trafficserver-users mailing list archives

From Phil Sorber <sor...@apache.org>
Subject Re: Deprecation of SSL v2/3
Date Mon, 25 Apr 2016 15:55:49 GMT
On Mon, Apr 25, 2016 at 3:33 AM Reindl Harald <h.reindl@thelounge.net> wrote:

>
> On 17.04.2016 at 01:26, Leif Hedstrom wrote:
> >> On Apr 16, 2016, at 4:56 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
> >>
> >> On 17.04.2016 at 00:52, Leif Hedstrom wrote:
> >>>> On Apr 16, 2016, at 4:44 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
> >>>>
> >>>> On 17.04.2016 at 00:38, Leif Hedstrom wrote:
> >>>>>> so what gives you ab -c 5 -n 100 https://www.thelounge.net/ on your client?
> >>>>>
> >>>>> It fails too from that CentOS7 box to your box.
> >>>>>>
> >>>>>> [harry@srv-rhsoft:~]$ ab -c 5 -n 100 https://docs.trafficserver.apache.org/
> >>>>>> This is ApacheBench, Version 2.3 <$Revision: 1706008 $>
> >>>>>> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> >>>>>> Licensed to The Apache Software Foundation, http://www.apache.org/
> >>>>>>
> >>>>>> Benchmarking docs.trafficserver.apache.org (be patient)...^C
> >>>>>>
> >>>>>> Server Software:        ATS/6.2.0
> >>>>>> Server Hostname:        docs.trafficserver.apache.org
> >>>>>> Server Port:            443
> >>>>>> SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
> >>>>>
> >>>>> So it seems your ab works against this CentOS7 box running ATS v6.2.0?
> >>>>
> >>>> yes
> >>>>
> >>>>> What version of OpenSSL did you build ATS with? I am running
> >>>>> docs.trafficserver.a.o with OpenSSL v1.0.2g if I recall (latest stable
> >>>>> release)
> >>>>
> >>>> seems not to matter that much since I have had this issue for years now and
> >>>> the httpd servers are built in the same environments with the same
> >>>> libraries and don't have that issue
> >>>
> >>> Wonder if it could be one of those -f compiler flags? I’m attaching
> >>> my config.nice that I run on docs.trafficserver, this compiles with
> >>> ASAN though, so you likely want to remove that at least (if you are
> >>> willing to try).
> >>
> >> I will give it a try ASAP, however the whole web and mail stack is
> >> built with those flags (based on the flags below, which are %{optflags})
> >> and only ATS has the specific problem
> >
> > Yeah, it seems odd that it’d break like that because of compiler flags.
> > But I honestly have no other ideas as to why it breaks on your system,
> > and not mine :-/. Can anyone else confirm or deny this breakage on their
> > installs?
>
> Just a notice again before I try to build with other flags
> _____________________________________________
>
> https://www.ssllabs.com/ssltest/
>
> docs.trafficserver.apache.org:
> SSL 2 handshake compatibility   Yes
>

I believe what is going on here is that we use SSLv23_server_method() which
will negotiate the highest version of TLS supported by both sides, but does
so with the SSLv2Hello handshake. This does not mean we necessarily support
SSLv2/3.


>
> www.thelounge.net:
> SSL 2 handshake compatibility   No
>

It is my understanding that HTTPD matches the server method to only
negotiate the version configured. This means it is using something like
TLSv1_2_server_method() which only supports the TLS1.2 handshake. What is
your HTTPD config?


> _____________________________________________
>
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 0
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECD$
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> CONFIG proxy.config.ssl.server.dhparams_file STRING /etc/trafficserver/ssl/dhparams.pem
>
>

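As an added example (not code from this thread or from Traffic Server itself), the Python script below parses the records.config lines quoted above, lists the OpenSSL SSL_OP_NO_* flags a flexible SSLv23-style method must set so that only the configured versions remain negotiable, simulates the highest-common-version selection described in the reply, and applies the same floor to a Python ssl context, which wraps the same flexible OpenSSL method. It assumes Python 3.7+ with ssl.PROTOCOL_TLS_SERVER and ssl.TLSVersion available.

```python
import ssl

# Constructed excerpt of the records.config lines quoted in the thread.
RECORDS_CONFIG = """\
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
"""

# The version ladder a flexible (SSLv23-style) method can walk, lowest first.
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]
PREFIX = "proxy.config.ssl."


def enabled_versions(config_text):
    """Return the set of protocol versions the config leaves enabled (INT 1)."""
    enabled = set()
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "CONFIG" or parts[2] != "INT":
            continue
        version = parts[1][len(PREFIX):] if parts[1].startswith(PREFIX) else ""
        if version in VERSION_ORDER and parts[3] == "1":
            enabled.add(version)
    return enabled


def disable_flags(enabled):
    """SSL_OP_NO_* flags a flexible method needs so the disabled versions can
    never be chosen; SSLv23_server_method() by itself disables nothing."""
    return ["SSL_OP_NO_" + v for v in VERSION_ORDER if v not in enabled]


def negotiate(server_enabled, client_offered):
    """Highest version both sides support, or None when there is no overlap."""
    common = [v for v in VERSION_ORDER
              if v in server_enabled and v in client_offered]
    return common[-1] if common else None


def build_server_context(enabled):
    """Same floor on Python's ssl context: PROTOCOL_TLS_SERVER is the flexible
    method, and minimum_version is what actually excludes SSLv3 and below."""
    floors = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1_1": ssl.TLSVersion.TLSv1_1,
              "TLSv1_2": ssl.TLSVersion.TLSv1_2}
    lowest = next(v for v in VERSION_ORDER if v in enabled)
    if lowest not in floors:  # SSLv2/SSLv3 are not a valid floor on modern OpenSSL
        raise ValueError("config enables a version this OpenSSL cannot offer")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = floors[lowest]
    return ctx
```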