From aa5ccbc7795739367b8b43ca1935406f885cf943 Mon Sep 17 00:00:00 2001 From: Razvan Becheriu Date: Fri, 7 Feb 2025 14:35:47 +0200 Subject: [PATCH] [#3694] throw error when switching from/to TLS --- doc/sphinx/arm/agent.rst | 3 +++ doc/sphinx/arm/ddns.rst | 2 ++ doc/sphinx/arm/dhcp4-srv.rst | 2 ++ doc/sphinx/arm/dhcp6-srv.rst | 2 ++ src/bin/agent/ca_messages.cc | 8 +++---- src/bin/agent/ca_messages.h | 4 ++-- src/bin/agent/ca_messages.mes | 15 +++++++------ src/bin/agent/ca_process.cc | 8 +++++-- .../agent/tests/ca_controller_unittests.cc | 20 ++++++++--------- src/bin/d2/tests/d2_http_command_unittest.cc | 22 +++++++++---------- .../tests/http_control_socket_unittest.cc | 16 +++++++------- .../tests/http_control_socket_unittest.cc | 16 +++++++------- src/lib/config/config_messages.cc | 8 +++---- src/lib/config/config_messages.h | 4 ++-- src/lib/config/config_messages.mes | 15 +++++++------ src/lib/config/http_command_mgr.cc | 8 +++++-- 16 files changed, 86 insertions(+), 67 deletions(-) diff --git a/doc/sphinx/arm/agent.rst b/doc/sphinx/arm/agent.rst index 3519cb097d..231246d0ad 100644 --- a/doc/sphinx/arm/agent.rst +++ b/doc/sphinx/arm/agent.rst @@ -259,6 +259,9 @@ Configuring only one or two string parameters results in an error. mutually authenticated, but there is no proof they are the same as for the HTTP authentication. +A different address or port must be specified when using the "config-set" +command to switch from HTTP to HTTPS or from HTTPS to HTTP. + The :iscman:`kea-shell` tool also supports TLS. .. _agent-launch: diff --git a/doc/sphinx/arm/ddns.rst b/doc/sphinx/arm/ddns.rst index a6ee21fb91..4b2f141a75 100644 --- a/doc/sphinx/arm/ddns.rst +++ b/doc/sphinx/arm/ddns.rst @@ -428,6 +428,8 @@ password, these values can be read from files. The syntax is extended by: Since Kea-2.7.6 Kea supports multiple HTTP/HTTPS connections. Both IPv4 and IPv6 addresses can be used. +A different address or port must be specified when using the "config-set" +command to switch from HTTP to HTTPS or from HTTPS to HTTP. When files are used, they are read when the configuration is loaded, to detect configuration errors as soon as possible. diff --git a/doc/sphinx/arm/dhcp4-srv.rst b/doc/sphinx/arm/dhcp4-srv.rst index ff90fbbeb2..9939e36646 100644 --- a/doc/sphinx/arm/dhcp4-srv.rst +++ b/doc/sphinx/arm/dhcp4-srv.rst @@ -7922,6 +7922,8 @@ password, these values can be read from files. The syntax is extended by: Since Kea-2.7.6 Kea supports multiple HTTP/HTTPS connections. Both IPv4 and IPv6 addresses can be used. +A different address or port must be specified when using the "config-set" +command to switch from HTTP to HTTPS or from HTTPS to HTTP. When files are used, they are read when the configuration is loaded, to detect configuration errors as soon as possible. diff --git a/doc/sphinx/arm/dhcp6-srv.rst b/doc/sphinx/arm/dhcp6-srv.rst index 6eebcd3f97..ea7e3b878c 100644 --- a/doc/sphinx/arm/dhcp6-srv.rst +++ b/doc/sphinx/arm/dhcp6-srv.rst @@ -7723,6 +7723,8 @@ password, these values can be read from files. The syntax is extended by: Since Kea-2.7.6 Kea supports multiple HTTP/HTTPS connections. Both IPv4 and IPv6 addresses can be used. +A different address or port must be specified when using the "config-set" +command to switch from HTTP to HTTPS or from