Gancho Tenev created TS-4706:
--------------------------------

             Summary: SSL hostname verification failed due to truncated SNI name
                 Key: TS-4706
                 URL: https://issues.apache.org/jira/browse/TS-4706
             Project: Traffic Server
          Issue Type: Bug
          Components: Core
            Reporter: Gancho Tenev


SSL hostname verification fails due to a truncated SNI name when the escalation 
plugin is used to redirect a failed request (404) from a primary origin 
{{primary.com}} to a secondary origin {{secondary.com}}.

{code:title=Excerpt from the ATS logs showing the error|borderStyle=solid}
DEBUG: <SSLNetVConnection.cc:1258 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake
DEBUG: <SSLNetVConnection.cc:1303 (sslClientHandShakeEvent)> (ssl.error) SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_WANT_READ
DEBUG: <SSLNetVConnection.cc:1258 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake
DEBUG: <SSLClientUtils.cc:83 (verify_callback)> (ssl) Hostname verification failed for ('secondary.c')
{code}

One can see that the SNI name {{secondary.com}} is truncated to 
{{secondary.c}}.

{code:title=Test case to reproduce}
$ cat etc/trafficserver/remap.config
map http://example.com https://primary.com @plugin=escalate.so @pparam=404:secondary.com

$ sudo ./bin/traffic_server -T ssl 2>&1 | egrep -e 'using SNI name .* for client handshake'
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'primary.com' for client handshake
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake

$ curl -x localhost:80 'http://example.com/path/to/object'
{code}
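The mismatch above is easy to spot by eye in a two-line log, but not across a busy proxy. The following script is an added example, not part of this report or of Traffic Server: it derives the set of expected origin hostnames from remap.config (the {{map}} target host plus any {{@pparam=<status>:<host>}} escalate targets) and flags every SNI name in the {{-T ssl}} debug output that is not one of them, naming the configured host it appears to be a truncated prefix of. The remap and log lines are constructed to match the formats shown in this issue; the {{@pparam}} syntax handled ({{status[,status]:host[:port]}}) is assumed and not checked against the plugin source.

```python
import re
from urllib.parse import urlparse

# Constructed sample inputs, in the same shape as the remap.config line and the
# "traffic_server -T ssl" debug lines quoted in the report.
REMAP_CONFIG = """\
# comment lines and blank lines are ignored
map http://example.com https://primary.com @plugin=escalate.so @pparam=404:secondary.com
"""

SSL_DEBUG_LOG = """\
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'primary.com' for client handshake
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake
DEBUG: <SSLClientUtils.cc:83 (verify_callback)> (ssl) Hostname verification failed for ('secondary.c')
"""

# Matches the client-handshake debug line and captures the SNI value.
SNI_RE = re.compile(r"using SNI name '([^']*)' for client handshake")

# Assumed escalate parameter shape: one or more status codes, a colon, then the
# target host with an optional :port.  Only the "404:secondary.com" form is on the page.
PPARAM_RE = re.compile(r"@pparam=\d+(?:,\d+)*:([^\s@]+)")


def _strip_port(host):
    """'secondary.com:8443' -> 'secondary.com'; leaves bare hostnames untouched."""
    head, sep, tail = host.rpartition(":")
    return head if sep and tail.isdigit() else host


def origin_hosts(remap_text):
    """Hostnames ATS is expected to present as SNI for the given remap.config text."""
    hosts = set()
    for line in remap_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Only plain "map <from> <to> ..." rules are handled here (assumption).
        if len(fields) < 3 or fields[0] != "map":
            continue
        target = urlparse(fields[2]).hostname
        if target:
            hosts.add(target)
        for m in PPARAM_RE.finditer(line):
            hosts.add(_strip_port(m.group(1)))
    return hosts


def sni_names(log_text):
    """SNI values, in order, from every 'using SNI name ... for client handshake' line."""
    return [m.group(1) for line in log_text.splitlines() if (m := SNI_RE.search(line))]


def find_unexpected_sni(remap_text, log_text):
    """Return (sni_name, [configured hosts it is a strict prefix of]) for each SNI
    value that does not match a configured origin host.  A non-empty candidate list
    is the signature of the truncation described in this issue."""
    expected = origin_hosts(remap_text)
    findings = []
    for name in sni_names(log_text):
        if name in expected:
            continue
        candidates = sorted(h for h in expected if h.startswith(name) and h != name)
        findings.append((name, candidates))
    return findings


if __name__ == "__main__":
    for name, candidates in find_unexpected_sni(REMAP_CONFIG, SSL_DEBUG_LOG):
        hint = f" (truncated form of {', '.join(candidates)}?)" if candidates else ""
        print(f"unexpected SNI name {name!r}{hint}")
```

Run against a real deployment, feed the whole remap.config and the captured {{-T ssl}} output; any finding with a non-empty candidate list reproduces the symptom of this issue, while a finding with an empty list points at a remap rule the script does not parse or a host that is genuinely not configured.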

I have a fix available which produces the following log (SNI hostname no longer 
truncated).

{code:title=Excerpt from ATS logs after applying the fix}
$ sudo ./bin/traffic_server -T ssl 2>&1 | egrep -e 'using SNI name .* for client handshake'
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'primary.com' for client handshake
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.com' for client handshake
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)