Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2010/09/21 22:37:34 UTC

[jira] Commented: (TS-346) ATS does not verify server certificate and does not reuse session information

    [ https://issues.apache.org/jira/browse/TS-346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12913235#action_12913235 ] 

Leif Hedstrom commented on TS-346:
----------------------------------

So, I looked at this some more. Most of the code and configs are in place, but it's just not enforcing the certificate verification, I *think*. E.g. if I specify

CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.client.CA.cert.filename STRING /tmp/CA.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /tmp


It will load the CA, and initialize the OpenSSL CTX etc. properly. But it doesn't matter if the server certificate validates against the CA.pem or not; requests always pass (I tried two different origins signed by different CAs, and both succeed even though I put in only one of the CAs).

> ATS does not verify server certificate and does not reuse session information
> -----------------------------------------------------------------------------
>
>                 Key: TS-346
>                 URL: https://issues.apache.org/jira/browse/TS-346
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Security
>            Reporter: vijaya bhaskar mamidi
>            Priority: Critical
>             Fix For: 2.3.0
>
>
> ATS does not verify the certificates. We should do that based on a configuration.
> SSL session resumption can reduce the load, as in certain cases we can reuse the information from an already established SSL session to create a new SSL connection. We should have an SSL session cache.
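
The test setup described in the comment above (two origins signed by different CAs, only one CA trusted) can be rebuilt locally with the openssl command-line tool to show the result a verifying client has to produce. This is an added example, not part of the original message or of the Traffic Server code; the names caA, caB, originA and originB and all keys are constructed throwaway values, with caA.pem standing in for the CA.pem file in the config.

```shell
#!/bin/sh
# Added example: constructed throwaway CAs and origin certificates.
# caA, caB, originA, originB are hypothetical names, not from the issue.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA (NAME.pem with key NAME.key).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_origin NAME CA: create an origin certificate NAME.pem signed by CA.
make_origin() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 1 \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" 2>/dev/null
}

# verifies_against CA CERT: succeed only if CERT chains to CA.
# The output is matched instead of the exit status, because older
# openssl releases could exit 0 from "verify" even on failure.
verifies_against() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>&1 | grep -q ': OK$'
}

make_ca caA
make_ca caB
make_origin originA caA
make_origin originB caB

# Trust only caA, as when a single CA file is configured for the client side.
for origin in originA originB; do
    if verifies_against caA "$origin"; then
        echo "$origin: accepted with only caA trusted"
    else
        echo "$origin: rejected with only caA trusted"
    fi
done
```

A client that enforces verification with only caA loaded has to fail the handshake with the origin presenting originB; if both requests succeed, the CA is loaded but not enforced.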
