[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0

2015-01-22 Thread Andre (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14287799#comment-14287799
 ] 

Andre commented on TS-3314:
---

Exactly. I have the 3 mentioned dhparams in the same folder as the certificates 
and it worked with 5.1.2.

I could set proxy.config.ssl.server.dhparams_file to the certificates directory 
if that helps?

Here are the ciphers I accept, which, in my humble opinion, represent a modern, 
sane default:
proxy.config.ssl.server.cipher_suite STRING ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!eNULL

 SSL errors after upgrade from 5.1.2 - 5.2.0
 

 Key: TS-3314
 URL: https://issues.apache.org/jira/browse/TS-3314
 Project: Traffic Server
  Issue Type: Bug
  Components: Core, SSL
Reporter: Andre
Assignee: Susan Hinrichs

 I upgraded my ATS from 5.1.2 to 5.2.0 by keeping all my config files.
 When I start the trafficserver, I do get errors in the diags.log and https 
 sites do not work. Here is an extract of the diags.log:
 {code}
 [Jan 22 15:19:58.381] Server {0x2b42c3b03bc0} NOTE: loading SSL certificate 
 configuration from /opt/trafficserver/etc/trafficserver/ssl_multicert.config
 [Jan 22 15:19:58.386] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
 returned invalid parameters
 [Jan 22 15:19:58.386] Server {0x2b42c3b03bc0} ERROR: failed to load SSL 
 certificate specification from 
 /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 57
 [Jan 22 15:19:58.391] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
 returned invalid parameters
 [Jan 22 15:19:58.392] Server {0x2b42c3b03bc0} ERROR: failed to load SSL 
 certificate specification from 
 /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 58
 [Jan 22 15:19:58.396] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
 returned invalid parameters
 [Jan 22 15:19:58.397] Server {0x2b42c3b03bc0} ERROR: failed to load SSL 
 certificate specification from 
 /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 59
 [Jan 22 15:19:58.401] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
 returned invalid parameters
 [Jan 22 15:19:58.413] Server {0x2b42c3b03bc0} NOTE: traffic server running
 [Jan 22 15:19:58.494] Server {0x2b42c9547700} NOTE: cache enabled
 [Jan 22 15:20:01.176] Server {0x2b42d4f17700} ERROR: 
 SSL::47566040430336:error:140BA0C3:SSL routines:SSL_new:null ssl 
 ctx:ssl_lib.c:281: peer address is 2a01:4f8:160:24ca::3
 [Jan 22 15:20:01.176] Server {0x2b42d4f17700} ERROR: failed to create SSL 
 server session
 [Jan 22 15:22:19.813] Server {0x2b42d5018700} ERROR: 
 SSL::47566041483008:error:140BA0C3:SSL routines:SSL_new:null ssl 
 ctx:ssl_lib.c:281: peer address is 66.249.64.77
 [Jan 22 15:22:19.813] Server {0x2b42d5018700} ERROR: failed to create SSL 
 server session
 [Jan 22 15:25:01.191] Server {0x2b42d5119700} ERROR: 
 SSL::47566042535680:error:140BA0C3:SSL routines:SSL_new:null ssl 
 ctx:ssl_lib.c:281: peer address is 2a01:4f8:160:24ca::3
 [Jan 22 15:25:01.191] Server {0x2b42d5119700} ERROR: failed to create SSL 
 server session
 {code}
 Here is what I have in my ssl_multicert.config:
 {code}
 ssl_cert_name=domain1.crt ssl_key_name=domain1.key
 ssl_cert_name=domain2.crt ssl_key_name=domain2.key
 dest_ip=* ssl_cert_name=domain3.crt ssl_key_name=domain3.key
 {code}
 the .crt files contain my certificate and the intermediate certificate, the 
 ca is in the truststore. 
 There are 3 possible dh params available in the configured certificate 
 directory: dh512.pem, dh1024.pem and dh2048.pem
 why did it work in 5.1.2 and is no longer working in 5.2.0?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0

2015-01-22 Thread Susan Hinrichs (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14287702#comment-14287702
 ] 

Susan Hinrichs commented on TS-3314:


This was broken by TS-2417, adding support for DHE.  This patch added a new 
entry for the dhparams file, proxy.config.ssl.server.dhparams_file.

If the parameter is not set, it loads a built-in 2048 param.  If it fails to 
load the built in or the one specified by the dhparams_file, it issues the 
error you are seeing.

This still is a bit confusing, because I would assume that the built-in one 
would get successfully loaded in your case.  That still isn't what you want, 
since you want choices on which dhparam to load I assume based on the cipher 
negotiated.

I'm still figuring out how the old scheme worked.  You just placed the dh files 
in the same directory as the certificates and the right DH param would get 
loaded depending on the version of cipher selected by the negotiation?




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0

2015-01-22 Thread Andre (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14287917#comment-14287917
 ] 

Andre commented on TS-3314:
---

That could be true :)




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0

2015-01-22 Thread Susan Hinrichs (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14287884#comment-14287884
 ] 

Susan Hinrichs commented on TS-3314:


The dhparams_file path is calculated relative to the path in 
proxy.config.config_dir 

So where is your certs directory?  When I got the relative path wrong in my 
build, I see the same behavior that you describe. 

Try putting an absolute path to your .pem file.  Or try adjusting the relative 
path so it will be correct when combined with the value of your config_dir 
parameter.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
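
Added example, not part of the thread or of Traffic Server's code: a pre-start check that resolves proxy.config.ssl.server.dhparams_file against the config directory as described in the comment above, then confirms the target is a PEM DH PARAMETERS block and reports the size of its prime. The function names, the directory layout, and the 2048-bit threshold are assumptions of this example; the sample PEM data is constructed and its modulus is not a real prime.

```python
import base64
import os
import tempfile

SETTING = "proxy.config.ssl.server.dhparams_file"
BEGIN = "-----BEGIN DH PARAMETERS-----"
END = "-----END DH PARAMETERS-----"


def configured_dhparams(records_text):
    """Return the dhparams_file value from records.config text, or None if unset."""
    for raw in records_text.splitlines():
        fields = raw.split("#", 1)[0].split()          # drop comments
        if len(fields) >= 4 and fields[:2] == ["CONFIG", SETTING]:
            return None if fields[3] == "NULL" else fields[3]
    return None


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def prime_bits(pem_text):
    """Bit length of p in a PEM 'DH PARAMETERS' block (DER SEQUENCE { p, g })."""
    if BEGIN not in pem_text or END not in pem_text:
        raise ValueError("no DH PARAMETERS block")
    body = pem_text.split(BEGIN, 1)[1].split(END, 1)[0]
    der = base64.b64decode("".join(body.split()))
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, p, _ = _tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element is not an INTEGER")
    return int.from_bytes(p, "big").bit_length()


def check(records_text, config_dir, min_bits=2048):
    """Resolve the setting against config_dir and inspect the file it points to."""
    value = configured_dhparams(records_text)
    if value is None:
        return {"status": "unset", "path": None, "bits": None}
    path = os.path.join(config_dir, value)   # an absolute value is left unchanged
    if not os.path.isfile(path):       # follows symlinks; a dangling link lands here
        return {"status": "missing", "path": path, "bits": None}
    try:
        with open(path, "r", errors="replace") as fh:
            bits = prime_bits(fh.read())
    except (ValueError, IndexError):
        return {"status": "invalid", "path": path, "bits": None}
    status = "ok" if bits >= min_bits else "weak"   # min_bits is this example's choice
    return {"status": status, "path": os.path.realpath(path), "bits": bits}


def constructed_pem(bits):
    """CONSTRUCTED sample: valid DER shape and size, but p is not a real prime."""
    def length(n):
        if n < 0x80:
            return bytes([n])
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(raw)]) + raw
    def integer(n):
        raw = n.to_bytes(n.bit_length() // 8 + 1, "big")   # leading 0x00 if top bit set
        return b"\x02" + length(len(raw)) + raw

    body = integer((1 << (bits - 1)) | 1) + integer(2)
    der = b"\x30" + length(len(body)) + body
    return BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n"


def demo():
    """Hypothetical layout: <root>/etc/trafficserver as config_dir, <root>/certs."""
    with tempfile.TemporaryDirectory() as root:
        config_dir = os.path.join(root, "etc", "trafficserver")
        certs = os.path.join(root, "certs")
        os.makedirs(config_dir)
        os.makedirs(certs)
        for bits in (512, 2048):
            with open(os.path.join(certs, "dh%d.pem" % bits), "w") as fh:
                fh.write(constructed_pem(bits))
        line = "CONFIG " + SETTING + " STRING %s\n"
        cases = {
            "relative, wrong base": "certs/dh2048.pem",
            "relative, correct": "../../certs/dh2048.pem",
            "absolute": os.path.join(certs, "dh2048.pem"),
            "small prime": "../../certs/dh512.pem",
        }
        return {k: check(line % v, config_dir)["status"] for k, v in cases.items()}


if __name__ == "__main__":
    print(demo())
```

This check is structural only; on a real host, `openssl dhparam -in <file> -check -noout` additionally tests whether the parameters themselves are usable.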


[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0

2015-01-22 Thread Bryan Call (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14287899#comment-14287899
 ] 

Bryan Call commented on TS-3314:


[~andnej]
DHE support wasn't added until 5.2.0 (TS-2417).  I would assume that those 
ciphers were silently ignored when you were running earlier versions.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0

2015-01-22 Thread Andre (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14287914#comment-14287914
 ] 

Andre commented on TS-3314:
---

Setting it to CONFIG proxy.config.ssl.server.dhparams_file STRING /opt/trafficserver/etc/trafficserver/certs/dh2048.pem does not work either.

My certs are in /home/www/certs, but I have a symbolic link in 
/opt/trafficserver to certs.
proxy.config.config_dir is not set in my records.conf, so it should default to 
/opt/trafficserver




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0

2015-01-22 Thread Susan Hinrichs (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14287839#comment-14287839
 ] 

Susan Hinrichs commented on TS-3314:


Are you certain your dh2048.pem file was being used?  The dhparams_file does 
not appear until 5.2.  Just double checked that in the 5.1.2 source.  

If you add an unrecognized config entry, ATS does not complain.  And ATS is 
setting the SSL_OP_SINGLE_DH_USE and SSL_OP_SINGLE_ECDH_USE which I think means 
that you do not need to specify the DH parameters.

In any case, thanks for your records.config entries.  I'll get the 5.2 behavior 
tracked down.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0

2015-01-22 Thread Andre (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14287860#comment-14287860
 ] 

Andre commented on TS-3314:
---

I have had these entries since I first set up ATS back in October and basically 
haven't touched it since.

So this line does date back to October and I think that was 5.1.0 or 5.1.1? 




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (TS-3314) SSL errors after upgrade from 5.1.2 - 5.2.0

2015-01-22 Thread Susan Hinrichs (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14288213#comment-14288213
 ] 

Susan Hinrichs commented on TS-3314:


Great!  I'll go ahead and close out the issue then.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)