[
https://issues.apache.org/jira/browse/TS-2569?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ron Barber updated TS-2569:
---------------------------
Attachment: TS-2569_logic.patch
TS-2569_indent.patch
Previous patch missed some ctx initialization, specifically where the following
get setup:
* Allow client renegotiation
* TLS NPN
* Session ticket settings
Two patches provided:
1. TS-2569_logic.patch - this is the actual fix but without indenting so the
diff is easy to see.
2. TS-2569_indent.patch - is a patch to the logic patch to indent as needed.
To apply, apply TS-2569_logic.patch, then apply TS-2569_indent.patch.
> ssl options are ignored if ssl_multicert.config does not contain an entry
> with dest_ip=*
> -----------------------------------------------------------------------------------------
>
> Key: TS-2569
> URL: https://issues.apache.org/jira/browse/TS-2569
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Reporter: Ron Barber
> Labels: Review
> Fix For: 5.0.0
>
> Attachments: TS-2569_indent.patch, TS-2569_logic.patch
>
>
> We discovered that the proxy.config.ssl.server.honor_cipher_order=1 setting
> was not working correctly. After investigating it was determined that if you
> do not have a dest_ip=* in the ssl_multicert.config file then the server
> cipher order setting will not be honored.
> ssl_multicert.config
> dest_ip=192.168.214.131 ssl_cert_name=cert.pem
> records.config
> CONFIG proxy.config.ssl.server.cipher_suite STRING
> RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!NULL
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> Result (client selection is honored):
> % echo | openssl s_client -connect 192.168.214.131:443 -cipher
> 'AES128-SHA:RC4-SHA' 2>&1 | grep 'Cipher is'
> New, TLSv1/SSLv3, Cipher is AES128-SHA
> % echo | openssl s_client -connect 192.168.214.131:443 -cipher
> 'RC4-SHA:AES128-SHA' 2>&1 | grep 'Cipher is'
> New, TLSv1/SSLv3, Cipher is RC4-SHA
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
