Posted to users@trafficserver.apache.org by Reindl Harald <h....@thelounge.net> on 2014/10/20 17:49:21 UTC
ssl questions
HTTPD: SSL 2 handshake compatibility Yes
TS: SSL 2 handshake compatibility No
can that be the reason "ab -c 100 -n 100000" fails to an ATS?
keep in mind that doesn't mean SSLv3 or even SSLv2 are enabled!
HTTPD: Heartbeat (extension) Yes
TS: Heartbeat (extension) No
how does ATS do that using the same OpenSSL binaries?
"OPENSSL_NO_HEARTBEATS=1" as ENV doesn't disable it for httpd
Re: ssl questions
Posted by Reindl Harald <h....@thelounge.net>.
On 20.10.2014 at 21:50, James Peach wrote:
>> On Oct 20, 2014, at 8:49 AM, Reindl Harald <h....@thelounge.net> wrote:
>>
>> HTTPD: SSL 2 handshake compatibility Yes
>> TS: SSL 2 handshake compatibility No
>
> We disabled SSLv2 by default on TS-787, Tue May 17 15:34:41 2011.
that is *not* the same and frankly that breaks not only "ab" but also older
browsers - please look at the thread below; handshake compatibility !=
protocol
I have disabled SSLv2 *and* SSLv3 on any httpd without breaking older
clients, and combined with the fact that ATS doesn't support DHE ciphers,
"ssllabs" lists *a lot* of clients not able to talk with ATS over TLS
http://comments.gmane.org/gmane.comp.apache.devel/54510
>> can that be the reason "ab -c 100 -n 100000" fails to an ATS?
>> keep in mind that doesn't mean SSLv3 or even SSLv2 are enabled!
>
> Not really sure about that, but should be easy to test when I get a minute.
see above
>> HTTPD: Heartbeat (extension) Yes
>> TS: Heartbeat (extension) No
>>
>> how does ATS do that using the same OpenSSL binaries?
>> "OPENSSL_NO_HEARTBEATS=1" as ENV doesn't disable it for httpd
>
> You need to set OPENSSL_NO_HEARTBEATS=1 at OpenSSL build time
I know, but.....
> I don't know why we would not be vulnerable to heartbleed with a vulnerable OpenSSL version. I poked around in OpenSSL and mod_ssl for a while and AFAICT heart beats are enabled by default. I didn't see any special knob that would turn it on.
but https://www.ssllabs.com/ssltest/ says "Heartbeat (extension) No" on
a Fedora 20 machine with ATS and the same OS and SSL binaries as httpd
Re: ssl questions
Posted by Reindl Harald <h....@thelounge.net>.
On 20.10.2014 at 21:50, James Peach wrote:
>
>> On Oct 20, 2014, at 8:49 AM, Reindl Harald <h....@thelounge.net> wrote:
>>
>> HTTPD: SSL 2 handshake compatibility Yes
>> TS: SSL 2 handshake compatibility No
>>
>
> We disabled SSLv2 by default on TS-787, Tue May 17 15:34:41 2011.
but that has nothing to do with "SSL 2 handshake compatibility", I guess
https://www.ssllabs.com/ssltest/
compare the results of HTTPD / ATS
both with no SSLv2 and SSLv3
>> can that be the reason "ab -c 100 -n 100000" fails to an ATS?
>> keep in mind that doesn't mean SSLv3 or even SSLv2 are enabled!
>
> Not really sure about that, but should be easy to test when I get a minute.
thanks!
>> HTTPD: Heartbeat (extension) Yes
>> TS: Heartbeat (extension) No
>>
>> how does ATS do that using the same OpenSSL binaries?
>> "OPENSSL_NO_HEARTBEATS=1" as ENV doesn't disable it for httpd
>
> You need to set OPENSSL_NO_HEARTBEATS=1 at OpenSSL build time
I am aware of that
sadly
"OPENSSL_NO_DEFAULT_ZLIB=1" works as env-var for other historical issues
> I don't know why we would not be vulnerable to heartbleed with a vulnerable OpenSSL version. I poked around in OpenSSL and mod_ssl for a while and AFAICT heart beats are enabled by default. I didn't see any special knob that would turn it on.
well, I just compared https://www.ssllabs.com/ssltest/ against a pure
HTTPD server and an ATS server on the same patch level with Fedora 20 and
was surprised that ATS is listed as "Heartbeat (extension) No" while HTTPD
shows a yes
Re: ssl questions
Posted by James Peach <jp...@apache.org>.
> On Oct 20, 2014, at 8:49 AM, Reindl Harald <h....@thelounge.net> wrote:
>
> HTTPD: SSL 2 handshake compatibility Yes
> TS: SSL 2 handshake compatibility No
>
We disabled SSLv2 by default on TS-787, Tue May 17 15:34:41 2011.
> can that be the reason "ab -c 100 -n 100000" fails to an ATS?
> keep in mind that doesn't mean SSLv3 or even SSLv2 are enabled!
Not really sure about that, but should be easy to test when I get a minute.
>
> HTTPD: Heartbeat (extension) Yes
> TS: Heartbeat (extension) No
>
> how does ATS do that using the same OpenSSL binaries?
> "OPENSSL_NO_HEARTBEATS=1" as ENV doesn't disable it for httpd
You need to set OPENSSL_NO_HEARTBEATS=1 at OpenSSL build time. I don't know why we would not be vulnerable to heartbleed with a vulnerable OpenSSL version. I poked around in OpenSSL and mod_ssl for a while and AFAICT heartbeats are enabled by default. I didn't see any special knob that would turn it on.
J
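Two things the thread turns on, worked through in an added example that is not code from the thread, from Traffic Server or from httpd. The SSL Labs line "SSL 2 handshake compatibility" refers to the server accepting the SSLv2-format CLIENT-HELLO record; that record can still offer TLS 1.0 or later as the client's highest version, which is why "handshake compatibility != protocol" as Reindl says, and why a server rejecting the record format refuses such clients even with SSLv2 and SSLv3 disabled. The "Heartbeat (extension)" line reflects whether the ServerHello carries extension type 15 (RFC 6520). The script builds both ClientHello record formats and a ServerHello from constructed bytes, classifies the hellos, and checks the ServerHello for the heartbeat extension, so an operator can see exactly what each report line is reading. Helper names and all byte strings are this example's own assumptions; nothing is captured from a real server, and the thread does not establish that the record format is why "ab" fails.

```python
"""Constructed example: how the two SSL Labs lines from the thread are read.

- "SSL 2 handshake compatibility": the server accepts the SSLv2-format
  CLIENT-HELLO record. That record may advertise TLS 1.0+ as its highest
  version, so it is a record-format question, not "is SSLv2 enabled".
- "Heartbeat (extension)": the ServerHello lists extension type 15 (RFC 6520).

All byte strings below are built here for the example (constructed data).
"""
import struct

HEARTBEAT_EXT = 0x000F  # RFC 6520 extension type
VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS1.0",
                 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def version_name(v):
    return VERSION_NAMES.get(v, "0x%04x" % v)


def build_v2_compat_client_hello(max_version, cipher_specs):
    """SSLv2-format CLIENT-HELLO: 2-byte header (high bit set, 15-bit length),
    MSG-CLIENT-HELLO=1, version(2), cipher-specs-len(2), session-id-len(2),
    challenge-len(2), 3-byte cipher specs, challenge."""
    challenge = b"\x11" * 16
    specs = b"".join(struct.pack(">I", c)[1:] for c in cipher_specs)
    body = (b"\x01" + struct.pack(">HHHH", max_version, len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_client_hello(client_version):
    """Minimal TLS-format ClientHello: record type 22, handshake type 1."""
    hs_body = (struct.pack(">H", client_version) + b"\x22" * 32  # version + random
               + b"\x00"                                          # empty session id
               + struct.pack(">H", 2) + b"\x00\x2f"               # one cipher suite
               + b"\x01\x00")                                     # null compression
    hs = b"\x01" + struct.pack(">I", len(hs_body))[1:] + hs_body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def classify_client_hello(data):
    """Return (record format, highest protocol version the client offers)."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        if len(data) < 2 + length:
            raise ValueError("truncated SSLv2 record")
        return ("sslv2-compatible", version_name(struct.unpack(">H", data[3:5])[0]))
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        return ("tls", version_name(struct.unpack(">H", data[9:11])[0]))
    raise ValueError("not a ClientHello")


def build_server_hello(extensions):
    """TLS ServerHello record; extensions is a list of (type, payload) pairs."""
    body = b"\x03\x03" + b"\x33" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x02" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs


def server_hello_extensions(data):
    """Parse a ServerHello record into {extension type: payload}."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x02:
        raise ValueError("not a ServerHello record")
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                      # server_version + random
    pos += 1 + body[pos]              # session id
    pos += 2 + 1                      # cipher suite + compression method
    exts = {}
    if pos == len(body):
        return exts                   # no extensions block at all
    end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if end != len(body):
        raise ValueError("bad extensions length")
    while pos + 4 <= end:
        t, l = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        exts[t] = body[pos:pos + l]
        pos += l
    if pos != end:
        raise ValueError("bad extension framing")
    return exts


def heartbeat_advertised(server_hello):
    """True when the ServerHello carries the RFC 6520 heartbeat extension."""
    return HEARTBEAT_EXT in server_hello_extensions(server_hello)


if __name__ == "__main__":
    v2 = build_v2_compat_client_hello(0x0301, [0x010080, 0x00002F])
    print(classify_client_hello(v2))                              # SSLv2 record offering TLS1.0
    print(classify_client_hello(build_tls_client_hello(0x0303)))  # TLS record offering TLS1.2
    print(heartbeat_advertised(build_server_hello([(HEARTBEAT_EXT, b"\x01")])))
    print(heartbeat_advertised(build_server_hello([])))
```

The first printed line is the point of the thread: an SSLv2-format record whose highest offered version is TLS 1.0, so a server that refuses the record format turns that client away regardless of which protocol versions it has enabled. The last two lines show that "Heartbeat (extension) Yes/No" is simply the presence or absence of type 15 in the ServerHello, which is decided by the OpenSSL build the server links, as James notes.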