You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/11/02 18:36:58 UTC
[jira] [Work logged] (TS-4706) SSL hostname verification failed due
to truncated SNI name
[ https://issues.apache.org/jira/browse/TS-4706?focusedWorklogId=31458&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-31458 ]
ASF GitHub Bot logged work on TS-4706:
--------------------------------------
Author: ASF GitHub Bot
Created on: 02/Nov/16 18:36
Start Date: 02/Nov/16 18:36
Worklog Time Spent: 10m
Work Description: GitHub user gtenev opened a pull request:
https://github.com/apache/trafficserver/pull/1173
TS-4706 Truncated SNI name during escalation
SSL hostname verification failing due to truncated SNI name.
(cherry picked from commit 4d02d0e877e24b1dc94948c236462417bdd9bbf0)
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/gtenev/trafficserver TS-4706_backport
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/trafficserver/pull/1173.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1173
----
----
Issue Time Tracking
-------------------
Worklog Id: (was: 31458)
Time Spent: 1.5h (was: 1h 20m)
> SSL hostname verification failed due to truncated SNI name
> ----------------------------------------------------------
>
> Key: TS-4706
> URL: https://issues.apache.org/jira/browse/TS-4706
> Project: Traffic Server
> Issue Type: Bug
> Components: Core
> Reporter: Gancho Tenev
> Assignee: Gancho Tenev
> Fix For: 7.0.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> SSL hostname verification fails due to truncated SNI name when escalation plugin is used to redirect a failed request (404) from a primary origin {{primary.com}} to a secondary origin {{secondary.com}}.
> {code:title=Excerpt from the ATS logs showing the error|borderStyle=solid}
> DEBUG: <SSLNetVConnection.cc:1258 (sslClientHandShakeEvent)> (ssl) using SNI name ‘secondary.c'’ for client handshake
> DEBUG: <SSLNetVConnection.cc:1303 (sslClientHandShakeEvent)> (ssl.error) SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_WANT_READ
> DEBUG: <SSLNetVConnection.cc:1258 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c’’ for client handshake
> DEBUG: <SSLClientUtils.cc:83 (verify_callback)> (ssl) Hostname verification failed for (‘secondary.c')
> {code}
> One could see that the SNI name {{secondary.com}} is truncated to {{secondary.c}}
> {code:title=Test case to reproduce}
> $ cat etc/trafficserver/remap.config
> map http://example.com https://primary.com @plugin=escalate.so @pparam=404:secondary.com
> $ sudo ./bin/traffic_server -T ssl 2>&1 | egrep -e 'using SNI name .* for client handshake'
> DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'primary.com' for client handshake
> DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake
> $ curl -x localhost:80 'http://example.com/path/to/object'
> {code}
> I have a fix available which produces the following log (SNI hostname no longer truncated)
> {code:title=Excerpt from ATS logs after applying the fix}
> $ sudo ./bin/traffic_server -T ssl 2>&1 | egrep -e 'using SNI name .* for client handshake'
> DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'primary.com' for client handshake
> DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.com' for client handshake
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)