On 16.04.2015 at 16:16, Susan Hinrichs wrote:
> On 4/16/2015 7:11 AM, Reindl Harald wrote:
>>> Can you give details about your configuration? We must be doing
>>> something different.
>>
>> * Fedora 20 x86_64
>> * ATS 5.2.1
>> * openssl-1.0.1e-42.fc20
>>
>> the certificate is a RSA4096 SHA256 wildcard, the same as on
>> https://secure.thelounge.net/ which is running httpd while
>> https://www.thelounge.net/ is running ATS in front
>
> I've tried replicating your environment better to no avail. Am I reading
> your statement above correctly that there is a httpd proxy in between
> the client and ATS?

no

https://secure.thelounge.net/ is running httpd
https://www.thelounge.net/ is running ATS

both with the same 4096 RSA/SHA256 wildcard cert and as far as possible
identical settings (cipher order and so on)

> Do previous versions of ATS work for you?

no, i *never* was able to benchmark TLS with ATS

SSL23_GET_SERVER_HELLO:sslv3 is pretty clear
https://technet.microsoft.com/en-us/library/cc785811%28v=ws.10%29.aspx

a SSL23 HELLO doesn't imply SSL3 or even SSL2 are supported

>> cat records.config | grep ssl
>> CONFIG proxy.config.http.server_ports STRING 80 443:ssl
>> CONFIG proxy.config.ssl.SSLv2 INT 0
>> CONFIG proxy.config.ssl.SSLv3 INT 0
>> CONFIG proxy.config.ssl.TLSv1 INT 1
>> CONFIG proxy.config.ssl.TLSv1_1 INT 1
>> CONFIG proxy.config.ssl.TLSv1_2 INT 1
>> CONFIG proxy.config.ssl.client.SSLv2 INT 1
>> CONFIG proxy.config.ssl.client.SSLv3 INT 1
>> CONFIG proxy.config.ssl.client.TLSv1 INT 1
>> CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
>> CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
>> CONFIG proxy.config.ssl.client.certification_level INT 0
>> CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
>> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
>> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl/
>> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
>> CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
>> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
>> CONFIG proxy.config.ssl.server.dhparams_file STRING /etc/trafficserver/ssl/dhparams.pem
>>
>>> On 4/16/2015 6:31 AM, Reindl Harald wrote:
>>>> On 16.04.2015 at 13:22, Susan Hinrichs wrote:
>>>>> Are you seeing actual failed connections? Or is ATS just logging
>>>>> more intermediate error cases than httpd?
>>>>
>>>> it is just impossible to use "ab" against an ATS, see difference below
>>>>
>>>> and when you run https://www.ssllabs.com/ssltest/ against both sites
>>>> you see SSL2/SSL3 disabled on both
>>>>
>>>> that pretty sure affects also other older clients not only "ab" for
>>>> no good reasons
>>>> __________________________________________________________
>>>> [harry@rh:~]$ ab -n 1 https://www.thelounge.net/
>>>> This is ApacheBench, Version 2.3 <$Revision: 1638069 $>
>>>> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
>>>> Licensed to The Apache Software Foundation, http://www.apache.org/
>>>>
>>>> Benchmarking www.thelounge.net (be patient)...SSL handshake failed (1).
>>>> 140536880785376:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
>>>> ..done
>>>> __________________________________________________________
>>>> [harry@rh:~]$ ab -n 1 https://secure.thelounge.net/
>>>> This is ApacheBench, Version 2.3 <$Revision: 1638069 $>
>>>> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
>>>> Licensed to The Apache Software Foundation, http://www.apache.org/
>>>>
>>>> Benchmarking secure.thelounge.net (be patient).....done
>>>>
>>>> Server Software:
>>>> Server Hostname:        secure.thelounge.net
>>>> Server Port:            443
>>>> SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,4096,128
>>>> __________________________________________________________
>>>>
>>>>> On 4/16/2015 6:13 AM, Reindl Harald wrote:
>>>>>> On 16.04.2015 at 13:08, Neddy, NH. Nam wrote:
>>>>>>> Yeah, it's been a long time: https://issues.apache.org/jira/browse/TS-2402
>>>>>>
>>>>>> "SSL v3 is disabled" is a completely different story than breaking
>>>>>> client handshakes, as said *all* our services have SSL3 disabled and
>>>>>> you can benchmark a httpd-server without any issues with "ab"
>>>>>>
>>>>>>> On Thu, Apr 16, 2015 at 4:57 PM, Reindl Harald <[email protected]> wrote:
>>>>>>>> why is it still an issue doing a benchmark to an ATS server with
>>>>>>>> "ab -c 100 -n 20000 https://traffic-server-site/" while the same
>>>>>>>> works just fine when the server is a normal httpd with SSLv3 also
>>>>>>>> disabled?
>>>>>>>>
>>>>>>>> 140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
>>>>>>>> SSL handshake failed (1).
>>>>>>>> 140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
>>>>>>>> SSL handshake failed (1).
>>>>>>>> 140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
>>>>>>>> SSL handshake failed (1).
>>>>>>>> 140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
>>>>>>>> SSL handshake failed (1).
>>>>>>>> 140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
>>>>>>>> SSL handshake failed (1).
>>>>>>>> 140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770
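The thread turns on what "SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" actually means. The following is an added example, not code from the thread, from ATS, httpd or ab: it builds the kind of version-flexible ClientHello that OpenSSL's SSLv23 client code (the s23_clnt.c in the error string) sends, decodes the fatal alert a server answers with, and shows that alert 40 (handshake_failure, which OpenSSL 1.0.x labels "sslv3 alert" for every protocol version) says the server refused the offered parameters, typically no shared cipher suite or a certificate/SNI mismatch, and is not evidence that SSLv3 was offered or enabled. The byte strings are constructed by hand (no network), and the cipher-suite table is a small subset of the IANA registry chosen to cover suites named in the thread.

```python
"""Decode the TLS records behind an OpenSSL "sslv3 alert handshake failure".

Added example for this thread, not code from ATS, httpd or ab.  The byte
strings are constructed by hand (no network), and the cipher-suite table is a
small subset of the IANA registry chosen to match suites named in the thread.
"""
import os
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions (RFC 5246 section 7.2) most often seen when a handshake dies.
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 46: "certificate_unknown",
                      70: "protocol_version", 112: "unrecognized_name"}
# IANA cipher-suite code -> OpenSSL name (subset).
CIPHER_SUITES = {0xC02F: "ECDHE-RSA-AES128-GCM-SHA256", 0x0039: "DHE-RSA-AES256-SHA",
                 0x002F: "AES128-SHA", 0x000A: "DES-CBC3-SHA"}


def build_client_hello(client_version, record_version, suites):
    """Minimal ClientHello (no extensions, hence no SNI) wrapped in a TLS record.

    OpenSSL's version-flexible client (s23_clnt.c) does essentially this: a low
    record-layer version outside and the highest supported client_version
    inside, so the server picks the best common version.  Offering TLS 1.2 this
    way says nothing about SSLv3 being enabled on either side.
    """
    body = struct.pack("!BB", *client_version)
    body += os.urandom(32)                      # ClientHello.random
    body += b"\x00"                             # session_id: empty
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return (b"\x16" + struct.pack("!BB", *record_version)
            + struct.pack("!H", len(handshake)) + handshake)


def build_alert(level, description, record_version=(3, 3)):
    """An Alert record: content type 21 with a two-byte (level, description) body."""
    return (b"\x15" + struct.pack("!BB", *record_version) + b"\x00\x02"
            + struct.pack("!BB", level, description))


def parse_record(data):
    """Parse one TLS record; decodes alerts and the main fields of a ClientHello."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    rec = {"type": CONTENT_TYPES.get(ctype, ctype),
           "record_version": VERSIONS.get((major, minor), (major, minor))}
    if ctype == 21:
        level, desc = payload                   # bytes unpack to ints
        rec["level"] = ALERT_LEVELS.get(level, level)
        rec["description"] = ALERT_DESCRIPTIONS.get(desc, desc)
    elif ctype == 22 and payload[0] == 1:
        hs_len = int.from_bytes(payload[1:4], "big")
        body = payload[4:4 + hs_len]
        rec["client_version"] = VERSIONS.get((body[0], body[1]), (body[0], body[1]))
        off = 35 + body[34]                     # skip version(2) + random(32) + session_id
        (n,) = struct.unpack("!H", body[off:off + 2])
        off += 2
        codes = [struct.unpack("!H", body[off + i:off + i + 2])[0] for i in range(0, n, 2)]
        rec["cipher_suites"] = [CIPHER_SUITES.get(c, hex(c)) for c in codes]
    return rec


def explain_failure(hello, alert):
    """Say what a fatal alert in reply to a given ClientHello does and does not
    tell you.  Returns a short diagnostic string."""
    h, a = parse_record(hello), parse_record(alert)
    if a["type"] != "alert":
        return "no alert in reply"
    if a["description"] == "handshake_failure":
        return ("server refused hello offering up to %s with %d suite(s): "
                "usually no shared cipher suite or a certificate/SNI mismatch, "
                "not an SSLv3 problem" % (h["client_version"], len(h["cipher_suites"])))
    if a["description"] == "protocol_version":
        return "server rejected client_version %s itself" % h["client_version"]
    return "%s alert: %s" % (a["level"], a["description"])


if __name__ == "__main__":
    hello = build_client_hello((3, 3), (3, 1), [0xC02F, 0x002F])
    print(parse_record(hello))
    print(explain_failure(hello, build_alert(2, 40)))
```

When debugging a case like the one in the thread, capture the first two records of the failing connection (the ClientHello and the server's alert) and feed them to parse_record: if the alert is handshake_failure while client_version already says TLSv1.2, the protocol settings are not the problem, and the cipher list, the certificate selection (SNI and ssl_multicert.config) and any client-certificate requirement are the next things to compare between the working httpd host and the ATS host.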
