[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0
[ https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287799#comment-14287799 ]

Andre commented on TS-3314:
---

Exactly. I have the 3 mentioned dhparams in the same folder as the certificates and it worked with 5.1.2. I could set proxy.config.ssl.server.dhparams_file to the certificates directory if that helps?

Here are the ciphers I accept which, in my humble opinion, represent a modern, sane default:
{code}
proxy.config.ssl.server.cipher_suite STRING ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!eNULL
{code}

> SSL errors after upgrade from 5.1.2 - 5.2.0
> Key: TS-3314
> URL: https://issues.apache.org/jira/browse/TS-3314
> Project: Traffic Server
> Issue Type: Bug
> Components: Core, SSL
> Reporter: Andre
> Assignee: Susan Hinrichs
>
> I upgraded my ATS from 5.1.2 to 5.2.0 by keeping all my config files. When I start the trafficserver, I do get errors in the diags.log and https sites do not work.
>
> Here is an extract of the diags.log:
> {code}
> [Jan 22 15:19:58.381] Server {0x2b42c3b03bc0} NOTE: loading SSL certificate configuration from /opt/trafficserver/etc/trafficserver/ssl_multicert.config
> [Jan 22 15:19:58.386] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source returned invalid parameters
> [Jan 22 15:19:58.386] Server {0x2b42c3b03bc0} ERROR: failed to load SSL certificate specification from /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 57
> [Jan 22 15:19:58.391] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source returned invalid parameters
> [Jan 22 15:19:58.392] Server {0x2b42c3b03bc0} ERROR: failed to load SSL certificate specification from /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 58
> [Jan 22 15:19:58.396] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source returned invalid parameters
> [Jan 22 15:19:58.397] Server {0x2b42c3b03bc0} ERROR: failed to load SSL certificate specification from /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 59
> [Jan 22 15:19:58.401] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source returned invalid parameters
> [Jan 22 15:19:58.413] Server {0x2b42c3b03bc0} NOTE: traffic server running
> [Jan 22 15:19:58.494] Server {0x2b42c9547700} NOTE: cache enabled
> [Jan 22 15:20:01.176] Server {0x2b42d4f17700} ERROR: SSL::47566040430336:error:140BA0C3:SSL routines:SSL_new:null ssl ctx:ssl_lib.c:281: peer address is 2a01:4f8:160:24ca::3
> [Jan 22 15:20:01.176] Server {0x2b42d4f17700} ERROR: failed to create SSL server session
> [Jan 22 15:22:19.813] Server {0x2b42d5018700} ERROR: SSL::47566041483008:error:140BA0C3:SSL routines:SSL_new:null ssl ctx:ssl_lib.c:281: peer address is 66.249.64.77
> [Jan 22 15:22:19.813] Server {0x2b42d5018700} ERROR: failed to create SSL server session
> [Jan 22 15:25:01.191] Server {0x2b42d5119700} ERROR: SSL::47566042535680:error:140BA0C3:SSL routines:SSL_new:null ssl ctx:ssl_lib.c:281: peer address is 2a01:4f8:160:24ca::3
> [Jan 22 15:25:01.191] Server {0x2b42d5119700} ERROR: failed to create SSL server session
> {code}
>
> Here is what I have in my ssl_multicert.config:
> {code}
> ssl_cert_name=domain1.crt ssl_key_name=domain1.key
> ssl_cert_name=domain2.crt ssl_key_name=domain2.key
> dest_ip=* ssl_cert_name=domain3.crt ssl_key_name=domain3.key
> {code}
> The .crt files contain my certificate and the intermediate certificate; the CA is in the truststore.
> There are 3 possible DH params available in the configured certificate directory: dh512.pem, dh1024.pem and dh2048.pem.
> Why did it work in 5.1.2 and is no longer working in 5.2.0?

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
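The cipher string in the comment above is worth expanding rather than reading by eye, because OpenSSL aliases such as ECDH+3DES and RSA+AES pull in suites a reviewer would want to see listed. The script below is an added example, not code from this thread or from Apache Traffic Server: it hands the exact string to the stdlib ssl module (the same OpenSSL cipher-string grammar ATS passes through), lists what the linked OpenSSL build selects, and separates the forward-secret AES suites from the 3DES and static-RSA ones. Which names come back depends on the OpenSSL version Python was built against.

```python
"""Added example (not from the Jira thread or from Apache Traffic Server):
expand proxy.config.ssl.server.cipher_suite the way OpenSSL does and flag
the suites a security review would question. Stdlib only."""
import ssl

# The cipher_suite value quoted in the comment above.
ATS_CIPHER_SUITE = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!eNULL")


def expand_cipher_string(cipher_string):
    """Return the cipher names OpenSSL selects for the string, in server preference order.

    set_ciphers() raises ssl.SSLError when nothing matches, which is the same
    failure a server would hit at context-creation time."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def review_ciphers(names):
    """Split the expanded list into (fine, questionable).

    'questionable' carries a reason: 3DES has a 64-bit block (Sweet32), and a
    suite whose key exchange is plain RSA or static (EC)DH gives no forward
    secrecy. TLS 1.3 suites (TLS_*) are always ephemeral and are kept."""
    fine, questionable = [], []
    for name in names:
        if "3DES" in name or "DES-CBC3" in name:
            questionable.append((name, "3DES: 64-bit block cipher"))
        elif not name.startswith(("ECDHE-", "DHE-", "TLS_")):
            questionable.append((name, "no forward secrecy"))
        else:
            fine.append(name)
    return fine, questionable


def report(cipher_string=ATS_CIPHER_SUITE):
    """Return a printable summary; also used by the __main__ block."""
    names = expand_cipher_string(cipher_string)
    fine, questionable = review_ciphers(names)
    lines = ["%d suites selected by this OpenSSL build" % len(names)]
    lines += ["  ok    %s" % n for n in fine]
    lines += ["  check %-32s %s" % (n, why) for n, why in questionable]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it on the box that will serve TLS, since that is the OpenSSL whose expansion matters; a string that looks fine on one host can select a different list on another.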
[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0
[ https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287702#comment-14287702 ]

Susan Hinrichs commented on TS-3314:

This was broken by TS-2417, adding support for DHE. This patch added a new entry for the dhparams file, proxy.config.ssl.server.dhparams_file. If the parameter is not set, it loads a built-in 2048 param. If it fails to load the built-in or the one specified by the dhparams_file, it issues the error you are seeing.

This still is a bit confusing, because I would assume that the built-in one would get successfully loaded in your case. That still isn't what you want, since you want choices on which dhparam to load, I assume based on the cipher negotiated.

I'm still figuring out how the old scheme worked. You just placed the dh files in the same directory as the certificates and the right DH param would get loaded depending on the version of cipher selected by the negotiation?
[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0
[ https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287917#comment-14287917 ]

Andre commented on TS-3314:
---

That could be true :)
[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0
[ https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287884#comment-14287884 ]

Susan Hinrichs commented on TS-3314:

The dhparams_file path is calculated relative to the path in proxy.config.config_dir. So where is your certs directory? When I got the relative path wrong in my build, I see the same behavior that you describe.

Try putting an absolute path to your .pem file. Or try adjusting the relative path so it will be correct when combined with the value of your config_dir parameter.
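The message "SSL dhparams source returned invalid parameters" does not say whether the path resolved to a missing file or to a file OpenSSL rejected. The script below is an added example, not code from this thread or from Apache Traffic Server: it applies the rule from the comment above (a relative dhparams_file is joined onto proxy.config.config_dir, an absolute one is used as given), then parses the file as PKCS#3 DH parameters (a DER SEQUENCE of INTEGER p and INTEGER g inside a PEM "DH PARAMETERS" block) and reports the modulus size, refusing anything under 2048 bits since the reporter's directory also holds dh512.pem and dh1024.pem. It is stdlib only; the sample PEM files it writes are constructed, so their moduli are not real safe primes and exist only to exercise the parser and the size check. The exact resolution ATS performs is taken from the comment, not from the ATS source.

```python
"""Added example, not code from the Jira thread or from Apache Traffic Server.
Resolve a dhparams_file setting against config_dir as the comment describes,
then check what the one-line ATS error cannot tell you: does the file parse
as DH parameters, and how large is p. Stdlib only; sample PEMs are constructed
(p is NOT prime) purely to exercise the parser."""
import base64
import os
import re
import tempfile

MIN_DH_BITS = 2048  # dh512.pem / dh1024.pem are too small to offer

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S)


def resolve_dhparams_path(dhparams_file, config_dir):
    """Absolute paths are used as given; relative ones are joined onto config_dir."""
    if os.path.isabs(dhparams_file):
        return os.path.normpath(dhparams_file)
    return os.path.normpath(os.path.join(config_dir, dhparams_file))


def _der_read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem_text):
    """Return (p, g) from a PEM 'DH PARAMETERS' block: SEQUENCE { INTEGER p, INTEGER g }."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters are not a DER SEQUENCE")
    tag_p, p_bytes, pos = _der_read_tlv(body, 0)
    tag_g, g_bytes, _ = _der_read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p followed by INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def check_dh_text(pem_text):
    """Return (ok, message); ok only if the text parses and p has >= MIN_DH_BITS bits."""
    try:
        p, g = parse_dh_params(pem_text)
    except (ValueError, IndexError) as exc:
        return False, "dhparams source returned invalid parameters: %s" % exc
    bits = p.bit_length()
    if bits < MIN_DH_BITS:
        return False, "DH modulus is only %d bits (need >= %d)" % (bits, MIN_DH_BITS)
    return True, "DH modulus is %d bits, generator %d" % (bits, g)


def check_dhparams_file(dhparams_file, config_dir):
    """Resolve the setting as the comment describes, then validate the file it names."""
    path = resolve_dhparams_path(dhparams_file, config_dir)
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError as exc:
        return False, "cannot read %s: %s" % (path, exc.strerror)
    return check_dh_text(text)


# --- constructed sample input (for parsing only; p is NOT prime) -------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(n):
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra 0x00 when top bit is set
    return b"\x02" + _der_len(len(raw)) + raw


def make_dh_pem(bits, g=2):
    """Build a PEM DH PARAMETERS block whose p is an odd `bits`-bit number (constructed)."""
    p = (1 << (bits - 1)) | 1
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    return ("-----BEGIN DH PARAMETERS-----\n%s-----END DH PARAMETERS-----\n"
            % base64.encodebytes(der).decode())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as config_dir:   # stands in for proxy.config.config_dir
        os.mkdir(os.path.join(config_dir, "certs"))
        for bits in (2048, 1024):
            with open(os.path.join(config_dir, "certs", "dh%d.pem" % bits), "w") as fh:
                fh.write(make_dh_pem(bits))
        for setting in ("certs/dh2048.pem", "certs/dh1024.pem", "certs/dh4096.pem"):
            ok, msg = check_dhparams_file(setting, config_dir)
            print("%-18s %s  %s" % (setting, "OK " if ok else "BAD", msg))
```

Point `check_dhparams_file` at the real setting and config_dir on a host and the three outcomes (unreadable path, parse failure, modulus too small) come back as distinct messages instead of the single ATS error line. A real file can also be checked outside ATS with `openssl dhparam -in dh2048.pem -check -noout`.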
[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0
[ https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287899#comment-14287899 ]

Bryan Call commented on TS-3314:

[~andnej] DHE support wasn't added until 5.2.0 (TS-2417). I would assume that those ciphers were silently ignored when you were running earlier versions.
[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0
[ https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287914#comment-14287914 ]

Andre commented on TS-3314:
---

Setting it to
{code}
CONFIG proxy.config.ssl.server.dhparams_file STRING /opt/trafficserver/etc/trafficserver/certs/dh2048.pem
{code}
does not work either.

My certs are in /home/www/certs, but I have a symbolic link in /opt/trafficserver to certs. proxy.config.config_dir is not set in my records.conf, so it should default to /opt/trafficserver.
[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0
[ https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287839#comment-14287839 ]

Susan Hinrichs commented on TS-3314:

Are you certain your dh2048.pem file was being used? The dhparams_file does not appear until 5.2. Just double checked that in the 5.1.2 source. If you add an unrecognized config entry, ATS does not complain. And ATS is setting the SSL_OP_SINGLE_DH_USE and SSL_OP_SINGLE_ECDH_USE which I think means that you do not need to specify the DH parameters.

In any case, thanks for your records.config entries. I'll get the 5.2 behavior tracked down.
[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0
[ https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287860#comment-14287860 ]

Andre commented on TS-3314:
---

I have had these entries since I first set up ATS back in October and basically haven't touched them since. So this line does date back to October, and I think that was 5.1.0 or 5.1.1?
[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0
[ https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14288213#comment-14288213 ]

Susan Hinrichs commented on TS-3314:

Great! I'll go ahead and close out the issue then.