HTTPS to HTTP. When files are used, they are read when the configuration is loaded, to detect configuration errors as soon as possible. diff --git a/src/bin/agent/ca_messages.cc b/src/bin/agent/ca_messages.cc index b8cb1ec6af..d433ee08f9 100644 --- a/src/bin/agent/ca_messages.cc +++ b/src/bin/agent/ca_messages.cc @@ -15,10 +15,10 @@ extern const isc::log::MessageID CTRL_AGENT_CONFIG_CHECK_FAIL = "CTRL_AGENT_CONF extern const isc::log::MessageID CTRL_AGENT_CONFIG_FAIL = "CTRL_AGENT_CONFIG_FAIL"; extern const isc::log::MessageID CTRL_AGENT_CONFIG_SYNTAX_WARNING = "CTRL_AGENT_CONFIG_SYNTAX_WARNING"; extern const isc::log::MessageID CTRL_AGENT_FAILED = "CTRL_AGENT_FAILED"; -extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_REUSED = "CTRL_AGENT_HTTPS_SERVICE_REUSED"; +extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_REUSE_FAILED = "CTRL_AGENT_HTTPS_SERVICE_REUSE_FAILED"; extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_STARTED = "CTRL_AGENT_HTTPS_SERVICE_STARTED"; extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_UPDATED = "CTRL_AGENT_HTTPS_SERVICE_UPDATED"; -extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_REUSED = "CTRL_AGENT_HTTP_SERVICE_REUSED"; +extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED = "CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED"; extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_STARTED = "CTRL_AGENT_HTTP_SERVICE_STARTED"; extern const isc::log::MessageID CTRL_AGENT_RUN_EXIT = "CTRL_AGENT_RUN_EXIT"; extern const isc::log::MessageID CTRL_AGENT_STARTED = "CTRL_AGENT_STARTED"; @@ -37,10 +37,10 @@ const char* values[] = { "CTRL_AGENT_CONFIG_FAIL", "Control Agent configuration failed: %1", "CTRL_AGENT_CONFIG_SYNTAX_WARNING", "Control Agent configuration syntax warning: %1", "CTRL_AGENT_FAILED", "application experienced a fatal error: %1", - "CTRL_AGENT_HTTPS_SERVICE_REUSED", "reused HTTPS service bound to address %1:%2", + "CTRL_AGENT_HTTPS_SERVICE_REUSE_FAILED", "failed to reuse HTTPS service bound to address %1:%2", "CTRL_AGENT_HTTPS_SERVICE_STARTED", "HTTPS service bound to address %1:%2", "CTRL_AGENT_HTTPS_SERVICE_UPDATED", "reused HTTPS service bound to address %1:%2 and updated TLS settings", - "CTRL_AGENT_HTTP_SERVICE_REUSED", "reused HTTP service bound to address %1:%2", + "CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED", "failed to reused HTTP service bound to address %1:%2", "CTRL_AGENT_HTTP_SERVICE_STARTED", "HTTP service bound to address %1:%2", "CTRL_AGENT_RUN_EXIT", "application is exiting the event loop", "CTRL_AGENT_STARTED", "Kea Control Agent version %1 started", diff --git a/src/bin/agent/ca_messages.h b/src/bin/agent/ca_messages.h index 24d97b3f61..898e6187f6 100644 --- a/src/bin/agent/ca_messages.h +++ b/src/bin/agent/ca_messages.h @@ -16,10 +16,10 @@ extern const isc::log::MessageID CTRL_AGENT_CONFIG_CHECK_FAIL; extern const isc::log::MessageID CTRL_AGENT_CONFIG_FAIL; extern const isc::log::MessageID CTRL_AGENT_CONFIG_SYNTAX_WARNING; extern const isc::log::MessageID CTRL_AGENT_FAILED; -extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_REUSED; +extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_REUSE_FAILED; extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_STARTED; extern const isc::log::MessageID