[ https://issues.apache.org/jira/browse/TS-346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13911790#comment-13911790 ]

Leif Hedstrom edited comment on TS-346 at 2/25/14 5:58 PM:
-----------------------------------------------------------

Hmmm, I tested this again (same setup, enable verify, and provide the CA that comes with Fedora), and I get a different crash now:

{code}
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff289d700 (LWP 1762)]
SSL_connect (s=0x0) at ssl_lib.c:945
945             if (s->handshake_func == 0)
Missing separate debuginfos, use: debuginfo-install tcl-8.5.7-6.el6.x86_64
(gdb) bt
#0  SSL_connect (s=0x0) at ssl_lib.c:945
#1  0x00000000006774c8 in SSLNetVConnection::sslClientHandShakeEvent 
(this=0x7fffec19e580, err=@0x7ffff289cc5c)
    at ../../../../iocore/net/SSLNetVConnection.cc:611
#2  0x0000000000679739 in SSLNetVConnection::sslStartHandShake 
(this=0x7fffec19e580, event=<value optimized out>,
    err=@0x7ffff289cc5c) at ../../../../iocore/net/SSLNetVConnection.cc:510
#3  0x0000000000689142 in write_to_net_io (nh=0x7ffff29a2c10, 
vc=0x7fffec19e580, thread=0x7ffff299f010)
    at ../../../../iocore/net/UnixNetVConnection.cc:374
#4  0x000000000067eb63 in NetHandler::mainNetEvent (this=0x7ffff29a2c10, 
event=<value optimized out>,
    e=<value optimized out>) at ../../../../iocore/net/UnixNet.cc:400
#5  0x00000000006ab89f in handleEvent (this=0x7ffff299f010, e=0x1013d20, 
calling_code=5)
    at ../../../../iocore/eventsystem/I_Continuation.h:146
#6  EThread::process_event (this=0x7ffff299f010, e=0x1013d20, calling_code=5)
    at ../../../../iocore/eventsystem/UnixEThread.cc:145
#7  0x00000000006ac243 in EThread::execute (this=0x7ffff299f010) at 
../../../../iocore/eventsystem/UnixEThread.cc:269
#8  0x00000000006aac4a in spawn_thread_internal (a=0xfe8cf0) at 
../../../../iocore/eventsystem/Thread.cc:88
#9  0x00007ffff615a9d1 in start_thread (arg=0x7ffff289d700) at 
pthread_create.c:301
#10 0x00007ffff51b1b6d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:115

(gdb) frame 1
#1  0x00000000006774c8 in SSLNetVConnection::sslClientHandShakeEvent 
(this=0x7fffec19e580, err=@0x7ffff289cc5c)
    at ../../../../iocore/net/SSLNetVConnection.cc:611
warning: Source file is more recent than executable.
611       ret = SSL_connect(ssl);
(gdb) print ssl
$1 = (SSL *) 0x0
{code}

The only thing I did was to enable the verify feature:

{code}
CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.client.cert.filename STRING /etc/pki/tls/certs/ca-bundle.crt
{code}

Is it possible that this verify.server feature does not do what it sounds like it should?
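As an added illustration (not code from this thread or from Traffic Server) of what a verify.server setting should amount to: parse the two records.config lines above and build a client TLS context that actually verifies the server chain against the configured bundle, reporting a missing, unreadable or CA-less bundle as an error rather than letting a NULL SSL handle reach SSL_connect. Which records.config key ATS reads its trust store from is not settled by the thread, so the key name is a parameter here; the config lines and paths are constructed samples.

```python
import ssl
from pathlib import Path

# Constructed sample: the two records.config lines from the comment above,
# with the e-mail line wrap of the second line joined back into one line.
RECORDS_CONFIG = """\
CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.client.cert.filename STRING /etc/pki/tls/certs/ca-bundle.crt
"""

def parse_records(text):
    """Parse 'CONFIG <name> <TYPE> <value>' lines into {name: value}.
    INT values become int; STRING values stay str and may be empty."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3 or parts[0] != "CONFIG":
            raise ValueError(f"not a records.config line: {raw!r}")
        name, typ = parts[1], parts[2]
        value = parts[3] if len(parts) == 4 else ""
        out[name] = int(value) if typ == "INT" else value
    return out

def verifying_client_context(cafile):
    """Build a client context that verifies the peer chain against cafile.
    Returns (context, reason) on success or (None, reason) on any failure,
    so a bad trust store is diagnosed instead of surfacing as a crash."""
    if not cafile:
        return None, "no CA bundle configured"
    if not Path(cafile).is_file():
        return None, f"CA bundle not found: {cafile}"
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED plus hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile)
    except (ssl.SSLError, OSError) as e:
        return None, f"CA bundle unreadable: {e}"
    ncas = ctx.cert_store_stats()["x509_ca"]  # CA certs actually loaded
    if ncas == 0:
        return None, "bundle contains no CA certificates"
    return ctx, f"verifying server chains against {ncas} CA certificate(s)"

def check_verify_setting(text, cafile_key="proxy.config.ssl.client.cert.filename"):
    """Return (enabled, context_or_None, reason) for a records.config text.
    cafile_key is an assumption: the key the trust-store path is read from."""
    cfg = parse_records(text)
    if cfg.get("proxy.config.ssl.client.verify.server", 0) != 1:
        return False, None, "verify.server is off: server certificates are not checked"
    ctx, reason = verifying_client_context(cfg.get(cafile_key, ""))
    return True, ctx, reason
```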


> ATS does not verify server certificate
> --------------------------------------
>
>                 Key: TS-346
>                 URL: https://issues.apache.org/jira/browse/TS-346
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: vijaya bhaskar mamidi
>            Priority: Critical
>              Labels: A
>             Fix For: 5.2.0
>
>
> ATS does not verify the certificates correctly.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
