[ 
https://issues.apache.org/jira/browse/TS-3597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14541862#comment-14541862
 ] 

Leif Hedstrom edited comment on TS-3597 at 5/13/15 1:01 PM:
------------------------------------------------------------

More from [~gancho]

It seems that this problem reproduces only if you don't use a specific dest_ip=. It 
does not reproduce with dest_ip=*, which explains why we are not seeing it on 
e.g. docs.trafficserver.apache.org. To recap, the reproducible case includes:

1) Turn off accept threads (0)

2) No dest_ip= specified in ssl_multicert.config


I haven't tested this yet, hope to do so soon.


was (Author: zwoop):
More from [~gancho]

It seems that this problem reproduces only if you use a specific dest_ip=, e.g. 
dest_ip=1.2.3.4. It does not reproduce with dest_ip=*, which explains why we 
are not seeing it on e.g. docs.trafficserver.apache.org. To recap, the 
reproducible case includes:

1) Turn off accept threads (0)

2) Use a specific dest_ip= specified in ssl_multicert.config

> TLS can fail accept / handshake since commit 2a8bb593fd
> -------------------------------------------------------
>
>                 Key: TS-3597
>                 URL: https://issues.apache.org/jira/browse/TS-3597
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Leif Hedstrom
>            Assignee: Susan Hinrichs
>            Priority: Critical
>             Fix For: 6.0.0
>
>
> At least under certain conditions (slightly unclear, but possibly a race with 
> multiple NUMA nodes), we fail to accept / TLS handshake. I've tracked this 
> down to the commit from 2a8bb593fdd7ca9125efad76e27f3f17f5bca794.
> The commit prior to this does not expose the problem. [~gancho] also 
> discovered that this problem is only triggered when accept thread is off (0).
> Also from [~gancho], when this reproduces, a command like e.g. this will fail 
> the handshake completely (no ciphers):
> {code}
> openssl s_client -connect 10.1.2.3:443 -tls1 -servername some.host.com
> {code}
> Also, since this only happens with accept thread off (0), which implies 
> accept on every ET_NET thread, maybe there's some sort of race condition 
> going on here? That's just a wild speculation though.