CTRL_AGENT_HTTPS_SERVICE_UPDATED; -extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_REUSED; +extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED; extern const isc::log::MessageID CTRL_AGENT_HTTP_SERVICE_STARTED; extern const isc::log::MessageID CTRL_AGENT_RUN_EXIT; extern const isc::log::MessageID CTRL_AGENT_STARTED; diff --git a/src/bin/agent/ca_messages.mes b/src/bin/agent/ca_messages.mes index f2a73ad6e4..9818af2f8d 100644 --- a/src/bin/agent/ca_messages.mes +++ b/src/bin/agent/ca_messages.mes @@ -43,10 +43,10 @@ error. The error was displayed and the configuration parsing resumed. This is a fatal error message issued when the Control Agent application encounters an unrecoverable error from within the event loop. -% CTRL_AGENT_HTTPS_SERVICE_REUSED reused HTTPS service bound to address %1:%2 -This informational message indicates that the server has reused existing -HTTPS service on the specified address and port. Note that any change in -the TLS setup was ignored. +% CTRL_AGENT_HTTPS_SERVICE_REUSE_FAILED failed to reuse HTTPS service bound to address %1:%2 +This error message indicates that the server has failed reusing existing +HTTPS service on the specified address and port. The server can not swith from +HTTPS to HTTP sockets using the same address and port. % CTRL_AGENT_HTTPS_SERVICE_STARTED HTTPS service bound to address %1:%2 This informational message indicates that the server has started HTTPS service @@ -58,9 +58,10 @@ This informational message indicates that the server has reused existing HTTPS service on the specified address and port. Note that any change in the TLS setup has been applied. -% CTRL_AGENT_HTTP_SERVICE_REUSED reused HTTP service bound to address %1:%2 -This informational message indicates that the server has reused existing -HTTP service on the specified address and port. +% CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED failed to reused HTTP service bound to address %1:%2 +This error message indicates that the server has failed reusing existing +HTTP service on the specified address and port. The server can not swith from +HTTP to HTTPS sockets using the same address and port. % CTRL_AGENT_HTTP_SERVICE_STARTED HTTP service bound to address %1:%2 This informational message indicates that the server has started HTTP service diff --git a/src/bin/agent/ca_process.cc b/src/bin/agent/ca_process.cc index 319bb67dbb..0594714a96 100644 --- a/src/bin/agent/ca_process.cc +++ b/src/bin/agent/ca_process.cc @@ -145,9 +145,11 @@ CtrlAgentProcess::configure(isc::data::ConstElementPtr config_set, if (listener->getTlsContext()) { if (ctx->getTrustAnchor().empty()) { // Can not switch from HTTPS to HTTP - LOG_ERROR(agent_logger, CTRL_AGENT_HTTPS_SERVICE_REUSED) + LOG_ERROR(agent_logger, CTRL_AGENT_HTTPS_SERVICE_REUSE_FAILED) .arg(server_address.toText()) .arg(server_port); + isc_throw(BadValue, + "Can not switch from HTTPS to HTTP sockets using the same address and port."); } else { // Apply TLS settings each time. TlsContextPtr tls_context; @@ -167,9 +169,11 @@ CtrlAgentProcess::configure(isc::data::ConstElementPtr config_set, } } else if (!ctx->getTrustAnchor().empty()) { // Can not switch from HTTP to HTTPS - LOG_ERROR(agent_logger, CTRL_AGENT_HTTP_SERVICE_REUSED) + LOG_ERROR(agent_logger, CTRL_AGENT_HTTP_SERVICE_REUSE_FAILED) .arg(server_address.toText()) .arg(server_port); + isc_throw(BadValue, + "Can