Posted to users@trafficserver.apache.org by Esmq <es...@163.com> on 2015/01/28 04:05:41 UTC
ts crash for wildcard ssl certificate with version 5.2.0
hi, all
i have just upgraded ts 5.1.1 to 5.2.0,
and made no change to the configuration (using the previous working config of version 5.1.1)
after toggling to 5.2.0, i found the following warning messages in diag.log, which were all good in 5.1.1.
[Jan 28 10:35:13.128] Server {0x2b34fdd3b620} NOTE: loading SSL certificate configuration from /home/trafficserver/etc/ssl_multicert.config
[Jan 28 10:35:13.130] Server {0x2b34fdd3b620} WARNING: previously indexed 'daily.bb.test.com' with SSL_CTX 0x1, cannot index it with SSL_CTX #2 now
[Jan 28 10:35:13.130] Server {0x2b34fdd3b620} WARNING: previously indexed wildcard certificate for '*.sslbbs.example.com' as 'com.example.sslbbs.', cannot index it with SSL_CTX #4 now
furthermore, ts crashes when processing a request that uses the wildcard ssl certificate...
Re:Re:Re: ts crash for wildcard ssl certificate with version 5.2.0
Posted by Esmq <es...@163.com>.
hi, all
i found that the configure options that i used to compile v5.2.0 were different from v5.1.1,
after i recompiled v5.2.0 to use the same options as v5.1.1, the problem was gone.
the different compile options i used to compile v5.2.0 and v5.1.1:
v5.1.1
./configure --prefix=/usr/local/trafficserver-5.1.1 --with-user=trafficserver --with-group=trafficserver --sysconfdir=/home/trafficserver/etc --enable-experimental-plugins --enable-reclaimable-freelist --enable-hwloc
v5.2.0
./configure --prefix=/usr/local/trafficserver-5.2.0 --with-user=trafficserver --with-group=trafficserver --sysconfdir=/home/trafficserver/etc --enable-experimental-plugins
i think the problem was caused by my using the reclaim feature when this feature was not compiled in.
On 2015-01-29 13:39:59, "Esmq" <es...@163.com> wrote:
hi,
when not using a wildcard certificate, it works fine just like v5.1.1; when i add the following to the ssl_multicert.config, ats coredumps every time i access the ssl page.
dest_ip=* ssl_cert_name=ssl/sslbbs.example.com.ee.crt ssl_key_name=ssl/sslbbs.example.com.nopass.key
the certificate's CN=*.sslbbs.example.com,
when i open http://xxx.sslbbs.example.com/, it causes ts to coredump and restart.
####################################################################
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:9e:96:42:07:bb:5e:3d:af:43:96:f0:08:61:e5:99
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
Validity
Not Before: Apr 4 00:00:00 2014 GMT
Not After : May 3 23:59:59 2017 GMT
Subject: C=CN, ST=GuangDong, L=GuangZhou, O=Guangzhou Example Interactive Entertainment Co., Ltd., OU=Terms of use at www.verisign.com/rpa (c)05, CN=*.sslbbs.example.com
On 2015-01-28 21:59:00, "Susan Hinrichs" <sh...@network-geographics.com> wrote:
Hi,
The warning messages are likely harmless. They are probably complaints about conflicts if the main subject name is repeated as a subject alternative name. This has been addressed via TS-3243.
I've successfully tested a basic wildcard certificate in 5.2/master. But obviously we must be doing something different. Can you share your wildcard certificate so I can better replicate your case?
Thanks,
Susan
On 1/27/2015 9:05 PM, Esmq wrote:
hi, all
i have just upgraded ts 5.1.1 to 5.2.0,
and made no change to the configuration (using the previous working config of version 5.1.1)
after toggling to 5.2.0, i found the following warning messages in diag.log, which were all good in 5.1.1.
[Jan 28 10:35:13.128] Server {0x2b34fdd3b620} NOTE: loading SSL certificate configuration from /home/trafficserver/etc/ssl_multicert.config
[Jan 28 10:35:13.130] Server {0x2b34fdd3b620} WARNING: previously indexed 'daily.bb.test.com' with SSL_CTX 0x1, cannot index it with SSL_CTX #2 now
[Jan 28 10:35:13.130] Server {0x2b34fdd3b620} WARNING: previously indexed wildcard certificate for '*.sslbbs.example.com' as 'com.example.sslbbs.', cannot index it with SSL_CTX #4 now
furthermore, ts crashes when processing a request that uses the wildcard ssl certificate...
Re:Re: ts crash for wildcard ssl certificate with version 5.2.0
Posted by Esmq <es...@163.com>.
hi,
when not using a wildcard certificate, it works fine just like v5.1.1; when i add the following to the ssl_multicert.config, ats coredumps every time i access the ssl page.
dest_ip=* ssl_cert_name=ssl/sslbbs.example.com.ee.crt ssl_key_name=ssl/sslbbs.example.com.nopass.key
the certificate's CN=*.sslbbs.example.com,
when i open http://xxx.sslbbs.example.com/, it causes ts to coredump and restart.
####################################################################
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:9e:96:42:07:bb:5e:3d:af:43:96:f0:08:61:e5:99
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
Validity
Not Before: Apr 4 00:00:00 2014 GMT
Not After : May 3 23:59:59 2017 GMT
Subject: C=CN, ST=GuangDong, L=GuangZhou, O=Guangzhou Example Interactive Entertainment Co., Ltd., OU=Terms of use at www.verisign.com/rpa (c)05, CN=*.sslbbs.example.com
On 2015-01-28 21:59:00, "Susan Hinrichs" <sh...@network-geographics.com> wrote:
Hi,
The warning messages are likely harmless. They are probably complaints about conflicts if the main subject name is repeated as a subject alternative name. This has been addressed via TS-3243.
I've successfully tested a basic wildcard certificate in 5.2/master. But obviously we must be doing something different. Can you share your wildcard certificate so I can better replicate your case?
Thanks,
Susan
On 1/27/2015 9:05 PM, Esmq wrote:
hi, all
i have just upgraded ts 5.1.1 to 5.2.0,
and made no change to the configuration (using the previous working config of version 5.1.1)
after toggling to 5.2.0, i found the following warning messages in diag.log, which were all good in 5.1.1.
[Jan 28 10:35:13.128] Server {0x2b34fdd3b620} NOTE: loading SSL certificate configuration from /home/trafficserver/etc/ssl_multicert.config
[Jan 28 10:35:13.130] Server {0x2b34fdd3b620} WARNING: previously indexed 'daily.bb.test.com' with SSL_CTX 0x1, cannot index it with SSL_CTX #2 now
[Jan 28 10:35:13.130] Server {0x2b34fdd3b620} WARNING: previously indexed wildcard certificate for '*.sslbbs.example.com' as 'com.example.sslbbs.', cannot index it with SSL_CTX #4 now
furthermore, ts crashes when processing a request that uses the wildcard ssl certificate...
Re: ts crash for wildcard ssl certificate with version 5.2.0
Posted by Susan Hinrichs <sh...@network-geographics.com>.
Hi,
The warning messages are likely harmless. They are probably complaints
about conflicts if the main subject name is repeated as a subject
alternative name. This has been addressed via TS-3243.
I've successfully tested a basic wildcard certificate in 5.2/master.
But obviously we must be doing something different. Can you share your
wildcard certificate so I can better replicate your case?
Thanks,
Susan
On 1/27/2015 9:05 PM, Esmq wrote:
> hi, all
>
> i have just upgraded ts 5.1.1 to 5.2.0,
> and made no change to the configuration (using the previous working
> config of version 5.1.1)
>
> after toggling to 5.2.0, i found the following warning messages in diag.log,
> which were all good in 5.1.1.
>
> [Jan 28 10:35:13.128] Server {0x2b34fdd3b620} NOTE: loading SSL
> certificate configuration from
> /home/trafficserver/etc/ssl_multicert.config
> [Jan 28 10:35:13.130] Server {0x2b34fdd3b620} WARNING: previously
> indexed 'daily.bb.test.com' with SSL_CTX 0x1, cannot index it with
> SSL_CTX #2 now
> [Jan 28 10:35:13.130] Server {0x2b34fdd3b620} WARNING: previously
> indexed wildcard certificate for '*.sslbbs.example.com' as
> 'com.example.sslbbs.', cannot index it with SSL_CTX #4 now
>
> furthermore, ts crashes when processing a request that uses the
> wildcard ssl certificate...
>
>
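
Added example (not part of any post in this thread, and not Traffic Server code): a small model of a first-come certificate name index that separates the two situations behind a "previously indexed" warning, a name repeated inside one certificate versus a name already claimed by an earlier certificate. The reversed-label wildcard key is taken from the quoted diag.log line; the function names, the sample SAN layout and the one-label wildcard match are assumptions.

```python
# Added example, not Traffic Server code. Only the reversed-label wildcard key
# is taken from the diag.log line in the thread; all names here are hypothetical.

def index_key(name):
    """'*.sslbbs.example.com' -> ('wildcard', 'com.example.sslbbs.')"""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        return "wildcard", ".".join(reversed(name[2:].split("."))) + "."
    return "exact", name


def find_conflicts(certs):
    """certs: [(ctx_id, [CN, SAN, ...]), ...] in config-file order, ctx_ids unique.
    Returns (index, findings); the first context to claim a name keeps it."""
    index, findings = {}, []
    for ctx_id, names in certs:
        seen = set()
        for name in names:
            key = index_key(name)
            if key in seen:
                # CN repeated as a SAN in the same certificate: noise only.
                findings.append((name, ctx_id, ctx_id, "repeat-in-same-cert"))
                continue
            seen.add(key)
            owner = index.setdefault(key, ctx_id)
            if owner != ctx_id:
                # A different certificate already serves this name.
                findings.append((name, owner, ctx_id, "claimed-by-earlier-cert"))
    return index, findings


def lookup(index, host):
    """Exact name first, then a wildcard covering exactly one extra label
    (an assumption of this example)."""
    host = host.lower().rstrip(".")
    if ("exact", host) in index:
        return index[("exact", host)]
    parts = host.split(".", 1)
    return index.get(index_key("*." + parts[1])) if len(parts) == 2 else None


# Constructed sample: names borrowed from the warnings, SAN layout assumed.
SAMPLE = [
    (1, ["daily.bb.test.com"]),
    (2, ["daily.bb.test.com", "www.bb.test.com"]),
    (4, ["*.sslbbs.example.com", "*.sslbbs.example.com"]),  # CN + identical SAN
]

if __name__ == "__main__":
    idx, found = find_conflicts(SAMPLE)
    for f in found:
        print(f)
    print(lookup(idx, "xxx.sslbbs.example.com"))
```

A "claimed-by-earlier-cert" finding means the later certificate is never served for that name, which is worth checking against the intended ssl_multicert.config ordering.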