Major Description
When I testing from the patches from qianshi, for TS-718, the ssl session resumption looks perfect, but still can not pass the sslswamp testing, it looks like the second and later request will not be handled from the https connection. it may be a issue for https handler, here is some information
testing from sslswamp:
[root@unknown-10-62-163-x ~]# sslswamp -connect IP:10.32.21.75:443 -num 1 -count 4 -session srrr -update 10 -request "GET https://img02.taobaocdn.com/tps/i2/T1.SVEXcXJXXXXXXXX-770-300.jpg HTTP/1.0\r\n\r\n" -session_ids -nologo -expect 64000 -sslmeth tlsv1 No 'cacert' supplied, trying defaults ... '/usr/share/swamp/CA.pem' found. no client cert provided, continuing anyway. Certificate verification failed, probably a self-signed server cert *or* the signing CA cert is not trusted by us (hint: use '-CAfile'). This message will only be printed once session-id[conn:0]:04E7E83CD58E8D566673EDB244146C808ECF7AF517CF39282017E053C7A7D0CC session-id[conn:0]:04E7E83CD58E8D566673EDB244146C808ECF7AF517CF39282017E053C7A7D0CC 120 seconds since starting, 1 successful, 0 failed, resumes(+1,-0) 0.01 ops/sec 120 seconds since starting, 1 successful, 1 failed, resumes(+1,-0) 0.00 ops/sec 120 seconds since starting, 1 successful, 1 failed, resumes(+1,-0) 0.00 ops/sec session-id[conn:0]:04E7E83CD58E8D566673EDB244146C808ECF7AF517CF39282017E053C7A7D0CC 120 seconds since starting, 1 successful, 1 failed, resumes(+2,-0) 0.00 ops/sec 240 seconds since starting, 1 successful, 1 failed, resumes(+2,-0) 0.00 ops/sec 240 seconds since starting, 1 successful, 2 failed, resumes(+2,-0) 0.00 ops/sec 240 seconds since starting, 1 successful, 2 failed, resumes(+2,-0) 0.00 ops/sec session-id[conn:0]:04E7E83CD58E8D566673EDB244146C808ECF7AF517CF39282017E053C7A7D0CC 240 seconds since starting, 1 successful, 2 failed, resumes(+3,-0) 0.00 ops/sec 361 seconds since starting, 1 successful, 2 failed, resumes(+3,-0) 0.00 ops/sec 361 seconds since starting, 1 successful, 3 failed, resumes(+3,-0) 0.00 ops/sec
the log from traffic.out:
[May 20 18:30:59.544] Manager {140339380279072} NOTE: [LocalManager::pollMgmtProcessServer] New process connecting fd '10'
[May 20 18:30:59.544] Manager {140339380279072} NOTE: [Alarms::signalAlarm] Server Process born
[May 20 18:31:00.564] {47816222021376} STATUS: opened /var/log/trafficserver/diags.log
[May 20 18:31:00.613] {47816222021376} NOTE: updated diags config
[May 20 18:31:00.648] Server {47816222021376} NOTE: cache clustering disabled
[May 20 18:31:00.784] Server {47816222021376} NOTE: cache clustering disabled
[May 20 18:31:01.237] Server {47816222021376} DEBUG: (ssl) [SSLNetProcessor::initSSLServerCTX] set the callback for external session caching.
[May 20 18:31:01.412] Server {47816222021376} NOTE: logging initialized[7], logging_mode = 3
[May 20 18:31:01.669] Server {47816222021376} NOTE: traffic server running
[May 20 18:31:01.793] Server {47816237516544} NOTE: cache enabled
[May 20 18:31:57.001] Server {47816310503168} DEBUG: (ssl) [ssl_callback_NewSessionCacheEntry] store id [D91C5F59EB43C5E8864303B449B9B1673D3218300EE03FDC4790125A7BCB521D]'s session into cache.
