509_V_ERR_INVALID_CALL => {
+ Error::e_explain(TLSHandshakeFailure, context)
 }
- // Unify the return type of `verify_result` for boringssl
- #[cfg(feature = "boringssl")]
- fn verify_result<S>(stream: SslStream<S>) -> Result<(), i32> {
- stream.ssl().verify_result().map_err(|e| e.as_raw())
- }
- match verify_result(stream) {
- Ok(()) => Error::e_explain(TLSHandshakeFailure, context),
- // X509_V_ERR_INVALID_CALL in case verify result was never set
- Err(X509_V_ERR_INVALID_CALL) => {
- Error::e_explain(TLSHandshakeFailure, context)
- }
- _ => Error::e_explain(InvalidCert, context),
- }
- }
+ _ => Error::e_explain(InvalidCert, context),
+ },
 /* likely network error, but still mark as TLS error */
 _ => Error::e_explain(TLSHandshakeFailure, context),
 }
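Review bot: The restored arm `ssl::ErrorCode::SSL => match stream.ssl().verify_result().as_raw() {` calls `as_raw()` straight on `verify_result()`, yet the helper this revert deletes shows that under `feature = "boringssl"` the binding's `verify_result()` returns a `Result` that had to be mapped with `map_err(|e| e.as_raw())`, so this path presumably either fails to compile or cannot tell `InvalidCert` from `TLSHandshakeFailure` when the boringssl feature is on. If the revert is deliberate because the earlier fix broke something else, the description should say what, since the one-line "This reverts commit …" gives whoever relands it nothing to work from. The classification is not cosmetic: a certificate or hostname verification failure against an upstream that surfaces as a generic `TLSHandshakeFailure` looks like a transient network fault in logs and retry logic rather than a possible interception. Until the boringssl path is handled again, a marker on that line such as `// TODO(boringssl): verify_result() does not return X509VerifyResult under the boringssl feature; this as_raw() matches the openssl binding only` would keep the gap visible. The enclosing `handshake` function starts before and continues past this hunk.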