Hmm. We run with that configuration with our 7.1.x+. I will try to write a test case for master.
On Sat, Dec 29, 2018, 1:50 PM Leif Hedstrom <zw...@apache.org> wrote:

> Hi,
>
> I have a “play” server, which I upgraded recently to F29, and ATS is having issues with one of my certificates. It’s a cert with a wildcard for *.ogre.com, and this was working fine up until the upgrade to OpenSSL v1.1.1. The other certs work fine.
>
> Doing diagnostics, I see
>
> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLNetVConnection.cc:1555 (callHooks)> (ssl) callHooks sslHandshakeHookState=2 eventID=60204
> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLNetVConnection.cc:1647 (callHooks)> (ssl) callHooks iterated to curHook=(nil)
> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:409 (PerformAction)> (ssl_sni) www.ogre.com not available in the map
> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:332 (set_context_cert)> (ssl) set_context_cert ssl=0x7f62a654b000 server=www.ogre.com handshake_complete=0
> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:381 (set_context_cert)> (ssl) ssl_cert_callback found SSL context 0x7f62a9150800 for requested name ‘www.ogre.com’
>
> At which point, it fails the TLS handshake (since www.ogre.com is not available in the map). I can see it loading the certificate though:
>
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2181 (SSLParseCertificateConfiguration)> (ssl) currently parsing dest_ip
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1636 (SSLInitServerContext)> (ssl.session_cache) ssl context=0x7f62a9150800: using session cache options, enabled=2, size=102400, num_buckets=256, skip_on_contention=0, timeout=0, auto_clear=1
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1658 (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS implementation
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1672 (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1844 (SSLInitServerContext)> (ssl) Using 'ogre.crt' in hash for session id context
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1929 (SSLInitServerContext)> (ssl) SSL OCSP Stapling is disabled
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1460 (SSLCheckServerCertNow)> (ssl) server certificate ogre.crt passed accessibility and date checks
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLCertLookup.cc:184 (ticket_block_create)> (ssl) Create 1 ticket key blocks
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2004 (ssl_store_ssl_context)> (ssl) mapping '71.6.199.13' to certificate ogre.crt
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLCertLookup.cc:428 (insert)> (ssl) indexed '4706c70d' with SSL_CTX 0x7f62a9150800 [0]
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2040 (ssl_store_ssl_context)> (ssl) SSL OCSP Stapling is disabled
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2051 (ssl_store_ssl_context)> (ssl) importing SNI names from ogre.crt
> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1505 (ssl_index_certificate)> (ssl) mapping '*.ogre.com' to certificate ogre.crt
> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:418 (insert)> (ssl) indexed '*.ogre.com' with SSL_CTX 0x7f62a9150800 [1]
> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1525 (ssl_index_certificate)> (ssl) mapping 'ogre.com' to certificates ogre.crt
> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:428 (insert)> (ssl) indexed 'ogre.com' with SSL_CTX 0x7f62a9150800 [2]
> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:2181 (SSLParseCertificateConfiguration)> (ssl) currently parsing dest_ip
> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1636 (SSLInitServerContext)> (ssl.session_cache) ssl context=0x7f62a9146000: using session cache options, enabled=2, size=102400, num_buckets=256, skip_on_contention=0, timeout=0, auto_clear=1
> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1658 (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS implementation
> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1672 (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
>
> My multicast.config file has:
>
> dest_ip=71.6.199.13 ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=gd_bundle-g2-g1.crt
>
> DNS for www.ogre.com points to the IP above:
>
> munin (12:42) 260/0 $ host www.ogre.com
> www.ogre.com is an alias for cosmo.ogre.com.
> cosmo.ogre.com has address 71.6.199.13
>
> Did we break wildcard matching?? Or did OpenSSL v1.1.1 do it?? The SN in the certificate is *.ogre.com.
>
> Cheers,
>
> — Leif
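As an added illustration of the lookup the quoted log is exercising (this is not ATS code and not part of the thread), the index below is populated with the same names the log shows being indexed from ogre.crt and resolves a requested SNI name by exact match first, then by a one-label wildcard; the class and function names are hypothetical.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>

// Hypothetical SNI-to-certificate index (not ATS code). It is populated with
// the same names the quoted debug log shows being indexed from ogre.crt.
class SniIndex {
public:
    void add(const std::string& name, const std::string& cert) { names_[lower(name)] = cert; }

    // Lookup order: exact name, then a one-label wildcard. Returns "" when
    // nothing matches, which is where a dest_ip/default context would apply.
    // The '*' stands for exactly one leftmost label, so 'www.ogre.com'
    // matches '*.ogre.com' while 'a.b.ogre.com' does not.
    std::string lookup(const std::string& sni) const {
        const std::string name = lower(sni);   // DNS names are case-insensitive
        auto it = names_.find(name);
        if (it != names_.end()) {
            return it->second;
        }
        const auto dot = name.find('.');
        if (dot == std::string::npos || dot == 0) {
            return "";                         // single label or leading dot
        }
        const std::string parent = name.substr(dot + 1);
        if (parent.find('.') == std::string::npos) {
            return "";                         // would match '*.com': refuse
        }
        it = names_.find("*." + parent);
        return it != names_.end() ? it->second : "";
    }

private:
    static std::string lower(std::string s) {
        std::transform(s.begin(), s.end(), s.begin(),
                       [](unsigned char c) { return std::tolower(c); });
        return s;
    }
    std::map<std::string, std::string> names_;
};

// Builds the index from the names in the quoted log and resolves one SNI name.
inline std::string resolve(const std::string& sni) {
    SniIndex idx;
    idx.add("*.ogre.com", "ogre.crt");
    idx.add("ogre.com", "ogre.crt");
    return idx.lookup(sni);
}
```

The refusal of a wildcard with a single label after the `*` is a simple heuristic; a production check would consult the public suffix list.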