trafficserver-users mailing list archives

From Leif Hedstrom <zw...@apache.org>
Subject Re: Deprecation of SSL v2/3
Date Sat, 16 Apr 2016 22:43:19 GMT

> On Apr 16, 2016, at 4:38 PM, Leif Hedstrom <zwoop@apache.org> wrote:
> 
>> 
>> On Apr 16, 2016, at 4:33 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>> 
>> 
>> 
>> On 17.04.2016 at 00:24, Leif Hedstrom wrote:
>>> 
>>>> On Apr 16, 2016, at 11:16 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
>>>> 
>>>> 
>>>> On 16.04.2016 at 18:46, Phil Sorber wrote:
>>>>> Ok, here is my final plan then. I am going to mark them all deprecated
>>>>> for 6.2.x.
>>>> 
>>>> when you are at it fix the problem that ATS is the only TLS webserver out there which can't be benchmarked with "ab" reported by me *over years* multiple times while none of the httpd-servers with TLS have SSL2/SSL3 enabled because frankly our openssl has no support for anything below TLS1.0 at all
>>> 
>>> I’m not sure what problem exactly you are pointing at here.  Is it a bug in ab? Is it a bug in your OpenSSL implementation?  Fwiw, I’ve never been able to reproduce this, e.g. this works just fine on CentOS7 (and I have SSL v2 and v3 disabled, of course):
>>> 
>>> $ ab -c 5 -n 100 https://docs.trafficserver.apache.org/
>>> 
>>> Server Software:        ATS/6.2.0
>>> Server Hostname:        docs.trafficserver.apache.org
>>> Server Port:            443
>>> SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
>>> 
>>> Document Path:          /
>>> Document Length:        229 bytes
>>> 
>>> Concurrency Level:      5
>>> Time taken for tests:   2.758 seconds
>>> …
>>> 
>>> Looking at your error messages, it sounds like your ab is trying to use SSL v3, which (hopefully?) is disabled on your ATS box?
>> 
>> i *never* was able to benchmark my ATS box in the last 4 years and SSL 3 is for sure disabled - as said: openssl on Fedora doesn't even support it any longer at all
>> 
>> i *never* had a problem benchmarking any httpd box in the last 13 years
>> 
>> so what gives you ab -c 5 -n 100 https://www.thelounge.net/ on your client?
> 
> It fails too from that CentOS7 box to your box.
> 
>> 
>> 
>> [harry@srv-rhsoft:~]$ ab -c 5 -n 100 https://docs.trafficserver.apache.org/
>> This is ApacheBench, Version 2.3 <$Revision: 1706008 $>
>> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
>> Licensed to The Apache Software Foundation, http://www.apache.org/
>> 
>> Benchmarking docs.trafficserver.apache.org (be patient)...^C
>> 
>> Server Software:        ATS/6.2.0
>> Server Hostname:        docs.trafficserver.apache.org
>> Server Port:            443
>> SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
> 


I did the same test against https://www.ogre.com/ as well, which also runs ATS 6.2, on Fedora
22 (stock OpenSSL). It does not reproduce your problem either :/.

— leif