[May 20 18:31:57.001] Server {47816310503168} DEBUG: (ssl) SSLNetVConnection::sslServerHandShakeEvent, handshake completed successfully
[May 20 18:31:57.004] Server {47816310503168} DEBUG: (ssl) [SSL_NetVConnection::ssl_read_from_net] b->write_avail()=4096
[May 20 18:31:57.004] Server {47816310503168} DEBUG: (ssl) [SSL_NetVConnection::ssl_read_from_net] rres=82
SSL Read
GET https://img02.taobaocdn.com/tps/i2/T1.SVEXcXJXXXXXXXX-770-300.jpg HTTP/1.0
[May 20 18:31:57.004] Server {47816310503168} DEBUG: (ssl) [SSL_NetVConnection::ssl_read_from_net] rres=-1
[May 20 18:31:57.004] Server {47816310503168} DEBUG: (ssl) [SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_WOULD_BLOCK
[May 20 18:31:57.004] Server {47816310503168} DEBUG: (ssl) [SSL_NetVConnection::ssl_read_from_net] bytes_read=82
[May 20 18:31:57.004] Server {47816310503168} DEBUG: (ssl) [SSL_NetVConnection::ssl_read_from_net] b->write_avail()=4014
[May 20 18:31:57.004] Server {47816310503168} DEBUG: (ssl) [SSL_NetVConnection::ssl_read_from_net] rres=-1
[May 20 18:31:57.004] Server {47816310503168} DEBUG: (ssl) [SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_WOULD_BLOCK
[May 20 18:31:57.004] Server {47816310503168} DEBUG: (ssl) [SSL_NetVConnection::ssl_read_from_net] bytes_read == 0
[May 20 18:31:57.021] Server {47816310503168} DEBUG: (ssl) read_from_net, read finished - would block
[May 20 18:31:57.107] Server {47816310503168} DEBUG: (ssl) SSLNetVConnection::loadBufferAndCallWrite, before do_SSL_write, l = 351, towrite = 77440, b = f4e7d0
[May 20 18:31:57.107] Server {47816310503168} DEBUG: (ssl) SSLNetVConnection::loadBufferAndCallWrite,Number of bytes written =351 , total =351
[May 20 18:31:57.107] Server {47816310503168} DEBUG: (ssl) SSLNetVConnection::loadBufferAndCallWrite, before do_SSL_write, l = 77089, towrite = 77440, b = f4e790
[May 20 18:31:57.109] Server {47816310503168} DEBUG: (ssl) SSLNetVConnection::loadBufferAndCallWrite,Number of bytes written =-11 , total =77440
[May 20 18:31:57.109] Server {47816310503168} DEBUG: (ssl) SSL_write-SSL_ERROR_WANT_WRITE
[May 20 18:31:57.109] Server {47816310503168} DEBUG: (ssl) SSLNetVConnection::loadBufferAndCallWrite, before do_SSL_write, l = 77089, towrite = 77089, b = f4e790
[May 20 18:31:57.109] Server {47816310503168} DEBUG: (ssl) SSLNetVConnection::loadBufferAndCallWrite,Number of bytes written =-11 , total =77089
[May 20 18:31:57.109] Server {47816310503168} DEBUG: (ssl) SSL_write-SSL_ERROR_WANT_WRITE
[May 20 18:31:57.111] Server {47816310503168} DEBUG: (ssl) SSLNetVConnection::loadBufferAndCallWrite, before do_SSL_write, l = 77089, towrite = 77089, b = f4e790
[May 20 18:31:57.114] Server {47816310503168} DEBUG: (ssl) SSLNetVConnection::loadBufferAndCallWrite,Number of bytes written =77089 , total =77089
[May 20 18:31:57.114] Server {47816310503168} DEBUG: (ssl) SSLNetVConnection::loadBufferAndCallWrite, write successful.
[May 20 18:31:57.118] Server {47816311555840} DEBUG: (ssl) [ssl_callback_GetSessionCacheEntry] lookup id [D91C5F59EB43C5E8864303B449B9B1673D3218300EE03FDC4790125A7BCB521D] successfully.
[May 20 18:31:57.121] Server {47816311555840} DEBUG: (ssl) SSLNetVConnection::sslServerHandShakeEvent, handshake completed successfully
[May 20 18:33:57.567] Server {47816310503168} DEBUG: (ssl) [ssl_callback_GetSessionCacheEntry] lookup id [D91C5F59EB43C5E8864303B449B9B1673D3218300EE03FDC4790125A7BCB521D] successfully.
