Remove premature context updates in TSSslSecretSet().#9528
Closed
ywkaras wants to merge 1 commit intoapache:masterfrom
Closed
Remove premature context updates in TSSslSecretSet().#9528ywkaras wants to merge 1 commit intoapache:masterfrom
ywkaras wants to merge 1 commit intoapache:masterfrom
Conversation
This PR partially reverts PR apache#8368. SSL contexts (SSL_CTX) should only be updated by TSSslSecretUpdate() (which is only called for the main, not the related secret). The update in TSSslSecretSet() is not merely redundant, it causes errors. When an update is done, OpenSSL will check that the cert public key matches the private key. Since TSSslSecretSet() can only set one at time, if it also updates, they will not match. Contexts for a loading confguration never have to be updated, becasue no SSL_CTX's have been created using it yet.
Contributor
Author
|
Waiting on a confirmation for a Yahoo prod engineer that this fixes the problem they're having with one of our plugins. |
Contributor
Author
|
Leaving this as a draft, until the TSSslSecretXxx functions are fixed ( see #9562 ). |
Contributor
|
[approve ci cmake] |
Member
|
[approve ci centos] |
|
This pull request has been automatically marked as stale because it has not had recent activity. Marking it stale to flag it for further consideration by the community. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR partially reverts PR #8368. SSL contexts (SSL_CTX) should only be updated by TSSslSecretUpdate() (which is only called for the main, not the related secret). The update in TSSslSecretSet() is not merely redundant, it causes errors. When an update is done, OpenSSL will check that the cert public key matches the private key. Since TSSslSecretSet() can only set one at time, if it also updates, they will not match.
Contexts for a loading confguration never have to be updated, becasue no SSL_CTX's have been created using it yet.