Posted to issues@trafficserver.apache.org by GitBox <gi...@apache.org> on 2021/02/25 21:49:44 UTC

[GitHub] [trafficserver] bneradt opened a new issue #7561: CI OpenSSL version needs 1.1.1e updates for SSL_set_tlsext_host_name

bneradt opened a new issue #7561:
URL: https://github.com/apache/trafficserver/issues/7561


   Traffic Dump retrieves the server-side TLS server name via SSL_get_servername:
   https://github.com/apache/trafficserver/blob/40de57b047a2b83e023404c3c64f7e3a81b38e64/plugins/experimental/traffic_dump/session_data.cc#L105
   
   With the patch in the following PR the traffic_dump test consistently fails because the SNI is not being retrieved:
   https://github.com/apache/trafficserver/pull/7537
   
   Locally, @duke8253 and I were not able to reproduce this failure. @duke8253 was able to reproduce this when he ran with OpenSSL 1.1.1d. The documentation mentions bug fixes that went into 1.1.1e SSL_get_servername:
   
   https://www.openssl.org/docs/man1.1.1/man3/SSL_set_tlsext_host_name.html
   
   Quoting:
   
   > HISTORY
   > 
   > SSL_get_servername() historically provided some unexpected results in certain corner cases. This has been fixed from OpenSSL 1.1.1e.
   > 
   > Prior to 1.1.1e, when the client requested a servername in an initial TLSv1.2 handshake, the server accepted it, and then the client successfully resumed but set a different explicit servername in the second handshake then when called by the client it returned the servername from the second handshake. This has now been changed to return the servername requested in the original handshake.
   > 
   > Also prior to 1.1.1e, if the client sent a servername in the first handshake but the server did not accept it, and then a second handshake occurred where TLSv1.2 resumption was successful then when called by the server it returned the servername requested in the original handshake. This has now been changed to NULL.
   
   It would be helpful if we could update CI's version of OpenSSL, which currently runs an older version of OpenSSL 3.0.0 master, to have these fixes.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [trafficserver] bneradt commented on issue #7561: CI OpenSSL version needs 1.1.1e updates for SSL_set_tlsext_host_name

Posted by GitBox <gi...@apache.org>.
bneradt commented on issue #7561:
URL: https://github.com/apache/trafficserver/issues/7561#issuecomment-788126288


   The latest version of OpenSSL-quic breaks the TLS handshake for AuTests when ATS is built against it. @duke8253 suggested I use a draft-29 version which worked fine locally. I deployed it to all the CI systems and all the AuTests passed for his PR:
   
   https://github.com/apache/trafficserver/pull/7537
   
   To record what I did:
   
   1. I copied the current versions of /opt/openssl-quic to /opt/openssl-quic_quic-draft-22, preserving the old version in case we need it and recording the branch from which it was built which I derived from a git search.
   2. @zwoop pointed me to https://github.com/apache/trafficserver/blob/master/tools/build_h3_tools.sh. I copied that onto the jenkins master box.
   3. I modified build_h3_tools.sh to just build and install openssl-quic using the OpenSSL_1_1_1g-quic-draft-29, installing to /opt/openssl-quic_OpenSSL_1_1_1g-quic-draft-29
   4. I then symbolic linked /opt/openssl-quic to the new /opt/openssl-quic_OpenSSL_1_1_1g-quic-draft-29
   5. I then applied these same changes to each of the CI agent machines (moving the old directory to the specified location, rsync'ed the new openssl-quic draft 29 version, and then symbolic linked /opt/openssl-quic).


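Added check, not code from the issue thread or from Traffic Server, serving both the 1.1.1e threshold from the issue body and the /opt/openssl-quic symlink swap recorded in the comment above: a POSIX sh function that classifies an `openssl version` banner by whether the build carries the SSL_get_servername() fix, and returns a distinct status for development snapshots (such as the 3.0.0 master build CI was running), whose banner alone cannot show whether the fix landed. The banner strings and the /opt/openssl-quic/bin/openssl path are assumed inputs.

```shell
#!/bin/sh
# Added example (not from the trafficserver issue): classify an `openssl version`
# banner by whether it carries the 1.1.1e SSL_get_servername() fix.
# Exit status: 0 = fix present, 1 = fix absent (or not an OpenSSL banner),
#              2 = development snapshot, the banner alone cannot tell.
has_servername_fix() {
    set -- $1                          # "OpenSSL" "1.1.1d" "10" "Sep" "2019"
    [ "$1" = "OpenSSL" ] && [ -n "$2" ] || return 1
    token=$2
    case $token in
        *-*) return 2 ;;               # "3.0.0-dev", "1.1.1e-dev": check the git commit instead
    esac
    major=${token%%.*}; rest=${token#*.}
    minor=${rest%%.*};  rest=${rest#*.}
    letter=${rest#"${rest%%[!0-9]*}"}  # "d" from "1d", "" from a bare "1"
    patch=${rest%"$letter"}
    if [ "$major" -gt 1 ]; then return 0; fi   # 3.x releases ship with the fix
    if [ "$minor" -lt 1 ]; then return 1; fi   # 1.0.x predates it
    if [ "$patch" -lt 1 ]; then return 1; fi   # 1.1.0x predates it
    case $letter in
        [e-z]) return 0 ;;             # 1.1.1e .. 1.1.1w
        *)     return 1 ;;             # bare 1.1.1 and 1.1.1a-d
    esac
}

# Run the check against an installed binary, e.g. the CI symlink target
# (assumed path): check_openssl_binary /opt/openssl-quic/bin/openssl
check_openssl_binary() {
    has_servername_fix "$("$1" version 2>/dev/null)"
}
```

A status of 2 is the case the issue ran into: a master snapshot's banner says nothing about whether the SSL_get_servername() change is in it, so the build's commit has to be checked instead.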



[GitHub] [trafficserver] duke8253 commented on issue #7561: CI OpenSSL version needs 1.1.1e updates for SSL_set_tlsext_host_name

Posted by GitBox <gi...@apache.org>.
duke8253 commented on issue #7561:
URL: https://github.com/apache/trafficserver/issues/7561#issuecomment-786260025


   It would be great if we can get this fixed soon.





[GitHub] [trafficserver] bneradt closed issue #7561: CI OpenSSL version needs 1.1.1e updates for SSL_set_tlsext_host_name

Posted by GitBox <gi...@apache.org>.
bneradt closed issue #7561:
URL: https://github.com/apache/trafficserver/issues/7561


   

