[ 
https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287839#comment-14287839
 ] 

Susan Hinrichs commented on TS-3314:
------------------------------------

Are you certain your dh2048.pem file was being used?  The dhparams_file does 
not appear until 5.2.  Just double-checked that in the 5.1.2 source.  

If you add an unrecognized config entry, ATS does not complain.  And ATS is 
setting the SSL_OP_SINGLE_DH_USE and SSL_OP_SINGLE_ECDH_USE which I think means 
that you do not need to specify the DH parameters.

In any case, thanks for your records.config entries.  I'll get the 5.2 behavior 
tracked down.

> SSL errors after upgrade from 5.1.2 -> 5.2.0
> --------------------------------------------
>
>                 Key: TS-3314
>                 URL: https://issues.apache.org/jira/browse/TS-3314
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core, SSL
>            Reporter: Andre
>            Assignee: Susan Hinrichs
>
> I upgraded my ATS from 5.1.2 to 5.2.0 by keeping all my config files.
> When I start the trafficserver, I do get errors in the diags.log and https 
> sites do not work. Here is an extract of the diags.log:
> {code}
> [Jan 22 15:19:58.381] Server {0x2b42c3b03bc0} NOTE: loading SSL certificate 
> configuration from /opt/trafficserver/etc/trafficserver/ssl_multicert.config
> [Jan 22 15:19:58.386] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
> returned invalid parameters
> [Jan 22 15:19:58.386] Server {0x2b42c3b03bc0} ERROR: failed to load SSL 
> certificate specification from 
> /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 57
> [Jan 22 15:19:58.391] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
> returned invalid parameters
> [Jan 22 15:19:58.392] Server {0x2b42c3b03bc0} ERROR: failed to load SSL 
> certificate specification from 
> /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 58
> [Jan 22 15:19:58.396] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
> returned invalid parameters
> [Jan 22 15:19:58.397] Server {0x2b42c3b03bc0} ERROR: failed to load SSL 
> certificate specification from 
> /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 59
> [Jan 22 15:19:58.401] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
> returned invalid parameters
> [Jan 22 15:19:58.413] Server {0x2b42c3b03bc0} NOTE: traffic server running
> [Jan 22 15:19:58.494] Server {0x2b42c9547700} NOTE: cache enabled
> [Jan 22 15:20:01.176] Server {0x2b42d4f17700} ERROR: 
> SSL::47566040430336:error:140BA0C3:SSL routines:SSL_new:null ssl 
> ctx:ssl_lib.c:281: peer address is 2a01:4f8:160:24ca::3
> [Jan 22 15:20:01.176] Server {0x2b42d4f17700} ERROR: failed to create SSL 
> server session
> [Jan 22 15:22:19.813] Server {0x2b42d5018700} ERROR: 
> SSL::47566041483008:error:140BA0C3:SSL routines:SSL_new:null ssl 
> ctx:ssl_lib.c:281: peer address is 66.249.64.77
> [Jan 22 15:22:19.813] Server {0x2b42d5018700} ERROR: failed to create SSL 
> server session
> [Jan 22 15:25:01.191] Server {0x2b42d5119700} ERROR: 
> SSL::47566042535680:error:140BA0C3:SSL routines:SSL_new:null ssl 
> ctx:ssl_lib.c:281: peer address is 2a01:4f8:160:24ca::3
> [Jan 22 15:25:01.191] Server {0x2b42d5119700} ERROR: failed to create SSL 
> server session
> {code}
> Here is what I have in my ssl_multicert.config:
> {code}
> ssl_cert_name=domain1.crt ssl_key_name=domain1.key
> ssl_cert_name=domain2.crt ssl_key_name=domain2.key
> dest_ip=* ssl_cert_name=domain3.crt ssl_key_name=domain3.key
> {code}
> The .crt files contain my certificate and the intermediate certificate; the 
> CA is in the truststore. 
> There are 3 possible DH params available in the configured certificate 
> directory: dh512.pem, dh1024.pem and dh2048.pem.
> Why did it work in 5.1.2 and is it no longer working in 5.2.0?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

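Two checks worth running against this report, written here as an added example rather than taken from the ticket or from Traffic Server itself: ask OpenSSL whether each candidate dhparams file is actually loadable (a file it rejects is the kind of input that would plausibly produce "SSL dhparams source returned invalid parameters"), and read which file records.config selects, since a 5.1.2 config has no dhparams_file record at all and ATS ignores entries it does not recognize. The script assumes the openssl command-line tool is on PATH; the record name proxy.config.ssl.server.dhparams_file is taken from the ATS 5.2 records.config documentation (check it against your build), and every input file is constructed by the script itself.

```shell
#!/bin/sh
# Added example, not code from the ticket or from Apache Traffic Server:
# sanity-check a Diffie-Hellman parameter file the way OpenSSL will before
# handing it to a server, and read which file records.config selects.
# Assumes the openssl command-line tool is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# check_dhparams FILE
#   Exit 0 if FILE parses as PEM DH parameters and passes OpenSSL's DH_check
#   (odd prime modulus, usable generator), 1 otherwise. A file that fails
#   here cannot be loaded as DH parameters by any OpenSSL-based server.
check_dhparams() {
    openssl dhparam -in "$1" -check -noout >/dev/null 2>&1
}

# dhparams_bits FILE
#   Print the modulus size in bits, taken from the "... Parameters: (N bit)"
#   line of the text dump, or nothing if FILE cannot be loaded.
dhparams_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*Parameters: (\([0-9][0-9]*\) bit).*/\1/p'
}

# dhparams_file_setting RECORDS_CONFIG
#   Print the value of proxy.config.ssl.server.dhparams_file (record name as
#   documented for ATS 5.2; a 5.1.2 records.config has no such record), or
#   nothing if it is not set.
dhparams_file_setting() {
    awk '$1 == "CONFIG" && $2 == "proxy.config.ssl.server.dhparams_file" { print $4 }' "$1"
}

# ---- constructed sample inputs (not the reporter's files) -----------------
# A 512-bit group generated on the spot so the script runs offline and fast;
# real deployments should use 2048 bits or more.
openssl dhparam -out "$WORK/dh512.pem" 512 2>/dev/null

# Not DH parameters at all, e.g. dhparams_file pointed at the wrong file.
printf 'not a DH parameter file\n' > "$WORK/notdh.pem"

# Truncated copy: BEGIN line, first body line, END line. It still looks like
# PEM, but the DER inside is incomplete.
{ head -n 2 "$WORK/dh512.pem"; tail -n 1 "$WORK/dh512.pem"; } > "$WORK/truncated.pem"

# A records.config fragment in the 5.2 layout.
cat > "$WORK/records.config" <<'EOF'
CONFIG proxy.config.ssl.server.cert.path STRING /opt/trafficserver/etc/trafficserver/ssl
CONFIG proxy.config.ssl.server.dhparams_file STRING dh2048.pem
EOF

for name in dh512 notdh truncated; do
    f="$WORK/$name.pem"
    if check_dhparams "$f"; then
        echo "$name.pem: loadable, $(dhparams_bits "$f")-bit modulus"
    else
        echo "$name.pem: rejected by openssl; a server would fail to load it"
    fi
done
echo "records.config selects: $(dhparams_file_setting "$WORK/records.config")"
```

Point check_dhparams at each of dh512.pem, dh1024.pem and dh2048.pem in the real certificate directory, and dhparams_file_setting at the real records.config; if the record is missing, the server is not reading any of those files, whatever the 5.1.2 configuration was thought to do.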