This repository was archived by the owner on Jun 1, 2026. It is now read-only.
Implement host override of CN checking in the ASIO backend#832
Merged
Conversation
Add new function calc_cn_host which applies our host header override policy. Add the CN hostname used to asio_connection. Change the protocol such that the SSL upgrade request needs to come with the target hostname to use. Replace std::deque in connection pooling with a version that has constant amortized time per insertion. (std::deque is only constant amortized time for insertions in terms of element operations, not overall). Factor out the replacement policy from the overall pool machinery. Change release() to take shared_ptr&& to make sure the caller has let go. Enable verify_cert_chain_platform_specific on Windows; otherwise OpenSSL says that the root CAs are untrusted and all SSL tests fail on Windows. This accidentially repairs these test cases on Windows: **** outside_tests:outside_wikipedia_compressed_http_response FAILED **** **** outside_tests:multiple_https_requests FAILED **** **** outside_tests:outside_ssl_json FAILED ****
| } | ||
| m_ssl_stream = utility::details::make_unique<boost::asio::ssl::stream<boost::asio::ip::tcp::socket&>>( | ||
| m_socket, ssl_context); | ||
| m_cn_hostname = cn_hostname; |
| } | ||
| catch (...) | ||
| { | ||
| // if we didn't have enough memory to pool the connection, give up and drop it on the |
Contributor
There was a problem hiding this comment.
We don't handle OOM, so this is unneeded.
| { | ||
| start_epoch_interval(shared_from_this()); | ||
| is_timer_running = true; | ||
| return; |
Contributor
There was a problem hiding this comment.
Needs a auto dropped = std::move(connection);
| #ifdef CPPREST_PLATFORM_ASIO_CERT_VERIFICATION_AVAILABLE | ||
| , m_openssl_failed(false) | ||
| #endif | ||
| #endif // CPPREST_USE_PLATFORM_VERIFICATION |
Contributor
There was a problem hiding this comment.
Comment doesn't match #ifdef
| return verify_cert_chain_platform_specific(verifyCtx, m_connection->cn_hostname()); | ||
| } | ||
| #endif | ||
| #endif // CPPREST_USE_PLATFORM_VERIFICATION |
Contributor
There was a problem hiding this comment.
Comment doesn't match #ifdef
| #ifdef CPPREST_PLATFORM_ASIO_CERT_VERIFICATION_AVAILABLE | ||
| bool m_openssl_failed; | ||
| #endif | ||
| #endif // CPPREST_USE_PLATFORM_VERIFICATION |
Contributor
There was a problem hiding this comment.
Comment doesn't match #ifdef
| } | ||
|
|
||
| m_availableConnections.swap(m_returnedConnections); | ||
| std::reverse(m_availableConnections.begin(), m_availableConnections.end()); |
Contributor
There was a problem hiding this comment.
This should be LIFO to emphasize hot connections.
Contributor
There was a problem hiding this comment.
Consider renaming m_coldConnections to m_high_water_mark
| } | ||
|
|
||
| void release(const std::shared_ptr<asio_connection>& connection) | ||
| void release(std::shared_ptr<asio_connection>&& connection) |
Contributor
There was a problem hiding this comment.
The timer needs to be restarted if it isn't running.
zowers
reviewed
Aug 17, 2018
| const web::http::http_headers& requestHeaders) | ||
| { | ||
| std::string result; | ||
| if (secure) |
Member
Author
|
Yes, that's correct/intentional.
…On Fri, Aug 17, 2018 at 9:21 AM Alexander Petrov ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In Release/src/http/client/http_client_asio.cpp
<#832 (comment)>:
> @@ -81,7 +81,35 @@ using utility::conversions::details::to_string;
using std::to_string;
#endif
-static const std::string CRLF("\r\n");
+namespace
+{
+const std::string CRLF("\r\n");
+
+std::string calc_cn_host(const bool secure,
+ const web::http::uri& baseUri,
+ const web::http::http_headers& requestHeaders)
+{
+ std::string result;
+ if (secure)
returns empty string when !secure
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#832 (review)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABeS7-z6CeidxhKcp_r34pYfVJfnZTspks5uRu2SgaJpZM4V247i>
.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add new function calc_cn_host which applies our host header override policy.
Add the CN hostname used to asio_connection. Change the protocol such that the SSL upgrade request needs to come with the target hostname to use.
Replace std::deque in connection pooling with a version that has constant amortized time per insertion. (std::deque is only constant amortized time for insertions in terms of element operations, not overall). Factor out the replacement policy from the overall pool machinery.
Change release() to take shared_ptr&& to make sure the caller has let go.
Enable verify_cert_chain_platform_specific on Windows; otherwise OpenSSL says that the root CAs are untrusted and all SSL tests fail on Windows.
This accidentially repairs these test cases on Windows:
**** outside_tests:outside_wikipedia_compressed_http_response FAILED ****
**** outside_tests:multiple_https_requests FAILED ****
**** outside_tests:outside_ssl_json FAILED ****