[ https://issues.apache.org/jira/browse/TS-2593?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Phil Sorber updated TS-2593:
----------------------------

    Backport to Version:   (was: 4.2.0)

> HTTPS to origin fails on CentOS6.x
> ----------------------------------
>
>                 Key: TS-2593
>                 URL: https://issues.apache.org/jira/browse/TS-2593
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Leif Hedstrom
>            Assignee: Leif Hedstrom
>            Priority: Blocker
>              Labels: A
>             Fix For: 4.2.0, 5.0.0
>
>
> I'm having this problem where mapping to https:// URLs always fails to 
> connect / communicate with the origin. I've tracked this down to TS-2355, and 
> I suspect (but am not sure) that setting the nonexistent OpenSSL option breaks 
> something badly. I'd like to make the following changes:
> {code}
> diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
> index 5ed2d82..289ff99 100644
> --- a/iocore/net/P_SSLUtils.h
> +++ b/iocore/net/P_SSLUtils.h
> @@ -33,15 +33,6 @@
>  #error Traffic Server requires a OpenSSL library that support threads
>  #endif
> -// if we are compiling against an early version of OpenSSL, define our own 
> values
> -#ifndef SSL_OP_NO_TLSv1_1
> -#define SSL_OP_NO_TLSv1_1 0x10000000L
> -#endif
> -#ifndef SSL_OP_NO_TLSv1_2
> -#define SSL_OP_NO_TLSv1_2 0x08000000L
> -#endif
> -#define SSL_VERSION_1_0_1 0x010001000 // MMNNFFPPS: major minor fix patch 
> status
> -
>  struct SSLConfigParams;
>  struct SSLCertLookup;
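Review bot: Dropping the local fallback definitions is the right fix, since hard-coding SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2 bit values for an OpenSSL that does not know them means passing option bits that library may ignore or that may collide with other flags in that version, which matches the failure described above; but the hunk also removes SSL_VERSION_1_0_1, and no other hunk in this patch touches a use of it, so please confirm there are no remaining references to any of the three macros elsewhere in the tree, otherwise the build on older OpenSSL now fails at compile time instead of misbehaving at run time.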
> diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
> index 9a20883..f9df79e 100644
> --- a/iocore/net/SSLConfig.cc
> +++ b/iocore/net/SSLConfig.cc
> @@ -149,12 +149,19 @@ SSLConfigParams::initialize()
>    REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1");
>    if (!options)
>      ssl_ctx_options |= SSL_OP_NO_TLSv1;
> +
> +  // These are not available in all, older versions of OpenSSL (e.g. CentOS6)
> +#ifdef SSL_OP_NO_TLSv1_1
>    REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
>    if (!options)
>      ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
> +#endif
> +#ifdef SSL_OP_NO_TLSv1_2
>    REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2");
>    if (!options)
>      ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
> +#endif
> +
>  #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
>    REC_ReadConfigInteger(options, 
> "proxy.config.ssl.server.honor_cipher_order");
>    if (options)
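Review bot: The #ifdef guards are what make this file compile once the fallback defines are gone, but note that they only address OpenSSL builds that lack TLS 1.1/1.2 entirely; the TS-2355 crash cited in the RecordsConfig.cc comment is on OpenSSL 1.0.1e "and lower", which does define SSL_OP_NO_TLSv1_2, so this guard does nothing for that issue and the two should be kept distinct in the commit message. Also, when the option is compiled out the proxy.config.ssl.TLSv1_1 / TLSv1_2 records are still registered but silently ignored; consider an #else branch that logs a warning at startup when the record is set, so an operator is not misled about which protocol versions are actually being controlled.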
> diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
> index 41b876c..7f71243 100644
> --- a/mgmt/RecordsConfig.cc
> +++ b/mgmt/RecordsConfig.cc
> @@ -1227,7 +1227,8 @@ RecordElement RecordsConfig[] = {
>    ,
>    {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, 
> RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
>    ,
> -  {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "0", RECU_RESTART_TS, 
> RR_NULL, RECC_INT, "[0-1]", RECA_NULL} // default disabled for now.  OpenSSL 
> v1.0.1e (and lower) have issue TS-2355
> +  // Disable this when using some versions of OpenSSL that causes crashes. 
> See TS-2355.
> +  {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, 
> RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
>    ,
>    {RECT_CONFIG, "proxy.config.ssl.compression", RECD_INT, "0", 
> RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
>    ,
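Review bot: Changing the proxy.config.ssl.TLSv1_2 default from "0" to "1" is a behaviour change for every existing deployment on an affected OpenSSL, and it is exactly the open question raised below; it would be cleaner to split it from the build fix into its own change so the fix can be backported on its own. If it stays, the replacement comment should keep the concrete version information the old one carried (OpenSSL 1.0.1e and lower) rather than "some versions", and fix the grammar: "// Disable this when using some versions of OpenSSL that cause crashes. See TS-2355." The same caveat belongs in the documentation for the record and in the release notes, not only in a source comment.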
> {code}
> That much said, I'm also wondering if we should make the defaults for 
> TLSv1_2 a little less draconian? For example, can we detect which versions 
> this works in, and change the default to "1"? Or can we change the default to 
> "1", and ask people that run into the crasher to either upgrade OpenSSL, or 
> alternatively disable v1.2?



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)