On 30.01.2015 at 01:23, James Peach wrote:
> On Jan 29, 2015, at 4:14 PM, Reindl Harald <[email protected]> wrote:
>> On 29.01.2015 at 20:25, James Peach wrote:
>>> On Jan 29, 2015, at 10:29 AM, Reindl Harald <[email protected]> wrote:
>>>> [root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config
>>>> ssl_cert_name=thelounge.net.pem ssl_ca_name=godaddy_ca_sha256.crt ssl_ticket_enabled=0
>>>>
>>>> https://www.ssllabs.com/ssltest/
>>>> Session resumption (caching)   Yes
>>>> Session resumption (tickets)   Yes
>>>> SSL 2 handshake compatibility  No
>>>
>>> First, what version of OpenSSL is this? We try to set SSL_OP_NO_TICKET, which I believe was added in OpenSSL 0.9.9. Maybe httpd uses a different technique to disable session tickets.
>>
>> Fedora 20 openssl-1.0.1e-41.fc20
>>
>>> Can you turn on "ssl" debug logging? With ssl_ticket_enabled=0 you should see a message like "ssl session ticket is disabled"
>>
>> ...not sure how to do that
>
> To do this with a running process:
>
> traffic_line -s proxy.config.diags.debug.tags -v ssl
> traffic_line -s proxy.config.diags.debug.enabled -v 1
> traffic_line -x
>
> Depending on your config, you will most likely see the messages in diags.log

[root@proxy:~]$ traffic_line -s proxy.config.diags.debug.tags -v ssl
Set proxy.config.diags.debug.tags
[root@proxy:~]$ traffic_line -s proxy.config.diags.debug.enabled -v 1
Set proxy.config.diags.debug.enabled
[root@proxy:~]$ traffic_line -x
[root@proxy:~]$ cat /var/log/trafficserver/diags.log
[Jan 30 01:36:12.651] Server {0x2aed1f3ea700} NOTE: updated diags config
[Jan 30 01:36:21.651] Server {0x2aed1f3ea700} NOTE: updated diags config
nothing relevant
may I ask you to just fire https://www.ssllabs.com/ssltest/ against a site running ATS with SSL - that also shows for the issue below "SSL 2 handshake compatibility No"
the only reachable server for ssllabs is the production one; testing environments are not reachable from outside

>> (the ssl 2 handshake compatibility needs to be fixed too for some client like "ab" the apache benchmark tool)
>>
>> BTW: that annoys me for years now - "ab" supports SNI fine but not with ATS
>
> I don't know what the problem is with "ab", but there is config for allowing various SSL protocol versions:
>
> $ traffic_line -m proxy.config.ssl.*v[0-9_]
> proxy.config.ssl.SSLv2 0
> proxy.config.ssl.SSLv3 0
> proxy.config.ssl.TLSv1 1
> proxy.config.ssl.TLSv1_1 1
> proxy.config.ssl.TLSv1_2 1
> proxy.config.ssl.client.SSLv2 0
> proxy.config.ssl.client.SSLv3 1
> proxy.config.ssl.client.TLSv1 1
> proxy.config.ssl.client.TLSv1_1 1
> proxy.config.ssl.client.TLSv1_2 1

http://sourceforge.net/p/ssllabs/mailman/message/25619891/

"It means that the server supports SSLv2 handshake, even though it may not support SSLv2 itself. Essentially it's an optimization. Instead of a client first requesting SSLv2 (with a SSLv2 handshake) and failing (if the server does not support it), then having to request SSLv3 or better (with a SSLv3 handshake), the client can use the SSLv2 handshake to indicate support for newer protocols."

CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.SSLv2 INT 1
CONFIG proxy.config.ssl.client.SSLv3 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_2 INT 1

____________________________

"ab" clearly says:

139961005492208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
SSL handshake failed (1).
139961005492208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
SSL handshake failed (1).
139961005492208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
SSL handshake failed (1).
139961005492208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
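Added example, not part of the thread and not Traffic Server's own tooling: the dispute above is whether `ssl_ticket_enabled=0` actually took effect, and SSL Labs says it did not. A check that does not depend on a third-party scanner is to read the `SSL-Session:` block that `openssl s_client` prints after a handshake; when the server hands out a ticket, that block contains a `TLS session ticket:` line followed by a hex dump, and when tickets are disabled the line is absent. The POSIX shell helper below makes that decision from a transcript on stdin. The two transcripts are constructed (abbreviated) samples, and `ticket_status`, `status_of` and `live_check` are names chosen here.

```shell
#!/bin/sh
# Decide from an `openssl s_client` transcript (read on stdin) whether the
# server issued a TLS session ticket. Prints "tickets:issued" or "tickets:none".
# The "TLS session ticket lifetime hint:" line does not match the pattern,
# only the "TLS session ticket:" line that precedes the ticket hex dump does.
ticket_status() {
    if grep -q 'TLS session ticket:'; then
        echo tickets:issued
    else
        echo tickets:none
    fi
}

# Run ticket_status over a transcript held in a string.
status_of() {
    printf '%s\n' "$1" | ticket_status
}

# Live use (assumed usage, not run here): capture a real handshake transcript
# for the SNI name given as $1 and classify it.
live_check() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | ticket_status
}

# Constructed sample: SSL-Session block from a server that issues tickets.
SAMPLE_WITH_TICKET='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 1A2B3C4D5E6F
    Session-ID-ctx:
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ff   ................
    Start Time: 1422575000
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)'

# Constructed sample: same server with tickets disabled; only the
# cache-based Session-ID remains, so "caching" resumption can still be Yes.
SAMPLE_NO_TICKET='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 1A2B3C4D5E6F
    Session-ID-ctx:
    Start Time: 1422575000
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)'

status_of "$SAMPLE_WITH_TICKET"   # tickets:issued
status_of "$SAMPLE_NO_TICKET"     # tickets:none
```

Note the distinction the two samples make: a `Session-ID` alone only says the server offers cache-based resumption, which is what the "Session resumption (caching)" row reports; the ticket row is about the separate `TLS session ticket` extension, so the check looks for that line specifically.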
