[ https://issues.apache.org/jira/browse/TS-4706?focusedWorklogId=26160&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-26160 ]
ASF GitHub Bot logged work on TS-4706:
--------------------------------------
Author: ASF GitHub Bot
Created on: 02/Aug/16 20:20
Start Date: 02/Aug/16 20:20
Worklog Time Spent: 10m
Work Description: Github user zwoop commented on the issue:
https://github.com/apache/trafficserver/pull/837
I'm generally ok with this for the immediate fixage. My only concern here
is that there's now an invariant (it seems) between the client and server
HttpHdr, where the caches should be invalidated together for both. That sort of
feels like it then could be lifted up in the stack a bit maybe, or at least an
assertion that the invariant is never broken again.
Alternatively, if there are improvements that can be done here (later) such
that the invalidation can be disjoint again, safely, for better performance
etc., that'd be cool too. Maybe file a separate Jira for this cleanup for later?
Issue Time Tracking
-------------------
Worklog Id: (was: 26160)
Time Spent: 0.5h (was: 20m)
> SSL hostname verification failed due to truncated SNI name
> ----------------------------------------------------------
>
> Key: TS-4706
> URL: https://issues.apache.org/jira/browse/TS-4706
> Project: Traffic Server
> Issue Type: Bug
> Components: Core
> Reporter: Gancho Tenev
> Assignee: Gancho Tenev
> Fix For: 7.0.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> SSL hostname verification fails due to truncated SNI name when escalation
> plugin is used to redirect a failed request (404) from a primary origin
> {{primary.com}} to a secondary origin {{secondary.com}}.
> {code:title=Excerpt from the ATS logs showing the error|borderStyle=solid}
> DEBUG: <SSLNetVConnection.cc:1258 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake
> DEBUG: <SSLNetVConnection.cc:1303 (sslClientHandShakeEvent)> (ssl.error) SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_WANT_READ
> DEBUG: <SSLNetVConnection.cc:1258 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake
> DEBUG: <SSLClientUtils.cc:83 (verify_callback)> (ssl) Hostname verification failed for ('secondary.c')
> {code}
> One could see that the SNI name {{secondary.com}} is truncated to
> {{secondary.c}}
> {code:title=Test case to reproduce}
> $ cat etc/trafficserver/remap.config
> map http://example.com https://primary.com @plugin=escalate.so @pparam=404:secondary.com
> $ sudo ./bin/traffic_server -T ssl 2>&1 | egrep -e 'using SNI name .* for client handshake'
> DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'primary.com' for client handshake
> DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake
> $ curl -x localhost:80 'http://example.com/path/to/object'
> {code}
> I have a fix available which produces the following log (SNI hostname no
> longer truncated)
> {code:title=Excerpt from ATS logs after applying the fix}
> $ sudo ./bin/traffic_server -T ssl 2>&1 | egrep -e 'using SNI name .* for client handshake'
> DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'primary.com' for client handshake
> DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.com' for client handshake
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)