trafficserver-users mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Deprecation of SSL v2/3
Date Mon, 25 Apr 2016 09:33:14 GMT

On 17.04.2016 at 01:26, Leif Hedstrom wrote:
>> On Apr 16, 2016, at 4:56 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>>
>> On 17.04.2016 at 00:52, Leif Hedstrom wrote:
>>>> On Apr 16, 2016, at 4:44 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>>>>
>>>> On 17.04.2016 at 00:38, Leif Hedstrom wrote:
>>>>>> so what gives you ab -c 5 -n 100 https://www.thelounge.net/ on your client?
>>>>>
>>>>> It fails too from that CentOS7 box to your box.
>>>>>>
>>>>>> [harry@srv-rhsoft:~]$ ab -c 5 -n 100 https://docs.trafficserver.apache.org/
>>>>>> This is ApacheBench, Version 2.3 <$Revision: 1706008 $>
>>>>>> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
>>>>>> Licensed to The Apache Software Foundation, http://www.apache.org/
>>>>>>
>>>>>> Benchmarking docs.trafficserver.apache.org (be patient)...^C
>>>>>>
>>>>>> Server Software:        ATS/6.2.0
>>>>>> Server Hostname:        docs.trafficserver.apache.org
>>>>>> Server Port:            443
>>>>>> SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
>>>>>
>>>>> So it seems your ab works against this CentOS7 box running ATS v6.2.0?
>>>>
>>>> yes
>>>>
>>>>> What version of OpenSSL did you build ATS with? I am running
>>>>> docs.trafficserver.a.o with OpenSSL v1.0.2g if I recall (latest stable
>>>>> release)
>>>>
>>>> seems not matter that much since i have this issue for years now and
>>>> the httpd servers are built in the same environments with the same
>>>> libraries and don't have that issue
>>>
>>> Wonder if it could be one of those -f compiler flags? I’m attaching
>>> my config.nice that I run on docs.trafficserver, this compiles with
>>> ASAN though, so you likely want to remove that at least (if you are
>>> willing to try).
>>
>> i will give it a try ASAP, however the whole web and mail stack is
>> built with that flags (based on the flags below which are %{optflags}
>> and only ATS has the specific problem
>
> Yeah, it seems odd that it’d break like that because of compiler flags.
> But I honestly have no other ideas as to why it breaks on your system,
> and not mine :-/. Can anyone else confirm or deny this breakage on their
> installs?

just a notice again before i try to build with other flags
_____________________________________________

https://www.ssllabs.com/ssltest/

docs.trafficserver.apache.org:
SSL 2 handshake compatibility 	Yes

www.thelounge.net:
SSL 2 handshake compatibility 	No
_____________________________________________

CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECD$
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.server.dhparams_file STRING /etc/trafficserver/ssl/dhparams.pem
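
An added example, not part of the original message and not Apache Traffic Server code: a small Python check that parses `records.config` lines like the ones posted above and reports which SSL/TLS protocol switches are on. The function names and the weakened sample are constructed for illustration; a key missing from the file is reported rather than guessed, because the script does not know the build's defaults.

```python
import re

# Protocol switches named in the records.config excerpt from the message.
PROTOCOL_KEYS = {"proxy.config.ssl." + k: k.replace("_", ".")
                 for k in ("SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")}
LEGACY = {"SSLv2", "SSLv3"}
RECORD = re.compile(r"^CONFIG\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_records(text):
    """Return {name: value}; a value wrapped onto the next line is rejoined."""
    records, pending = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        match = RECORD.match(line)
        if match:
            name, _type, value = match.groups()
            records[name] = value
            pending = name if value == "" else None
        elif pending:
            records[pending], pending = line, None
    return records

def audit_protocols(records):
    """Return (enabled protocols, findings) for the SSL/TLS switches."""
    enabled, findings = [], []
    for key, label in PROTOCOL_KEYS.items():
        if key not in records:
            findings.append(f"{key} not set: the build default applies")
        elif records[key] != "0":
            enabled.append(label)
            if label in LEGACY:
                findings.append(f"{label} enabled ({key} = {records[key]})")
    return enabled, findings

# Constructed input: lines as posted (one mail-wrapped), then a weakened copy.
POSTED = """CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.server.multicert.filename STRING
ssl_multicert.config
"""
WEAKENED = POSTED.replace("SSLv3 INT 0", "SSLv3 INT 1").replace(
    "CONFIG proxy.config.ssl.TLSv1_2 INT 1\n", "")
if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("weakened", WEAKENED)):
        print(name, audit_protocols(parse_records(text)))
```
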

