[
https://issues.apache.org/jira/browse/TS-718?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13021836#comment-13021836
]
Leif Hedstrom commented on TS-718:
----------------------------------
One more suggestions: Lets rename proxy.config.ssl.max.sessions to be
proxy.config.ssl.session_cache.size .
So, we'll have
proxy.config.ssl.session_cache
proxy.config.ssl.session_cache.lifetime
proxy.config.ssl.session_cache.size
Where the first option is the new option to control which mode session cache is
in (so ignore my previous suggestion above). This makes all the session related
option grouped together nicely.
> can not reuse SSL connections on RHEL5/CentOS5
> ----------------------------------------------
>
> Key: TS-718
> URL: https://issues.apache.org/jira/browse/TS-718
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Affects Versions: 2.1.7
> Environment: RHEL5 system with TS 2.1.6 2.1.7
> compared with Apache httpd
> Reporter: Zhao Yongming
> Assignee: qianshi
> Fix For: 2.1.8
>
> Attachments: TS-718-v2.patch, TS-718.patch
>
>
> when with apache httpd default mod_ssl:
> {noformat}
> [root@ts1 httpd]# echo | openssl s_client -reconnect -connect localhost:443
> 2>&1
> CONNECTED(00000003)
> depth=0
> /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/[email protected]
> verify error:num=18:self signed certificate
> verify return:1
> depth=0
> /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/[email protected]
> verify return:1
> ---
> Certificate chain
> 0
> s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/[email protected]
>
> i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/[email protected]
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIDSzCCArSgAwIBAgICUWcwDQYJKoZIhvcNAQEFBQAwgcExCzAJBgNVBAYTAi0t
> MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
> DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
> bml0MSEwHwYDVQQDDBh0czEudGVzdC5jbnouYWxpbWFtYS5jb20xLDAqBgkqhkiG
> 9w0BCQEWHXJvb3RAdHMxLnRlc3QuY256LmFsaW1hbWEuY29tMB4XDTExMDMyNDEw
> Mjk1MVoXDTEyMDMyMzEwMjk1MVowgcExCzAJBgNVBAYTAi0tMRIwEAYDVQQIDAlT
> b21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQKDBBTb21lT3JnYW5p
> emF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxVbml0MSEwHwYDVQQD
> DBh0czEudGVzdC5jbnouYWxpbWFtYS5jb20xLDAqBgkqhkiG9w0BCQEWHXJvb3RA
> dHMxLnRlc3QuY256LmFsaW1hbWEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
> iQKBgQDg0xr6MMfTUooenmxTyXiaSiHMfrkbGGhjgE0slP1iWfBf62Qal1daSSb8
> hSSFCZI78RWAp/bcadHGPo43xDWBmohLyTnlWksKKcbSJ9atdijC2L2CJNXiWgKC
> cu+2jOTLAw0YJVOufuJmm8QaqmHl4y3UGE626VDN8lPGBCrQcwIDAQABo1AwTjAd
> BgNVHQ4EFgQUIAfaVLkaRWgWp+zxPtp0bWfbbsgwHwYDVR0jBBgwFoAUIAfaVLka
> RWgWp+zxPtp0bWfbbsgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA1
> qYMZB0MuCQz2yCAx25C3+UtoZuxdmQxekmOPjtRAm2CRccW7r0ne57BcVU79Qk2s
> 6KTU4fO7lJ1tz49ZkX5zts5WuqsWDSb4cfyDb3ybubcZwUu+eSkqVkx/7GAuVgcl
> weoLXdgpQ779T45SovOR212BXQpYI0piMDNIB9p0mA==
> -----END CERTIFICATE-----
> subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/[email protected]
> issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/[email protected]
