[https://issues.apache.org/jira/browse/TS-346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13911790#comment-13911790]
Leif Hedstrom edited comment on TS-346 at 2/25/14 5:58 PM:
-----------------------------------------------------------
Hmmm, I tested this again (same setup, enable verify, and provide the CA that
comes with Fedora), and I get a different crash now:
{code}
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff289d700 (LWP 1762)]
SSL_connect (s=0x0) at ssl_lib.c:945
945 if (s->handshake_func == 0)
Missing separate debuginfos, use: debuginfo-install tcl-8.5.7-6.el6.x86_64
(gdb) bt
#0 SSL_connect (s=0x0) at ssl_lib.c:945
#1 0x00000000006774c8 in SSLNetVConnection::sslClientHandShakeEvent
(this=0x7fffec19e580, err=@0x7ffff289cc5c)
at ../../../../iocore/net/SSLNetVConnection.cc:611
#2 0x0000000000679739 in SSLNetVConnection::sslStartHandShake
(this=0x7fffec19e580, event=<value optimized out>,
err=@0x7ffff289cc5c) at ../../../../iocore/net/SSLNetVConnection.cc:510
#3 0x0000000000689142 in write_to_net_io (nh=0x7ffff29a2c10,
vc=0x7fffec19e580, thread=0x7ffff299f010)
at ../../../../iocore/net/UnixNetVConnection.cc:374
#4 0x000000000067eb63 in NetHandler::mainNetEvent (this=0x7ffff29a2c10,
event=<value optimized out>,
e=<value optimized out>) at ../../../../iocore/net/UnixNet.cc:400
#5 0x00000000006ab89f in handleEvent (this=0x7ffff299f010, e=0x1013d20,
calling_code=5)
at ../../../../iocore/eventsystem/I_Continuation.h:146
#6 EThread::process_event (this=0x7ffff299f010, e=0x1013d20, calling_code=5)
at ../../../../iocore/eventsystem/UnixEThread.cc:145
#7 0x00000000006ac243 in EThread::execute (this=0x7ffff299f010) at
../../../../iocore/eventsystem/UnixEThread.cc:269
#8 0x00000000006aac4a in spawn_thread_internal (a=0xfe8cf0) at
../../../../iocore/eventsystem/Thread.cc:88
#9 0x00007ffff615a9d1 in start_thread (arg=0x7ffff289d700) at
pthread_create.c:301
#10 0x00007ffff51b1b6d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:115
(gdb) frame 1
#1 0x00000000006774c8 in SSLNetVConnection::sslClientHandShakeEvent
(this=0x7fffec19e580, err=@0x7ffff289cc5c)
at ../../../../iocore/net/SSLNetVConnection.cc:611
warning: Source file is more recent than executable.
611 ret = SSL_connect(ssl);
(gdb) print ssl
$1 = (SSL *) 0x0
{code}
The only thing I did was to enable the verify feature:
{code}
CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.client.cert.filename STRING /etc/pki/tls/certs/ca-bundle.crt
{code}
Is it possible that this verify.server feature does not do what it sounds like
it should?
was (Author: zwoop): the earlier revision of this comment was identical except that its gdb output ended after the backtrace, without the "frame 1" and "print ssl" lines.
> ATS does not verify server certificate
> --------------------------------------
>
> Key: TS-346
> URL: https://issues.apache.org/jira/browse/TS-346
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL
> Reporter: vijaya bhaskar mamidi
> Priority: Critical
> Labels: A
> Fix For: 5.2.0
>
>
> ATS does not verify the certificates correctly.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)