trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Deprecation of SSL v2/3
Date Mon, 25 Apr 2016 10:47:59 GMT


Am 25.04.2016 um 11:33 schrieb Reindl Harald:
>
> Am 17.04.2016 um 01:26 schrieb Leif Hedstrom:
>>> On Apr 16, 2016, at 4:56 PM, Reindl Harald <h.reindl@thelounge.net
>>> <mailto:h.reindl@thelounge.net>> wrote:
>>>
>>> Am 17.04.2016 um 00:52 schrieb Leif Hedstrom:
>>>>> On Apr 16, 2016, at 4:44 PM, Reindl Harald <h.reindl@thelounge.net
>>>>> <mailto:h.reindl@thelounge.net>> wrote:
>>>>>
>>>>> Am 17.04.2016 um 00:38 schrieb Leif Hedstrom:
>>>>>>> so what gives you ab -c 5 -n 100https://www.thelounge.net/on
>>>>>>> <http://www.thelounge.net/on> your client?
>>>>>>
>>>>>> It fails too from that CentOS7 box to your box.
>>>>>>>
>>>>>>> [harry@srv-rhsoft:~]$ ab -c 5 -n
>>>>>>> 100https://docs.trafficserver.apache.org/
>>>>>>> <http://docs.trafficserver.apache.org/>
>>>>>>> This is ApacheBench, Version 2.3 <$Revision: 1706008 $>
>>>>>>> Copyright 1996 Adam Twiss, Zeus Technology
>>>>>>> Ltd,http://www.zeustech.net/
>>>>>>> Licensed to The Apache Software Foundation,http://www.apache.org/
>>>>>>>
>>>>>>> Benchmarkingdocs.trafficserver.apache.org
>>>>>>> <http://benchmarkingdocs.trafficserver.apache.org>
>>>>>>> <http://docs.trafficserver.apache.org/>(be patient)...^C
>>>>>>>
>>>>>>> Server Software:        ATS/6.2.0
>>>>>>> Server Hostname: docs.trafficserver.apache.org
>>>>>>> <http://docs.trafficserver.apache.org/>
>>>>>>> Server Port:            443
>>>>>>> SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
>>>>>>
>>>>>> So it seems your ab works against this CentOS7 box running ATS
>>>>>> v6.2.0 ?
>>>>>
>>>>> yes
>>>>>
>>>>>> What version of OpenSSL did you build ATS with? I am running
>>>>>> docs.trafficserver.a.o with OpenSSL v1.0.2g if I recall (latest
>>>>>> stable
>>>>>> release)
>>>>>
>>>>> seems not matter that much since i have this issue for years now and
>>>>> the httpd servers are built in the same environments with the same
>>>>> libraries and don't have that issue
>>>>
>>>> Wonder if it could be one of those -f compiler flags? I’m attaching
>>>> my config.nice that I run on docs.trafficserver, this compiles with
>>>> ASAN though, so you likely want to remove that at least (if you are
>>>> willing to try).
>>>
>>> i will give it a try ASAP, however the whole web and mail stack is
>>> built with that flags (based on the flags below which are %{optflags}
>>> and only ATS has the specific problem
>>
>> Yeah, it seems odd that it’d break like that because of compiler flags.
>> But I honestly have no other ideas as to why it breaks on your system,
>> and not mine :-/. Can anyone else confirm or deny this breakage on their
>> installs?
>
> just a notice again before i try to build with other flags
> _____________________________________________
>
> https://www.ssllabs.com/ssltest/
>
> docs.trafficserver.apache.org:
> SSL 2 handshake compatibility     Yes
>
> www.thelounge.net:
> SSL 2 handshake compatibility     No
> _____________________________________________
>
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 0
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.multicert.filename STRING
> ssl_multicert.config
> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.private_key.path STRING
> /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.cipher_suite STRING
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECD$
>
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> CONFIG proxy.config.ssl.server.dhparams_file STRING
> /etc/trafficserver/ssl/dhparams.pem

no idea - same with the build below - with -fsanitize=address it becomes 
fat and unstable (no client connection at all)

#export CFLAGS="-g0 -fstack-protector -fsanitize=address 
-fno-omit-frame-pointer"
#export CXXFLAGS="-g0 -fstack-protector -fsanitize=address 
-fno-omit-frame-pointer"
#export CPPFLAGS="-D_FORTIFY_SOURCE=2"
#export LDFLAGS="-Wl,-z,relro -Wl,-z,now"

export CFLAGS="-m64 -O2 -g0 -pipe -fstack-protector -fno-strict-aliasing 
-fno-omit-frame-pointer -D_FORTIFY_SOURCE=2"
export CXXFLAGS="$CFLAGS"
export CPPFLAGS="-D_FORTIFY_SOURCE=2"
export LDFLAGS="-Wl,-z,relro -Wl,-z,now"


Mime
View raw message