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1418 bytes and written 319 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID:
> 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key:
> 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID:
> 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key:
> 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID:
> 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key:
> 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID:
> 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key:
> 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID:
> 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key:
> 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID:
> 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B
> Session-ID-ctx:
> Master-Key:
> 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962675
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> DONE
> {noformat}
> it works fine, but when using TS:
> {noformat}
> [root@ts1 httpd]# echo | openssl s_client -reconnect -connect localhost:443
> 2>&1
> CONNECTED(00000003)
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0
> s:/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
>
> i:/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ca.ZYMLinux.net/[email protected]
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGHTCCBAWgAwIBAgIBDDANBgkqhkiG9w0BAQUFADCBjzELMAkGA1UEBhMCQ04x
> EDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0JlaWppbmcxFTATBgNVBAoTDFpZ
> TUxpbnV4Lm5ldDELMAkGA1UECxMCQ0ExGDAWBgNVBAMTD2NhLlpZTUxpbnV4Lm5l
> dDEeMBwGCSqGSIb3DQEJARYPY2FAWllNTGludXgubmV0MB4XDTExMDMwODAyNDMx
> MFoXDTEyMDMwNzAyNDMxMFowgaExCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlq
> aW5nMRAwDgYDVQQHEwdCZWlqaW5nMRUwEwYDVQQKEwxaWU1MaW51eC5uZXQxCzAJ
> BgNVBAsTAkNBMSEwHwYDVQQDExh0czMudGVzdC5jbnouYWxpbWFtYS5jb20xJzAl
> BgkqhkiG9w0BCQEWGHRzMy50ZXN0LmNuei5hbGltYW1hLmNvbTCCASIwDQYJKoZI
> hvcNAQEBBQADggEPADCCAQoCggEBAK1wb18KVJCJM0hdr4xzVIvoVwnWqn4MJ/Kl
> o9/FWARJDyymm0RRiU2Enfd+BS7Bj4SJZ8TAhS6PoPD9vK1Sua/Pt3IYPRF9CL89
> jIf5tAXwjCFZhnswhs1HskrtPnOzjbl7H/qFBdNGMvZytPrGxzCsBeXnJsn21M1U
> WVn4sgSSBx/vS2H4BZXSyKihq205seDUt6u6L7S0KuDWFRFmBvWkoeaJktS3vyc3
> o1e5B9emVa3scmnIYwrrznA5rNr+gd0EEwaCYNG8zamWF3WnWMMX/LPZhKddjwBh
> 5DrcfDEM+Io9gvzfjgc7httyNF4dJxUbQ1gyE9PvIlsQI15ClvcCAwEAAaOCAW4w
> ggFqMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMCsGCWCGSAGG+EIBDQQe
> FhxUaW55Q0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSJmPPFTTmt
> BX9nH55uSiQ4eiCubTCBvAYDVR0jBIG0MIGxgBQbuyvDvYMO2DZ8QnANQf13Y2po
> PKGBlaSBkjCBjzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNV
> BAcTB0JlaWppbmcxFTATBgNVBAoTDFpZTUxpbnV4Lm5ldDELMAkGA1UECxMCQ0Ex
> GDAWBgNVBAMTD2NhLlpZTUxpbnV4Lm5ldDEeMBwGCSqGSIb3DQEJARYPY2FAWllN
> TGludXgubmV0ggEAMBoGA1UdEgQTMBGBD2NhQFpZTUxpbnV4Lm5ldDAjBgNVHREE
> HDAagRh0czMudGVzdC5jbnouYWxpbWFtYS5jb20wDQYJKoZIhvcNAQEFBQADggIB
> AAWHF+E7cQu37DSU2RA3aSEjKN0wixzCcDjQvBRl4lP+r56UcPbJSV264uKqIMRZ
> Vq4Sp0haE1NOYrS+vq7+Ws0hnuXaKysNOwcwia2Epi4AHcb81Ou6RLWP5ClVoL/o
> 2HCzx4wwJsVTP5dHktYYFjUk6rv9bvOl0ESyBtyGKHeG+Vuj+27ZshV3H1IRAgdE
> nfUx85hEjVbUmvuWFIE6sw92YnXTFFCSzMjpqU8+fHdd0KQ2z9UBY9KaRhjf57se