not switch from HTTP to HTTPS sockets using the same address and port."); } } // If the connection can be reused, mark it as usable. diff --git a/src/bin/agent/tests/ca_controller_unittests.cc b/src/bin/agent/tests/ca_controller_unittests.cc index 3890606e63..c6da2b2488 100644 --- a/src/bin/agent/tests/ca_controller_unittests.cc +++ b/src/bin/agent/tests/ca_controller_unittests.cc @@ -583,8 +583,8 @@ TEST_F(CtrlAgentControllerTest, noListenerChangeHttps) { EXPECT_FALSE(process->isListening()); } -// Verify that the reload will reuse listener -TEST_F(CtrlAgentControllerTest, ignoreHttpToHttpsSwitch) { +// Verify that the reload will issue an error +TEST_F(CtrlAgentControllerTest, handleHttpToHttpsSwitch) { string ca_dir(string(TEST_CA_DIR)); // This configuration should be used to override the initial configuration. @@ -653,9 +653,9 @@ TEST_F(CtrlAgentControllerTest, ignoreHttpToHttpsSwitch) { EXPECT_EQ("127.0.0.1", ctx->getHttpHost()); EXPECT_EQ(8081, ctx->getHttpPort()); - // The forwarding configuration should have been updated. - testUnixSocketInfo("dhcp4", "/second/dhcp4/socket"); - testUnixSocketInfo("dhcp6", "/second/dhcp6/socket"); + // The forwarding configuration should have not been updated. + testUnixSocketInfo("dhcp4", "/first/dhcp4/socket"); + testUnixSocketInfo("dhcp6", "/first/dhcp6/socket"); CtrlAgentProcessPtr process = getCtrlAgentProcess(); ASSERT_TRUE(process); @@ -664,8 +664,8 @@ TEST_F(CtrlAgentControllerTest, ignoreHttpToHttpsSwitch) { EXPECT_FALSE(process->isListening()); } -// Verify that the reload will reuse listener -TEST_F(CtrlAgentControllerTest, ignoreHttpsToHttpSwitch) { +// Verify that the reload will issue an error +TEST_F(CtrlAgentControllerTest, handleHttpsToHttpSwitch) { string ca_dir(string(TEST_CA_DIR)); ostringstream agent_st; agent_st << "{" @@ -753,9 +753,9 @@ TEST_F(CtrlAgentControllerTest, ignoreHttpsToHttpSwitch) { EXPECT_EQ("127.0.0.1", ctx->getHttpHost()); EXPECT_EQ(8081, ctx->getHttpPort()); - // The forwarding configuration should have been updated. - testUnixSocketInfo("dhcp4", "/second/dhcp4/socket"); - testUnixSocketInfo("dhcp6", "/second/dhcp6/socket"); + // The forwarding configuration should have not been updated. + testUnixSocketInfo("dhcp4", "/first/dhcp4/socket"); + testUnixSocketInfo("dhcp6", "/first/dhcp6/socket"); CtrlAgentProcessPtr process = getCtrlAgentProcess(); ASSERT_TRUE(process); diff --git a/src/bin/d2/tests/d2_http_command_unittest.cc b/src/bin/d2/tests/d2_http_command_unittest.cc index 00c2afcbf9..2a570669af 100644 --- a/src/bin/d2/tests/d2_http_command_unittest.cc +++ b/src/bin/d2/tests/d2_http_command_unittest.cc @@ -2149,8 +2149,8 @@ TEST_F(HttpsCtrlChannelD2Test, noListenerChange) { EXPECT_EQ(1, keys->size()); } -// Verify that the "config-set" command will reuse listener -TEST_F(HttpCtrlChannelD2Test, ignoreHttpToHttpsSwitch) { +// Verify that the "config-set" command will exit with an error +TEST_F(HttpCtrlChannelD2Test, handleHttpToHttpsSwitch) { string d2_cfg_txt = " { \n" @@ -2235,20 +2235,20 @@ TEST_F(HttpCtrlChannelD2Test, ignoreHttpToHttpsSwitch) { EXPECT_EQ(listener, HttpCommandMgr::instance().getHttpListener().get()); ASSERT_FALSE(HttpCommandMgr::instance().getHttpListener()->getTlsContext()); - // Verify the configuration was successful. - EXPECT_NE(response.find("\"result\": 0"), std::string::npos); - EXPECT_NE(response.find("\"text\": \"Configuration applied successfully.