Skip to content

Updated testing and fixed bug in SSLSNIConfig #12248

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bryancall merged 5 commits into from
May 21, 2025
Merged

Updated testing and fixed bug in SSLSNIConfig #12248

bryancall merged 5 commits into from
May 21, 2025

Conversation

@bryancall
Copy link
Contributor

@bryancall bryancall commented May 16, 2025
edited
Loading

If the sni.yaml configuration file contained multiple wildcard entries, an incorrect wildcard entry could be matched instead of the exact match listed first in the file.

This issue occurred because the rank for wildcard entries was set to 0 (the default value) and was not updated in the move constructor when the list was resized to accommodate a new entry.

PR that caused the bug: #9736

TODO:

  • Write a capture group test

@bryancall bryancall added this to the 10.2.0 milestone May 16, 2025
@bryancall bryancall self-assigned this May 16, 2025
@bryancall
Copy link
Contributor Author

bryancall commented May 16, 2025

Looking at the updated docs globs in the middle are no longer supported. It adds the entry with the asterisk in the middle to the exact match list with no warning.

bryancall
bryancall commented May 16, 2025
View reviewed changes
src/iocore/net/SSLSNIConfig.cc
if (this != &other) {
match = std::move(other.match);
inbound_port_ranges = std::move(other.inbound_port_ranges);
rank = other.rank;
Copy link
Contributor Author

@bryancall bryancall May 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the bug fix. ⬆️

The rest of the changes are more tests and an updated config.

Copy link
Contributor

@masaori335 masaori335 May 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes sense

@bryancall bryancall requested a review from masaori335 May 16, 2025 21:04
@bryancall
Copy link
Contributor Author

bryancall commented May 16, 2025
edited
Loading

Hey @masaori335, you added in the performance enhancements and ranking to begin with, so you should know more about this code than anyone else. Can you please review the bug fix and the added tests?

If you can think of more tests I can add them too. I have another PR #12219 to change the PCRE regexes to use the Regex class (PCRE2 wrapper) and I want to make sure the tests will catch any new bugs.

I have to check to see if we are covering case were we verify the capture group.

@bryancall
Copy link
Contributor Author

bryancall commented May 21, 2025

@masaori335 Can you take a look at this? I would like to get it merged in, I have another PR that relies on this one.

masaori335
masaori335 reviewed May 21, 2025
View reviewed changes
src/iocore/net/unit_tests/sni_conf_test.yaml
http2: false

# test glob in the middle, this will be an exact match
- fqdn: "cat.*.com"
Copy link
Contributor

@masaori335 masaori335 May 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussion around the #9736, we concluded don't allow this. This should be error.

  1. Allow single left-most * in the fqdn field

https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html

Copy link
Contributor

@masaori335 masaori335 May 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is for these tests for invalid?
https://github.com/apache/trafficserver/pull/12248/files#diff-40f6583cfe88d8e4ea494c95bf3dbceed8a172c40836afe607f9ff7c1981e3a8R160-R171

@masaori335
Copy link
Contributor

masaori335 commented May 21, 2025

The main change seems reasonable, but the wildcard in middle is we don't support. If you rush, we can merge this and deal with the issue later.

@bryancall bryancall merged commit 4d12805 into apache:master May 21, 2025
15 checks passed
@github-project-automation github-project-automation bot moved this to For v10.1.0 in ATS v10.1.x May 21, 2025
@bryancall bryancall mentioned this pull request May 21, 2025
Merged
@cmcfarlen cmcfarlen moved this from For v10.1.0 to picked v10.1.0 in ATS v10.1.x May 27, 2025
@cmcfarlen cmcfarlen modified the milestones: 10.2.0, 10.1.0 May 27, 2025
@cmcfarlen
Copy link
Contributor

cmcfarlen commented May 27, 2025

Cherry-picked to 10.1.x branch

cmcfarlen pushed a commit that referenced this pull request May 27, 2025
@bryancall @cmcfarlen
Updated testing and fixed bug in SSLSNIConfig (#12248)
d6bed95 
(cherry picked from commit 4d12805)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@masaori335 masaori335 masaori335 approved these changes

Assignees

@bryancall bryancall

Labels

Bug Tests

Projects

ATS v10.1.x
Status: picked v10.1.0

Milestone

10.1.0

Development

Successfully merging this pull request may close these issues.

3 participants

@bryancall @masaori335 @cmcfarlen