From a7bb3fb40ed9caf07ddb3f348eaaa2582577aedd Mon Sep 17 00:00:00 2001
From: Francis Dupont
Date: Tue, 12 Nov 2024 10:04:02 +0100
Subject: [PATCH 1/3] [#3255] Added a note

---
 doc/sphinx/arm/security.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/sphinx/arm/security.rst b/doc/sphinx/arm/security.rst
index 8ceb4f12ec..b6cf3fccf1 100644
--- a/doc/sphinx/arm/security.rst
+++ b/doc/sphinx/arm/security.rst
@@ -36,6 +36,13 @@ protection possible: the two security mechanisms, and therefore no proof that the TLS client and server are the same as the HTTP authentication client and server.
+.. note::
+
+ On reconfiguration a new listener HTTP socket is opened only when the
+ address or the port was changed so to apply a TLS setup change, e.g.
+ a certificate update, Kea must be restarted (i.e. stopped and started
+ vs reloaded).
+
 .. _tls_config:
 Building Kea with TLS/HTTPS Support

From d542b047949be7df0c3b386a0b5e86e96e64a41e Mon Sep 17 00:00:00 2001
From: Francis Dupont
Date: Fri, 29 Nov 2024 10:36:54 +0100
Subject: [PATCH 2/3] [#3255] Added a getTlsContext to HTTP listener

---
 src/lib/http/listener.cc | 5 +++++
 src/lib/http/listener.h | 3 +++
 src/lib/http/listener_impl.cc | 5 +++++
 src/lib/http/listener_impl.h | 3 +++
 src/lib/http/tests/http_server_test.h | 1 +
 5 files changed, 17 insertions(+)

diff --git a/src/lib/http/listener.cc b/src/lib/http/listener.cc
index 18f81f529c..9c05e99689 100644
--- a/src/lib/http/listener.cc
+++ b/src/lib/http/listener.cc
@@ -42,6 +42,11 @@ HttpListener::getLocalPort() const {
 return (impl_->getEndpoint().getPort());
 }
 
+const TlsContextPtr&
+HttpListener::getTlsContext() const {
+ return (impl_->getTlsContext());
+}
+
 int
 HttpListener::getNative() const {
 return (impl_->getNative());
diff --git a/src/lib/http/listener.h b/src/lib/http/listener.h
index b842d7f18d..9f35e62642 100644
--- a/src/lib/http/listener.h
+++ b/src/lib/http/listener.h
@@ -115,6 +115,9 @@ class HttpListener {
 /// @brief Returns local port on which server is listening.
 uint16_t getLocalPort() const;
 
+ /// @brief Returns reference to the current TLS context.
+ const asiolink::TlsContextPtr& getTlsContext() const;
+
 /// @brief file descriptor of the underlying acceptor socket.
 int getNative() const;
 
diff --git a/src/lib/http/listener_impl.cc b/src/lib/http/listener_impl.cc
index 70535ef7e5..85fd74ee3d 100644
--- a/src/lib/http/listener_impl.cc
+++ b/src/lib/http/listener_impl.cc
@@ -70,6 +70,11 @@ HttpListenerImpl::getEndpoint() const {
 return (*endpoint_);
 }
 
+const TlsContextPtr&
+HttpListenerImpl::getTlsContext() const {
+ return (tls_context_);
+}
+
 int
 HttpListenerImpl::getNative() const {
 return (acceptor_ ? acceptor_->getNative() : -1);
diff --git a/src/lib/http/listener_impl.h b/src/lib/http/listener_impl.h
index 73f70dc507..f36a1330b8 100644
--- a/src/lib/http/listener_impl.h
+++ b/src/lib/http/listener_impl.h
@@ -60,6 +60,9 @@ class HttpListenerImpl : public boost::enable_shared_from_this
 /// @brief Returns reference to the current listener endpoint.
 const asiolink::TCPEndpoint& getEndpoint() const;
 
+ /// @brief Returns reference to the current TLS context.
+ const asiolink::TlsContextPtr& getTlsContext() const;
+
 /// @brief file descriptor of the underlying acceptor socket.
 int getNative() const;
 
diff --git a/src/lib/http/tests/http_server_test.h b/src/lib/http/tests/http_server_test.h
index 48c0671400..bd59d61ce3 100644
--- a/src/lib/http/tests/http_server_test.h
+++ b/src/lib/http/tests/http_server_test.h
@@ -392,6 +392,7 @@ class BaseListenerTest : public ::testing::Test {
 ASSERT_NO_THROW(listener.start());
 ASSERT_EQ(SERVER_ADDRESS, listener.getLocalAddress().toText());
 ASSERT_EQ(SERVER_PORT, listener.getLocalPort());
+ ASSERT_EQ(server_context_, listener.getTlsContext());
 ASSERT_NO_THROW(startRequest(request));
 ASSERT_NO_THROW(runIOService());
 ASSERT_EQ(1, clients_.size());
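Review bot: The new `getTlsContext()` declaration in listener.h (and its twin in listener_impl.h) documents the result only as "reference to the current TLS context" and does not say that the pointer is null when the listener was created without TLS, which is exactly the property the ca_process.cc change in patch 3/3 relies on when it uses the pointer's truthiness to tell HTTPS from HTTP. Spelling the contract out keeps callers from dereferencing it blindly: `/// @brief Returns reference to the current TLS context.` / `///` / `/// @return The TLS context, or a null pointer when the listener serves plain HTTP.` Both class bodies continue outside the hunks, so the same wording should be applied in listener_impl.h.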
From e138afba296189fa3614638fc55d6418b26dcefa Mon Sep 17 00:00:00 2001
From: Francis Dupont
Date: Fri, 29 Nov 2024 11:34:37 +0100
Subject: [PATCH 3/3] [#3255] Added CA reuse logs

---
 src/bin/agent/ca_messages.cc | 4 ++++
 src/bin/agent/ca_messages.h | 2 ++
 src/bin/agent/ca_messages.mes | 9 +++++++++
 src/bin/agent/ca_process.cc | 18 ++++++++++++++++--
 4 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/src/bin/agent/ca_messages.cc b/src/bin/agent/ca_messages.cc
index 4c9df2bb8d..7c511012bd 100644
--- a/src/bin/agent/ca_messages.cc
+++ b/src/bin/agent/ca_messages.cc
@@ -15,7 +15,9 @@ extern const isc::log::MessageID CTRL_AGENT_CONFIG_CHECK_FAIL = "CTRL_AGENT_CONF
 extern const isc::log::MessageID CTRL_AGENT_CONFIG_FAIL = "CTRL_AGENT_CONFIG_FAIL";
 extern const isc::log::MessageID CTRL_AGENT_CONFIG_SYNTAX_WARNING = "CTRL_AGENT_CONFIG_SYNTAX_WARNING";
 extern const isc::log::MessageID CTRL_AGENT_FAILED = "CTRL_AGENT_FAILED";
+extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_REUSED = "CTRL_AGENT_HTTPS_SERVICE_REUSED";
 extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_STARTED = "CTRL_AGENT_HTTPS_SERVICE_STARTED";
+extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_REUSED = "CTRL_AGENT_HTTP_SERVICE_REUSED";
 extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_STARTED = "CTRL_AGENT_HTTP_SERVICE_STARTED";
 extern const isc::log::MessageID CTRL_AGENT_RUN_EXIT = "CTRL_AGENT_RUN_EXIT";
 extern const isc::log::MessageID CTRL_AGENT_STARTED = "CTRL_AGENT_STARTED";
@@ -34,7 +36,9 @@ const char* values[] = {
 "CTRL_AGENT_CONFIG_FAIL", "Control Agent configuration failed: %1",
 "CTRL_AGENT_CONFIG_SYNTAX_WARNING", "Control Agent configuration syntax warning: %1",
 "CTRL_AGENT_FAILED", "application experienced a fatal error: %1",
+ "CTRL_AGENT_HTTPS_SERVICE_REUSED", "reused HTTPS service bound to address %1:%2",
 "CTRL_AGENT_HTTPS_SERVICE_STARTED", "HTTPS service bound to address %1:%2",
+ "CTRL_AGENT_HTTP_SERVICE_REUSED", "reused HTTP service bound to address %1:%2",
 "CTRL_AGENT_HTTP_SERVICE_STARTED", "HTTP service bound to address %1:%2",
 "CTRL_AGENT_RUN_EXIT", "application is exiting the event loop",
 "CTRL_AGENT_STARTED", "Kea Control Agent version %1 started",
diff --git a/src/bin/agent/ca_messages.h b/src/bin/agent/ca_messages.h
index dda48661fc..59ad772807 100644
--- a/src/bin/agent/ca_messages.h
+++ b/src/bin/agent/ca_messages.h
@@ -16,7 +16,9 @@ extern const isc::log::MessageID CTRL_AGENT_CONFIG_CHECK_FAIL;
 extern const isc::log::MessageID CTRL_AGENT_CONFIG_FAIL;
 extern const isc::log::MessageID CTRL_AGENT_CONFIG_SYNTAX_WARNING;
 extern const isc::log::MessageID CTRL_AGENT_FAILED;
+extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_REUSED;
 extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_STARTED;
+extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_REUSED;
 extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_STARTED;
 extern const isc::log::MessageID CTRL_AGENT_RUN_EXIT;
 extern const isc::log::MessageID CTRL_AGENT_STARTED;
diff --git a/src/bin/agent/ca_messages.mes b/src/bin/agent/ca_messages.mes
index 70df329bd1..f592955f3d 100644
--- a/src/bin/agent/ca_messages.mes
+++ b/src/bin/agent/ca_messages.mes
@@ -43,11 +43,20 @@ error. The error was displayed and the configuration parsing resumed. This is a fatal error message issued when the Control Agent application encounters an unrecoverable error from within the event loop.
+% CTRL_AGENT_HTTPS_SERVICE_REUSED reused HTTPS service bound to address %1:%2
+This informational message indicates that the server has reused existing
+HTTPS service on the specified address and port. Note that any change in
+the TLS setup was ignored.
+
 % CTRL_AGENT_HTTPS_SERVICE_STARTED HTTPS service bound to address %1:%2
 This informational message indicates that the server has started HTTPS service on the specified address and port. All control commands should be sent to this address and port over a TLS channel.
+% CTRL_AGENT_HTTP_SERVICE_REUSED reused HTTP service bound to address %1:%2
+This informational message indicates that the server has reused existing
+HTTPS service on the specified address and port.
+
 % CTRL_AGENT_HTTP_SERVICE_STARTED HTTP service bound to address %1:%2
 This informational message indicates that the server has started HTTP service on the specified address and port. All control commands should be sent to this
diff --git a/src/bin/agent/ca_process.cc b/src/bin/agent/ca_process.cc
index 2403eedb1a..86dec95e36 100644
--- a/src/bin/agent/ca_process.cc
+++ b/src/bin/agent/ca_process.cc
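Review bot: The description added for `CTRL_AGENT_HTTP_SERVICE_REUSED` says the server "has reused existing HTTPS service", copied from the HTTPS entry above it, although this message is only logged on the plain-HTTP path; the second line should read `HTTP service on the specified address and port.`. The `CTRL_AGENT_HTTPS_SERVICE_REUSED` description states that any TLS setup change was ignored but not what the operator should do about it; appending `A changed TLS setup (for instance a renewed certificate) only takes effect after the Control Agent is restarted.` would match the note added to security.rst in patch 1/3 and spare the reader a search.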
@@ -181,15 +181,29 @@ CtrlAgentProcess::configure(isc::data::ConstElementPtr config_set,
 // active listeners. The next step will be to remove all other
 // active listeners, but we do it inside the main process loop.
 http_listeners_.push_back(http_listener);
+ } else if (!http_listeners_.empty()) {
+ // Reconfig keeping the same address and port.
+ if (http_listeners_.back()->getTlsContext()) {
+ LOG_INFO(agent_logger, CTRL_AGENT_HTTPS_SERVICE_REUSED)
+ .arg(server_address.toText())
+ .arg(server_port);
+ } else {
+ LOG_INFO(agent_logger, CTRL_AGENT_HTTP_SERVICE_REUSED)
+ .arg(server_address.toText())
+ .arg(server_port);
+ }
+ return;
 }
 
 // Ok, seems we're good to go.
 if (use_https) {
 LOG_INFO(agent_logger, CTRL_AGENT_HTTPS_SERVICE_STARTED)
- .arg(server_address.toText()).arg(server_port);
+ .arg(server_address.toText())
+ .arg(server_port);
 } else {
 LOG_INFO(agent_logger, CTRL_AGENT_HTTP_SERVICE_STARTED)
- .arg(server_address.toText()).arg(server_port);
+ .arg(server_address.toText())
+ .arg(server_port);
 }
 });
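Review bot: The new reuse branch picks its log message from the existing listener's `getTlsContext()` and returns, but it never compares that state with the `use_https` the new configuration asks for, so a reload that turns TLS on (or off) for an address:port that is already bound is accepted and reported as a successful reuse at INFO level, and the only hint that the requested transport is not in effect is the wording of the log line. The mismatch should at least be detected and reported at warning level, so an operator who enables HTTPS and sees "reused HTTP service" is not left believing the endpoint is now protected; the listener condition that precedes this hunk (which, per the note in patch 1/3, looks only at address and port) and the rest of `configure()` lie outside the hunk, so recreating the listener on a transport change may be the better fix there. A sketch of the branch, with the new message ID left as a placeholder that would have to be added to ca_messages.mes:

```cpp
        } else if (!http_listeners_.empty()) {
            // Reconfig keeping the same address and port: the listener is
            // kept, so report what is actually in effect.
            const bool was_https =
                static_cast<bool>(http_listeners_.back()->getTlsContext());
            if (was_https != use_https) {
                // The requested transport differs from what the reused
                // listener provides; the change does not take effect.
                LOG_WARN(agent_logger, CTRL_AGENT_PLACEHOLDER_TRANSPORT_CHANGE_IGNORED)
                    .arg(server_address.toText())
                    .arg(server_port);
            } else if (was_https) {
                LOG_INFO(agent_logger, CTRL_AGENT_HTTPS_SERVICE_REUSED)
                    .arg(server_address.toText())
                    .arg(server_port);
            } else {
                LOG_INFO(agent_logger, CTRL_AGENT_HTTP_SERVICE_REUSED)
                    .arg(server_address.toText())
                    .arg(server_port);
            }
            return;
        }
        // … unchanged: "good to go" STARTED logging …
```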