\""), + // Verify the configuration was rejected. + EXPECT_NE(response.find("\"result\": 1"), std::string::npos); + EXPECT_NE(response.find("\"text\": \"Can not switch from HTTP to HTTPS sockets using the same address and port.\""), std::string::npos); - // Check that the config was applied. + // Check that the config was not applied. d2_context = cfg_mgr->getD2CfgContext(); keys = d2_context->getKeys(); ASSERT_TRUE(keys); EXPECT_EQ(1, keys->size()); } -// Verify that the "config-set" command will reuse listener -TEST_F(HttpsCtrlChannelD2Test, ignoreHttpsToHttpSwitch) { +// Verify that the "config-set" command will exit with an error +TEST_F(HttpsCtrlChannelD2Test, handleHttpsToHttpSwitch) { string ca_dir(string(TEST_CA_DIR)); ostringstream d2_st; @@ -2343,11 +2343,11 @@ TEST_F(HttpsCtrlChannelD2Test, ignoreHttpsToHttpSwitch) { // The TLS settings have not changed EXPECT_EQ(context, HttpCommandMgr::instance().getHttpListener()->getTlsContext().get()); - // Verify the configuration was successful. - EXPECT_EQ("[ { \"arguments\": { \"hash\": \"029AE1208415D6911B5651A6F82D054F55B7877D2589CFD1DCEB5BFFCD3B13A3\" }, \"result\": 0, \"text\": \"Configuration applied successfully.\" } ]", + // Verify the configuration was rejected. + EXPECT_EQ("[ { \"result\": 1, \"text\": \"Can not switch from HTTPS to HTTP sockets using the same address and port.\" } ]", response); - // Check that the config was applied. + // Check that the config was not applied. d2_context = cfg_mgr->getD2CfgContext(); keys = d2_context->getKeys(); ASSERT_TRUE(keys); diff --git a/src/bin/dhcp4/tests/http_control_socket_unittest.cc b/src/bin/dhcp4/tests/http_control_socket_unittest.cc index 1a43c8205e..6b88213c9b 100644 --- a/src/bin/dhcp4/tests/http_control_socket_unittest.cc +++ b/src/bin/dhcp4/tests/http_control_socket_unittest.cc @@ -3654,8 +3654,8 @@ TEST_F(HttpsCtrlChannelDhcpv4Test, noListenerChange) { CfgMgr::instance().clear(); } -// Verify that the "config-set" command will reuse listener -TEST_F(HttpCtrlChannelDhcpv4Test, ignoredHttpToHttpsSwitch) { +// Verify that the "config-set" command will exit with an error +TEST_F(HttpCtrlChannelDhcpv4Test, handleHttpToHttpsSwitch) { createHttpChannelServer(); // Define strings to permutate the config arguments @@ -3788,8 +3788,8 @@ TEST_F(HttpCtrlChannelDhcpv4Test, ignoredHttpToHttpsSwitch) { EXPECT_EQ(listener, HttpCommandMgr::instance().getHttpListener().get()); ASSERT_FALSE(HttpCommandMgr::instance().getHttpListener()->getTlsContext()); - EXPECT_NE(response.find("\"result\": 0"), std::string::npos); - EXPECT_NE(response.find("\"text\": \"Configuration successful.\""), + EXPECT_NE(response.find("\"result\": 1"), std::string::npos); + EXPECT_NE(response.find("\"text\": \"Can not switch from HTTP to HTTPS sockets using the same address and port.