trafficserver-users mailing list archives

From Leif Hedstrom <zw...@apache.org>
Subject Re: Deprecation of SSL v2/3
Date Sat, 16 Apr 2016 22:38:47 GMT

> On Apr 16, 2016, at 4:33 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
> 
> 
> 
> On 17.04.2016 at 00:24, Leif Hedstrom wrote:
>> 
>>> On Apr 16, 2016, at 11:16 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
>>> 
>>> 
>>> On 16.04.2016 at 18:46, Phil Sorber wrote:
>>>> Ok, here is my final plan then. I am going to mark them all deprecated
>>>> for 6.2.x.
>>> 
>>> when you are at it fix the problem that ATS is the only TLS webserver out there
>>> which can't be benchmarked with "ab" reported by me *over years* multiple times while none
>>> of the httpd-servers with TLS have SSL2/SSL3 enabled because frankly our openssl has no support
>>> for anything below TLS1.0 at all
>> 
>> I’m not sure what problem exactly you are pointing at here.  Is it a bug in ab?
>> Is it a bug in your OpenSSL implementation?  Fwiw, I’ve never been able to reproduce this,
>> e.g. this works just fine on CentOS7 (and I have SSL v2 and v3 disabled, of course):
>> 
>> $ ab -c 5 -n 100 https://docs.trafficserver.apache.org/
>> 
>> Server Software:        ATS/6.2.0
>> Server Hostname:        docs.trafficserver.apache.org
>> Server Port:            443
>> SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
>> 
>> Document Path:          /
>> Document Length:        229 bytes
>> 
>> Concurrency Level:      5
>> Time taken for tests:   2.758 seconds
>> …
>> 
>> Looking at your error messages, it sounds like your ab is trying to use SSL v3, which
>> (hopefully?) is disabled on your ATS box?
> 
> i *never* was able to benchmark my ATS box in the last 4 years and SSL 3 is for sure
> disabled - as said: openssl on Fedora doesn't even support it any longer at all
> 
> i *never* had a problem benchmarking any httpd box in the last 13 years
> 
> so what does ab -c 5 -n 100 https://www.thelounge.net/ give you on your client?

It fails too from that CentOS7 box to your box.

> 
> 
> [harry@srv-rhsoft:~]$ ab -c 5 -n 100 https://docs.trafficserver.apache.org/
> This is ApacheBench, Version 2.3 <$Revision: 1706008 $>
> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
> 
> Benchmarking docs.trafficserver.apache.org (be patient)...^C
> 
> Server Software:        ATS/6.2.0
> Server Hostname:        docs.trafficserver.apache.org
> Server Port:            443
> SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128

So it seems your ab works against this CentOS7 box running ATS v6.2.0?


What version of OpenSSL did you build ATS with? I am running docs.trafficserver.a.o with OpenSSL
v1.0.2g if I recall (latest stable release).

Ciao,

— leif