[May 20 18:33:57.570] Server {47816310503168} DEBUG: (ssl) SSLNetVConnection::sslServerHandShakeEvent, handshake completed successfully
the logs from squid.blog:
1305887517.114 211 10.62.163.251 TCP_HIT/200 77440 GET http://img02.taobaocdn.com/tps/i2/T1.SVEXcXJXXXXXXXX-770-300.jpg - NONE/- image/jpeg -
1305887637.564 120445 10.62.163.251 ERROR_UNKNOWN(90)/000 0 - / - EMPTY/- - -
1305887757.811 120243 10.62.163.251 ERROR_UNKNOWN(90)/000 0 - / - EMPTY/- - -
when the netstat show:
zym6400 trafficserver # netstat -lantp | grep 443 tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 27937/traffic_manag tcp 154 0 10.32.21.75:443 10.62.163.251:41718 ESTABLISHED 27948/traffic_serve
while the s_client testing just cool:
[root@unknown-10-62-163-x ~]# echo | openssl s_client -ssl3 -no_comp -reconnect -connect 10.32.21.75:443 2>&1CONNECTED(00000003) depth=0 C = CN, ST = Beijing, L = Beijing, O = ZYMLinux.net, OU = CA, CN = zym.zymlinux.net verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = CN, ST = Beijing, L = Beijing, O = ZYMLinux.net, OU = CA, CN = zym.zymlinux.net verify error:num=27:certificate not trusted verify return:1 depth=0 C = CN, ST = Beijing, L = Beijing, O = ZYMLinux.net, OU = CA, CN = zym.zymlinux.net verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=zym.zymlinux.net i:/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ca.ZYMLinux.net/emailAddress=ca@ZYMLinux.net --- Server certificate -----BEGIN CERTIFICATE----- MIIG6DCCBNCgAwIBAgIBDzANBgkqhkiG9w0BAQUFADCBjzELMAkGA1UEBhMCQ04x EDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0JlaWppbmcxFTATBgNVBAoTDFpZ TUxpbnV4Lm5ldDELMAkGA1UECxMCQ0ExGDAWBgNVBAMTD2NhLlpZTUxpbnV4Lm5l dDEeMBwGCSqGSIb3DQEJARYPY2FAWllNTGludXgubmV0MB4XDTExMDMwODA4MDAy N1oXDTExMDQwNzA4MDAyN1owcDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWpp bmcxEDAOBgNVBAcTB0JlaWppbmcxFTATBgNVBAoTDFpZTUxpbnV4Lm5ldDELMAkG A1UECxMCQ0ExGTAXBgNVBAMTEHp5bS56eW1saW51eC5uZXQwggIiMA0GCSqGSIb3 DQEBAQUAA4ICDwAwggIKAoICAQDVT3uLJwvIP+4t0hFmcjOBHEcj5CviX4cWHwkA jCnX8EPJBCkBWemebaYNWT7MHfbKKb0tXpF19kHNpq3uCpa/AtDpYj0662Lr1xTw Qbw8v38lCv7FxcbQXMUuyMvA+DoYdYocVGCrk/7lBzvURGtuEiMWC18R/nNMXiYZ PvfYTiyC8FojhXLBLW+EdXBoRfBHBejePhbULiQlYHuHudD2v6boAb2ptNuv3hjT ed5PR2dskmg8US1tUwBSAmcFNoHzbvb1rNa2IaOjRGbipU0dQDAlzT6dVz2I6uGm R66eJXGNTCtbPDmKm9oddIAL2YtdzIriIsrZmXD68iUYoDlWk1n4k7LCo1tMhB/S yeIXTgjqeXlhOpExTx/KAd4KNBRgBobmkMNBmi2k3VQRQGoUPfZPy6/G/9NsAIgK kRNJ3Je7b5V21xFUNAxL7GkdcJKRnfy3jT8fQhvWU714wTc10SPQInxioCwxwiyn LSo3MQUIzQfxwvNvYGiSyKirIzqlSrZQKNzNE4LCW73glMJWwhMyxLZ6PkJfZaDG psXqCTfqLEQf7FsyGFBOqB/X+VKfp9WD/oboDGei++wL4bpaqLR7fF1iDhxS3FTz BTZtz6Aphpj5MvzFG0/N3ShbT/dubaHJwKf1vZV6uCMc6k8prLgjB9JtMuaC5+Kp dQcMLQIDAQABo4IBazCCAWcwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAw KwYJYIZIAYb4QgENBB4WHFRpbnlDQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYD VR0OBBYEFGAuZv/WvnUTG+Jro4Ge59/tJ/xeMIG8BgNVHSMEgbQwgbGAFBu7K8O9 gw7YNnxCcA1B/Xdjamg8oYGVpIGSMIGPMQswCQYDVQQGEwJDTjEQMA4GA1UECBMH QmVpamluZzEQMA4GA1UEBxMHQmVpamluZzEVMBMGA1UEChMMWllNTGludXgubmV0 MQswCQYDVQQLEwJDQTEYMBYGA1UEAxMPY2EuWllNTGludXgubmV0MR4wHAYJKoZI hvcNAQkBFg9jYUBaWU1MaW51eC5uZXSCAQAwGgYDVR0SBBMwEYEPY2FAWllNTGlu dXgubmV0MCAGA1UdEQQZMBeBFW1pbmdfenltQHlhaG9vLmNvbS5jbjANBgkqhkiG 9w0BAQUFAAOCAgEAMVdS3+/g6DlGj5gmEY8ySkq4ccc3Jpe3lcNjw178bylxdNVE m1aKlOGEH8I90BaPG9kDTy2hj3E302ianLtFUREOzza3MAplGvXnWYZT4gn9KTQ9 bqNnR424NZivW1rxy31REF10wyF7wPnFBvR6bLtFl/UdXXMvaW2fkOQO9wKMLi8j 6EQsUwYlD9t9pghCD/dVhcaPGrLn9/06Tlaiw3TywutZ+V/qNpGOxunIXS1bWFFI 9IrEHVYQVXuGFuofV8C2J6wic27lpVxalFQGU1poL/fDSKQY3E5OMJWNt3sDX7bD 