\""), std::string::npos); // Check that the config was not lost @@ -3800,8 +3800,8 @@ TEST_F(HttpCtrlChannelDhcpv4Test, ignoredHttpToHttpsSwitch) { CfgMgr::instance().clear(); } -// Verify that the "config-set" command will reuse listener -TEST_F(HttpsCtrlChannelDhcpv4Test, ignoreHttpsToHttpSwitch) { +// Verify that the "config-set" command will exit with an error +TEST_F(HttpsCtrlChannelDhcpv4Test, handleHttpsToHttpSwitch) { createHttpChannelServer(); // Define strings to permutate the config arguments @@ -3943,8 +3943,8 @@ TEST_F(HttpsCtrlChannelDhcpv4Test, ignoreHttpsToHttpSwitch) { ASSERT_TRUE(HttpCommandMgr::instance().getHttpListener()->getTlsContext()); EXPECT_EQ(context, HttpCommandMgr::instance().getHttpListener()->getTlsContext().get()); - EXPECT_NE(response.find("\"result\": 0"), std::string::npos); - EXPECT_NE(response.find("\"text\": \"Configuration successful.\""), + EXPECT_NE(response.find("\"result\": 1"), std::string::npos); + EXPECT_NE(response.find("\"text\": \"Can not switch from HTTPS to HTTP sockets using the same address and port.\""), std::string::npos); // Check that the config was not lost diff --git a/src/bin/dhcp6/tests/http_control_socket_unittest.cc b/src/bin/dhcp6/tests/http_control_socket_unittest.cc index b2cc74ef26..2a6b4f49ec 100644 --- a/src/bin/dhcp6/tests/http_control_socket_unittest.cc +++ b/src/bin/dhcp6/tests/http_control_socket_unittest.cc @@ -3665,8 +3665,8 @@ TEST_F(HttpsCtrlChannelDhcpv6Test, noListenerChange) { CfgMgr::instance().clear(); } -// Verify that the "config-set" command will reuse listener -TEST_F(HttpCtrlChannelDhcpv6Test, ignoreHttpToHttpsSwitch) { +// Verify that the "config-set" command will exit with an error +TEST_F(HttpCtrlChannelDhcpv6Test, handleHttpToHttpsSwitch) { createHttpChannelServer(); // Define strings to permutate the config arguments @@ -3800,8 +3800,8 @@ TEST_F(HttpCtrlChannelDhcpv6Test, ignoreHttpToHttpsSwitch) { EXPECT_EQ(listener, HttpCommandMgr::instance().getHttpListener().get()); ASSERT_FALSE(HttpCommandMgr::instance().getHttpListener()->getTlsContext()); - EXPECT_NE(response.find("\"result\": 0"), std::string::npos); - EXPECT_NE(response.find("\"text\": \"Configuration successful.\""), + EXPECT_NE(response.find("\"result\": 1"), std::string::npos); + EXPECT_NE(response.find("\"text\": \"Can not switch from HTTP to HTTPS sockets using the same address and port.\""), std::string::npos); // Check that the config was not lost @@ -3812,8 +3812,8 @@ TEST_F(HttpCtrlChannelDhcpv6Test, ignoreHttpToHttpsSwitch) { CfgMgr::instance().clear(); } -// Verify that the "config-set" command will reuse listener -TEST_F(HttpsCtrlChannelDhcpv6Test, ignoreHttpsToHttpSwitch) { +// Verify that the "config-set" command will exit with an error +TEST_F(HttpsCtrlChannelDhcpv6Test, handleHttpsToHttpSwitch) { createHttpChannelServer(); // Define strings to permutate the config arguments @@ -3956,8 +3956,8 @@ TEST_F(HttpsCtrlChannelDhcpv6Test, ignoreHttpsToHttpSwitch) { ASSERT_TRUE(HttpCommandMgr::instance().getHttpListener()->getTlsContext()); EXPECT_EQ(context, HttpCommandMgr::instance().getHttpListener()->getTlsContext().get()); - EXPECT_NE(response.find("\"result\": 0"), std::string::npos); - EXPECT_NE(response.find("\"text\": \"Configuration successful.\""), + EXPECT_NE(response.find("\"result\": 1"), std::string::npos); + EXPECT_NE(response.find("\"text\": \"Can not switch from HTTPS to HTTP sockets using the same address and port.