[
https://issues.apache.org/jira/browse/TS-2569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13924562#comment-13924562
]
ASF subversion and git services commented on TS-2569:
-----------------------------------------------------
Commit b262f4b34def13bf16db32810da8766d83a59451 in trafficserver's branch
refs/heads/4.2.x from [~rwbarber2]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=b262f4b ]
TS-2569: set the default SSL options correctly
We discovered that the proxy.config.ssl.server.honor_cipher_order=1
setting was not working correctly. After investigating it was
determined that if you do not have a dest_ip=* in the ssl_multicert.config
file then the server cipher order setting will not be honored. The
proposed fix (which works) is to initialize the default context with
the necessary SSL options.
(cherry picked from commit 963982e432a6fa5ef0f1968904c75571a3f6befb)
Conflicts:
CHANGES
iocore/net/SSLUtils.cc
> ssl options are ignored if ssl_multicert.config does not contain an entry
> with dest_ip=*
> -----------------------------------------------------------------------------------------
>
> Key: TS-2569
> URL: https://issues.apache.org/jira/browse/TS-2569
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Reporter: Ron Barber
> Assignee: Ron Barber
> Fix For: 5.0.0
>
> Attachments: TS-2569.patch, TS-2569_4.2.patch
>
>
> We discovered that the proxy.config.ssl.server.honor_cipher_order=1 setting
> was not working correctly. After investigating it was determined that if you
> do not have a dest_ip=* in the ssl_multicert.config file then the server
> cipher order setting will not be honored.
> ssl_multicert.config
> dest_ip=192.168.214.131 ssl_cert_name=cert.pem
> records.config
> CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!NULL
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> Result (client selection is honored):
> % echo | openssl s_client -connect 192.168.214.131:443 -cipher 'AES128-SHA:RC4-SHA' 2>&1 | grep 'Cipher is'
> New, TLSv1/SSLv3, Cipher is AES128-SHA
> % echo | openssl s_client -connect 192.168.214.131:443 -cipher 'RC4-SHA:AES128-SHA' 2>&1 | grep 'Cipher is'
> New, TLSv1/SSLv3, Cipher is RC4-SHA
--
This message was sent by Atlassian JIRA
(v6.2#6252)
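Added illustration, not code from the report or from Traffic Server: a small Python model of the defect and the fix. It assumes a simplified context setup (parse_multicert, make_context, default_context and negotiate are hypothetical helpers) in which a connection with no matching dest_ip=* entry is served by a default context, and uses the config values and openssl results quoted above as its constructed sample input.

```python
import ssl

# Constructed sample input, copied from the settings quoted in the report above.
MULTICERT_CONFIG = "dest_ip=192.168.214.131 ssl_cert_name=cert.pem\n"
SERVER_CIPHER_SUITE = "RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!NULL"


def parse_multicert(text):
    """Parse ssl_multicert.config lines of space-separated key=value fields,
    keyed by dest_ip (an entry without dest_ip is treated as the wildcard)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(field.split("=", 1) for field in line.split())
        entries[fields.get("dest_ip", "*")] = fields
    return entries


def make_context(honor_cipher_order):
    """Server context whose cipher-order option mirrors the setting. Python's
    SSLContext enables OP_CIPHER_SERVER_PREFERENCE by default, so it is cleared
    first to model a plain OpenSSL SSL_CTX that received no options at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    opts = int(ctx.options) & ~int(ssl.OP_CIPHER_SERVER_PREFERENCE)
    if honor_cipher_order:
        opts |= int(ssl.OP_CIPHER_SERVER_PREFERENCE)
    ctx.options = opts
    return ctx


def default_context(multicert_text, honor_cipher_order, fixed=True):
    """Context used when no dest_ip=* entry exists. fixed=False reproduces the
    pre-fix behaviour: the default context never received the SSL options."""
    entries = parse_multicert(multicert_text)
    if "*" in entries:
        return make_context(honor_cipher_order)
    return make_context(honor_cipher_order if fixed else False)


def honors_server_order(ctx):
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def negotiate(server_suite, client_suite, server_preference):
    """Cipher selection model: the preferred side's first cipher that both offer
    wins. Keyword groups (ALL) and exclusions (!NULL) are skipped here."""
    server = [c for c in server_suite.split(":") if c != "ALL" and not c.startswith("!")]
    client = client_suite.split(":")
    common = set(server) & set(client)
    preferred = server if server_preference else client
    return next((c for c in preferred if c in common), None)
```

With fixed=False and the reporter's config, negotiate() with the unfixed context reproduces the "Cipher is AES128-SHA" result quoted above; with the fix, or with a dest_ip=* entry, the server's RC4-SHA wins.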