[
https://issues.apache.org/jira/browse/TS-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14055823#comment-14055823
]
Wei Sun commented on TS-2924:
-----------------------------
Thanks for jumping in.
{quote}
While it may be desirable to have ATS support configurable cipher list for the
client context, as far as I understand, the root cause for the second case (SSL
connection hang) is not related to whether the origin supports latest ssl
protocols. The issue is mainly caused by some origins not correctly handling
long Client Hello messages.
{quote}
For the second case, yes. I said some origins didn't have good support for the
newer protocol (which presents more data in the ClientHello).
{quote}
Disabling TLS may help in most cases, but, the issue may still happen if SNI is
used and the origin's hostname is long enough.
{quote}
I presume you recommended downgrading to SSLv3, and I think it might not be a
good idea since SNI would not be supported any more, and that is required by
some origins in production.
There is a possibility that the hostname might be long enough to exceed the
origin's capacity; that's the reason we also need the cipher suite to be
configurable. For OpenSSL 1.0.2, the test shows that the default cipher suite
brings 208 bytes to the ClientHello.
{quote}
Openssl seems to have a fix for this issue:
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0467ea686244
{quote}
I think the latest workaround is:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4fcdd66fff5fea0cfa1055c6680a76a4303f28a2;hp=102302b05b2ea9c46a29be8a1451b7d1d6e3aa78,
and others
(https://github.com/openssl/openssl/commit/89bd25eb26bbc2ebceb4cd892e7453337804820c);
they require OpenSSL to be updated in order to be used.
httpd provides the {{SSLProxyProtocol}} and {{SSLProxyCipherSuite}} directives in
addition to {{SSLProtocol}} and {{SSLCipherSuite}}. If there is a further case that
is not resolved by the configurable setting, the OpenSSL workarounds might be an
option.
> Configurable client's ssl protocols and cipher suite
> ----------------------------------------------------
>
> Key: TS-2924
> URL: https://issues.apache.org/jira/browse/TS-2924
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL
> Reporter: Wei Sun
> Labels: yahoo
>
> A few old origins cannot support the latest SSL protocols well; ATS is
> expected to be able to configure a dedicated cipher suite and protocols for the SSL
> client context.
> {code}
> e.g. Enable SSLv3/TLSv1/TLSv1_1/TLSv1_2
> map http://foo1.com https://www.bankadviser.com/scbteod/scbteod_logo.GIF
> map http://foo2.com https://applications.bancopopular.com/images/emails/fb-share-button.jpg
> curl -H 'Host: foo1.com' http://localhost:8080/ -v // failed to set up SSL connection to origin
> curl -H 'Host: foo2.com' http://localhost:8080/ -v // SSL connection hang
> {code}
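The discussion above turns on how much the cipher list and the SNI hostname each contribute to the size of the ClientHello the proxy sends to an origin. The following is an added example, not code from the issue, from Traffic Server or from OpenSSL: it assembles a minimal TLS record carrying a ClientHello from a given cipher suite list and optional SNI hostname and reports the resulting sizes. The 104-entry "full" list is a constructed stand-in (each suite ID occupies two bytes, so 104 suites account for the 208 bytes quoted in the comment), the four-entry trimmed list uses real IANA suite IDs for the ECDHE AES-GCM suites, and the 40-character hostname is constructed; the random field is zeroed and no other extensions are included, so the lengths are a lower bound for what a real stack emits.

```python
import struct

# Constructed stand-in for a long default cipher list: 104 two-byte suite
# IDs -> 208 bytes on the wire, matching the figure quoted in the comment.
# These IDs are placeholders, not OpenSSL's actual default list.
FULL_SUITES = list(range(0xC001, 0xC001 + 104))

# Real IANA suite IDs: ECDHE-ECDSA/RSA with AES-128/256-GCM.
TRIMMED_SUITES = [0xC02B, 0xC02F, 0xC02C, 0xC030]

# Constructed 40-character origin hostname.
LONG_HOSTNAME = "origin-with-a-rather-long-name.example"  # 38 chars
LONG_HOSTNAME += ".x"  # pad to 40 characters


def sni_extension(hostname: str) -> bytes:
    """server_name extension (type 0): one host_name entry (name type 0)."""
    name = hostname.encode("ascii")
    server_name = struct.pack("!BH", 0, len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list


def client_hello(cipher_suites, hostname=None, version=(3, 3)) -> bytes:
    """Build a TLS record holding a ClientHello (TLS 1.2 by default).

    Only the cipher list and the SNI extension are variable; the random is
    zeroed, the session ID is empty and no other extensions are sent, so the
    length is a floor for what a real TLS stack would produce.
    """
    body = bytes(version)
    body += bytes(32)                      # client_random (zeroed here)
    body += b"\x00"                        # session_id length = 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                    # one compression method: null
    extensions = sni_extension(hostname) if hostname else b""
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def cipher_list_bytes(cipher_suites) -> int:
    """Bytes the cipher_suites vector itself occupies (2 per suite)."""
    return 2 * len(cipher_suites)


def size_report() -> dict:
    """Record sizes for the four combinations a proxy operator can choose."""
    return {
        "full_no_sni": len(client_hello(FULL_SUITES)),
        "trimmed_no_sni": len(client_hello(TRIMMED_SUITES)),
        "trimmed_long_sni": len(client_hello(TRIMMED_SUITES, LONG_HOSTNAME)),
        "full_long_sni": len(client_hello(FULL_SUITES, LONG_HOSTNAME)),
    }


if __name__ == "__main__":
    print("cipher list bytes (full):   ", cipher_list_bytes(FULL_SUITES))
    print("cipher list bytes (trimmed):", cipher_list_bytes(TRIMMED_SUITES))
    for label, size in size_report().items():
        print(f"{label:18s} ClientHello record = {size} bytes")
```

Trimming the list removes a fixed 200 bytes here; the SNI extension adds back 9 bytes of framing plus the hostname length, which is why the comment argues both knobs are needed rather than the protocol version alone.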