Posted to issues@trafficserver.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2013/08/11 04:43:47 UTC

[jira] [Commented] (TS-2096) Traffic server does not error on loading bad ssl cert

    [ https://issues.apache.org/jira/browse/TS-2096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13736156#comment-13736156 ] 

James Peach commented on TS-2096:
---------------------------------

For a file that does not exist:

{code}
[Aug 10 19:38:02.586] Server {0x7fff76992180} NOTE: loading SSL certificate configuration from /opt/ats/etc/trafficserver/ssl_multicert.config
[Aug 10 19:38:02.589] Server {0x7fff76992180} ERROR: SSL::0:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/bio/bss_file.c:356:fopen('/opt/ats/etc/trafficserver/ssl/james.pem','r')
[Aug 10 19:38:02.590] Server {0x7fff76992180} ERROR: SSL::0:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/bio/bss_file.c:358:
[Aug 10 19:38:02.590] Server {0x7fff76992180} ERROR: SSL::0:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/ssl_rsa.c:470:
{code}

For a file that is empty:
{code}
[Aug 10 19:40:15.550] Server {0x7fff76992180} NOTE: loading SSL certificate configuration from /opt/ats/etc/trafficserver/ssl_multicert.config
[Aug 10 19:40:15.552] Server {0x7fff76992180} ERROR: SSL::0:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/pem/pem_lib.c:648:Expecting: CERTIFICATE
[Aug 10 19:40:15.552] Server {0x7fff76992180} ERROR: SSL::0:error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/ssl_rsa.c:491:
{code}

For a file that is filled with random junk:
{code}
[Aug 10 19:42:03.358] Server {0x7fff76992180} NOTE: loading SSL certificate configuration from /opt/ats/etc/trafficserver/ssl_multicert.config
[Aug 10 19:42:03.360] Server {0x7fff76992180} ERROR: SSL::0:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/pem/pem_lib.c:648:Expecting: CERTIFICATE
[Aug 10 19:42:03.360] Server {0x7fff76992180} ERROR: SSL::0:error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/ssl_rsa.c:491:
{code}

So in all cases, we do log an error, though OpenSSL does not always include the filename, so we should add our own additional log message that includes the file name.
                
> Traffic server does not error on loading bad ssl cert
> -----------------------------------------------------
>
>                 Key: TS-2096
>                 URL: https://issues.apache.org/jira/browse/TS-2096
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 3.3.4
>            Reporter: Kris Lindgren
>            Assignee: James Peach
>             Fix For: 3.5.1
>
>
> In traffic server 3.3.4 when loading an SSL cert from ssl_multicert.config if the ssl cert is invalid or missing an error is not logged.
> Eg: dest_ip=10.0.0.1 ssl_cert_name=asdf ssl_ca_name=asdf-chain
> If asdf-chain is an empty file or doesn't exist the ssl cert will not get loaded - but no error will be logged.
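An added example (not part of this comment or of the Traffic Server code) of the check being proposed: it tries to load a certificate file and, on failure, emits one message that always names the file, since the OpenSSL error text alone does not. Python's ssl module stands in for ATS's direct SSL_CTX_use_certificate_file call, and the missing/empty/junk sample files are constructed here.

```python
import os
import ssl
import tempfile

# Constructed sample content for the "random junk" case discussed in the comment.
RANDOM_JUNK = b"\x00\x13\x37 not a certificate at all \xff\xfe"


def check_cert_file(path):
    """Try to load a PEM certificate (with its key) from `path`; never raises.

    The returned dict always carries the file name, because neither the OpenSSL
    error queue nor Python's exception text reliably includes it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path)
    except OSError as exc:  # ssl.SSLError is an OSError subclass, so this catches both
        if not os.path.exists(path):
            problem = "missing"
        elif os.path.getsize(path) == 0:
            problem = "empty"
        elif isinstance(exc, ssl.SSLError):
            problem = "unparseable"  # OpenSSL's "no start line" / PEM lib failures
        else:
            problem = "unreadable"  # e.g. permission denied
        return {"file": path, "ok": False, "problem": problem, "detail": str(exc)}
    return {"file": path, "ok": True, "problem": None, "detail": ""}


def format_result(result):
    """One log line in the style of the messages above, but always naming the file."""
    if result["ok"]:
        return "NOTE: loaded SSL certificate %s" % result["file"]
    return "ERROR: failed to load SSL certificate %s (%s): %s" % (
        result["file"], result["problem"], result["detail"])


def make_sample_files(directory=None):
    """Create the missing / empty / junk cases in `directory` (a fresh temp dir by default)."""
    directory = directory or tempfile.mkdtemp(prefix="ssl-check-")
    paths = {name: os.path.join(directory, name + ".pem") for name in ("missing", "empty", "junk")}
    open(paths["empty"], "wb").close()  # zero-byte file, like the empty asdf-chain in the report
    with open(paths["junk"], "wb") as fh:
        fh.write(RANDOM_JUNK)
    return paths


if __name__ == "__main__":
    for path in make_sample_files().values():
        print(format_result(check_cert_file(path)))
```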
