[ https://issues.apache.org/jira/browse/TS-3451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14367158#comment-14367158 ]

Susan Hinrichs edited comment on TS-3451 at 3/18/15 2:40 PM:
-------------------------------------------------------------

Finally remembered that I needed to restart traffic_server to get SSLv3 to 
disable, not just do traffic_line -x.  So now I am really running in production 
with SSLv3 disabled.  Verified with "openssl s_client -ssl3".  With the 
debugging messages enabled in 5.2, I am seeing many SSL3_GET_CLIENT_HELLO:wrong 
version number messages.  They dominate the inappropriate fallback messages.

Running for 5 minutes, the ssl_error_ssl percentage for 5.2 is 0.05%.  Before 
really disabling SSLv3, we were seeing an error rate around 0.025%.

Switching back to 5.0.x, with debugging messages enabled, I see a similar 
distribution of SSL accept errors.  Mostly wrong version number.

Running for 5 minutes, the ssl_error_ssl percentage for 5.0.x without SSLv3 is 
0.25%.  I never directly measured the ssl_error_ssl percentage in 5.0.x with 
SSLv3 support.

Of course just getting numbers over 5 minutes with such small percentages is 
pretty meaningless.  I'm going to clear my counters and leave 5.0.x without 
SSLv3 running for an hour or so this morning.  Then flip over to 5.2.x for a 
couple hours.

However, in both 5.0.x and 5.2, in my experience, if SSLv3 is disabled, you will 
see most of the accept errors be "wrong version number" errors.  [~briang], when 
you run with the accept debug messages in 5.0.x, are most of your errors "wrong 
version number"?

The other caveat is that neither [~briang] nor I are running with vanilla 
5.0.x.  We are both running with 5.0.x plus cherry-picked features from later 
releases.



> SSL_ERROR_SSL increases moving from 5.0 to 5.2
> ----------------------------------------------
>
>                 Key: TS-3451
>                 URL: https://issues.apache.org/jira/browse/TS-3451
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Susan Hinrichs
>            Assignee: Brian Geffon
>
> I'm creating a new bug to track the SSL_ERROR_SSL issues that [~briang] is 
> seeing beyond the handshake buffer errors causing the "decryption failed or 
> bad record mac" messages described in TS-3424.


