Uploaded image for project: 'Traffic Server'
  1. Traffic Server
  2. TS-2593

HTTPS to origin fails on CentOS6.x

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.2.0, 5.0.0
    • Component/s: SSL
    • Labels:

      Description

      I'm having this problem where mapping to https:// URLs always fails to connect / communicate with the origin. I've tracked this down to TS-2355, and I suspect (but not sure) that setting the nonexistent OpenSSL option breaks something badly. I'd like to make the following changes:

      diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
      index 5ed2d82..289ff99 100644
      --- a/iocore/net/P_SSLUtils.h
      +++ b/iocore/net/P_SSLUtils.h
      @@ -33,15 +33,6 @@
       #error Traffic Server requires a OpenSSL library that support threads
       #endif
      
      -// if we are compiling against an early version of OpenSSL, define our own values
      -#ifndef SSL_OP_NO_TLSv1_1
      -#define SSL_OP_NO_TLSv1_1 0x10000000L
      -#endif
      -#ifndef SSL_OP_NO_TLSv1_2
      -#define SSL_OP_NO_TLSv1_2 0x08000000L
      -#endif
      -#define SSL_VERSION_1_0_1 0x010001000 // MMNNFFPPS: major minor fix patch status
      -
       struct SSLConfigParams;
       struct SSLCertLookup;
      
      diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
      index 9a20883..f9df79e 100644
      --- a/iocore/net/SSLConfig.cc
      +++ b/iocore/net/SSLConfig.cc
      @@ -149,12 +149,19 @@ SSLConfigParams::initialize()
         REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1");
         if (!options)
           ssl_ctx_options |= SSL_OP_NO_TLSv1;
      +
      +  // These are not available in all, older versions of OpenSSL (e.g. CentOS6)
      +#ifdef SSL_OP_NO_TLSv1_1
         REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
         if (!options)
           ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
      +#endif
      +#ifdef SSL_OP_NO_TLSv1_2
         REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2");
         if (!options)
           ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
      +#endif
      +
       #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
         REC_ReadConfigInteger(options, "proxy.config.ssl.server.honor_cipher_order");
         if (options)
      diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
      index 41b876c..7f71243 100644
      --- a/mgmt/RecordsConfig.cc
      +++ b/mgmt/RecordsConfig.cc
      @@ -1227,7 +1227,8 @@ RecordElement RecordsConfig[] = {
         ,
         {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
         ,
      -  {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} // default disabled for now.  OpenSSL v1.0.1e (and lower) have issue TS-2355
      +  // Disable this when using some versions of OpenSSL that causes crashes. See TS-2355.
      +  {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
         ,
         {RECT_CONFIG, "proxy.config.ssl.compression", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
         ,
      

      That much said, I'm also wondering if we should make the defaults for the TLSv1_2 a little less draconian? For example, can we detect which versions this works in, and change the default to "1"? Or can we change the default to "1", and ask people that run into the crasher to either upgrade OpenSSL, or alternatively disable v1.2 ?

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                zwoop Leif Hedstrom
                Reporter:
                zwoop Leif Hedstrom
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: