> On Dec 29, 2018, at 2:36 PM, Leif Hedstrom <zw...@apache.org> wrote:
> 
> 
> 
>> On Dec 29, 2018, at 1:06 PM, SUSAN HINRICHS <shinr...@ieee.org> wrote:
>> 
>> Hmm. We run with that configuration with our 7.1.x+.   I will try to write
>> a test case for master.
> 
> 
> It seems to be related to the dest_ip=1.2.3.4, not the actual wild card. If I 
> change it to dest_ip=*, then it works for the first rule but not the second. 
> E.g. this works for www.ogre.com, but then other sites (matching the second 
> line) fail:
> 
> dest_ip=* ssl_cert_name=ogre.crt ssl_key_name=ogre.key 
> ssl_ca_name=gd_bundle-g2-g1.crt
> dest_ip=* ssl_cert_name=mixed.crt ssl_key_name=mixed.key 
> ssl_ca_name=gd_bundle-g2-g1.crt


Also, if I remove the dest_ip=* from these lines, it still fails :-/.

— Leif

> 
> 
> If I flip the order, it fails as well. This is with OpenSSL v1.1.1, Bryan 
> mentioned that maybe this is related to the fixes that went in for v1.1.1a ?
> 
> Cheers
> 
> — leif
> 
> 
> 
>> 
>> On Sat, Dec 29, 2018, 1:50 PM Leif Hedstrom <zw...@apache.org> wrote:
>> 
>>> Hi,
>>> 
>>> I have a “play” server, which I upgraded recently to F29, and ATS is
>>> having issues with one of my certificates. It’s a cert with a wildcard for
>>> *.ogre.com, and this was working fine up until the upgrade to OpenSSL
>>> v1.1.1. The other certs work fine.
>>> 
>>> Doing a diagnostics, I see
>>> 
>>> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLNetVConnection.cc:1555
>>> (callHooks)> (ssl) callHooks sslHandshakeHookState=2 eventID=60204
>>> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLNetVConnection.cc:1647
>>> (callHooks)> (ssl) callHooks iterated to curHook=(nil)
>>> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:409 (PerformAction)>
>>> (ssl_sni) www.ogre.com not available in the map
>>> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:332
>>> (set_context_cert)> (ssl) set_context_cert ssl=0x7f62a654b000 server=
>>> www.ogre.com handshake_complete=0
>>> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:381
>>> (set_context_cert)> (ssl) ssl_cert_callback found SSL context
>>> 0x7f62a9150800 for requested name ‘www.ogre.com’
>>> 
>>> 
>>> At which point, it fails the TLS handshake (since www.ogre.com is not
>>> available in the map). I can see it loading the certificate though:
>>> 
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2181
>>> (SSLParseCertificateConfiguration)> (ssl) currently parsing dest_ip
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1636
>>> (SSLInitServerContext)> (ssl.session_cache) ssl context=0x7f62a9150800:
>>> using session cache options, enabled=2, size=102400, num_buckets=256,
>>> skip_on_contention=0, timeout=0, auto_clear=1
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1658
>>> (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with
>>> ATS implementation
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1672
>>> (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1844
>>> (SSLInitServerContext)> (ssl) Using 'ogre.crt' in hash for session id
>>> context
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1929
>>> (SSLInitServerContext)> (ssl) SSL OCSP Stapling is disabled
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1460
>>> (SSLCheckServerCertNow)> (ssl) server certificate ogre.crt passed
>>> accessibility and date checks
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLCertLookup.cc:184
>>> (ticket_block_create)> (ssl) Create 1 ticket key blocks
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2004
>>> (ssl_store_ssl_context)> (ssl) mapping '71.6.199.13' to certificate ogre.crt
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLCertLookup.cc:428
>>> (insert)> (ssl) indexed '4706c70d' with SSL_CTX 0x7f62a9150800 [0]
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2040
>>> (ssl_store_ssl_context)> (ssl) SSL OCSP Stapling is disabled
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2051
>>> (ssl_store_ssl_context)> (ssl) importing SNI names from ogre.crt
>>> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1505
>>> (ssl_index_certificate)> (ssl) mapping '*.ogre.com' to certificate
>>> ogre.crt
>>> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:418
>>> (insert)> (ssl) indexed '*.ogre.com' with SSL_CTX 0x7f62a9150800 [1]
>>> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1525
>>> (ssl_index_certificate)> (ssl) mapping 'ogre.com' to certificates ogre.crt
>>> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:428
>>> (insert)> (ssl) indexed 'ogre.com' with SSL_CTX 0x7f62a9150800 [2]
>>> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:2181
>>> (SSLParseCertificateConfiguration)> (ssl) currently parsing dest_ip
>>> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1636
>>> (SSLInitServerContext)> (ssl.session_cache) ssl context=0x7f62a9146000:
>>> using session cache options, enabled=2, size=102400, num_buckets=256,
>>> skip_on_contention=0, timeout=0, auto_clear=1
>>> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1658
>>> (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with
>>> ATS implementation
>>> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1672
>>> (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
>>> 
>>> 
>>> My ssl_multicert.config file has:
>>> 
>>> dest_ip=71.6.199.13 ssl_cert_name=ogre.crt ssl_key_name=ogre.key
>>> ssl_ca_name=gd_bundle-g2-g1.crt
>>> 
>>> 
>>> DNS for www.ogre.com points to the IP above:
>>> 
>>>       munin (12:42) 260/0 $ host www.ogre.com
>>>       www.ogre.com is an alias for cosmo.ogre.com.
>>>       cosmo.ogre.com has address 71.6.199.13
>>> 
>>> 
>>> Did we break wildcard matching?? Or did OpenSSL v1.1.1 do it?? The SN in
>>> the certificate is *.ogre.com.
>>> 
>>> Cheers,
>>> 
>>> — Leif
>>> 
>>> 
> 
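To make the failure mode in this thread concrete, here is an added example (my own illustration, not Apache Traffic Server code) of how an SNI name is resolved against certificates declared in ssl_multicert.config: names from each certificate's SAN list are indexed, an incoming server name is tried as an exact match, then as a one-label wildcard match, and only then does the lookup fall back to the dest_ip entry or the dest_ip=* default. The SAN lists, the mixed.example names, and the "first dest_ip=* line wins" rule are constructed assumptions; the two config lines are the ones quoted above.

```python
"""Model of an SNI -> certificate lookup built from ssl_multicert.config lines.

Added illustration only; the lookup order (exact name, one-label wildcard,
dest_ip, dest_ip=* default) and all SAN lists are assumptions, not ATS code.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CertEntry:
    cert: str
    key: str
    ca: Optional[str]
    names: list[str] = field(default_factory=list)  # names taken from the cert's SAN/CN


def parse_multicert_line(line: str) -> dict[str, str]:
    """Split one 'key=value key=value ...' config line into a dict."""
    fields: dict[str, str] = {}
    for token in shlex.split(line, comments=True):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"bad token {token!r} in line {line!r}")
        fields[key] = value
    return fields


class CertLookup:
    def __init__(self) -> None:
        self.exact: dict[str, CertEntry] = {}       # "www.ogre.com" -> entry
        self.wildcard: dict[str, CertEntry] = {}    # parent of "*.ogre.com" -> entry
        self.by_ip: dict[str, CertEntry] = {}       # dest_ip -> entry
        self.default: Optional[CertEntry] = None    # first dest_ip=* line (assumption)

    def insert(self, line: str, san_names: list[str]) -> CertEntry:
        """Index one config line; san_names stands in for reading the cert file."""
        f = parse_multicert_line(line)
        entry = CertEntry(f["ssl_cert_name"], f["ssl_key_name"], f.get("ssl_ca_name"))
        dest_ip = f.get("dest_ip", "*")
        if dest_ip == "*":
            if self.default is None:
                self.default = entry
        else:
            self.by_ip[dest_ip] = entry
        for name in san_names:
            name = name.lower()
            entry.names.append(name)
            if name.startswith("*."):
                self.wildcard.setdefault(name[2:], entry)   # "*.ogre.com" -> "ogre.com"
            else:
                self.exact.setdefault(name, entry)
        return entry

    def find(self, sni: Optional[str], dest_ip: Optional[str] = None) -> Optional[CertEntry]:
        """Resolve a handshake's SNI (and local address) to a certificate entry."""
        if sni:
            sni = sni.lower().rstrip(".")
            if sni in self.exact:
                return self.exact[sni]
            # RFC 6125 style: '*' covers exactly one leftmost label, so
            # "*.ogre.com" matches "www.ogre.com" but not "a.b.ogre.com" or "ogre.com".
            label, sep, parent = sni.partition(".")
            if sep and label and parent in self.wildcard:
                return self.wildcard[parent]
        if dest_ip and dest_ip in self.by_ip:
            return self.by_ip[dest_ip]
        return self.default


def build_example_table() -> CertLookup:
    """Constructed table using the two config lines from the thread; SAN lists assumed."""
    t = CertLookup()
    t.insert("dest_ip=71.6.199.13 ssl_cert_name=ogre.crt ssl_key_name=ogre.key "
             "ssl_ca_name=gd_bundle-g2-g1.crt", ["*.ogre.com", "ogre.com"])
    t.insert("dest_ip=* ssl_cert_name=mixed.crt ssl_key_name=mixed.key "
             "ssl_ca_name=gd_bundle-g2-g1.crt", ["mixed.example", "www.mixed.example"])
    return t


def served_cert(table: CertLookup, sni: Optional[str], dest_ip: Optional[str] = None) -> Optional[str]:
    """Return the certificate file the model would serve, or None if nothing matches."""
    entry = table.find(sni, dest_ip)
    return entry.cert if entry else None


if __name__ == "__main__":
    table = build_example_table()
    for name in ["www.ogre.com", "ogre.com", "a.b.ogre.com", "www.mixed.example", "unknown.test"]:
        print(f"{name:20} -> {served_cert(table, name)}")
    print(f"{'no SNI, by IP':20} -> {served_cert(table, None, '71.6.199.13')}")
```

The instructive case is a.b.ogre.com: the wildcard does not span labels, so without a matching dest_ip the request falls through to the dest_ip=* default, which is the kind of "not available in the map" miss the debug log above reports for www.ogre.com. To check what a real server actually serves for a given name, `openssl s_client -connect 71.6.199.13:443 -servername www.ogre.com` followed by `openssl x509 -noout -subject -ext subjectAltName` on its output shows the selected certificate and its SAN list.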
