Traffic Server: TS-2569

ssl options are ignored if ssl_multicert.config does not contain an entry with dest_ip=*


Details

• Type: Bug
• Status: Closed
• Priority: Major
• Resolution: Fixed
• Affects Version/s: None
• Fix Version/s: 4.2.0, 5.0.0
• Component/s: SSL
• Labels: None

      Description

      We discovered that the proxy.config.ssl.server.honor_cipher_order=1 setting was not working correctly. After investigating, it was determined that if you do not have a dest_ip=* in the ssl_multicert.config file then the server cipher order setting will not be honored.

      ssl_multicert.config
      dest_ip=192.168.214.131 ssl_cert_name=cert.pem

      records.config
      CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!NULL
      CONFIG proxy.config.ssl.server.honor_cipher_order INT 1

      Result (client selection is honored):
      % echo | openssl s_client -connect 192.168.214.131:443 -cipher 'AES128-SHA:RC4-SHA' 2>&1 | grep 'Cipher is'
      New, TLSv1/SSLv3, Cipher is AES128-SHA
      % echo | openssl s_client -connect 192.168.214.131:443 -cipher 'RC4-SHA:AES128-SHA' 2>&1 | grep 'Cipher is'
      New, TLSv1/SSLv3, Cipher is RC4-SHA
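As an added configuration check (not part of the ticket or of the Traffic Server project), the following Python lints the two files for the combination reported above: honor_cipher_order set to 1 with no dest_ip=* entry in ssl_multicert.config. The inputs are constructed copies of the ticket's snippets, and the parser is a simplified one that assumes whitespace-separated key=value tokens per line.

```python
import re

# Constructed sample inputs mirroring the ticket's configuration (not real files).
SSL_MULTICERT = """\
dest_ip=192.168.214.131 ssl_cert_name=cert.pem
"""

RECORDS = """\
CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!NULL
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
"""


def parse_multicert(text):
    """Return one {key: value} dict per non-comment line of ssl_multicert.config.

    Simplified parser (assumption): each line is whitespace-separated key=value tokens.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = {}
        for token in line.split():
            key, _, value = token.partition("=")
            entry[key] = value
        entries.append(entry)
    return entries


def records_int(text, name):
    """Return the INT value of a CONFIG record in records.config, or None if absent."""
    pattern = re.compile(r"^CONFIG\s+" + re.escape(name) + r"\s+INT\s+(-?\d+)\s*$", re.M)
    m = pattern.search(text)
    return int(m.group(1)) if m else None


def honor_order_at_risk(multicert_text, records_text):
    """True when honor_cipher_order=1 is set but no dest_ip=* entry exists.

    That is the combination this ticket reports as silently ignoring the
    server-side cipher order on builds without the fix.
    """
    if records_int(records_text, "proxy.config.ssl.server.honor_cipher_order") != 1:
        return False
    return not any(e.get("dest_ip") == "*" for e in parse_multicert(multicert_text))


if __name__ == "__main__":
    if honor_order_at_risk(SSL_MULTICERT, RECORDS):
        print("WARNING: honor_cipher_order=1 but ssl_multicert.config has no dest_ip=* entry")
```

Adding a `dest_ip=*` line to the multicert input clears the warning, which matches the workaround the ticket describes.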

Attachments

1. TS-2569.patch (8 kB, Ron Barber)
2. TS-2569_4.2.patch (8 kB, Ron Barber)

People

• Assignee: rwbarber2 Ron Barber
• Reporter: rwbarber2 Ron Barber