Posted to issues@trafficserver.apache.org by "vijaya bhaskar mamidi (JIRA)" <ji...@apache.org> on 2010/05/12 01:33:41 UTC

[jira] Created: (TS-346) ATS does not verify server certificate and does not reuse session information

ATS does not verify server certificate and does not reuse session information
-----------------------------------------------------------------------------

                 Key: TS-346
                 URL: https://issues.apache.org/jira/browse/TS-346
             Project: Traffic Server
          Issue Type: Improvement
            Reporter: vijaya bhaskar mamidi
            Priority: Minor


ATS does not verify the certificates. We should do that based on a configuration.

SSL session resumption can reduce the load, as in certain cases we can reuse the information from an already established SSL session to create a new SSL connection. We should have an SSL session cache.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (TS-346) ATS does not verify server certificate and does not reuse session information

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12913235#action_12913235 ] 

Leif Hedstrom commented on TS-346:
----------------------------------

So, I looked at this some more, most of the code and configs are in place, but it's just not enforcing the certificate verification, I *think*. E.g. if I specify

CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.client.CA.cert.filename STRING /tmp/CA.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /tmp


It will load the CA, and initialize the OpenSSL CTX etc. properly. But, it doesn't matter if the server certificate validates against the CA.pem or not, requests always pass (I tried two different origins signed by different CAs, and both succeed even though I put in only one of the CAs).

> ATS does not verify server certificate and does not reuse session information
> -----------------------------------------------------------------------------
>
>                 Key: TS-346
>                 URL: https://issues.apache.org/jira/browse/TS-346
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Security
>            Reporter: vijaya bhaskar mamidi
>            Priority: Critical
>             Fix For: 2.3.0
>
>
> ATS does not verify the certificates. We should do that based on a configuration 
> SSL session resumption can reduce the load as in certain cases we can reuse the information from an already established SSL session to create a new SSL connection.  We should have a ssl session cache .



[jira] Updated: (TS-346) ATS does not verify server certificate and does not reuse session information

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-346:
-----------------------------

    Priority: Critical  (was: Minor)

> ATS does not verify server certificate and does not reuse session information
> -----------------------------------------------------------------------------
>
>                 Key: TS-346
>                 URL: https://issues.apache.org/jira/browse/TS-346
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Security
>            Reporter: vijaya bhaskar mamidi
>            Priority: Critical
>             Fix For: 2.1.2
>
>
> ATS does not verify the certificates. We should do that based on a configuration 
> SSL session resumption can reduce the load as in certain cases we can reuse the information from an already established SSL session to create a new SSL connection.  We should have a ssl session cache .



[jira] Commented: (TS-346) ATS does not verify server certificate and does not reuse session information

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12884529#action_12884529 ] 

Leif Hedstrom commented on TS-346:
----------------------------------

VJ: is there any chance you'll be able to work on this in the near future, for the v2.2.0 release? If not, unless someone else wants to dig into the SSL tar pit, we should move this to 2.3.0.

> ATS does not verify server certificate and does not reuse session information
> -----------------------------------------------------------------------------
>
>                 Key: TS-346
>                 URL: https://issues.apache.org/jira/browse/TS-346
>             Project: Traffic Server
>          Issue Type: Improvement
>            Reporter: vijaya bhaskar mamidi
>            Priority: Minor
>             Fix For: 2.1.2
>
>
> ATS does not verify the certificates. We should do that based on a configuration 
> SSL session resumption can reduce the load as in certain cases we can reuse the information from an already established SSL session to create a new SSL connection.  We should have a ssl session cache .



[jira] Updated: (TS-346) ATS does not verify server certificate and does not reuse session information

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-346:
-----------------------------

    Fix Version/s: 2.3.0
                       (was: 2.1.3)

Moving this out to v2.3.0, since no one seems to want to work on this right now. 

> ATS does not verify server certificate and does not reuse session information
> -----------------------------------------------------------------------------
>
>                 Key: TS-346
>                 URL: https://issues.apache.org/jira/browse/TS-346
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Security
>            Reporter: vijaya bhaskar mamidi
>            Priority: Critical
>             Fix For: 2.3.0
>
>
> ATS does not verify the certificates. We should do that based on a configuration 
> SSL session resumption can reduce the load as in certain cases we can reuse the information from an already established SSL session to create a new SSL connection.  We should have a ssl session cache .



[jira] Updated: (TS-346) ATS does not verify server certificate and does not reuse session information

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-346:
-----------------------------

    Fix Version/s: 2.1.2

> ATS does not verify server certificate and does not reuse session information
> -----------------------------------------------------------------------------
>
>                 Key: TS-346
>                 URL: https://issues.apache.org/jira/browse/TS-346
>             Project: Traffic Server
>          Issue Type: Improvement
>            Reporter: vijaya bhaskar mamidi
>            Priority: Minor
>             Fix For: 2.1.2
>
>
> ATS does not verify the certificates. We should do that based on a configuration 
> SSL session resumption can reduce the load as in certain cases we can reuse the information from an already established SSL session to create a new SSL connection.  We should have a ssl session cache .



[jira] Updated: (TS-346) ATS does not verify server certificate

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-346:
-----------------------------

        Summary: ATS does not verify server certificate  (was: ATS does not verify server certificate and does not reuse session information)
    Description: ATS does not verify the certificates correctly.  (was: ATS does not verify the certificates. We should do that based on a configuration 

SSL session resumption can reduce the load as in certain cases we can reuse the information from an already established SSL session to create a new SSL connection.  We should have a ssl session cache .)

Changing this to be a separate bug for the two "issues" originally described.

> ATS does not verify server certificate
> --------------------------------------
>
>                 Key: TS-346
>                 URL: https://issues.apache.org/jira/browse/TS-346
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Security
>            Reporter: vijaya bhaskar mamidi
>            Priority: Critical
>             Fix For: 2.3.0
>
>
> ATS does not verify the certificates correctly.



[jira] Commented: (TS-346) ATS does not verify server certificate and does not reuse session information

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12913241#action_12913241 ] 

Leif Hedstrom commented on TS-346:
----------------------------------

Actually, I take that back, I configured it with a CA bundle provided with my OS (Fedora Core 13), and it mostly works. My configs are

CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.client.CA.cert.filename STRING /etc/pki/tls/certs/ca-bundle.crt
CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/pki/tls/certs


With this, it'll actually refuse proxying to an HTTPS server if the certificate doesn't verify, e.g.

[Sep 21 14:47:26.728] Server {140737254536976} ERROR: SSL ERROR: sslClientHandShakeEvent.
[Sep 21 14:47:26.728] Server {140737254536976} ERROR: SSL::13:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1060:
[Sep 21 14:47:26.846] Server {140737254536976} ERROR: SSL ERROR: sslClientHandShakeEvent.


However, it'll also hang the client connection, and when the client exits, we segfault with a stack like

#0  0x0000000000000000 in ?? ()
#1  0x0000000000529787 in HttpServerSession::do_io_close (this=0x7fffd403b850, 
    alerrno=<value optimized out>) at HttpServerSession.cc:147
#2  0x000000000053e3a6 in cleanup_entry (this=0x7fffdbf7b400) at HttpSM.cc:272
#3  cleanup_all (this=0x7fffdbf7b400) at HttpSM.cc:283
#4  HttpSM::kill_this (this=0x7fffdbf7b400) at HttpSM.cc:6351
#5  0x000000000053eed8 in HttpSM::main_handler (this=0x7fffdbf7b400, event=104, 
    data=0x7fffe0013748) at HttpSM.cc:2606
#6  0x00000000006aaaf1 in handleEvent (event=<value optimized out>, nh=
    0x7ffff2f13638, vc=0x7fffe0013660)
    at ../../iocore/eventsystem/I_Continuation.h:149
#7  read_signal_and_update (event=<value optimized out>, nh=0x7ffff2f13638, 
    vc=0x7fffe0013660) at UnixNetVConnection.cc:146
#8  read_signal_done (event=<value optimized out>, nh=0x7ffff2f13638, 
    vc=0x7fffe0013660) at UnixNetVConnection.cc:176
#9  0x00000000006abe95 in read_from_net (nh=0x7ffff2f13638, vc=0x7fffe0013660, 
    thread=<value optimized out>) at UnixNetVConnection.cc:308
#10 0x00000000006a4fb0 in NetHandler::mainNetEvent (this=0x7ffff2f13638, 
    event=<value optimized out>, e=<value optimized out>) at UnixNet.cc:414
#11 0x00000000006cdd84 in handleEvent (this=0x7ffff2f12010, e=0x1029030, 
    calling_code=5) at I_Continuation.h:149
#12 EThread::process_event (this=0x7ffff2f12010, e=0x1029030, calling_code=5)
    at UnixEThread.cc:143
#13 0x00000000006ce713 in EThread::execute (this=0x7ffff2f12010) at UnixEThread.cc:265
#14 0x00000000006cc83a in spawn_thread_internal (a=0xf7f550) at Thread.cc:85
#15 0x00007ffff7bc9761 in start_thread (arg=0x7ffff2103710) at pthread_create.c:301
#16 0x00007ffff57494ed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

> ATS does not verify server certificate and does not reuse session information
> -----------------------------------------------------------------------------
>
>                 Key: TS-346
>                 URL: https://issues.apache.org/jira/browse/TS-346
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Security
>            Reporter: vijaya bhaskar mamidi
>            Priority: Critical
>             Fix For: 2.3.0
>
>
> ATS does not verify the certificates. We should do that based on a configuration 
> SSL session resumption can reduce the load as in certain cases we can reuse the information from an already established SSL session to create a new SSL connection.  We should have a ssl session cache .

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
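
An added example (not part of the original thread and not ATS code): a small Python parser that picks the OpenSSL error-queue entry out of log lines shaped like the three quoted in the comment above and flags origin handshakes rejected for certificate verification. The function names are hypothetical, and the lib/func/reason split assumes the error-code packing used by OpenSSL releases before 3.0.

```python
import re

# Sample input embedded for this example: the three error-log lines from the comment.
SAMPLE_LOG = """\
[Sep 21 14:47:26.728] Server {140737254536976} ERROR: SSL ERROR: sslClientHandShakeEvent.
[Sep 21 14:47:26.728] Server {140737254536976} ERROR: SSL::13:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1060:
[Sep 21 14:47:26.846] Server {140737254536976} ERROR: SSL ERROR: sslClientHandShakeEvent.
"""

# OpenSSL error-queue text: error:<hex code>:<library>:<function>:<reason>:<file>:<line>:
OPENSSL_ERR = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Server \{(?P<thread>\d+)\} ERROR: .*?"
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

def unpack_code(code_hex):
    """Split a packed pre-3.0 OpenSSL error code into (lib, func, reason) numbers."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def parse_ssl_errors(log_text):
    """Return one dict per log line that carries an OpenSSL error-queue entry."""
    events = []
    for line in log_text.splitlines():
        m = OPENSSL_ERR.match(line)
        if not m:
            continue  # e.g. the bare "SSL ERROR: sslClientHandShakeEvent." lines
        ev = m.groupdict()
        ev["lib_no"], ev["func_no"], ev["reason_no"] = unpack_code(ev["code"])
        events.append(ev)
    return events

def origin_verify_failures(log_text):
    """Select handshakes refused because the origin certificate did not verify."""
    return [ev for ev in parse_ssl_errors(log_text)
            if ev["reason"] == "certificate verify failed"]

if __name__ == "__main__":
    for ev in origin_verify_failures(SAMPLE_LOG):
        print(ev["ts"], ev["func"], hex(ev["reason_no"]), f'{ev["file"]}:{ev["line"]}')
```

Counting these entries per origin after turning on proxy.config.ssl.client.verify.server shows which backends are missing from the configured CA bundle.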


[jira] Updated: (TS-346) ATS does not verify server certificate and does not reuse session information

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-346:
-----------------------------

    Component/s: Security

> ATS does not verify server certificate and does not reuse session information
> -----------------------------------------------------------------------------
>
>                 Key: TS-346
>                 URL: https://issues.apache.org/jira/browse/TS-346
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Security
>            Reporter: vijaya bhaskar mamidi
>            Priority: Minor
>             Fix For: 2.1.2
>
>
> ATS does not verify the certificates. We should do that based on a configuration 
> SSL session resumption can reduce the load as in certain cases we can reuse the information from an already established SSL session to create a new SSL connection.  We should have a ssl session cache .



[jira] Updated: (TS-346) ATS does not verify server certificate

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-346:
-----------------------------

    Component/s: SSL
                     (was: Security)

> ATS does not verify server certificate
> --------------------------------------
>
>                 Key: TS-346
>                 URL: https://issues.apache.org/jira/browse/TS-346
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: vijaya bhaskar mamidi
>            Priority: Critical
>             Fix For: 2.3.0
>
>
> ATS does not verify the certificates correctly.
