[ 
https://issues.apache.org/jira/browse/TS-4856?focusedWorklogId=28991&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-28991
 ]

ASF GitHub Bot logged work on TS-4856:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 13/Sep/16 20:35
            Start Date: 13/Sep/16 20:35
    Worklog Time Spent: 10m 
      Work Description: Github user jpeach commented on a diff in the pull request:

    https://github.com/apache/trafficserver/pull/1013#discussion_r78638850
  
    --- Diff: iocore/net/SSLUtils.cc ---
    @@ -1629,7 +1629,8 @@ SSLInitServerContext(const SSLConfigParams *params, 
const ssl_user_config *sslMu
         }
     
         if (!sslMultCertSettings->cert) {
    -      if (sslMultCertSettings->opt != SSLCertContext::OPT_TUNNEL) {
    +      // There must be a certificate specified unless the tunnel action is 
set, or this is the default case
    +      if (sslMultCertSettings->opt != SSLCertContext::OPT_TUNNEL && 
strcmp(sslMultCertSettings->addr, "*") != 0) {
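
Review bot: in the added condition, `strcmp(sslMultCertSettings->addr, "*")` dereferences `addr` with no null check, although the enclosing `if (!sslMultCertSettings->cert)` shows that pointer fields of this struct can be unset. If `addr` can be null for an entry that has no certificate, the call is undefined behaviour, so add an explicit null check and decide whether a missing `addr` should be rejected like any other certificate-less entry. The new comment also says "the default case" while the code tests for the literal "*"; stating in the comment that "*" is the default address would make this exemption easier to audit, since it is the one path that lets a context through without a certificate or a tunnel action.
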
    --- End diff --
    
    In this case could "*" be the default destination configured by the 
operator? Is that required to have a certificate?
    
    Maybe this validation should be done after parsing a config file entry?


Issue Time Tracking
-------------------

    Worklog Id:     (was: 28991)
    Time Spent: 40m  (was: 0.5h)

> Default SSL context fails to load.
> ----------------------------------
>
>                 Key: TS-4856
>                 URL: https://issues.apache.org/jira/browse/TS-4856
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: James Peach
>            Assignee: Susan Hinrichs
>             Fix For: 7.0.0
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> This error message appears at startup:
> {noformat}
> [Sep 12 21:07:16.700] Server {0x7f98127d9780} ERROR: failed set default context
> {noformat}
> Out of source context, this error is not especially grammatical.
> The problem seems to be a regression from TS-4671, since the default {{*}} 
> certificate fails to be constructed in {{SSLInitServerContext}} due to the 
> tunnel options check. The default context has neither a certificate nor a 
> tunnel option.
> AFAIK we still need a default certificate to make the TLS negotiation fail 
> when we don't get an actual certificate match.


