Gancho Tenev created TS-4706:
--------------------------------

Summary: SSL hostname verification failed due to truncated SNI name
Key: TS-4706
URL: https://issues.apache.org/jira/browse/TS-4706
Project: Traffic Server
Issue Type: Bug
Components: Core
Reporter: Gancho Tenev

SSL hostname verification fails due to a truncated SNI name when the escalation plugin is used to redirect a failed request (404) from a primary origin {{primary.com}} to a secondary origin {{secondary.com}}.

{code:title=Excerpt from the ATS logs showing the error|borderStyle=solid}
DEBUG: <SSLNetVConnection.cc:1258 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake
DEBUG: <SSLNetVConnection.cc:1303 (sslClientHandShakeEvent)> (ssl.error) SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_WANT_READ
DEBUG: <SSLNetVConnection.cc:1258 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake
DEBUG: <SSLClientUtils.cc:83 (verify_callback)> (ssl) Hostname verification failed for ('secondary.c')
{code}

One could see that the SNI name {{secondary.com}} is truncated to {{secondary.c}}.

{code:title=Test case to reproduce}
$ cat etc/trafficserver/remap.config
map http://example.com https://primary.com @plugin=escalate.so @pparam=404:secondary.com

$ sudo ./bin/traffic_server -T ssl 2>&1 | egrep -e 'using SNI name .* for client handshake'
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'primary.com' for client handshake
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake

$ curl -x localhost:80 'http://example.com/path/to/object'
{code}

I have a fix available which produces the following log (SNI hostname no longer truncated):

{code:title=Excerpt from ATS logs after applying the fix}
$ sudo ./bin/traffic_server -T ssl 2>&1 | egrep -e 'using SNI name .* for client handshake'
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'primary.com' for client handshake
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.com' for client handshake
{code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
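
A log check for the symptom in this report, added here as an example and not part of the ticket or the Traffic Server code base: it compares the SNI names in the `-T ssl` debug output against the origin hosts named in remap.config and flags any SNI that is a strict prefix of a configured host. The function names are hypothetical, the embedded remap rule and log lines are constructed from the report's text, and the `<status>:<host>` pparam parsing assumes the form shown in the test case.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input mirroring the remap rule and debug lines in the report.
REMAP = "map http://example.com https://primary.com @plugin=escalate.so @pparam=404:secondary.com\n"
LOG = """\
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'primary.com' for client handshake
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake
DEBUG: <SSLClientUtils.cc:83 (verify_callback)> (ssl) Hostname verification failed for ('secondary.c')
"""

SNI_RE = re.compile(r"using SNI name '([^']*)' for client handshake")
FAIL_RE = re.compile(r"Hostname verification failed for \('([^']*)'\)")

def expected_hosts(remap_text):
    """Collect origin hosts from remap rules and escalate.so @pparam targets."""
    hosts = set()
    for line in remap_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        hosts.add(urlsplit(fields[2]).hostname)  # "to" URL of the rule
        if "@plugin=escalate.so" in fields:
            for f in fields:
                if f.startswith("@pparam=") and ":" in f:
                    # Assumed pparam form, as on the page: <status>:<host>
                    hosts.add(f.split("=", 1)[1].split(":", 1)[1].lower())
    hosts.discard(None)
    return hosts

def find_truncated_sni(remap_text, log_text):
    """Return (sni, intended_host, verification_failed) for every logged SNI
    that is a strict prefix of a configured host but not a configured host."""
    hosts = expected_hosts(remap_text)
    failed = set(FAIL_RE.findall(log_text))
    findings = []
    for sni in dict.fromkeys(SNI_RE.findall(log_text)):  # de-duplicate, keep order
        if not sni or sni in hosts:
            continue
        for host in sorted(hosts):
            if host.startswith(sni):
                findings.append((sni, host, sni in failed))
    return findings

if __name__ == "__main__":
    for finding in find_truncated_sni(REMAP, LOG):
        print("truncated SNI %r (expected %r), verification failed: %s" % finding)
```
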