diff options
author | Ingela Anderton Andin <[email protected]> | 2017-01-31 16:57:57 +0100 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2017-02-01 12:22:34 +0100 |
commit | 2db05402f6b81e312ea268dd56483d0b3ca15941 (patch) | |
tree | 0ce48bfc8f96766dbd2a51fd14df8244e3a96d44 /lib/ssl | |
parent | 21d21786abdaae2ae0a601baf5102412399d7af6 (diff) | |
download | otp-2db05402f6b81e312ea268dd56483d0b3ca15941.tar.gz otp-2db05402f6b81e312ea268dd56483d0b3ca15941.tar.bz2 otp-2db05402f6b81e312ea268dd56483d0b3ca15941.zip |
ssl: Make sure PEM cache works as intended
Move of PEM cache to own process was flawed and not all PEM files
where cached properly. We must properly handle both the ditributed
and the normal mode of the ssl application.
Diffstat (limited to 'lib/ssl')
-rw-r--r-- | lib/ssl/src/ssl_config.erl | 4 | ||||
-rw-r--r-- | lib/ssl/src/ssl_manager.erl | 4 | ||||
-rw-r--r-- | lib/ssl/src/ssl_pem_cache.erl | 2 | ||||
-rw-r--r-- | lib/ssl/src/ssl_pkix_db.erl | 17 |
4 files changed, 15 insertions, 12 deletions
diff --git a/lib/ssl/src/ssl_config.erl b/lib/ssl/src/ssl_config.erl index 54f83928ee..4926a146fe 100644 --- a/lib/ssl/src/ssl_config.erl +++ b/lib/ssl/src/ssl_config.erl @@ -42,10 +42,10 @@ init(SslOpts, Role) -> init_manager_name(false) -> put(ssl_manager, ssl_manager:name(normal)), - put(ssl_cache, ssl_pem_cache:name(normal)); + put(ssl_pem_cache, ssl_pem_cache:name(normal)); init_manager_name(true) -> put(ssl_manager, ssl_manager:name(dist)), - put(ssl_cache, ssl_pem_cache:name(dist)). + put(ssl_pem_cache, ssl_pem_cache:name(dist)). init_certificates(#ssl_options{cacerts = CaCerts, cacertfile = CACertFile, diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl index 29b15f843f..3b2ddeaa56 100644 --- a/lib/ssl/src/ssl_manager.erl +++ b/lib/ssl/src/ssl_manager.erl @@ -128,7 +128,7 @@ cache_pem_file(File, DbHandle) -> [Content] -> {ok, Content}; undefined -> - ssl_pem_cache:insert(File) + ssl_pem_cache:insert(File) end. %%-------------------------------------------------------------------- @@ -224,7 +224,7 @@ init([ManagerName, PemCacheName, Opts]) -> CacheCb = proplists:get_value(session_cb, Opts, ssl_session_cache), SessionLifeTime = proplists:get_value(session_lifetime, Opts, ?'24H_in_sec'), - CertDb = ssl_pkix_db:create(), + CertDb = ssl_pkix_db:create(PemCacheName), ClientSessionCache = CacheCb:init([{role, client} | proplists:get_value(session_cb_init_args, Opts, [])]), diff --git a/lib/ssl/src/ssl_pem_cache.erl b/lib/ssl/src/ssl_pem_cache.erl index 2b31374bcc..f63a301f69 100644 --- a/lib/ssl/src/ssl_pem_cache.erl +++ b/lib/ssl/src/ssl_pem_cache.erl @@ -133,7 +133,7 @@ invalidate_pem(File) -> init([Name]) -> put(ssl_pem_cache, Name), process_flag(trap_exit, true), - PemCache = ssl_pkix_db:create_pem_cache(), + PemCache = ssl_pkix_db:create_pem_cache(Name), Interval = pem_check_interval(), erlang:send_after(Interval, self(), clear_pem_cache), {ok, #state{pem_cache = PemCache, diff --git a/lib/ssl/src/ssl_pkix_db.erl b/lib/ssl/src/ssl_pkix_db.erl index 961a555873..cde05bb16f 100644 --- a/lib/ssl/src/ssl_pkix_db.erl +++ b/lib/ssl/src/ssl_pkix_db.erl @@ -28,7 +28,7 @@ -include_lib("public_key/include/public_key.hrl"). -include_lib("kernel/include/file.hrl"). --export([create/0, create_pem_cache/0, +-export([create/1, create_pem_cache/1, add_crls/3, remove_crls/2, remove/1, add_trusted_certs/3, extract_trusted_certs/1, remove_trusted_certs/2, insert/3, remove/2, clear/1, db_size/1, @@ -40,13 +40,13 @@ %%==================================================================== %%-------------------------------------------------------------------- --spec create() -> [db_handle(),...]. +-spec create(atom()) -> [db_handle(),...]. %% %% Description: Creates a new certificate db. %% Note: lookup_trusted_cert/4 may be called from any process but only %% the process that called create may call the other functions. %%-------------------------------------------------------------------- -create() -> +create(PEMCacheName) -> [%% Let connection process delete trusted certs %% that can only belong to one connection. (Supplied directly %% on DER format to ssl:connect/listen.) @@ -56,14 +56,14 @@ create() -> ets:new(ssl_otp_ca_ref_file_mapping, [set, protected]) }, %% Lookups in named table owned by ssl_pem_cache process - ssl_otp_pem_cache, + PEMCacheName, %% Default cache {ets:new(ssl_otp_crl_cache, [set, protected]), ets:new(ssl_otp_crl_issuer_mapping, [bag, protected])} ]. -create_pem_cache() -> - ets:new(ssl_otp_pem_cache, [named_table, set, protected]). +create_pem_cache(Name) -> + ets:new(Name, [named_table, set, protected]). %%-------------------------------------------------------------------- -spec remove([db_handle()]) -> ok. @@ -76,7 +76,9 @@ remove(Dbs) -> true = ets:delete(Db1); (undefined) -> ok; - (ssl_otp_pem_cache) -> + (ssl_pem_cache) -> + ok; + (ssl_pem_cache_dist) -> ok; (Db) -> true = ets:delete(Db) @@ -341,3 +343,4 @@ crl_issuer(DerCRL) -> CRL = public_key:der_decode('CertificateList', DerCRL), TBSCRL = CRL#'CertificateList'.tbsCertList, TBSCRL#'TBSCertList'.issuer. + |