On Mon, Apr 25, 2016 at 3:33 AM Reindl Harald <[email protected]> wrote:
>
> On 17.04.2016 at 01:26, Leif Hedstrom wrote:
> >> On Apr 16, 2016, at 4:56 PM, Reindl Harald <[email protected]> wrote:
> >>
> >> On 17.04.2016 at 00:52, Leif Hedstrom wrote:
> >>>> On Apr 16, 2016, at 4:44 PM, Reindl Harald <[email protected]> wrote:
> >>>>
> >>>> On 17.04.2016 at 00:38, Leif Hedstrom wrote:
> >>>>>> so what gives you ab -c 5 -n 100 https://www.thelounge.net/
> >>>>>> on your client?
> >>>>>
> >>>>> It fails too from that CentOS7 box to your box.
> >>>>>>
> >>>>>> [harry@srv-rhsoft:~]$ ab -c 5 -n 100 https://docs.trafficserver.apache.org/
> >>>>>> This is ApacheBench, Version 2.3 <$Revision: 1706008 $>
> >>>>>> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> >>>>>> Licensed to The Apache Software Foundation, http://www.apache.org/
> >>>>>>
> >>>>>> Benchmarking docs.trafficserver.apache.org (be patient)...^C
> >>>>>>
> >>>>>> Server Software: ATS/6.2.0
> >>>>>> Server Hostname: docs.trafficserver.apache.org
> >>>>>> Server Port: 443
> >>>>>> SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
> >>>>>
> >>>>> So it seems your ab works against this CentOS7 box running ATS v6.2.0?
> >>>>
> >>>> yes
> >>>>
> >>>>> What version of OpenSSL did you build ATS with? I am running
> >>>>> docs.trafficserver.a.o with OpenSSL v1.0.2g if I recall (latest stable
> >>>>> release)
> >>>>
> >>>> seems not to matter that much since i have this issue for years now and
> >>>> the httpd servers are built in the same environments with the same
> >>>> libraries and don't have that issue
> >>>
> >>> Wonder if it could be one of those -f compiler flags? I’m attaching
> >>> my config.nice that I run on docs.trafficserver, this compiles with
> >>> ASAN though, so you likely want to remove that at least (if you are
> >>> willing to try).
> >>
> >> i will give it a try ASAP, however the whole web and mail stack is
> >> built with those flags (based on the flags below which are %{optflags})
> >> and only ATS has the specific problem
> >
> > Yeah, it seems odd that it’d break like that because of compiler flags.
> > But I honestly have no other ideas as to why it breaks on your system,
> > and not mine :-/. Can anyone else confirm or deny this breakage on their
> > installs?
>
> just a notice again before i try to build with other flags
> _____________________________________________
>
> https://www.ssllabs.com/ssltest/
>
> docs.trafficserver.apache.org:
> SSL 2 handshake compatibility Yes
>

I believe what is going on here is that we use SSLv23_server_method(), which
will negotiate the highest version of TLS supported by both sides, but does
so with the SSLv2Hello handshake. This does not mean we necessarily support
SSLv2/3.

> www.thelounge.net:
> SSL 2 handshake compatibility No
>

It is my understanding that HTTPD matches the server method to only negotiate
the version configured. This means it is using something like
TLSv1_2_server_method(), which only supports the TLS1.2 handshake. What is
your HTTPD config?

> _____________________________________________
>
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 0
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECD$
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> CONFIG proxy.config.ssl.server.dhparams_file STRING /etc/trafficserver/ssl/dhparams.pem
>
