[ https://issues.apache.org/jira/browse/TS-3597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14544361#comment-14544361 ]

Susan Hinrichs commented on TS-3597:
------------------------------------

I'm seeing an issue in the no accept thread case where the value of 
sslHandshakeHookState is not HANDSHAKE_HOOKS_PRE in the sni callback, even 
though this appears to be the first time through the callback for that vc.

It looks like sometimes the VC pointer is reused (reallocated) without having 
its values returned to the initial value.

This means that the correct cert is not selected.  Instead the default 
certificate is used.  Not clear this is the error case that you are seeing, but 
certainly it is a bad indicator.  Must take a break for now.  Will press on 
later this evening.

> TLS can fail accept / handshake since commit 2a8bb593fd
> -------------------------------------------------------
>
>                 Key: TS-3597
>                 URL: https://issues.apache.org/jira/browse/TS-3597
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Leif Hedstrom
>            Assignee: Susan Hinrichs
>            Priority: Critical
>             Fix For: 6.0.0
>
>
> At least under certain conditions (slightly unclear, but possibly a race with 
> multiple NUMA nodes), we fail to accept / TLS handshake. I've tracked this 
> down to the commit from 2a8bb593fdd7ca9125efad76e27f3f17f5bca794.
> The commit prior to this does not expose the problem. [~gancho] also 
> discovered that this problem is only triggered when accept thread is off (0).
> Also from [~gancho], when this reproduces, a command like e.g. this will fail 
> the handshake completely (no ciphers):
> {code}
> openssl s_client -connect 10.1.2.3:443 -tls1 -servername some.host.com
> {code}
> Also, since this only happens with accept thread off (0), which implies 
> accept on every ET_NET thread, maybe there's some sort of race condition 
> going on here? That's just a wild speculation though.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
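
The failure mode suspected in the comment above (a pooled connection object reused without its handshake-hook state being reset, so the SNI callback skips certificate selection) can be reproduced in a small model. This is an added example, not code from the thread or from Traffic Server; `Conn`, `ConnPool`, `TlsSession`, `sni_callback` and the certificate names are hypothetical, and it assumes the hook state lives on the pooled object while the TLS session is fresh per handshake.

```cpp
// Simplified model of pooled-connection reuse; not Traffic Server code.
#include <iostream>
#include <string>
#include <vector>

enum HookState { HOOKS_PRE, HOOKS_DONE };
struct Conn {                          // hypothetical pooled per-connection object
    HookState hook_state = HOOKS_PRE;
    void reset() { hook_state = HOOKS_PRE; }
};
struct TlsSession { std::string cert = "default"; };  // fresh for every handshake

class ConnPool {
    std::vector<Conn*> free_;
    bool reset_on_alloc_;
public:
    explicit ConnPool(bool reset_on_alloc) : reset_on_alloc_(reset_on_alloc) {}
    ~ConnPool() { for (Conn* c : free_) delete c; }
    Conn* alloc() {
        if (free_.empty()) return new Conn();
        Conn* c = free_.back(); free_.pop_back();
        if (reset_on_alloc_) c->reset();   // the fix: reinitialise state on reuse
        return c;
    }
    void release(Conn* c) { free_.push_back(c); }
};

// Selects a certificate only on the first pass for a connection.
void sni_callback(Conn* c, TlsSession& s, const std::string& servername) {
    if (c->hook_state != HOOKS_PRE) return;  // stale state: selection is skipped
    s.cert = "cert-for-" + servername;
    c->hook_state = HOOKS_DONE;
}

std::string handshake(ConnPool& pool, const std::string& servername) {
    Conn* c = pool.alloc();
    TlsSession s;
    sni_callback(c, s, servername);
    pool.release(c);
    return s.cert;
}

// Certificate chosen for the second connection, which reuses the first Conn.
std::string second_handshake_cert(bool reset_on_alloc) {
    ConnPool pool(reset_on_alloc);
    handshake(pool, "a.example");
    return handshake(pool, "b.example");
}

int main() { std::cout << second_handshake_cert(false) << " / " << second_handshake_cert(true) << "\n"; }
```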
