@randall found that the latest ATS master branch requires `dest_ip` in
ssl_multicert.config. The `dest_ip` is an option; ATS should work without it. I
tried some tests and found that `ssl_callback_info` got some error.
## client
```
$ ~/opt/openssl/bin/openssl s_client -connect 127.0.0.1:4443
CONNECTED(00000005)
140736171307904:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40
```
## debug logs
with `dest_ip=*`
```
[Aug 24 11:37:37.003] {0xb000c000} DEBUG: <SSLUtils.cc:454
(ssl_servername_only_callback)> (ssl) Requested servername is 127.0.0.1
[Aug 24 11:37:37.003] {0xb000c000} DEBUG: <SNIActionPerformer.cc:46
(PerformAction)> (ssl_sni) 127.0.0.1 not available in the map
[Aug 24 11:37:37.003] {0xb000c000} DEBUG: <SSLNetVConnection.cc:1558
(callHooks)> (ssl) callHooks sslHandshakeHookState=2
[Aug 24 11:37:37.003] {0xb000c000} DEBUG: <SSLNetVConnection.cc:1630
(callHooks)> (ssl) callHooks iterated to curHook=0x0
[Aug 24 11:37:37.003] {0xb000c000} DEBUG: <SSLUtils.cc:333 (set_context_cert)>
(ssl) set_context_cert ssl=0x2825200 server=127.0.0.1 handshake_complete=0
[Aug 24 11:37:37.003] {0xb000c000} DEBUG: <SSLUtils.cc:387 (set_context_cert)>
(ssl) ssl_cert_callback using SSL context 0x4815400 for requested name
'127.0.0.1'
[Aug 24 11:37:37.003] {0xb000c000} DEBUG: <SSLNetVConnection.cc:1558
(callHooks)> (ssl) callHooks sslHandshakeHookState=3
[Aug 24 11:37:37.003] {0xb000c000} DEBUG: <SSLNetVConnection.cc:1630
(callHooks)> (ssl) callHooks iterated to curHook=0x0
[Aug 24 11:37:37.003] {0xb000c000} DEBUG: <SSLUtils.cc:1510
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x2825200 where: 8193 ret: 1
State: SSLv3/TLS read client hello
```
without `dest_ip=*`
```
[Aug 24 11:36:05.335] {0xb000c000} DEBUG: <SSLUtils.cc:454
(ssl_servername_only_callback)> (ssl) Requested servername is 127.0.0.1
[Aug 24 11:36:05.335] {0xb000c000} DEBUG: <SNIActionPerformer.cc:46
(PerformAction)> (ssl_sni) 127.0.0.1 not available in the map
[Aug 24 11:36:05.335] {0xb000c000} DEBUG: <SSLNetVConnection.cc:1558
(callHooks)> (ssl) callHooks sslHandshakeHookState=2
[Aug 24 11:36:05.335] {0xb000c000} DEBUG: <SSLNetVConnection.cc:1630
(callHooks)> (ssl) callHooks iterated to curHook=0x0
[Aug 24 11:36:05.336] {0xb000c000} DEBUG: <SSLUtils.cc:333 (set_context_cert)>
(ssl) set_context_cert ssl=0x1012000 server=127.0.0.1 handshake_complete=0
[Aug 24 11:36:05.336] {0xb000c000} DEBUG: <SSLUtils.cc:387 (set_context_cert)>
(ssl) ssl_cert_callback using SSL context 0x2001c00 for requested name
'127.0.0.1'
[Aug 24 11:36:05.336] {0xb000c000} DEBUG: <SSLNetVConnection.cc:1558
(callHooks)> (ssl) callHooks sslHandshakeHookState=3
[Aug 24 11:36:05.336] {0xb000c000} DEBUG: <SSLNetVConnection.cc:1630
(callHooks)> (ssl) callHooks iterated to curHook=0x0
[Aug 24 11:36:05.336] {0xb000c000} DEBUG: <SSLUtils.cc:1510
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x1012000 where: 16392 ret:
552 State: error
[Aug 24 11:36:05.336] {0xb000c000} DEBUG: <SSLUtils.cc:2334 (SSLAccept)>
(ssl.error.accept) SSL accept returned -1, ssl_error=1, ERR_get_error=337092801
(error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher)
[Aug 24 11:36:05.336] {0xb000c000} DEBUG: <SSLNetVConnection.cc:1168
(sslServerHandShakeEvent)> (ssl-diag) SSL::2952839168:error:1417A0C1:SSL
routines:tls_post_process_client_hello:no shared cipher:ssl
```
[ Full content available at:
https://github.com/apache/trafficserver/issues/4160 ]
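Added example (not part of the original report or of the ATS code base): a small decoder for the numeric fields in the two debug logs above, namely the `where` and `ret` values printed by `ssl_callback_info` and the packed `ERR_get_error` code. The flag values are the ones in OpenSSL's `<openssl/ssl.h>`; the `X_` names and function names are local to this example, and the error-code split assumes the OpenSSL 1.1.x packing (8-bit library, 12-bit function, 12-bit reason).

```c
#include <stdio.h>
#include <string.h>

/* Bit values as defined in OpenSSL's <openssl/ssl.h>; the X_ names are local
   to this example so it builds without the OpenSSL headers. */
enum { X_CB_LOOP = 0x01, X_CB_EXIT = 0x02, X_CB_READ = 0x04, X_CB_WRITE = 0x08,
       X_ST_CONNECT = 0x1000, X_ST_ACCEPT = 0x2000, X_CB_ALERT = 0x4000 };

/* Render the info callback's `where` bitmask as flag names joined by '|'. */
const char *decode_where(int where, char *out, size_t n) {
    static const struct { int bit; const char *name; } flags[] = {
        {X_ST_CONNECT, "ST_CONNECT"}, {X_ST_ACCEPT, "ST_ACCEPT"},
        {X_CB_ALERT, "CB_ALERT"},     {X_CB_READ, "CB_READ"},
        {X_CB_WRITE, "CB_WRITE"},     {X_CB_LOOP, "CB_LOOP"},
        {X_CB_EXIT, "CB_EXIT"},
    };
    size_t used = 0;
    if (n == 0) return out;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++) {
        if (!(where & flags[i].bit)) continue;
        int w = snprintf(out + used, n - used, "%s%s", used ? "|" : "", flags[i].name);
        if (w < 0 || (size_t)w >= n - used) { out[used] = '\0'; break; } /* no room */
        used += (size_t)w;
    }
    return out;
}

/* For CB_ALERT events, `ret` carries (level << 8) | description. */
int alert_level(int ret) { return (ret >> 8) & 0xff; }   /* 1 = warning, 2 = fatal */
int alert_desc(int ret)  { return ret & 0xff; }          /* TLS alert number */

/* OpenSSL 1.1.x packed error code: lib(8 bits) | func(12 bits) | reason(12 bits). */
int err_lib(unsigned long e)    { return (int)((e >> 24) & 0xff); }
int err_func(unsigned long e)   { return (int)((e >> 12) & 0xfff); }
int err_reason(unsigned long e) { return (int)(e & 0xfff); }

int main(void) {
    char buf[64];
    /* Values taken from the two debug logs in the report above. */
    printf("where=8193  -> %s\n", decode_where(8193, buf, sizeof buf));
    printf("where=16392 -> %s, alert level=%d desc=%d\n",
           decode_where(16392, buf, sizeof buf), alert_level(552), alert_desc(552));
    printf("err 337092801 -> lib=%d func=%d reason=%d\n",
           err_lib(337092801UL), err_func(337092801UL), err_reason(337092801UL));
    return 0;
}
```

Read this way, `where: 16392 ret: 552` is the server writing a fatal alert with description 40 (handshake_failure), which matches the `SSL alert number 40` seen by `s_client`. Library 20 is the SSL library and reason 193 (0xC1) is the `no shared cipher` reason shown in the log's own error string.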