Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2011/05/09 04:04:03 UTC

[jira] [Updated] (TS-718) can not reuse SSL connections on RHEL5/CentOS5

     [ https://issues.apache.org/jira/browse/TS-718?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-718:
-----------------------------

    Fix Version/s:     (was: 2.1.9)
                   3.1

Moving a few bugs out to 3.1, since either they need more work, or we need more information to reproduce.

> can not reuse SSL connections on RHEL5/CentOS5
> ----------------------------------------------
>
>                 Key: TS-718
>                 URL: https://issues.apache.org/jira/browse/TS-718
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 2.1.7
>         Environment: RHEL5 system with TS 2.1.6 2.1.7
> compared with Apache httpd
>            Reporter: Zhao Yongming
>            Assignee: qianshi
>             Fix For: 3.1
>
>         Attachments: TS-718-v2.patch, TS-718.patch
>
>
> With Apache httpd's default mod_ssl:
> {noformat}
> [root@ts1 httpd]# echo | openssl s_client -reconnect -connect localhost:443 2>&1
> CONNECTED(00000003)
> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=root@ts1.test.cnz.alimama.com
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=root@ts1.test.cnz.alimama.com
> verify return:1
> ---
> Certificate chain
>  0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=root@ts1.test.cnz.alimama.com
>    i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=root@ts1.test.cnz.alimama.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIDSzCCArSgAwIBAgICUWcwDQYJKoZIhvcNAQEFBQAwgcExCzAJBgNVBAYTAi0t
> MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
> DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
> bml0MSEwHwYDVQQDDBh0czEudGVzdC5jbnouYWxpbWFtYS5jb20xLDAqBgkqhkiG
> 9w0BCQEWHXJvb3RAdHMxLnRlc3QuY256LmFsaW1hbWEuY29tMB4XDTExMDMyNDEw
> Mjk1MVoXDTEyMDMyMzEwMjk1MVowgcExCzAJBgNVBAYTAi0tMRIwEAYDVQQIDAlT
> b21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQKDBBTb21lT3JnYW5p
> emF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxVbml0MSEwHwYDVQQD
> DBh0czEudGVzdC5jbnouYWxpbWFtYS5jb20xLDAqBgkqhkiG9w0BCQEWHXJvb3RA
> dHMxLnRlc3QuY256LmFsaW1hbWEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
> iQKBgQDg0xr6MMfTUooenmxTyXiaSiHMfrkbGGhjgE0slP1iWfBf62Qal1daSSb8
> hSSFCZI78RWAp/bcadHGPo43xDWBmohLyTnlWksKKcbSJ9atdijC2L2CJNXiWgKC
> cu+2jOTLAw0YJVOufuJmm8QaqmHl4y3UGE626VDN8lPGBCrQcwIDAQABo1AwTjAd
> BgNVHQ4EFgQUIAfaVLkaRWgWp+zxPtp0bWfbbsgwHwYDVR0jBBgwFoAUIAfaVLka
> RWgWp+zxPtp0bWfbbsgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA1
> qYMZB0MuCQz2yCAx25C3+UtoZuxdmQxekmOPjtRAm2CRccW7r0ne57BcVU79Qk2s
> 6KTU4fO7lJ1tz49ZkX5zts5WuqsWDSb4cfyDb3ybubcZwUu+eSkqVkx/7GAuVgcl
> weoLXdgpQ779T45SovOR212BXQpYI0piMDNIB9p0mA==
> -----END CERTIFICATE-----
> subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=root@ts1.test.cnz.alimama.com
> issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=root@ts1.test.cnz.alimama.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1418 bytes and written 319 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
>     Session-ID-ctx: 
>     Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
>     Key-Arg   : None
>     Krb5 Principal: None
>     Start Time: 1300962675
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
>     Session-ID-ctx: 
>     Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
>     Key-Arg   : None
>     Krb5 Principal: None
>    Compression: 1 (zlib compression)
>     Start Time: 1300962675
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
>     Session-ID-ctx: 
>     Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
>     Key-Arg   : None
>     Krb5 Principal: None
>    Compression: 1 (zlib compression)
>     Start Time: 1300962675
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
>     Session-ID-ctx: 
>     Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
>     Key-Arg   : None
>     Krb5 Principal: None
>    Compression: 1 (zlib compression)
>     Start Time: 1300962675
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
>     Session-ID-ctx: 
>     Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
>     Key-Arg   : None
>     Krb5 Principal: None
>    Compression: 1 (zlib compression)
>     Start Time: 1300962675
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
>     Session-ID-ctx: 
>     Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
>     Key-Arg   : None
>     Krb5 Principal: None
>    Compression: 1 (zlib compression)
>     Start Time: 1300962675
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> DONE
> {noformat}
> It works fine, but when using TS:
> {noformat}
> [root@ts1 httpd]# echo | openssl s_client -reconnect -connect localhost:443 2>&1
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
>    i:/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ca.ZYMLinux.net/emailAddress=ca@ZYMLinux.net
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGHTCCBAWgAwIBAgIBDDANBgkqhkiG9w0BAQUFADCBjzELMAkGA1UEBhMCQ04x
> EDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0JlaWppbmcxFTATBgNVBAoTDFpZ
> TUxpbnV4Lm5ldDELMAkGA1UECxMCQ0ExGDAWBgNVBAMTD2NhLlpZTUxpbnV4Lm5l
> dDEeMBwGCSqGSIb3DQEJARYPY2FAWllNTGludXgubmV0MB4XDTExMDMwODAyNDMx
> MFoXDTEyMDMwNzAyNDMxMFowgaExCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlq
> aW5nMRAwDgYDVQQHEwdCZWlqaW5nMRUwEwYDVQQKEwxaWU1MaW51eC5uZXQxCzAJ
> BgNVBAsTAkNBMSEwHwYDVQQDExh0czMudGVzdC5jbnouYWxpbWFtYS5jb20xJzAl
> BgkqhkiG9w0BCQEWGHRzMy50ZXN0LmNuei5hbGltYW1hLmNvbTCCASIwDQYJKoZI
> hvcNAQEBBQADggEPADCCAQoCggEBAK1wb18KVJCJM0hdr4xzVIvoVwnWqn4MJ/Kl
> o9/FWARJDyymm0RRiU2Enfd+BS7Bj4SJZ8TAhS6PoPD9vK1Sua/Pt3IYPRF9CL89
> jIf5tAXwjCFZhnswhs1HskrtPnOzjbl7H/qFBdNGMvZytPrGxzCsBeXnJsn21M1U
> WVn4sgSSBx/vS2H4BZXSyKihq205seDUt6u6L7S0KuDWFRFmBvWkoeaJktS3vyc3
> o1e5B9emVa3scmnIYwrrznA5rNr+gd0EEwaCYNG8zamWF3WnWMMX/LPZhKddjwBh
> 5DrcfDEM+Io9gvzfjgc7httyNF4dJxUbQ1gyE9PvIlsQI15ClvcCAwEAAaOCAW4w
> ggFqMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMCsGCWCGSAGG+EIBDQQe
> FhxUaW55Q0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSJmPPFTTmt
> BX9nH55uSiQ4eiCubTCBvAYDVR0jBIG0MIGxgBQbuyvDvYMO2DZ8QnANQf13Y2po
> PKGBlaSBkjCBjzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNV
> BAcTB0JlaWppbmcxFTATBgNVBAoTDFpZTUxpbnV4Lm5ldDELMAkGA1UECxMCQ0Ex
> GDAWBgNVBAMTD2NhLlpZTUxpbnV4Lm5ldDEeMBwGCSqGSIb3DQEJARYPY2FAWllN
> TGludXgubmV0ggEAMBoGA1UdEgQTMBGBD2NhQFpZTUxpbnV4Lm5ldDAjBgNVHREE
> HDAagRh0czMudGVzdC5jbnouYWxpbWFtYS5jb20wDQYJKoZIhvcNAQEFBQADggIB
> AAWHF+E7cQu37DSU2RA3aSEjKN0wixzCcDjQvBRl4lP+r56UcPbJSV264uKqIMRZ
> Vq4Sp0haE1NOYrS+vq7+Ws0hnuXaKysNOwcwia2Epi4AHcb81Ou6RLWP5ClVoL/o
> 2HCzx4wwJsVTP5dHktYYFjUk6rv9bvOl0ESyBtyGKHeG+Vuj+27ZshV3H1IRAgdE
> nfUx85hEjVbUmvuWFIE6sw92YnXTFFCSzMjpqU8+fHdd0KQ2z9UBY9KaRhjf57se
> oqcQzJGSV67qqJNiIuBLAQJC/5090m+LwDuAm9abRFF/Qz8MZp7ZoxEG8KoqBAXg
> 3qkNo1e4uQEhlDk9ttMR/BSi9iRxH95EBay0zWWKfrJ+S4zR2cI8/B0hTg42N/Ek
> rbeszX4NEu3MZTfxuOwDoQkStHl6Wwe9/DMrqXtn2LyFTSxSOZwTsQCGT0Gxdvvo
> e9DM/tTzwttwzWQhcgWv0rpv4T5amGckDtou2cAaSQtpUZ84+HUvIA/2PCUf8vs7
> gdkppnxUwemG/KDtqlX9MmTn6hNm3YgbQHPukNX8Mj8YCRAwP65yeZyxI/uysHtn
> yoW/dEVqfud0/KnkJD5Bxz3RlOvj0Bg6mqbCB3siDvaLA9TfMbMGnMCbkJ282Kdh
> TxeXEoP7oSznRJwTLeYaDBuz7TypMz/6FZ3DJXGjq00O
> -----END CERTIFICATE-----
> subject=/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> issuer=/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ca.ZYMLinux.net/emailAddress=ca@ZYMLinux.net
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1738 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: 4655CB9C20336F697635D635BA10C454B4CAF65CE6965B74D88053A8930F49D7
>     Session-ID-ctx: 
>     Master-Key: B570F0491201E31F6E69A9BD7B0308B628FEB841F2F296F67D48A74D539B54C617E31ACE9A8665893F07B7531908928F
>     Key-Arg   : None
>     Krb5 Principal: None
>     Start Time: 1300962759
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: 9A2259F250116E51D7E02D6930EA66F597955A9817B50D902FD60A146884B89E
>     Session-ID-ctx: 
>     Master-Key: 786BC54F416400E75D3817883618579FADE6EC2654DF97E8D6E862920198641EBE0BA5C3C71831972FC5A5286D4CE983
>     Key-Arg   : None
>     Krb5 Principal: None
>    Compression: 1 (zlib compression)
>     Start Time: 1300962759
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: 1D0DD5DD06E9C2D1190EA13D89D7C5908E82A7DBEC96CFA85975A5643BC7F7AB
>     Session-ID-ctx: 
>     Master-Key: A409F56F9AD1155B4D194B7B42B4A3E93A65F75E44B38C1A33A8A51EBA747FF6E6BF9E36241C8422DC5F414E21183F3E
>     Key-Arg   : None
>     Krb5 Principal: None
>    Compression: 1 (zlib compression)
>     Start Time: 1300962759
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: A6FF45E425461DEB031419FE72EC5674A448450BA197FECE8CC27A58CAD0ED55
>     Session-ID-ctx: 
>     Master-Key: 3C5696BCC95BE15B2352F157340F70E7AA13CE6AA5A07D1F606A617380603D72FB856907511DF168A919ED023FF76BD0
>     Key-Arg   : None
>     Krb5 Principal: None
>    Compression: 1 (zlib compression)
>     Start Time: 1300962759
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: 90A1D6EE36998F47A335578819698EE57933DB788C430D617C8B07E7872D011E
>     Session-ID-ctx: 
>     Master-Key: 87ED7181AFE13C8A36A5A6A2A9E9912C1E4AADED0053C3F03ADC9E01D9548A4D791A1B4EACB20851585F730E455677E4
>     Key-Arg   : None
>     Krb5 Principal: None
>    Compression: 1 (zlib compression)
>     Start Time: 1300962759
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: DB52C8DA3A369E05DB5E8A21ED0B7A931AC235651EDF6FFE85F21D5F0452CBF2
>     Session-ID-ctx: 
>     Master-Key: 90E093DB76E39DA4A534EE73F2EB87CA48B1BC5B2E1D017C0D0ADED02F151A80802729ADEA0DAF54EF6F271413B1E522
>     Key-Arg   : None
>     Krb5 Principal: None
>    Compression: 1 (zlib compression)
>     Start Time: 1300962759
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> DONE
> {noformat}
> Also tested TS on another distribution; it works without error:
> Gentoo:
> {noformat}
> zymtest1 trafficserver # echo | openssl s_client -reconnect -connect zymtest1.corp.aliyk.com:443 2>&1 | grep Reused
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> {noformat}

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
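
The `New` versus `Reused` comparison the report makes by eye can be scripted. The following is an added example, not part of the original report or of Traffic Server: it counts full and resumed handshakes and distinct Session-IDs in `openssl s_client -reconnect` output. The function names and the sample Session-ID values are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl s_client -reconnect` output.
# Live use (command as in the report):
#   echo | openssl s_client -reconnect -connect localhost:443 2>&1 | summarize_reconnect
# Reads the output on stdin; a leading "> " (mail quoting) is tolerated.
# Prints: new=<n> reused=<n> session_ids=<distinct non-empty IDs>
summarize_reconnect() {
    awk '
        { sub(/^> ?/, "") }
        /^New, /    { n_new++ }
        /^Reused, / { n_reused++ }
        # Matches "Session-ID:" only, not "Session-ID-ctx:".
        /^[ \t]*Session-ID:/ {
            if ($2 != "" && !($2 in seen)) { seen[$2] = 1; ids++ }
        }
        END { printf "new=%d reused=%d session_ids=%d\n", n_new, n_reused, ids }
    '
}

# Exit 0 only when one full handshake was followed by resumptions that all
# kept the same Session-ID; exit 1 for anything else.
resumption_ok() {
    case "$(summarize_reconnect)" in
        "new=1 reused="[1-9]*" session_ids=1") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the server resumes (shape of the httpd run above).
sample_resuming() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Session-ID: AA01
    Session-ID-ctx:
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Session-ID: AA01
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Session-ID: AA01
EOF
}

# Constructed sample: every reconnect is a full handshake (shape of the TS run),
# kept in mail-quoted form to show that the "> " prefix is handled.
sample_fresh() {
    cat <<'EOF'
> New, TLSv1/SSLv3, Cipher is AES256-SHA
>     Session-ID: BB01
> drop connection and then reconnect
> New, TLSv1/SSLv3, Cipher is AES256-SHA
>     Session-ID: BB02
> drop connection and then reconnect
> New, TLSv1/SSLv3, Cipher is AES256-SHA
>     Session-ID: BB03
EOF
}

printf 'resuming server:     %s\n' "$(sample_resuming | summarize_reconnect)"
printf 'non-resuming server: %s\n' "$(sample_fresh | summarize_reconnect)"
```
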