Posted to dev@trafficserver.apache.org by Leif Hedstrom <zw...@apache.org> on 2018/12/29 19:50:08 UTC

ATS (master) + OpenSSL v1.1.1 + Wildcart cert == sad panda

Hi,

I have a “play” server, which I upgraded recently to F29, and ATS is having issues with one of my certificates. It’s a cert with a wildcard for *.ogre.com, and this was working fine up until the upgrade to OpenSSL v1.1.1. The other certs work fine.

Doing a diagnostics, I see

[Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLNetVConnection.cc:1555 (callHooks)> (ssl) callHooks sslHandshakeHookState=2 eventID=60204
[Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLNetVConnection.cc:1647 (callHooks)> (ssl) callHooks iterated to curHook=(nil)
[Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:409 (PerformAction)> (ssl_sni) www.ogre.com not available in the map
[Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:332 (set_context_cert)> (ssl) set_context_cert ssl=0x7f62a654b000 server=www.ogre.com handshake_complete=0
[Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:381 (set_context_cert)> (ssl) ssl_cert_callback found SSL context 0x7f62a9150800 for requested name ‘www.ogre.com’


At which point, it fails the TLS handshake (since www.ogre.com is not available in the map). I can see it loading the certificate though:

[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2181 (SSLParseCertificateConfiguration)> (ssl) currently parsing dest_ip
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1636 (SSLInitServerContext)> (ssl.session_cache) ssl context=0x7f62a9150800: using session cache options, enabled=2, size=102400, num_buckets=256, skip_on_contention=0, timeout=0, auto_clear=1
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1658 (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS implementation
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1672 (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1844 (SSLInitServerContext)> (ssl) Using 'ogre.crt' in hash for session id context
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1929 (SSLInitServerContext)> (ssl) SSL OCSP Stapling is disabled
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1460 (SSLCheckServerCertNow)> (ssl) server certificate ogre.crt passed accessibility and date checks
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLCertLookup.cc:184 (ticket_block_create)> (ssl) Create 1 ticket key blocks
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2004 (ssl_store_ssl_context)> (ssl) mapping '71.6.199.13' to certificate ogre.crt
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLCertLookup.cc:428 (insert)> (ssl) indexed '4706c70d' with SSL_CTX 0x7f62a9150800 [0]
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2040 (ssl_store_ssl_context)> (ssl) SSL OCSP Stapling is disabled
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2051 (ssl_store_ssl_context)> (ssl) importing SNI names from ogre.crt
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1505 (ssl_index_certificate)> (ssl) mapping '*.ogre.com' to certificate ogre.crt
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:418 (insert)> (ssl) indexed '*.ogre.com' with SSL_CTX 0x7f62a9150800 [1]
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1525 (ssl_index_certificate)> (ssl) mapping 'ogre.com' to certificates ogre.crt
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:428 (insert)> (ssl) indexed 'ogre.com' with SSL_CTX 0x7f62a9150800 [2]
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:2181 (SSLParseCertificateConfiguration)> (ssl) currently parsing dest_ip
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1636 (SSLInitServerContext)> (ssl.session_cache) ssl context=0x7f62a9146000: using session cache options, enabled=2, size=102400, num_buckets=256, skip_on_contention=0, timeout=0, auto_clear=1
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1658 (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS implementation
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1672 (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS


My multicast.config file has:

dest_ip=71.6.199.13 ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=gd_bundle-g2-g1.crt


DNS for www.ogre.com points to the IP above:

	munin (12:42) 260/0 $ host www.ogre.com
	www.ogre.com is an alias for cosmo.ogre.com.
	cosmo.ogre.com has address 71.6.199.13


Did we break wildcard matching?? Or did OpenSSL v1.1.1 do it?? The SN in the certificate is *.ogre.com.

Cheers,

— Leif
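
As an added illustration (not code from this thread or from Traffic Server itself), the following Python models the selection step the debug lines above describe: it parses ssl_multicert.config style lines, indexes each certificate under its dest_ip and under its names (the '*.ogre.com' and 'ogre.com' entries seen in the "indexed" lines), and resolves an (SNI, destination address) pair to a certificate, SNI first (exact, then wildcard), then dest_ip, then the first dest_ip=* entry as the default. The names attributed to each certificate file, the mixed.crt names, the second config line and the lookup order are assumptions made for the example; ATS reads the real names from each certificate's CN/SAN. The wildcard rule implemented is the RFC 6125 one (a single leftmost label only), which is why www.ogre.com matches '*.ogre.com' while a.b.ogre.com does not and the bare ogre.com needs its own entry. Note also that in the log above the "(ssl_sni) ... not available in the map" line and the "ssl_cert_callback found SSL context ... for requested name" line come from two different lookups, and the second one did find a context.

```python
"""Model of SNI / dest_ip certificate selection (illustrative, not ATS code)."""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the names ATS imports from each certificate file
# ("importing SNI names from ogre.crt"). A real server reads CN/SAN from the
# certificate; the mixed.crt names are invented for the example.
CERT_NAMES = {
    "ogre.crt": ["*.ogre.com", "ogre.com"],
    "mixed.crt": ["mixed.example", "*.mixed.example"],
}

# Constructed config: the thread's dest_ip=71.6.199.13 line for ogre.crt plus a
# dest_ip=* line for mixed.crt, which then acts as the default certificate.
MULTICERT_CONFIG = """\
# ssl_multicert.config style lines (constructed for the example)
dest_ip=71.6.199.13 ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=gd_bundle-g2-g1.crt
dest_ip=* ssl_cert_name=mixed.crt ssl_key_name=mixed.key ssl_ca_name=gd_bundle-g2-g1.crt
"""


@dataclass(frozen=True)
class CertRule:
    cert: str
    key: str
    ca: Optional[str]
    dest_ip: str  # "*" means any listening address


def parse_multicert(text: str) -> list[CertRule]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kv = dict(tok.split("=", 1) for tok in shlex.split(line))
        rules.append(CertRule(cert=kv["ssl_cert_name"], key=kv["ssl_key_name"],
                              ca=kv.get("ssl_ca_name"), dest_ip=kv.get("dest_ip", "*")))
    return rules


def wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125 6.4.3 rule: '*' only as the entire leftmost label, covering
    exactly one label. '*.ogre.com' matches www.ogre.com but not ogre.com,
    a.b.ogre.com or xogre.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # ".ogre.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]      # what the '*' has to cover
    return bool(leftmost) and "." not in leftmost


class CertLookup:
    """Index rules as the 'indexed ...' debug lines suggest: by dest_ip, by
    exact name and by wildcard pattern; the first dest_ip=* rule is the default."""

    def __init__(self, rules: list[CertRule]) -> None:
        self.by_ip: dict = {}
        self.exact: dict = {}
        self.wild: dict = {}
        self.default: Optional[CertRule] = None
        for rule in rules:
            if rule.dest_ip == "*":
                self.default = self.default or rule
            else:
                self.by_ip.setdefault(ipaddress.ip_address(rule.dest_ip), rule)
            for name in CERT_NAMES.get(rule.cert, []):
                name = name.lower()
                table = self.wild if name.startswith("*.") else self.exact
                table.setdefault(name, rule)   # first rule to claim a name wins

    def find(self, sni: Optional[str], dest_ip: str) -> Optional[CertRule]:
        """Assumed order: SNI (exact, then wildcard), then the address the
        client connected to, then the default certificate."""
        if sni:
            host = sni.lower().rstrip(".")
            if host in self.exact:
                return self.exact[host]
            for pattern, rule in self.wild.items():
                if wildcard_matches(pattern, host):
                    return rule
        return self.by_ip.get(ipaddress.ip_address(dest_ip)) or self.default


def select_cert(sni: Optional[str], dest_ip: str, config: str = MULTICERT_CONFIG) -> Optional[str]:
    """Return the certificate file the model would hand to the handshake."""
    rule = CertLookup(parse_multicert(config)).find(sni, dest_ip)
    return rule.cert if rule else None


if __name__ == "__main__":
    for sni in ["www.ogre.com", "ogre.com", "a.b.ogre.com", "www.mixed.example", None]:
        print(f"{sni!s:18} @71.6.199.13 -> {select_cert(sni, '71.6.199.13')}")
    print(f"{'nothere.test':18} @10.0.0.1    -> {select_cert('nothere.test', '10.0.0.1')}")
```

The model only shows which certificate the lookup ought to pick; whether the handshake actually presents it is a separate question, which is why the practical check from the client side is openssl s_client -connect 71.6.199.13:443 -servername www.ogre.com and a look at the subject and subjectAltName of the certificate returned. Susan's replies later in the thread place the failure in OpenSSL 1.1.1's handling of the non-default certificate (fixed in 1.1.1a) rather than in the name lookup.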


Re: ATS (master) + OpenSSL v1.1.1 + Wildcart cert == sad panda

Posted by Leif Hedstrom <zw...@apache.org>.

> On Dec 29, 2018, at 2:36 PM, Leif Hedstrom <zw...@apache.org> wrote:
> 
> 
> 
>> On Dec 29, 2018, at 1:06 PM, SUSAN HINRICHS <sh...@ieee.org> wrote:
>> 
>> Hmm. We run with that configuration with our 7.1.x+. I will try to write
>> a test case for master.
> 
> 
> It seems to be related to the dest_ip=1.2.3.4, not the actual wildcard. If I change it to dest_ip=*, then it works for the first rule but not the second. E.g. this works for www.ogre.com, but then other sites (matching the second line) fail:
> 
> dest_ip=* ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=gd_bundle-g2-g1.crt
> dest_ip=* ssl_cert_name=mixed.crt ssl_key_name=mixed.key ssl_ca_name=gd_bundle-g2-g1.crt


Also, if I remove the dest_ip=* from these lines, it still fails :-/.

— Leif

> 
> 
> If I flip the order, it fails as well. This is with OpenSSL v1.1.1; Bryan mentioned that maybe this is related to the fixes that went in for v1.1.1a?
> 
> Cheers
> 
> — leif
> 
> 
> 


Re: ATS (master) + OpenSSL v1.1.1 + Wildcart cert == sad panda

Posted by Susan Hinrichs <sh...@oath.com.INVALID>.
Upgraded test in PR https://github.com/apache/trafficserver/pull/4751

On Fri, Jan 4, 2019 at 9:12 AM Susan Hinrichs <sh...@oath.com> wrote:

> I added two more tests in the tls_check_cert_selection autest to exercise
> ssl_multicert with a specific dest_ip set in addition to the SNI select.
> That test passes for me with openssl-1.1.1a and the current master.  It has
> previously failed for me with openssl-1.1.1 because the later cert
> selection does not work, so only the default certificate will ever be used.
>
> Leif, did upgrading to openssl-1.1.1a fix things for you?

Re: ATS (master) + OpenSSL v1.1.1 + Wildcart cert == sad panda

Posted by Susan Hinrichs <sh...@oath.com.INVALID>.
I added two more tests in the tls_check_cert_selection autest to exercise
ssl_multicert with a specific dest_ip set in addition to the SNI select.
That test passes for me with openssl-1.1.1a and the current master.  It has
previously failed for me with openssl-1.1.1 because the later cert
selection does not work, so only the default certificate will ever be used.

Leif, did upgrading to openssl-1.1.1a fix things for you?

On Sat, Dec 29, 2018 at 5:41 PM SUSAN HINRICHS <sh...@ieee.org> wrote:

> If you use the non-default cert, you need 1.1.1a or the original 1.1.1
> release with the fix.

Re: ATS (master) + OpenSSL v1.1.1 + Wildcart cert == sad panda

Posted by SUSAN HINRICHS <sh...@ieee.org>.
If you use the non-default cert, you need 1.1.1a or the original 1.1.1
release with the fix.

On Sat, Dec 29, 2018, 3:36 PM Leif Hedstrom <zwoop@apache.org> wrote:

>
>
> > On Dec 29, 2018, at 1:06 PM, SUSAN HINRICHS <sh...@ieee.org> wrote:
> >
> > Hmm. We run with that configuration with our 7.1.x+. I will try to write
> > a test case for master.
>
>
> It seems to be related to the dest_ip=1.2.3.4, not the actual wildcard.
> If I change it to dest_ip=*, then it works for the first rule but not the
> second. E.g. this works for www.ogre.com, but then other sites (matching
> the second line) fail:
>
> dest_ip=* ssl_cert_name=ogre.crt ssl_key_name=ogre.key
> ssl_ca_name=gd_bundle-g2-g1.crt
> dest_ip=* ssl_cert_name=mixed.crt ssl_key_name=mixed.key
> ssl_ca_name=gd_bundle-g2-g1.crt
>
>
> If I flip the order, it fails as well. This is with OpenSSL v1.1.1; Bryan
> mentioned that maybe this is related to the fixes that went in for v1.1.1a?
>
> Cheers
>
> — leif

Re: ATS (master) + OpenSSL v1.1.1 + Wildcart cert == sad panda

Posted by Leif Hedstrom <zw...@apache.org>.

> On Dec 29, 2018, at 1:06 PM, SUSAN HINRICHS <sh...@ieee.org> wrote:
> 
> Hmm. We run with that configuration with our 7.1.x+. I will try to write
> a test case for master.


It seems to be related to the dest_ip=1.2.3.4, not the actual wildcard. If I change it to dest_ip=*, then it works for the first rule but not the second. E.g. this works for www.ogre.com, but then other sites (matching the second line) fail:

dest_ip=* ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=gd_bundle-g2-g1.crt
dest_ip=* ssl_cert_name=mixed.crt ssl_key_name=mixed.key ssl_ca_name=gd_bundle-g2-g1.crt


If I flip the order, it fails as well. This is with OpenSSL v1.1.1; Bryan mentioned that maybe this is related to the fixes that went in for v1.1.1a?

Cheers

— leif
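A small triage helper, added here as an example and not part of this thread or of the ATS code base: it parses the "indexed ..." and "not available in the map" debug lines quoted in the report into the name-to-SSL_CTX table that traffic_server logs at startup, then applies exact-then-single-label-wildcard matching (a model of the expected behaviour, not ATS's own lookup code) to show that www.ogre.com should have resolved to the '*.ogre.com' entry. The log sample is constructed from the lines quoted in this thread.

```python
from __future__ import annotations
import re

# Constructed sample: the 'indexed' lines from the startup log plus the
# SNI miss from the handshake, as quoted in this thread.
SAMPLE_LOG = """\
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLCertLookup.cc:428 (insert)> (ssl) indexed '4706c70d' with SSL_CTX 0x7f62a9150800 [0]
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:418 (insert)> (ssl) indexed '*.ogre.com' with SSL_CTX 0x7f62a9150800 [1]
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:428 (insert)> (ssl) indexed 'ogre.com' with SSL_CTX 0x7f62a9150800 [2]
[Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:409 (PerformAction)> (ssl_sni) www.ogre.com not available in the map
"""

INDEXED_RE = re.compile(r"\(insert\)> \(ssl\) indexed '([^']+)' with SSL_CTX (0x[0-9a-f]+)")
MISS_RE = re.compile(r"\(ssl_sni\) (\S+) not available in the map")


def parse_index(log: str) -> dict[str, str]:
    """name (or dest_ip hash) -> SSL_CTX pointer, as reported by the 'indexed' lines."""
    index: dict[str, str] = {}
    for line in log.splitlines():
        m = INDEXED_RE.search(line)
        if m:
            index[m.group(1).lower()] = m.group(2)
    return index


def parse_misses(log: str) -> list[str]:
    """SNI names the handshake reported as 'not available in the map'."""
    return [m.group(1).lower() for line in log.splitlines() if (m := MISS_RE.search(line))]


def lookup(index: dict[str, str], name: str) -> str | None:
    """Exact name first, then a single-label wildcard ('*.ogre.com' covers
    www.ogre.com but neither ogre.com nor a.b.ogre.com). This models the
    expected matching rule; it is not ATS's own lookup code."""
    name = name.lower()
    if name in index:
        return index[name]
    labels = name.split(".")
    if len(labels) >= 3:
        return index.get("*." + ".".join(labels[1:]))
    return None


def triage(log: str) -> list[tuple[str, str | None]]:
    """For each reported SNI miss, the context the name should have matched
    (None means the configuration, not the lookup, explains the miss)."""
    index = parse_index(log)
    return [(name, lookup(index, name)) for name in parse_misses(log)]
```

Running triage(SAMPLE_LOG) pairs the www.ogre.com miss with SSL_CTX 0x7f62a9150800, the context the startup log indexed under '*.ogre.com', which is what makes the miss look like a lookup problem rather than a certificate problem.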





Re: ATS (master) + OpenSSL v1.1.1 + Wildcart cert == sad panda

Posted by SUSAN HINRICHS <sh...@ieee.org>.
Hmm. We run with that configuration with our 7.1.x+. I will try to write
a test case for master.
