Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2015/05/13 15:01:59 UTC
[jira] [Comment Edited] (TS-3597) TLS can fail accept / handshake since commit 2a8bb593fd
[ https://issues.apache.org/jira/browse/TS-3597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14541862#comment-14541862 ]
Leif Hedstrom edited comment on TS-3597 at 5/13/15 1:01 PM:
------------------------------------------------------------
More from [~gancho]
It seems that this problem reproduces only if you don't use a specific dest_ip=. It does not reproduce with dest_ip=*, which explains why we are not seeing it on e.g. docs.trafficserver.apache.org. To recap, the reproducible case includes:
1) Turn off accept threads (0)
2) No dest_ip= specified in ssl_multicert.config
I haven't tested this yet, hope to do so soon.
was (Author: zwoop):
More from [~gancho]
It seems that this problem reproduces only if you use a specific dest_ip=, e.g. dest_ip=1.2.3.4. It does not reproduce with dest_ip=*, which explains why we are not seeing it on e.g. docs.trafficserver.apache.org. To recap, the reproducible case includes:
1) Turn off accept threads (0)
2) Use a specific dest_ip= specified in ssl_multicert.config
> TLS can fail accept / handshake since commit 2a8bb593fd
> -------------------------------------------------------
>
> Key: TS-3597
> URL: https://issues.apache.org/jira/browse/TS-3597
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Reporter: Leif Hedstrom
> Assignee: Susan Hinrichs
> Priority: Critical
> Fix For: 6.0.0
>
>
> At least under certain conditions (slightly unclear, but possibly a race with multiple NUMA nodes), we fail to accept / TLS handshake. I've tracked this down to the commit from 2a8bb593fdd7ca9125efad76e27f3f17f5bca794.
> The commit prior to this does not expose the problem. [~gancho] also discovered that this problem is only triggered when accept thread is off (0).
> Also from [~gancho], when this reproduces, a command like e.g. this will fail the handshake completely (no ciphers):
> {code}
> openssl s_client -connect 10.1.2.3:443 -tls1 -servername some.host.com
> {code}
> Also, since this only happens with accept thread off (0), which implies accept on every ET_NET thread, maybe there's some sort of race condition going on here? That's just a wild speculation though.
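Added example, not part of the original message or of the Traffic Server code base: a small check that reads a records.config / ssl_multicert.config pair and reports whether it matches the reproducing conditions named in the comment, in both its edited wording (no dest_ip=) and its earlier wording (a specific dest_ip=). The sample configs and all function names are constructed for illustration; an unset proxy.config.accept_threads is reported as None rather than assumed to be 0.

```python
import shlex

# Constructed sample configs (not taken from the ticket).
SAMPLE_RECORDS = """\
# records.config
CONFIG proxy.config.accept_threads INT 0
"""
SAMPLE_MULTICERT = """\
# ssl_multicert.config
ssl_cert_name=default.pem
dest_ip=* ssl_cert_name=wild.pem
dest_ip=1.2.3.4 ssl_cert_name=pinned.pem ssl_key_name=pinned.key
"""

def accept_threads(records_text):
    """Return proxy.config.accept_threads as int, or None if the text does not set it."""
    value = None
    for line in records_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[:2] == ["CONFIG", "proxy.config.accept_threads"]:
            value = int(parts[3])
    return value

def classify_multicert(text):
    """Return [(line_no, kind)] with kind 'none', 'wildcard' or 'specific' by dest_ip=."""
    kinds = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        fields = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
        dest = fields.get("dest_ip")
        kinds.append((no, "none" if dest is None else "wildcard" if dest == "*" else "specific"))
    return kinds

def check(records_text, multicert_text):
    """Compare a config pair against both wordings of the conditions in the comment."""
    threads = accept_threads(records_text)
    kinds = classify_multicert(multicert_text)
    none = [n for n, k in kinds if k == "none"]
    specific = [n for n, k in kinds if k == "specific"]
    return {
        "accept_threads": threads,
        "no_dest_ip_lines": none,
        "specific_dest_ip_lines": specific,
        "matches_edited_comment": threads == 0 and bool(none),
        "matches_earlier_comment": threads == 0 and bool(specific),
    }

if __name__ == "__main__":
    print(check(SAMPLE_RECORDS, SAMPLE_MULTICERT))
```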