> oqcQzJGSV67qqJNiIuBLAQJC/5090m+LwDuAm9abRFF/Qz8MZp7ZoxEG8KoqBAXg
> 3qkNo1e4uQEhlDk9ttMR/BSi9iRxH95EBay0zWWKfrJ+S4zR2cI8/B0hTg42N/Ek
> rbeszX4NEu3MZTfxuOwDoQkStHl6Wwe9/DMrqXtn2LyFTSxSOZwTsQCGT0Gxdvvo
> e9DM/tTzwttwzWQhcgWv0rpv4T5amGckDtou2cAaSQtpUZ84+HUvIA/2PCUf8vs7
> gdkppnxUwemG/KDtqlX9MmTn6hNm3YgbQHPukNX8Mj8YCRAwP65yeZyxI/uysHtn
> yoW/dEVqfud0/KnkJD5Bxz3RlOvj0Bg6mqbCB3siDvaLA9TfMbMGnMCbkJ282Kdh
> TxeXEoP7oSznRJwTLeYaDBuz7TypMz/6FZ3DJXGjq00O
> -----END CERTIFICATE-----
> subject=/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> issuer=/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ca.ZYMLinux.net/[email protected]
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1738 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
> 4655CB9C20336F697635D635BA10C454B4CAF65CE6965B74D88053A8930F49D7
> Session-ID-ctx:
> Master-Key:
> B570F0491201E31F6E69A9BD7B0308B628FEB841F2F296F67D48A74D539B54C617E31ACE9A8665893F07B7531908928F
> Key-Arg : None
> Krb5 Principal: None
> Start Time: 1300962759
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
> 9A2259F250116E51D7E02D6930EA66F597955A9817B50D902FD60A146884B89E
> Session-ID-ctx:
> Master-Key:
> 786BC54F416400E75D3817883618579FADE6EC2654DF97E8D6E862920198641EBE0BA5C3C71831972FC5A5286D4CE983
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962759
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
> 1D0DD5DD06E9C2D1190EA13D89D7C5908E82A7DBEC96CFA85975A5643BC7F7AB
> Session-ID-ctx:
> Master-Key:
> A409F56F9AD1155B4D194B7B42B4A3E93A65F75E44B38C1A33A8A51EBA747FF6E6BF9E36241C8422DC5F414E21183F3E
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962759
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
> A6FF45E425461DEB031419FE72EC5674A448450BA197FECE8CC27A58CAD0ED55
> Session-ID-ctx:
> Master-Key:
> 3C5696BCC95BE15B2352F157340F70E7AA13CE6AA5A07D1F606A617380603D72FB856907511DF168A919ED023FF76BD0
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962759
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
> 90A1D6EE36998F47A335578819698EE57933DB788C430D617C8B07E7872D011E
> Session-ID-ctx:
> Master-Key:
> 87ED7181AFE13C8A36A5A6A2A9E9912C1E4AADED0053C3F03ADC9E01D9548A4D791A1B4EACB20851585F730E455677E4
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962759
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0
> /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
> DB52C8DA3A369E05DB5E8A21ED0B7A931AC235651EDF6FFE85F21D5F0452CBF2
> Session-ID-ctx:
> Master-Key:
> 90E093DB76E39DA4A534EE73F2EB87CA48B1BC5B2E1D017C0D0ADED02F151A80802729ADEA0DAF54EF6F271413B1E522
> Key-Arg : None
> Krb5 Principal: None
> Compression: 1 (zlib compression)
> Start Time: 1300962759
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> DONE
> {noformat}
> also tested TS on other distribution, works without error:
> gentoo:
> {noformat}
> zymtest1 trafficserver # echo | openssl s_client -reconnect -connect
> zymtest1.corp.aliyk.com:443 2>&1 | grep Reused
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> Reused, TLSv1/SSLv3, Cipher is AES256-SHA
> {noformat}
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
