Hi,
I have a “play” server, which I upgraded recently to F29, and ATS is having
issues with one of my certificates. It’s a cert with a wildcard for *.ogre.com,
and this was working fine up until the upgrade to OpenSSL v1.1.1. The other
certs work fine.
Running diagnostics, I see
[Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLNetVConnection.cc:1555 (callHooks)>
(ssl) callHooks sslHandshakeHookState=2 eventID=60204
[Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLNetVConnection.cc:1647 (callHooks)>
(ssl) callHooks iterated to curHook=(nil)
[Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:409 (PerformAction)>
(ssl_sni) www.ogre.com not available in the map
[Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:332 (set_context_cert)>
(ssl) set_context_cert ssl=0x7f62a654b000 server=www.ogre.com
handshake_complete=0
[Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:381 (set_context_cert)>
(ssl) ssl_cert_callback found SSL context 0x7f62a9150800 for requested name
‘www.ogre.com’
At which point, it fails the TLS handshake (since www.ogre.com is not available
in the map). I can see it loading the certificate though:
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2181
(SSLParseCertificateConfiguration)> (ssl) currently parsing dest_ip
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1636
(SSLInitServerContext)> (ssl.session_cache) ssl context=0x7f62a9150800: using
session cache options, enabled=2, size=102400, num_buckets=256,
skip_on_contention=0, timeout=0, auto_clear=1
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1658
(SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS
implementation
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1672
(SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1844
(SSLInitServerContext)> (ssl) Using 'ogre.crt' in hash for session id context
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1929
(SSLInitServerContext)> (ssl) SSL OCSP Stapling is disabled
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1460
(SSLCheckServerCertNow)> (ssl) server certificate ogre.crt passed accessibility
and date checks
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLCertLookup.cc:184
(ticket_block_create)> (ssl) Create 1 ticket key blocks
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2004
(ssl_store_ssl_context)> (ssl) mapping '71.6.199.13' to certificate ogre.crt
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLCertLookup.cc:428 (insert)>
(ssl) indexed '4706c70d' with SSL_CTX 0x7f62a9150800 [0]
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2040
(ssl_store_ssl_context)> (ssl) SSL OCSP Stapling is disabled
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2051
(ssl_store_ssl_context)> (ssl) importing SNI names from ogre.crt
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1505
(ssl_index_certificate)> (ssl) mapping '*.ogre.com' to certificate ogre.crt
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:418 (insert)>
(ssl) indexed '*.ogre.com' with SSL_CTX 0x7f62a9150800 [1]
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1525
(ssl_index_certificate)> (ssl) mapping 'ogre.com' to certificates ogre.crt
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:428 (insert)>
(ssl) indexed 'ogre.com' with SSL_CTX 0x7f62a9150800 [2]
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:2181
(SSLParseCertificateConfiguration)> (ssl) currently parsing dest_ip
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1636
(SSLInitServerContext)> (ssl.session_cache) ssl context=0x7f62a9146000: using
session cache options, enabled=2, size=102400, num_buckets=256,
skip_on_contention=0, timeout=0, auto_clear=1
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1658
(SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS
implementation
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1672
(SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
My multicast.config file has:
dest_ip=71.6.199.13 ssl_cert_name=ogre.crt ssl_key_name=ogre.key
ssl_ca_name=gd_bundle-g2-g1.crt
DNS for www.ogre.com points to the IP above:
munin (12:42) 260/0 $ host www.ogre.com
www.ogre.com is an alias for cosmo.ogre.com.
cosmo.ogre.com has address 71.6.199.13
Did we break wildcard matching?? Or did OpenSSL v1.1.1 do it?? The SN in the
certificate is *.ogre.com.
Cheers,
— Leif
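As an added illustration of the wildcard question raised in the message above (this is not ATS's SSLCertLookup code, nor anything from the poster), the block below rebuilds the name-to-SSL_CTX map from the "indexed ..." debug lines quoted in the post and then resolves SNI names against it. The matching rule is an assumption: the single-label wildcard rule of RFC 6125, under which '*.ogre.com' covers 'www.ogre.com' but neither 'ogre.com' (which the log shows is indexed separately) nor 'a.b.ogre.com'. The IP key '4706c70d' seen in the log is the hex form of 71.6.199.13, so the block also shows the dest_ip fallback. Function names and the SAMPLE_LOG constant are constructed for this example.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample: the three "indexed" lines quoted in the post, joined onto one line each.
SAMPLE_LOG = """\
[Dec 29 11:42:36.794] traffic_server DEBUG: <SSLCertLookup.cc:428 (insert)> (ssl) indexed '4706c70d' with SSL_CTX 0x7f62a9150800 [0]
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:418 (insert)> (ssl) indexed '*.ogre.com' with SSL_CTX 0x7f62a9150800 [1]
[Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:428 (insert)> (ssl) indexed 'ogre.com' with SSL_CTX 0x7f62a9150800 [2]
"""

INDEXED_RE = re.compile(r"indexed '(?P<name>[^']+)' with SSL_CTX (?P<ctx>0x[0-9a-fA-F]+)")


def build_cert_map(log_text: str) -> Dict[str, str]:
    """Collect name -> SSL_CTX pairs from 'indexed' debug lines (names lower-cased)."""
    cert_map: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = INDEXED_RE.search(line)
        if m:
            cert_map[m.group("name").lower()] = m.group("ctx")
    return cert_map


def ip_key(ip: str) -> str:
    """dest_ip as the 8-hex-digit key the log shows: 71.6.199.13 -> '4706c70d'."""
    return format(int(ipaddress.IPv4Address(ip)), "08x")


def lookup_sni(cert_map: Dict[str, str], server_name: str) -> Optional[str]:
    """Exact SNI match first, then a single-label wildcard (assumed RFC 6125 rule).

    '*.ogre.com' matches 'www.ogre.com' only: the wildcard replaces exactly one
    leftmost label, so 'ogre.com' and 'a.b.ogre.com' are not covered by it.
    """
    name = server_name.lower().rstrip(".")
    if name in cert_map:
        return cert_map[name]
    labels = name.split(".")
    # Need at least one label to drop and two left, so '*.com' never matches 'x.com'.
    if len(labels) >= 3:
        wildcard = "*." + ".".join(labels[1:])
        if wildcard in cert_map:
            return cert_map[wildcard]
    return None


def resolve(cert_map: Dict[str, str], server_name: Optional[str], dest_ip: str) -> Optional[str]:
    """SNI lookup first; if the name is not in the map, fall back to the dest_ip entry."""
    if server_name:
        ctx = lookup_sni(cert_map, server_name)
        if ctx is not None:
            return ctx
    return cert_map.get(ip_key(dest_ip))


if __name__ == "__main__":
    cert_map = build_cert_map(SAMPLE_LOG)
    for host in ("www.ogre.com", "ogre.com", "a.b.ogre.com", "example.com"):
        print(f"{host:15} -> {lookup_sni(cert_map, host)}")
    print("no SNI, 71.6.199.13 ->", resolve(cert_map, None, "71.6.199.13"))
```

Running this against the quoted log shows that 'www.ogre.com' does resolve to 0x7f62a9150800 through the '*.ogre.com' entry, which matches the "found SSL context 0x7f62a9150800 for requested name" line in the post; the exercise only separates "name not in map" from "wildcard matched" and says nothing about why the handshake itself fails.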