Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2015/05/13 15:01:59 UTC

[jira] [Comment Edited] (TS-3597) TLS can fail accept / handshake since commit 2a8bb593fd

    [ https://issues.apache.org/jira/browse/TS-3597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14541862#comment-14541862 ] 

Leif Hedstrom edited comment on TS-3597 at 5/13/15 1:01 PM:
------------------------------------------------------------

More from [~gancho]

It seems that this problem reproduces only if you don't use a specific dest_ip=. It does not reproduce with dest_ip=*, which explains why we are not seeing it on e.g. docs.trafficserver.apache.org. To recap, the reproducible case includes:

1) Turn off accept threads (0)

2) No dest_ip= specified in ssl_multicert.config


I haven't tested this yet, hope to do so soon.


was (Author: zwoop):
More from [~gancho]

It seems that this problem reproduces only if you use a specific dest_ip=, e.g. dest_ip=1.2.3.4. It does not reproduce with dest_ip=*, which explains why we are not seeing it on e.g. docs.trafficserver.apache.org. To recap, the reproducible case includes:

1) Turn off accept threads (0)

2) Use a specific dest_ip= specified in ssl_multicert.config

> TLS can fail accept / handshake since commit 2a8bb593fd
> -------------------------------------------------------
>
>                 Key: TS-3597
>                 URL: https://issues.apache.org/jira/browse/TS-3597
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Leif Hedstrom
>            Assignee: Susan Hinrichs
>            Priority: Critical
>             Fix For: 6.0.0
>
>
> At least under certain conditions (slightly unclear, but possibly a race with multiple NUMA nodes), we fail to accept / TLS handshake. I've tracked this down to the commit from 2a8bb593fdd7ca9125efad76e27f3f17f5bca794.
> The commit prior to this does not expose the problem. [~gancho] also discovered that this problem is only triggered when accept thread is off (0).
> Also from [~gancho], when this reproduces, a command like e.g. this will fail the handshake completely (no ciphers):
> {code}
> openssl s_client -connect 10.1.2.3:443 -tls1 -servername some.host.com
> {code}
> Also, since this only happens with accept thread off (0), which implies accept on every ET_NET thread, maybe there's some sort of race condition going on here? That's just a wild speculation though.