8x4iL76KoDe3q0Y0Mc2UDtt2Stwyh15Y1mFJuA10uT7OSmQJeyqk7byeqXgIzyGf MJX3AoBCZ2ffwfJ/fiLtyR7Bw0ZKwwGuYCXot0UrPPWDHVV/CR2r6W5BQnytuFfQ sMVtA38fcSOpiHFBqkPR+YmMSSKdkjImZYjjwa2TY9fSSoGVJox0ek759vo6JIyw 6S0b9tvIejYlGqTHGVU5FdQTIbFpHWZTex28wDpVY89E15ZDAPhqzl5gKtEnA4Cl 7qN2bHTOKKyYo7ccBxlBc6rKmEFLou/KOgLXK2aonus+MMLc1NmKDiS1mVXFj0dE QBidn73JeQoidtLVWNDOCgDX+x5K4tMfrcgjRTb0ZlpL8kw8QfDyA9dPwqU= -----END CERTIFICATE----- subject=/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=zym.zymlinux.net issuer=/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ca.ZYMLinux.net/emailAddress=ca@ZYMLinux.net --- No client certificate CA names sent --- SSL handshake has read 1957 bytes and written 702 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : AES256-SHA Session-ID: 98E7B8CBE086C1B576B221751A6DE65D9B2D54CAE5CC7D9F5941B03616EF2ED2 Session-ID-ctx: Master-Key: E7ED18A3C9994CCD3B394E932478527983C1E31AA59FDEBD2D6C305806ADF866B67338B89C4613636A41BF13582AE960 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1305859243 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) --- drop connection and then reconnect CONNECTED(00000003) --- Reused, TLSv1/SSLv3, Cipher is AES256-SHA Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : AES256-SHA Session-ID: 98E7B8CBE086C1B576B221751A6DE65D9B2D54CAE5CC7D9F5941B03616EF2ED2 Session-ID-ctx: Master-Key: E7ED18A3C9994CCD3B394E932478527983C1E31AA59FDEBD2D6C305806ADF866B67338B89C4613636A41BF13582AE960 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1305859243 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) --- drop connection and then reconnect CONNECTED(00000003) --- Reused, TLSv1/SSLv3, Cipher is AES256-SHA Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : AES256-SHA Session-ID: 98E7B8CBE086C1B576B221751A6DE65D9B2D54CAE5CC7D9F5941B03616EF2ED2 Session-ID-ctx: Master-Key: E7ED18A3C9994CCD3B394E932478527983C1E31AA59FDEBD2D6C305806ADF866B67338B89C4613636A41BF13582AE960 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1305859243 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) --- drop connection and then reconnect CONNECTED(00000003) --- Reused, TLSv1/SSLv3, Cipher is AES256-SHA Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : AES256-SHA Session-ID: 98E7B8CBE086C1B576B221751A6DE65D9B2D54CAE5CC7D9F5941B03616EF2ED2 Session-ID-ctx: Master-Key: E7ED18A3C9994CCD3B394E932478527983C1E31AA59FDEBD2D6C305806ADF866B67338B89C4613636A41BF13582AE960 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1305859243 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) --- drop connection and then reconnect CONNECTED(00000003) --- Reused, TLSv1/SSLv3, Cipher is AES256-SHA Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : AES256-SHA Session-ID: 98E7B8CBE086C1B576B221751A6DE65D9B2D54CAE5CC7D9F5941B03616EF2ED2 Session-ID-ctx: Master-Key: E7ED18A3C9994CCD3B394E932478527983C1E31AA59FDEBD2D6C305806ADF866B67338B89C4613636A41BF13582AE960 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1305859243 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) --- drop connection and then reconnect CONNECTED(00000003) --- Reused, TLSv1/SSLv3, Cipher is AES256-SHA Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : AES256-SHA Session-ID: 98E7B8CBE086C1B576B221751A6DE65D9B2D54CAE5CC7D9F5941B03616EF2ED2 Session-ID-ctx: Master-Key: E7ED18A3C9994CCD3B394E932478527983C1E31AA59FDEBD2D6C305806ADF866B67338B89C4613636A41BF13582AE960 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1305859243 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) --- DONE