[
https://issues.apache.org/jira/browse/TS-405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12904111#action_12904111
]
Anirban Roy commented on TS-405:
--------------------------------
I checked out the code from trunk and compiled on a 64-bit RHEL before testing
the SSL termination, still no luck. Providing as much information as possible -
===========
records.config
===========
CONFIG proxy.config.ssl.enabled INT 1
CONFIG proxy.config.ssl.SSLv2 INT 1
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.accelerator.type INT 0
CONFIG proxy.config.ssl.atalla.lib.path STRING /opt/atalla/lib
CONFIG proxy.config.ssl.ncipher.lib.path STRING /opt/nfast/toolkits/hwcrhk
CONFIG proxy.config.ssl.cswift.lib.path STRING /usr/lib
CONFIG proxy.config.ssl.server_port INT 8087
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.cert.filename STRING server.pem
CONFIG proxy.config.ssl.server.cert_chain.filename STRING NULL
CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver
CONFIG proxy.config.ssl.server.private_key.filename STRING NULL
CONFIG proxy.config.ssl.server.private_key.path STRING NULL
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.CA.cert.path STRING NULL
CONFIG proxy.config.ssl.client.verify.server INT 0
CONFIG proxy.config.ssl.client.cert.filename STRING clientcert.pem
CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver
CONFIG proxy.config.ssl.client.private_key.filename STRING NULL
CONFIG proxy.config.ssl.client.private_key.path STRING NULL
CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.client.CA.cert.path STRING NULL
=======
Request
=======
export https_proxy=localhost:8087
wget -d --no-check-certificate https://login.yahoo.com
============
Console output
============
Setting --check-certificate (checkcertificate) to 0
DEBUG output created by Wget 1.10.2 (Red Hat modified) on linux-gnu.
--08:43:16-- https://login.yahoo.com/
=> `index.html.2'
Resolving localhost... 127.0.0.1
Caching localhost => 127.0.0.1
Connecting to localhost|127.0.0.1|:8087... connected.
Created socket 3.
Releasing 0x0000000000552390 (new refcount 1).
---request begin---
CONNECT login.yahoo.com:443 HTTP/1.0
User-Agent: Wget/1.10.2 (Red Hat modified)
---request end---
Failed reading proxy response: Connection reset by peer
Closed fd 3
Retrying.
==============
/var/log/messages
==============
Aug 30 08:42:50 llf531130 traffic_cop[7074]: --- Cop Starting [Version: Apache
Traffic Server - traffic_cop - 2.1.2-unstable - (build # 72710 on Aug 27 2010
at 10:10:24)] ---
Aug 30 08:42:50 llf531130 traffic_cop[7074]: traffic_manager not running,
making sure traffic_server is dead
Aug 30 08:42:50 llf531130 traffic_cop[7074]: spawning traffic_manager
Aug 30 08:42:50 llf531130 traffic_manager[7075]: NOTE: --- Manager Starting ---
Aug 30 08:42:50 llf531130 traffic_manager[7075]: NOTE: Manager Version: Apache
Traffic Server - traffic_manager - 2.1.2-unstable - (build # 72710 on Aug 27
2010 at 10:11:50)
Aug 30 08:42:50 llf531130 traffic_manager[7075]: {182924636832} NOTE: updated
diags config
Aug 30 08:42:50 llf531130 traffic_manager[7075]: {182924636832} NOTE:
[ClusterCom::ClusterCom] Node running on OS: 'Linux' Release:
'2.6.9-67.0.22.ELsmp'
Aug 30 08:42:50 llf531130 traffic_manager[7075]: {182924636832} NOTE:
[LocalManager::listenForProxy] Listening on port: 8085
Aug 30 08:42:50 llf531130 traffic_manager[7075]: {182924636832} NOTE:
[LocalManager::listenForProxy] Listening on port: 8087
Aug 30 08:42:50 llf531130 traffic_manager[7075]: {182924636832} NOTE:
[TrafficManager] Setup complete
Aug 30 08:42:50 llf531130 traffic_manager[7075]: {1115699552} ERROR:
[WebHttpTreeInit]: unable to import file share/trafficserver/navigation_tree.xml
Aug 30 08:42:50 llf531130 traffic_manager[7075]: {1115699552} ERROR: (last
system error 2: No such file or directory)
Aug 30 08:42:51 llf531130 traffic_manager[7075]: {182924636832} NOTE:
[LocalManager::startProxy] Launching ts process
Aug 30 08:42:51 llf531130 traffic_manager[7075]: {182924636832} NOTE:
[LocalManager::pollMgmtProcessServer] New process connecting fd '10'
Aug 30 08:42:51 llf531130 traffic_manager[7075]: {182924636832} NOTE:
[Alarms::signalAlarm] Server Process born
Aug 30 08:42:52 llf531130 traffic_server[7085]: NOTE: --- Server Starting ---
Aug 30 08:42:52 llf531130 traffic_server[7085]: NOTE: Server Version: Apache
Traffic Server - traffic_server - 2.1.2-unstable - (build # 72710 on Aug 27
2010 at 10:12:33)
Aug 30 08:42:52 llf531130 traffic_server[7085]: {182924636544} NOTE: updated
diags config
Aug 30 08:42:52 llf531130 traffic_server[7085]: {182924636544} NOTE: cache
clustering disabled
Aug 30 08:42:52 llf531130 traffic_server[7085]: {182924636544} NOTE: cache
clustering disabled
Aug 30 08:42:53 llf531130 traffic_server[7085]: {182924636544} NOTE: logging
initialized[7], logging_mode = 1
Aug 30 08:42:53 llf531130 traffic_server[7085]: {182924636544} NOTE: traffic
server running
Aug 30 08:42:59 llf531130 traffic_server[7085]: {1080052064} NOTE: cache enabled
Aug 30 08:43:16 llf531130 traffic_server[7085]: {1190578528} ERROR: SSL ERROR:
SSL_ServerHandShake.
Aug 30 08:43:16 llf531130 traffic_server[7085]: {1190578528} ERROR:
SSL::40:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy
request:s23_srvr.c:402:
Aug 30 08:43:19 llf531130 traffic_server[7085]: {1191631200} ERROR: SSL ERROR:
SSL_ServerHandShake.
Aug 30 08:43:19 llf531130 traffic_server[7085]: {1191631200} ERROR:
SSL::41:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy
request:s23_srvr.c:402:
> SSL Termination not working
> ---------------------------
>
> Key: TS-405
> URL: https://issues.apache.org/jira/browse/TS-405
> Project: Traffic Server
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.1.1
> Environment: Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
> - x86_64
> Reporter: Anirban Roy
> Fix For: 2.1.3
>
>
> Turned on SSL termination with Apache TS-2.1.1 (proxy.config.ssl.enabled)
> with other config options left as the default settings. The package is
> shipped with a certificate (server.pm) which is used for the SSL session. With
> this default setting, the SSL termination does not seem to work. See the
> error below -
> [anirb...@llf531136 trafficserver]$ https_proxy=localhost:443 wget -d
> --no-check-certificate https://login/yahoo.com
> Setting --check-certificate (checkcertificate) to 0
> DEBUG output created by Wget 1.10.2 (Red Hat modified) on linux-gnu.
> --11:24:41-- https://login/yahoo.com
> => `yahoo.com'
> Resolving localhost... 127.0.0.1
> Caching localhost => 127.0.0.1
> Connecting to localhost|127.0.0.1|:443... connected.
> Created socket 3.
> Releasing 0x0000000000552380 (new refcount 1).
> ---request begin---
> CONNECT login:443 HTTP/1.0
> User-Agent: Wget/1.10.2 (Red Hat modified)
> ---request end---
> Failed reading proxy response: Connection reset by peer
> Closed fd 3
> Retrying.
> ==========================================================================================
> syslog output
> ==========================================================================================
> [anirb...@llf531136 ats-test]$ tail -f /var/log/messages | grep traffic
> Jul 27 11:02:22 llf531136 traffic_manager[20264]: {182924636832} ERROR:
> (last system error 9: Bad file descriptor)
> Jul 27 11:24:18 llf531136 traffic_cop[25036]: --- Cop Starting [Version:
> Apache Traffic Server - traffic_cop - 2.1.1-unstable - (build # 62010 on Jul
> 20 2010 at 10:17:13)] ---
> Jul 27 11:24:18 llf531136 traffic_cop[25036]: traffic_manager not running,
> making sure traffic_server is dead
> Jul 27 11:24:18 llf531136 traffic_cop[25036]: spawning traffic_manager
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: NOTE: --- Manager Starting
> ---
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: NOTE: Manager Version:
> Apache Traffic Server - traffic_manager - 2.1.1-unstable - (build # 62010 on
> Jul 20 2010 at 10:17:39)
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE:
> updated diags config
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE:
> [Rollback::openFile] Open of cache.config failed: Permission denied
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE:
> [Rollback::Rollback] Config file is read-only : cache.config
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE:
> [ClusterCom::ClusterCom] Node running on OS: 'Linux' Release:
> '2.6.9-67.0.22.ELsmp'
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE:
> [LocalManager::listenForProxy] Listening on port: 8085
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE:
> [LocalManager::listenForProxy] Listening on port: 443
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE:
> [TrafficManager] Setup complete
> Jul 27 11:24:19 llf531136 traffic_manager[25037]: {182924636832} NOTE:
> [LocalManager::startProxy] Launching ts process
> Jul 27 11:24:19 llf531136 traffic_manager[25037]: {182924636832} NOTE:
> [LocalManager::pollMgmtProcessServer] New process connecting fd '10'
> Jul 27 11:24:19 llf531136 traffic_manager[25037]: {182924636832} NOTE:
> [Alarms::signalAlarm] Server Process born
> Jul 27 11:24:20 llf531136 traffic_server[25049]: NOTE: --- Server Starting ---
> Jul 27 11:24:20 llf531136 traffic_server[25049]: NOTE: Server Version: Apache
> Traffic Server - traffic_server - 2.1.1-unstable - (build # 62010 on Jul 20
> 2010 at 10:17:53)
> Jul 27 11:24:20 llf531136 traffic_server[25049]: {182924636544} NOTE: updated
> diags config
> Jul 27 11:24:20 llf531136 traffic_server[25049]: {182924636544} NOTE: cache
> clustering disabled
> Jul 27 11:24:20 llf531136 traffic_server[25049]: {182924636544} NOTE: cache
> clustering disabled
> Jul 27 11:24:20 llf531136 traffic_server[25049]: {182924636544} NOTE: logging
> initialized[7], logging_mode = 3
> Jul 27 11:24:20 llf531136 traffic_server[25049]: {182924636544} NOTE: traffic
> server running
> Jul 27 11:24:32 llf531136 traffic_server[25049]: {1095842144} NOTE: cache
> enabled
> Jul 27 11:24:41 llf531136 traffic_server[25049]: {1140050272} ERROR: SSL
> ERROR: SSL_ServerHandShake.
> Jul 27 11:24:41 llf531136 traffic_server[25049]: {1140050272} ERROR:
> SSL::39:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy
> request:s23_srvr.c:402:
> Jul 27 11:24:42 llf531136 traffic_server[25049]: {1137944928} ERROR: SSL
> ERROR: SSL_ServerHandShake.
> Jul 27 11:24:42 llf531136 traffic_server[25049]: {1137944928} ERROR:
> SSL::37:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy
> request:s23_srvr.c:402:
> Jul 27 11:24:44 llf531136 traffic_server[25049]: {1142155616} ERROR: SSL
> ERROR: SSL_ServerHandShake.
> Jul 27 11:24:44 llf531136 traffic_server[25049]: {1142155616} ERROR:
> SSL::41:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy
> request:s23_srvr.c:402:
> ==========================================================================================
> traffic.out output
> ==========================================================================================
> [E. Mgmt] log ==> [TrafficManager] using root directory
> '/export/crawlspace/packages/ats-2.1.1'
> [Jul 27 11:24:18.353] {182924636832} STATUS: opened
> /export/crawlspace/packages/ats-2.1.1/var/log/trafficserver/manager.log
> [TrafficServer] using root directory '/export/crawlspace/packages/ats-2.1.1'
> [Jul 27 11:24:20.506] {182924636544} STATUS: opened
> /export/crawlspace/packages/ats-2.1.1/var/log/trafficserver/diags.log
> [Jul 27 11:24:41.676] Server {1140050272} ERROR: SSL ERROR:
> SSL_ServerHandShake.
> [Jul 27 11:24:41.676] Server {1140050272} ERROR: SSL::39:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:402:
> [Jul 27 11:24:42.679] Server {1137944928} ERROR: SSL ERROR:
> SSL_ServerHandShake.
> [Jul 27 11:24:42.679] Server {1137944928} ERROR: SSL::37:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:402:
> [Jul 27 11:24:44.681] Server {1142155616} ERROR: SSL ERROR:
> SSL_ServerHandShake.
> [Jul 27 11:24:44.681] Server {1142155616} ERROR: SSL::41:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:402:
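Added example, not part of the original comment or of Traffic Server's code: a triage helper that rejoins the wrapped syslog records above, decodes the packed OpenSSL error code (OpenSSL 1.0.x and earlier layout) and classifies the first bytes a client sends to the SSL port. Function names are hypothetical; the sample log text is copied from this page and the byte strings in the usage are constructed.

```python
import re

# OpenSSL <= 1.0.x packs an error code as lib (8 bits) | func (12) | reason (12).
ERR_LIB_SSL = 20
# Reason codes from OpenSSL's ssl.h for cleartext HTTP arriving on a TLS listener.
SSL_REASONS = {155: "https proxy request", 156: "http request"}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
STAMP_RE = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Two wrapped records copied from the /var/log/messages excerpt on this page.
SAMPLE = """\
Aug 30 08:43:16 llf531130 traffic_server[7085]: {1190578528} ERROR: SSL ERROR:
SSL_ServerHandShake.
Aug 30 08:43:16 llf531130 traffic_server[7085]: {1190578528} ERROR:
SSL::40:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy
request:s23_srvr.c:402:
"""

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def unwrap_syslog(text):
    """Rejoin records that e-mail wrapping (and '>' quoting) split across lines."""
    records = []
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()
        if STAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def plaintext_on_tls_port(text):
    """Return (timestamp, reason) for records showing cleartext HTTP on the TLS port."""
    hits = []
    for rec in unwrap_syslog(text):
        m = ERR_RE.search(rec)
        if m:
            lib, _func, reason = decode_openssl_error(m.group(1))
            if lib == ERR_LIB_SSL and reason in SSL_REASONS:
                hits.append((rec[:15], SSL_REASONS[reason]))
    return hits

def classify_first_bytes(data):
    """Classify the first bytes a client sends to a TLS-terminating port."""
    if data[:2] == b"\x16\x03":  # TLS record header: handshake, version 3.x
        return "tls-client-hello"
    verb = data.split(b" ", 1)[0]
    if verb == b"CONNECT":
        return "plaintext-proxy-connect"
    return "plaintext-http" if verb in (b"GET", b"POST", b"HEAD", b"PUT") else "unknown"
```
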