[TS-2593] HTTPS to origin fails on CentOS6.x - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.2.0, 5.0.0
Component/s: SSL
Labels:
- A

Description

I'm having this problem where mapping to https:// URLs always fails to connect / communicate with the origin. I've tracked this down to ~~TS-2355~~, and I suspect (but not sure) that setting the nonexistent OpenSSL option breaks something badly. I'd like to make the following changes:

diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index 5ed2d82..289ff99 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -33,15 +33,6 @@
 #error Traffic Server requires a OpenSSL library that support threads
 #endif

-// if we are compiling against an early version of OpenSSL, define our own values
-#ifndef SSL_OP_NO_TLSv1_1
-#define SSL_OP_NO_TLSv1_1 0x10000000L
-#endif
-#ifndef SSL_OP_NO_TLSv1_2
-#define SSL_OP_NO_TLSv1_2 0x08000000L
-#endif
-#define SSL_VERSION_1_0_1 0x010001000 // MMNNFFPPS: major minor fix patch status
-
 struct SSLConfigParams;
 struct SSLCertLookup;

diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 9a20883..f9df79e 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -149,12 +149,19 @@ SSLConfigParams::initialize()
   REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1");
   if (!options)
     ssl_ctx_options |= SSL_OP_NO_TLSv1;
+
+  // These are not available in all, older versions of OpenSSL (e.g. CentOS6)
+#ifdef SSL_OP_NO_TLSv1_1
   REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
   if (!options)
     ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
   REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2");
   if (!options)
     ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
+#endif
+
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
   REC_ReadConfigInteger(options, "proxy.config.ssl.server.honor_cipher_order");
   if (options)
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 41b876c..7f71243 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1227,7 +1227,8 @@ RecordElement RecordsConfig[] = {
   ,
   {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} // default disabled for now.  OpenSSL v1.0.1e (and lower) have issue TS-2355
+  // Disable this when using some versions of OpenSSL that causes crashes. See TS-2355.
+  {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.compression", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,

That much said, I'm also wondering if we should make the defaults for the TLSv1_2 a little less draconian? For example, can we detect which versions this works in, and change the default to "1"? Or can we change the default to "1", and ask people that run into the crasher to either upgrade OpenSSL, or alternatively disable v1.2 ?

Attachments

Issue Links

is related to

TS-2355 ATS 4.0.x crashes when using OpenSSL 1.0.1e

Closed

Activity

People

Assignee:: Leif Hedstrom

Reporter:: Leif Hedstrom

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 27/Feb/14 02:43

Updated:: 18/Dec/14 05:08

Resolved:: 27/Feb/14 17:36