[ https://issues.apache.org/jira/browse/TS-718?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13021817#comment-13021817 ]
Leif Hedstrom commented on TS-718:
----------------------------------

So, I'm a little confused about this patch, and have some concerns.

1) First of all, I was never able to reproduce the problem with SSL sessions not being reused. The default in OpenSSL seems to be to use the "internal" server session handling. What's even more confusing is that even if I explicitly try to turn off the session reuse cache, OpenSSL still seems to do the reuse (according to that openssl s_client command at least). And even more confusing is that I don't see it trigger the Debug() code (and I debugged it in gdb too; I don't see the callbacks being called when doing the tests).

2) I'm attaching a slightly modified patch, which cleans up things a little bit (but see #3 and #4 for more fixes that I think need to be done).

3) I don't think the usage of the ink_hash is correct. I do not think it's atomic like the code seems to assume, i.e. you can't have two threads adding or deleting from the hash at the same time. Some sort of locking would be required around this, I'm pretty sure. I.e. we'd have to add a g_session_lock or something like that, and do appropriate locking around all additions / deletes from the hash.

4) I think we should add an additional configuration option, call it proxy.config.ssl.session_reuse, and let it take the following values (for now; more options can be added later):

0 - Turn off all session reuse (SSL_SESS_CACHE_OFF)
1 - Turn on normal server cache (SSL_SESS_CACHE_SERVER). This should be the default.
2 - Enable the hash based session cache (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL)

I have not made any attempts to fix / implement #3 and #4 above, wanted to discuss it here first.
> can not reuse SSL connections on RHEL5/CentOS5
> ----------------------------------------------
>
> Key: TS-718
> URL: https://issues.apache.org/jira/browse/TS-718
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Affects Versions: 2.1.7
> Environment: RHEL5 system with TS 2.1.6 2.1.7
> compared with Apache httpd
> Reporter: Zhao Yongming
> Assignee: qianshi
> Fix For: 2.1.8
>
> Attachments: TS-718-v2.patch, TS-718.patch
>
>
> when with apache httpd default mod_ssl:
> {noformat}
> [root@ts1 httpd]# echo | openssl s_client -reconnect -connect localhost:443 2>&1
> CONNECTED(00000003)
> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=r...@ts1.test.cnz.alimama.com
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=r...@ts1.test.cnz.alimama.com
> verify return:1
> ---
> Certificate chain
>  0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=r...@ts1.test.cnz.alimama.com
>    i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=r...@ts1.test.cnz.alimama.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIDSzCCArSgAwIBAgICUWcwDQYJKoZIhvcNAQEFBQAwgcExCzAJBgNVBAYTAi0t
> MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
> DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
> bml0MSEwHwYDVQQDDBh0czEudGVzdC5jbnouYWxpbWFtYS5jb20xLDAqBgkqhkiG
> 9w0BCQEWHXJvb3RAdHMxLnRlc3QuY256LmFsaW1hbWEuY29tMB4XDTExMDMyNDEw
> Mjk1MVoXDTEyMDMyMzEwMjk1MVowgcExCzAJBgNVBAYTAi0tMRIwEAYDVQQIDAlT
> b21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQKDBBTb21lT3JnYW5p
> emF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxVbml0MSEwHwYDVQQD
> DBh0czEudGVzdC5jbnouYWxpbWFtYS5jb20xLDAqBgkqhkiG9w0BCQEWHXJvb3RA
> dHMxLnRlc3QuY256LmFsaW1hbWEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
> iQKBgQDg0xr6MMfTUooenmxTyXiaSiHMfrkbGGhjgE0slP1iWfBf62Qal1daSSb8
> hSSFCZI78RWAp/bcadHGPo43xDWBmohLyTnlWksKKcbSJ9atdijC2L2CJNXiWgKC
> cu+2jOTLAw0YJVOufuJmm8QaqmHl4y3UGE626VDN8lPGBCrQcwIDAQABo1AwTjAd
> BgNVHQ4EFgQUIAfaVLkaRWgWp+zxPtp0bWfbbsgwHwYDVR0jBBgwFoAUIAfaVLka
> RWgWp+zxPtp0bWfbbsgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA1
> qYMZB0MuCQz2yCAx25C3+UtoZuxdmQxekmOPjtRAm2CRccW7r0ne57BcVU79Qk2s
> 6KTU4fO7lJ1tz49ZkX5zts5WuqsWDSb4cfyDb3ybubcZwUu+eSkqVkx/7GAuVgcl
> weoLXdgpQ779T45SovOR212BXQpYI0piMDNIB9p0mA==
> -----END CERTIFICATE-----
> subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=r...@ts1.test.cnz.alimama.com
> issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=r...@ts1.test.cnz.alimama.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1418 bytes and written 319 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key: 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> DONE
> {noformat}
> it works fine, but when using TS:
> {noformat}
> [root@ts1 httpd]# echo | openssl s_client -reconnect -connect localhost:443 2>&1
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
>    i:/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ca.ZYMLinux.net/emailAddress=c...@zymlinux.net
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGHTCCBAWgAwIBAgIBDDANBgkqhkiG9w0BAQUFADCBjzELMAkGA1UEBhMCQ04x
> EDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0JlaWppbmcxFTATBgNVBAoTDFpZ
> TUxpbnV4Lm5ldDELMAkGA1UECxMCQ0ExGDAWBgNVBAMTD2NhLlpZTUxpbnV4Lm5l
> dDEeMBwGCSqGSIb3DQEJARYPY2FAWllNTGludXgubmV0MB4XDTExMDMwODAyNDMx
> MFoXDTEyMDMwNzAyNDMxMFowgaExCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlq
> aW5nMRAwDgYDVQQHEwdCZWlqaW5nMRUwEwYDVQQKEwxaWU1MaW51eC5uZXQxCzAJ
> BgNVBAsTAkNBMSEwHwYDVQQDExh0czMudGVzdC5jbnouYWxpbWFtYS5jb20xJzAl
> BgkqhkiG9w0BCQEWGHRzMy50ZXN0LmNuei5hbGltYW1hLmNvbTCCASIwDQYJKoZI
> hvcNAQEBBQADggEPADCCAQoCggEBAK1wb18KVJCJM0hdr4xzVIvoVwnWqn4MJ/Kl
> o9/FWARJDyymm0RRiU2Enfd+BS7Bj4SJZ8TAhS6PoPD9vK1Sua/Pt3IYPRF9CL89
> jIf5tAXwjCFZhnswhs1HskrtPnOzjbl7H/qFBdNGMvZytPrGxzCsBeXnJsn21M1U
> WVn4sgSSBx/vS2H4BZXSyKihq205seDUt6u6L7S0KuDWFRFmBvWkoeaJktS3vyc3
> o1e5B9emVa3scmnIYwrrznA5rNr+gd0EEwaCYNG8zamWF3WnWMMX/LPZhKddjwBh
> 5DrcfDEM+Io9gvzfjgc7httyNF4dJxUbQ1gyE9PvIlsQI15ClvcCAwEAAaOCAW4w
> ggFqMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMCsGCWCGSAGG+EIBDQQe
> FhxUaW55Q0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSJmPPFTTmt
> BX9nH55uSiQ4eiCubTCBvAYDVR0jBIG0MIGxgBQbuyvDvYMO2DZ8QnANQf13Y2po
> PKGBlaSBkjCBjzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNV
> BAcTB0JlaWppbmcxFTATBgNVBAoTDFpZTUxpbnV4Lm5ldDELMAkGA1UECxMCQ0Ex
> GDAWBgNVBAMTD2NhLlpZTUxpbnV4Lm5ldDEeMBwGCSqGSIb3DQEJARYPY2FAWllN
> TGludXgubmV0ggEAMBoGA1UdEgQTMBGBD2NhQFpZTUxpbnV4Lm5ldDAjBgNVHREE
> HDAagRh0czMudGVzdC5jbnouYWxpbWFtYS5jb20wDQYJKoZIhvcNAQEFBQADggIB
> AAWHF+E7cQu37DSU2RA3aSEjKN0wixzCcDjQvBRl4lP+r56UcPbJSV264uKqIMRZ
> Vq4Sp0haE1NOYrS+vq7+Ws0hnuXaKysNOwcwia2Epi4AHcb81Ou6RLWP5ClVoL/o
> 2HCzx4wwJsVTP5dHktYYFjUk6rv9bvOl0ESyBtyGKHeG+Vuj+27ZshV3H1IRAgdE
> nfUx85hEjVbUmvuWFIE6sw92YnXTFFCSzMjpqU8+fHdd0KQ2z9UBY9KaRhjf57se
> oqcQzJGSV67qqJNiIuBLAQJC/5090m+LwDuAm9abRFF/Qz8MZp7ZoxEG8KoqBAXg
> 3qkNo1e4uQEhlDk9ttMR/BSi9iRxH95EBay0zWWKfrJ+S4zR2cI8/B0hTg42N/Ek
> rbeszX4NEu3MZTfxuOwDoQkStHl6Wwe9/DMrqXtn2LyFTSxSOZwTsQCGT0Gxdvvo
> e9DM/tTzwttwzWQhcgWv0rpv4T5amGckDtou2cAaSQtpUZ84+HUvIA/2PCUf8vs7
> gdkppnxUwemG/KDtqlX9MmTn6hNm3YgbQHPukNX8Mj8YCRAwP65yeZyxI/uysHtn
> yoW/dEVqfud0/KnkJD5Bxz3RlOvj0Bg6mqbCB3siDvaLA9TfMbMGnMCbkJ282Kdh
> TxeXEoP7oSznRJwTLeYaDBuz7TypMz/6FZ3DJXGjq00O
> -----END CERTIFICATE-----
> subject=/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> issuer=/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ca.ZYMLinux.net/emailAddress=c...@zymlinux.net
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1738 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: 4655CB9C20336F697635D635BA10C454B4CAF65CE6965B74D88053A8930F49D7
> Session-ID-ctx:
> Master-Key: B570F0491201E31F6E69A9BD7B0308B628FEB841F2F296F67D48A74D539B54C617E31ACE9A8665893F07B7531908928F
> Key-Arg : None
> Krb5 Principal: None
> Start Time: 1300962759
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: 9A2259F250116E51D7E02D6930EA66F597955A9817B50D902FD60A146884B89E
> Session-ID-ctx:
> Master-Key: 786BC54F416400E75D3817883618579FADE6EC2654DF97E8D6E862920198641EBE0BA5C3C71831972FC5A5286D4CE983
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962759
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: 1D0DD5DD06E9C2D1190EA13D89D7C5908E82A7DBEC96CFA85975A5643BC7F7AB
> Session-ID-ctx:
> Master-Key: A409F56F9AD1155B4D194B7B42B4A3E93A65F75E44B38C1A33A8A51EBA747FF6E6BF9E36241C8422DC5F414E21183F3E
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962759
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: A6FF45E425461DEB031419FE72EC5674A448450BA197FECE8CC27A58CAD0ED55
> Session-ID-ctx:
> Master-Key: 3C5696BCC95BE15B2352F157340F70E7AA13CE6AA5A07D1F606A617380603D72FB856907511DF168A919ED023FF76BD0
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962759
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: 90A1D6EE36998F47A335578819698EE57933DB788C430D617C8B07E7872D011E
> Session-ID-ctx:
> Master-Key: 87ED7181AFE13C8A36A5A6A2A9E9912C1E4AADED0053C3F03ADC9E01D9548A4D791A1B4EACB20851585F730E455677E4
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962759
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: DB52C8DA3A369E05DB5E8A21ED0B7A931AC235651EDF6FFE85F21D5F0452CBF2
> Session-ID-ctx:
> Master-Key: 90E093DB76E39DA4A534EE73F2EB87CA48B1BC5B2E1D017C0D0ADED02F151A80802729ADEA0DAF54EF6F271413B1E522
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962759
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> DONE
> {noformat}
> also tested TS on other distribution, works without error:
> gentoo:
> {noformat}
> zymtest1 trafficserver # echo | openssl s_client -reconnect -connect zymtest1.corp.aliyk.com:443 2>&1 | grep Reused
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> {noformat}

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
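As an added example (not part of this JIRA thread, the TS-718 patches, or Traffic Server's own code), here is what items #3 and #4 in Leif's comment amount to in C: a session hash whose adds, lookups and removes all run under one g_session_lock, plus the proposed proxy.config.ssl.session_reuse values mapped to the SSL_SESS_CACHE_* bits handed to SSL_CTX_set_session_cache_mode(). Assumptions: the small chained hash stands in for ink_hash; the cached value is an opaque pointer rather than an SSL_SESSION*; the SSL_SESS_CACHE_* values are repeated from OpenSSL's <openssl/ssl.h> so the file builds without OpenSSL headers; and the function names (session_cache_mode_for, session_cache_add, session_cache_lookup, session_cache_remove) are invented for this example.

```c
/* Added example, not code from TS-718 or Traffic Server. Item #3: a session
 * hash whose every add/lookup/remove runs under g_session_lock. Item #4: the
 * proposed proxy.config.ssl.session_reuse values mapped to OpenSSL cache-mode
 * bits. Assumed: the chained hash stands in for ink_hash, sessions are opaque
 * pointers instead of SSL_SESSION*, and the SSL_SESS_CACHE_* values repeat
 * those in OpenSSL's <openssl/ssl.h> so this builds without OpenSSL. */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

#ifndef SSL_SESS_CACHE_OFF
#define SSL_SESS_CACHE_OFF                0x0000
#define SSL_SESS_CACHE_SERVER             0x0002
#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
#define SSL_SESS_CACHE_NO_INTERNAL_STORE  0x0200
#define SSL_SESS_CACHE_NO_INTERNAL (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE)
#endif

/* Item #4: the value to hand to SSL_CTX_set_session_cache_mode(). Unknown
 * settings fall back to 1, the proposed default (OpenSSL's internal cache). */
long session_cache_mode_for(int session_reuse)
{
    switch (session_reuse) {
    case 0:  return SSL_SESS_CACHE_OFF;                                 /* no reuse at all */
    case 2:  return SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL; /* hash cache only */
    default: return SSL_SESS_CACHE_SERVER;                              /* 1: internal cache */
    }
}

#define SESSION_ID_MAX 32   /* TLS session IDs are at most 32 bytes */
#define CACHE_BUCKETS  64

struct cached_session {
    unsigned char id[SESSION_ID_MAX];
    unsigned int id_len;
    void *session;                  /* opaque here; SSL_SESSION* in Traffic Server */
    struct cached_session *next;
};

static struct cached_session *g_buckets[CACHE_BUCKETS];
static pthread_mutex_t g_session_lock = PTHREAD_MUTEX_INITIALIZER;

static int valid_id_len(unsigned int n) { return n > 0 && n <= SESSION_ID_MAX; }

/* FNV-1a over the session id selects the bucket. */
static unsigned int bucket_for(const unsigned char *id, unsigned int id_len)
{
    unsigned int h = 2166136261u;
    for (unsigned int i = 0; i < id_len; i++) { h ^= id[i]; h *= 16777619u; }
    return h % CACHE_BUCKETS;
}

/* Caller must hold g_session_lock. Returns the link pointing at the entry, or NULL. */
static struct cached_session **find_link(const unsigned char *id, unsigned int id_len)
{
    struct cached_session **pp = &g_buckets[bucket_for(id, id_len)];
    for (; *pp; pp = &(*pp)->next)
        if ((*pp)->id_len == id_len && memcmp((*pp)->id, id, id_len) == 0) return pp;
    return NULL;
}

/* Store a session: 1 on success, 0 on a bad id or a duplicate (first entry wins). */
int session_cache_add(const unsigned char *id, unsigned int id_len, void *session)
{
    if (!valid_id_len(id_len)) return 0;
    struct cached_session *e = malloc(sizeof *e);
    if (!e) return 0;
    memcpy(e->id, id, id_len);
    e->id_len = id_len;
    e->session = session;
    pthread_mutex_lock(&g_session_lock);            /* the locking item #3 asks for */
    int stored = (find_link(id, id_len) == NULL);   /* check and insert under one lock */
    if (stored) {
        unsigned int b = bucket_for(id, id_len);
        e->next = g_buckets[b];
        g_buckets[b] = e;
    }
    pthread_mutex_unlock(&g_session_lock);
    if (!stored) free(e);
    return stored;
}

/* Returns the stored session pointer, or NULL when the id is unknown. */
void *session_cache_lookup(const unsigned char *id, unsigned int id_len)
{
    if (!valid_id_len(id_len)) return NULL;
    pthread_mutex_lock(&g_session_lock);
    struct cached_session **pp = find_link(id, id_len);
    void *session = pp ? (*pp)->session : NULL;
    pthread_mutex_unlock(&g_session_lock);
    return session;
}

/* Unlink and free the entry: 1 if something was removed, else 0. */
int session_cache_remove(const unsigned char *id, unsigned int id_len)
{
    if (!valid_id_len(id_len)) return 0;
    pthread_mutex_lock(&g_session_lock);
    struct cached_session **pp = find_link(id, id_len);
    struct cached_session *victim = pp ? *pp : NULL;
    if (victim) *pp = victim->next;
    pthread_mutex_unlock(&g_session_lock);
    free(victim);                                   /* free(NULL) is a no-op */
    return victim != NULL;
}
```

In a server these three functions would be driven from the callbacks registered with SSL_CTX_sess_set_new_cb(), SSL_CTX_sess_set_get_cb() and SSL_CTX_sess_set_remove_cb(). With setting 2 OpenSSL skips its internal cache entirely (SSL_SESS_CACHE_NO_INTERNAL) and relies on that external hash, which is exactly the situation where two handshakes on different threads can touch the hash at once; holding g_session_lock across the duplicate check and the insert closes the check-then-insert race that an unlocked hash would leave open.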