> On Jan 29, 2015, at 4:40 PM, Reindl Harald <[email protected]> wrote:
>
>
> On 30.01.2015 at 01:23, James Peach wrote:
>>> On Jan 29, 2015, at 4:14 PM, Reindl Harald <[email protected]> wrote:
>>>
>>> On 29.01.2015 at 20:25, James Peach wrote:
>>>>> On Jan 29, 2015, at 10:29 AM, Reindl Harald <[email protected]>
>>>>> wrote:
>>>>>
>>>>>
>>>>> [root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config
>>>>> ssl_cert_name=thelounge.net.pem ssl_ca_name=godaddy_ca_sha256.crt
>>>>> ssl_ticket_enabled=0
>>>>>
>>>>> https://www.ssllabs.com/ssltest/
>>>>> Session resumption (caching) Yes
>>>>> Session resumption (tickets) Yes
>>>>> SSL 2 handshake compatibility No
>>>>
>>>> First, what version of OpenSSL is this? We try to set SSL_OP_NO_TICKET,
>>>> which I believe was added in OpenSSL 0.9.9. Maybe httpd uses a different
>>>> technique to disable session tickets.
>>>
>>> Fedora 20
>>> openssl-1.0.1e-41.fc20
>>>
>>>> Can you turn on "ssl" debug logging? With ssl_ticket_enabled=0 you should
>>>> see a message like "ssl session ticket is disabled" ...
>>>
>>> not sure how to do that
>>
>> To do this with a running process:
>>
>> traffic_line -s proxy.config.diags.debug.tags -v ssl
>> traffic_line -s proxy.config.diags.debug.enabled -v 1
>> traffic_line -x
>>
>> Depending on your config, you will most likely see the messages in diags.log
>
> [root@proxy:~]$ traffic_line -s proxy.config.diags.debug.tags -v ssl
> Set proxy.config.diags.debug.tags
> [root@proxy:~]$ traffic_line -s proxy.config.diags.debug.enabled -v 1
> Set proxy.config.diags.debug.enabled
> [root@proxy:~]$ traffic_line -x
> [root@proxy:~]$ cat /var/log/trafficserver/diags.log
> [Jan 30 01:36:12.651] Server {0x2aed1f3ea700} NOTE: updated diags config
> [Jan 30 01:36:21.651] Server {0x2aed1f3ea700} NOTE: updated diags config
>
> nothing relevant
Sorry, it didn't reload the SSL config because ssl_multicert.config didn't change. I should have asked you to touch it before the traffic_line -x.

> may I ask you to just fire https://www.ssllabs.com/ssltest/ against a site
> running ATS with SSL - that also shows for the issue below "SSL 2 handshake
> compatibility No"
>
>>> the only reachable server for ssllabs is the production one
>>> testing environments are not reachable from outside
>>>
>>>>> (the ssl 2 handshake compatibility needs to be fixed too for some client
>>>>> like "ab" the apache benchmark tool)
>>>
>>> BTW: that has annoyed me for years now - "ab" supports SNI fine but not with ATS
>>
>> I don't know what the problem is with "ab", but there is config for allowing
>> various SSL protocol versions:
>>
>> $ traffic_line -m proxy.config.ssl.*v[0-9_]
>> proxy.config.ssl.SSLv2 0
>> proxy.config.ssl.SSLv3 0
>> proxy.config.ssl.TLSv1 1
>> proxy.config.ssl.TLSv1_1 1
>> proxy.config.ssl.TLSv1_2 1
>> proxy.config.ssl.client.SSLv2 0
>> proxy.config.ssl.client.SSLv3 1
>> proxy.config.ssl.client.TLSv1 1
>> proxy.config.ssl.client.TLSv1_1 1
>> proxy.config.ssl.client.TLSv1_2 1
>
> http://sourceforge.net/p/ssllabs/mailman/message/25619891/
>
> It means that the server supports SSLv2 handshake, even though it may
> not support SSLv2 itself. Essentially it's an optimization. Instead of
> a client first requesting SSLv2 (with a SSLv2 handshake) and failing
> (if the server does not support it), then having to request SSLv3 or
> better (with a SSLv3 handshake), the client can use the SSLv2
> handshake to indicate support for newer protocols.
>
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 0
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.SSLv2 INT 1
> CONFIG proxy.config.ssl.client.SSLv3 INT 1
> CONFIG proxy.config.ssl.client.TLSv1 INT 1
> CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
> ____________________________
>
> "ab" clearly says:
>
> 139961005492208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure:s23_clnt.c:744:
> SSL handshake failed (1).
> 139961005492208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure:s23_clnt.c:744:
> SSL handshake failed (1).
> 139961005492208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure:s23_clnt.c:744:
> SSL handshake failed (1).
> 139961005492208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure:s23_clnt.c:744:
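The protocol records and the ssl_multicert.config line discussed in this thread, checked by a small audit script added here as an example (it is not part of Traffic Server and not code from anyone in the thread). It assumes the two input shapes quoted above, records.config `CONFIG name INT value` lines and the `name value` lines printed by `traffic_line -m`, and a policy of SSLv2/SSLv3 off and TLSv1_2 on for both the listener records and the origin-facing `client.` records; the sample inputs are constructed from the values quoted in the thread.

```python
import re

# Constructed sample: the records.config lines quoted in the thread
# (note that SSLv2 is still enabled on the side facing origin servers).
SAMPLE_RECORDS = """\
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.SSLv2 INT 1
CONFIG proxy.config.ssl.client.SSLv3 INT 1
CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
"""
# Constructed sample: the ssl_multicert.config line quoted in the thread.
SAMPLE_MULTICERT = "ssl_cert_name=thelounge.net.pem ssl_ca_name=godaddy_ca_sha256.crt ssl_ticket_enabled=0\n"

# Matches 'CONFIG name INT value' (records.config) and 'name value' (traffic_line -m output).
RECORD_RE = re.compile(r"^(?:CONFIG\s+)?(proxy\.config\.ssl\.\S+)\s+(?:INT\s+)?(\d+)\s*$")
POLICY = {"SSLv2": 0, "SSLv3": 0, "TLSv1_2": 1}  # required value per protocol record (assumed policy)

def parse_records(text):
    """Return {record name: int value} for the proxy.config.ssl.* records found."""
    settings = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings

def audit_protocols(settings):
    """List records contradicting POLICY on the listener side ('') and on
    the side facing origin servers ('client.'); a missing record counts as 0."""
    findings = []
    for side in ("", "client."):
        for proto, wanted in POLICY.items():
            key = f"proxy.config.ssl.{side}{proto}"
            if settings.get(key, 0) != wanted:
                findings.append(f"{key} should be {wanted}")
    return findings

def parse_multicert(text):
    """Parse ssl_multicert.config: one certificate per line, key=value tokens, '#' comments."""
    return [dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def audit_tickets(entries):
    """Certificates whose session-ticket setting is not explicitly disabled."""
    return [e.get("ssl_cert_name", "?") for e in entries
            if e.get("ssl_ticket_enabled") != "0"]
```

Run `audit_protocols(parse_records(SAMPLE_RECORDS))` to see the two origin-side findings; the multicert line from the thread produces none, since it already sets ssl_ticket_enabled=0 (whether the running server honours it is the separate question this thread is about).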
