You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by "Ron Barber (JIRA)" <ji...@apache.org> on 2014/02/11 23:37:23 UTC

[jira] [Commented] (TS-2569) ssl options are ignored if ssl_multicert.config does not contain an entry with dest_ip=*

    [ https://issues.apache.org/jira/browse/TS-2569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13898424#comment-13898424 ] 

Ron Barber commented on TS-2569:
--------------------------------

I believe the issue is that the SSL_set_SSL_CTX function does not copy over the necessary options from the ctx* (existing bug/complaint: http://rt.openssl.org/Ticket/Display.html?id=3183) into the ssl* (in the ssl_servername_callback function).  It does appear that the ssl * being used was initialized from the "default" ctx which ats creates in the event there is no dest_ip=*.  The proposed fix (which works) is to initialize the default ctx with the necessary ssl options.

> ssl options are ignored if ssl_multicert.config does not contain an entry with dest_ip=* 
> -----------------------------------------------------------------------------------------
>
>                 Key: TS-2569
>                 URL: https://issues.apache.org/jira/browse/TS-2569
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Ron Barber
>
> We discovered that the proxy.config.ssl.server.honor_cipher_order=1 setting was not working correctly.  After investigating it was determined that if you do not have a dest_ip=* in the ssl_multicert.config file then the server cipher order setting will not be honored.
> ssl_multicert.config
> dest_ip=192.168.214.131 ssl_cert_name=cert.pem 
> records.config
> CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!NULL
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> Result (client selection is honored):
> % echo | openssl s_client -connect 192.168.214.131:443 -cipher 'AES128-SHA:RC4-SHA' 2>&1 | grep 'Cipher is'
> New, TLSv1/SSLv3, Cipher is AES128-SHA
> % echo | openssl s_client -connect 192.168.214.131:443 -cipher 'RC4-SHA:AES128-SHA' 2>&1 | grep 'Cipher is'
> New, TLSv1/SSLv3, Cipher is RC4-SHA



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)