Ron Barber created TS-2569:
------------------------------
Summary: ssl options are ignored if ssl_multicert.config does not contain an entry with dest_ip=*
Key: TS-2569
URL: https://issues.apache.org/jira/browse/TS-2569
Project: Traffic Server
Issue Type: Bug
Components: SSL
Reporter: Ron Barber
We discovered that the proxy.config.ssl.server.honor_cipher_order=1 setting was
not working correctly. After investigating it was determined that if you do
not have a dest_ip=* in the ssl_multicert.config file then the server cipher
order setting will not be honored.
ssl_multicert.config:
dest_ip=192.168.214.131 ssl_cert_name=cert.pem

records.config:
CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!NULL
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1

Result (client selection is honored):
% echo | openssl s_client -connect 192.168.214.131:443 -cipher 'AES128-SHA:RC4-SHA' 2>&1 | grep 'Cipher is'
New, TLSv1/SSLv3, Cipher is AES128-SHA
% echo | openssl s_client -connect 192.168.214.131:443 -cipher 'RC4-SHA:AES128-SHA' 2>&1 | grep 'Cipher is'
New, TLSv1/SSLv3, Cipher is RC4-SHA
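
The condition in this report can be checked offline from the two config files and from the two probe results. This is an added example, not part of the original report or of Traffic Server: the function names are hypothetical, only an explicit dest_ip=* line is counted as the default entry (as the report describes), and the second ssl_multicert.config sample is constructed.

```python
import shlex

HONOR_KEY = "proxy.config.ssl.server.honor_cipher_order"

# Config and probe results as quoted in the report.
MULTICERT = "dest_ip=192.168.214.131 ssl_cert_name=cert.pem\n"
RECORDS = (
    "CONFIG proxy.config.ssl.server.cipher_suite STRING "
    "RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!NULL\n"
    "CONFIG proxy.config.ssl.server.honor_cipher_order INT 1\n"
)
PROBES = [("AES128-SHA:RC4-SHA", "AES128-SHA"), ("RC4-SHA:AES128-SHA", "RC4-SHA")]
# Constructed sample: the same file with a default entry added.
MULTICERT_WITH_DEFAULT = MULTICERT + "dest_ip=* ssl_cert_name=cert.pem\n"

def parse_multicert(text):
    """One dict of key=value pairs per non-comment line of ssl_multicert.config."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entries.append(dict(t.split("=", 1) for t in shlex.split(line) if "=" in t))
    return entries

def parse_records(text):
    """{name: value} for each 'CONFIG name TYPE value' line of records.config."""
    records = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "CONFIG":
            records[parts[1]] = parts[3].strip()
    return records

def honor_order_at_risk(multicert_text, records_text):
    """True when honor_cipher_order is 1 but no explicit dest_ip=* entry exists."""
    honor = parse_records(records_text).get(HONOR_KEY) == "1"
    has_default = any(e.get("dest_ip") == "*" for e in parse_multicert(multicert_text))
    return honor and not has_default

def client_order_wins(probes):
    """True when each (offered list, negotiated cipher) probe got the client's
    first choice and the probes led with different ciphers."""
    firsts = {offer.split(":")[0] for offer, _ in probes}
    return len(firsts) > 1 and all(got == offer.split(":")[0] for offer, got in probes)

if __name__ == "__main__":
    print("at risk:", honor_order_at_risk(MULTICERT, RECORDS))
    print("client order wins:", client_order_wins(PROBES))
```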