\""), std::string::npos); // Check that the config was not lost diff --git a/src/lib/config/config_messages.cc b/src/lib/config/config_messages.cc index ffb64212c8..446f742102 100644 --- a/src/lib/config/config_messages.cc +++ b/src/lib/config/config_messages.cc @@ -34,9 +34,9 @@ extern const isc::log::MessageID COMMAND_SOCKET_WRITE_FAIL = "COMMAND_SOCKET_WRI extern const isc::log::MessageID COMMAND_WATCH_SOCKET_CLEAR_ERROR = "COMMAND_WATCH_SOCKET_CLEAR_ERROR"; extern const isc::log::MessageID COMMAND_WATCH_SOCKET_CLOSE_ERROR = "COMMAND_WATCH_SOCKET_CLOSE_ERROR"; extern const isc::log::MessageID COMMAND_WATCH_SOCKET_MARK_READY_ERROR = "COMMAND_WATCH_SOCKET_MARK_READY_ERROR"; -extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSED = "HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSED"; +extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED = "HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED"; extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTPS_SERVICE_UPDATED = "HTTP_COMMAND_MGR_HTTPS_SERVICE_UPDATED"; -extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTP_SERVICE_REUSED = "HTTP_COMMAND_MGR_HTTP_SERVICE_REUSED"; +extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTP_SERVICE_REUSE_FAILED = "HTTP_COMMAND_MGR_HTTP_SERVICE_REUSE_FAILED"; extern const isc::log::MessageID HTTP_COMMAND_MGR_SERVICE_STARTED = "HTTP_COMMAND_MGR_SERVICE_STARTED"; extern const isc::log::MessageID HTTP_COMMAND_MGR_SERVICE_STOPPING = "HTTP_COMMAND_MGR_SERVICE_STOPPING"; @@ -73,9 +73,9 @@ const char* values[] = { "COMMAND_WATCH_SOCKET_CLEAR_ERROR", "watch socket failed to clear: %1", "COMMAND_WATCH_SOCKET_CLOSE_ERROR", "watch socket failed to close: %1", "COMMAND_WATCH_SOCKET_MARK_READY_ERROR", "watch socket failed to mark ready: %1", - "HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSED", "reused HTTPS service bound to address %1:%2", + "HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED", "failed to reused HTTPS service bound to address %1:%2", "HTTP_COMMAND_MGR_HTTPS_SERVICE_UPDATED", "reused HTTPS service bound to address %1:%2 and updated TLS settings", - "HTTP_COMMAND_MGR_HTTP_SERVICE_REUSED", "reused HTTP service bound to address %1:%2", + "HTTP_COMMAND_MGR_HTTP_SERVICE_REUSE_FAILED", "failed to reused HTTP service bound to address %1:%2", "HTTP_COMMAND_MGR_SERVICE_STARTED", "started %1 service bound to address %2 port %3", "HTTP_COMMAND_MGR_SERVICE_STOPPING", "Server is stopping %1 service %2", NULL diff --git a/src/lib/config/config_messages.h b/src/lib/config/config_messages.h index 7c05eb95fe..446bd00add 100644 --- a/src/lib/config/config_messages.h +++ b/src/lib/config/config_messages.h @@ -35,9 +35,9 @@ extern const isc::log::MessageID COMMAND_SOCKET_WRITE_FAIL; extern const isc::log::MessageID COMMAND_WATCH_SOCKET_CLEAR_ERROR; extern const isc::log::MessageID COMMAND_WATCH_SOCKET_CLOSE_ERROR; extern const isc::log::MessageID COMMAND_WATCH_SOCKET_MARK_READY_ERROR; -extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSED; +extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED; extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTPS_SERVICE_UPDATED; -extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTP_SERVICE_REUSED; +extern const isc::log::MessageID HTTP_COMMAND_MGR_HTTP_SERVICE_REUSE_FAILED; extern const isc::log::MessageID HTTP_COMMAND_MGR_SERVICE_STARTED; extern const isc::log::MessageID HTTP_COMMAND_MGR_SERVICE_STOPPING; diff --git a/src/lib/config/config_messages.mes b/src/lib/config/config_messages.mes index d2df251dee..731b8178d6 100644 --- a/src/lib/config/config_messages.mes +++ b/src/lib/config/config_messages.mes @@ -153,19 +153,20 @@ ready status after scheduling asynchronous send. This is programmatic error that should be reported. The command manager may or may not continue to operate correctly. -% HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSED reused HTTPS service bound to address %1:%2 -This informational message indicates that the server has reused existing -HTTPS service on the specified address and port. Note that any change in -the TLS setup was ignored. +% HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED failed to reused HTTPS service bound to address %1:%2 +This error message indicates that the server has failed reusing existing +HTTPS service on the specified address and port. The server can not swith from +HTTPS to HTTP sockets using the same address and port. % HTTP_COMMAND_MGR_HTTPS_SERVICE_UPDATED reused HTTPS service bound to address %1:%2 and updated TLS settings This informational message indicates that the server has reused existing HTTPS service on the specified address and port. Note that any change in the TLS setup has been applied. -% HTTP_COMMAND_MGR_HTTP_SERVICE_REUSED reused HTTP service bound to address %1:%2 -This informational message indicates that the server has reused existing -HTTP service on the specified address and port. +% HTTP_COMMAND_MGR_HTTP_SERVICE_REUSE_FAILED failed to reused HTTP service bound to address %1:%2 +This error message indicates that the server has failed reusing existing +HTTP service on the specified address and port. The server can not swith from +HTTP to HTTPS sockets using the same address and port. % HTTP_COMMAND_MGR_SERVICE_STARTED started %1 service bound to address %2 port %3 This informational message indicates that the server has started diff --git a/src/lib/config/http_command_mgr.cc b/src/lib/config/http_command_mgr.cc index d2b8f5bbd7..f1271c7d3f 100644 --- a/src/lib/config/http_command_mgr.cc +++ b/src/lib/config/http_command_mgr.cc @@ -135,9 +135,11 @@ HttpCommandMgrImpl::openCommandSocket(const isc::data::ConstElementPtr config) { if (listener->getTlsContext()) { if (cmd_config->getTrustAnchor().empty()) { // Can not switch from HTTPS to HTTP - LOG_ERROR(command_logger, HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSED) + LOG_ERROR(command_logger, HTTP_COMMAND_MGR_HTTPS_SERVICE_REUSE_FAILED) .arg(server_address.toText()) .arg(server_port); + isc_throw(BadValue, + "Can not switch from HTTPS to HTTP sockets using the same address and port."); } else { // Apply TLS settings each time. TlsContextPtr tls_context; @@ -159,9 +161,11 @@ HttpCommandMgrImpl::openCommandSocket(const isc::data::ConstElementPtr config) { } } else if (!cmd_config->getTrustAnchor().empty()) { // Can not switch from HTTP to HTTPS - LOG_ERROR(command_logger, HTTP_COMMAND_MGR_HTTP_SERVICE_REUSED) + LOG_ERROR(command_logger, HTTP_COMMAND_MGR_HTTP_SERVICE_REUSE_FAILED) .arg(server_address.toText()) .arg(server_port); + isc_throw(BadValue, + "Can not switch from HTTP to HTTPS sockets using the same address and port."); } } // If the connection can be reused, mark it as usable.