Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2014/02/27 03:45:20 UTC

[jira] [Updated] (TS-2593) HTTPS to origin fails on CentOS6.x

     [ https://issues.apache.org/jira/browse/TS-2593?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-2593:
------------------------------

    Fix Version/s: 5.0.0

> HTTPS to origin fails on CentOS6.x
> ----------------------------------
>
>                 Key: TS-2593
>                 URL: https://issues.apache.org/jira/browse/TS-2593
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Leif Hedstrom
>             Fix For: 5.0.0
>
>
> I'm having this problem where mapping to https:// URLs always fails to connect / communicate with the origin. I've tracked this down to TS-2355, and I suspect (but I'm not sure) that setting the nonexistent OpenSSL option breaks something badly. I'd like to make the following changes:
> {code}
> diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
> index 5ed2d82..289ff99 100644
> --- a/iocore/net/P_SSLUtils.h
> +++ b/iocore/net/P_SSLUtils.h
> @@ -33,15 +33,6 @@
>  #error Traffic Server requires a OpenSSL library that support threads
>  #endif
> -// if we are compiling against an early version of OpenSSL, define our own values
> -#ifndef SSL_OP_NO_TLSv1_1
> -#define SSL_OP_NO_TLSv1_1 0x10000000L
> -#endif
> -#ifndef SSL_OP_NO_TLSv1_2
> -#define SSL_OP_NO_TLSv1_2 0x08000000L
> -#endif
> -#define SSL_VERSION_1_0_1 0x010001000 // MMNNFFPPS: major minor fix patch status
> -
>  struct SSLConfigParams;
>  struct SSLCertLookup;
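Review bot: dropping SSL_VERSION_1_0_1 together with the two SSL_OP_NO_TLSv1_* fallbacks will break any remaining `#if OPENSSL_VERSION_NUMBER >= SSL_VERSION_1_0_1` style checks elsewhere in iocore/net; grep for other users of the macro before removing it, or replace those checks with a comparison against a literal OPENSSL_VERSION_NUMBER. Removing the hard-coded 0x10000000L / 0x08000000L values themselves is the right call: option bits that the linked OpenSSL does not define are not guaranteed to be ignored by SSL_CTX_set_options(), and the same bit positions can carry a different meaning in an older release, which matches the failure described in this issue.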
> diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
> index 9a20883..f9df79e 100644
> --- a/iocore/net/SSLConfig.cc
> +++ b/iocore/net/SSLConfig.cc
> @@ -149,12 +149,19 @@ SSLConfigParams::initialize()
>    REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1");
>    if (!options)
>      ssl_ctx_options |= SSL_OP_NO_TLSv1;
> +
> +  // These are not available in all, older versions of OpenSSL (e.g. CentOS6)
> +#ifdef SSL_OP_NO_TLSv1_1
>    REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
>    if (!options)
>      ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
> +#endif
> +#ifdef SSL_OP_NO_TLSv1_2
>    REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2");
>    if (!options)
>      ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
> +#endif
> +
>  #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
>    REC_ReadConfigInteger(options, "proxy.config.ssl.server.honor_cipher_order");
>    if (options)
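Review bot: with the new `#ifdef` guards, proxy.config.ssl.TLSv1_1 and proxy.config.ssl.TLSv1_2 are silently ignored when the build's OpenSSL lacks the option macros, so an operator on CentOS 6 who sets them expecting TLS 1.1/1.2 gets no indication that the library cannot negotiate those versions; add an `#else` branch that still reads the record and logs a warning when it is set, and mention the limitation in the records.config documentation. Minor: the comment `// These are not available in all, older versions of OpenSSL (e.g. CentOS6)` reads better as `// These are not available in older versions of OpenSSL (e.g. CentOS 6)`.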
> {code}
> That much said, I'm also wondering if we should make the defaults for the TLSv1_2 a little less draconian? For example, can we detect which versions this works in, and change the default to "1"? Or can we change the default to "1", and ask people that run into the crasher to either upgrade OpenSSL, or alternatively disable v1.2?



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)