Upgraded test in PR https://github.com/apache/trafficserver/pull/4751

On Fri, Jan 4, 2019 at 9:12 AM Susan Hinrichs <shinr...@oath.com> wrote:

> I added two more tests in the tls_check_cert_selection autest to exercise
> ssl_multicert with a specific dest_ip set in addition to the SNI select.
> That test passes for me with openssl-1.1.1a and the current master. It has
> previously failed for me with openssl-1.1.1 because the later cert
> selection does not work, so only the default certificate will ever be used.
>
> Leif, did upgrading to openssl-1.1.1a fix things for you?
>
> On Sat, Dec 29, 2018 at 5:41 PM SUSAN HINRICHS <shinr...@ieee.org> wrote:
>
>> If you use the non-default cert, you need 1.1.1a or the original 1.1.1
>> release with the fix.
>>
>> On Sat, Dec 29, 2018, 3:36 PM Leif Hedstrom <zw...@apache.org> wrote:
>>
>>> > On Dec 29, 2018, at 1:06 PM, SUSAN HINRICHS <shinr...@ieee.org> wrote:
>>> >
>>> > Hmm. We run with that configuration with our 7.1.x+. I will try to
>>> > write a test case for master.
>>>
>>> It seems to be related to the dest_ip=1.2.3.4, not the actual wild card.
>>> If I change it to dest_ip=*, then it works for the first rule but not the
>>> second. E.g. this works for www.ogre.com, but then other sites (matching
>>> the second line) fail:
>>>
>>> dest_ip=* ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=gd_bundle-g2-g1.crt
>>> dest_ip=* ssl_cert_name=mixed.crt ssl_key_name=mixed.key ssl_ca_name=gd_bundle-g2-g1.crt
>>>
>>> If I flip the order, it fails as well. This is with OpenSSL v1.1.1; Bryan
>>> mentioned that maybe this is related to the fixes that went in for v1.1.1a?
>>>
>>> Cheers
>>>
>>> — leif
>>>
>>> > On Sat, Dec 29, 2018, 1:50 PM Leif Hedstrom <zw...@apache.org> wrote:
>>> >
>>> >> Hi,
>>> >>
>>> >> I have a “play” server, which I upgraded recently to F29, and ATS is
>>> >> having issues with one of my certificates. It’s a cert with a wildcard
>>> >> for *.ogre.com, and this was working fine up until the upgrade to
>>> >> OpenSSL v1.1.1. The other certs work fine.
>>> >>
>>> >> Doing diagnostics, I see
>>> >>
>>> >> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLNetVConnection.cc:1555 (callHooks)> (ssl) callHooks sslHandshakeHookState=2 eventID=60204
>>> >> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLNetVConnection.cc:1647 (callHooks)> (ssl) callHooks iterated to curHook=(nil)
>>> >> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:409 (PerformAction)> (ssl_sni) www.ogre.com not available in the map
>>> >> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:332 (set_context_cert)> (ssl) set_context_cert ssl=0x7f62a654b000 server=www.ogre.com handshake_complete=0
>>> >> [Dec 29 11:42:39.856] [ET_NET 2] DEBUG: <SSLUtils.cc:381 (set_context_cert)> (ssl) ssl_cert_callback found SSL context 0x7f62a9150800 for requested name 'www.ogre.com'
>>> >>
>>> >> At which point, it fails the TLS handshake (since www.ogre.com is not
>>> >> available in the map). I can see it loading the certificate though:
>>> >>
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2181 (SSLParseCertificateConfiguration)> (ssl) currently parsing dest_ip
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1636 (SSLInitServerContext)> (ssl.session_cache) ssl context=0x7f62a9150800: using session cache options, enabled=2, size=102400, num_buckets=256, skip_on_contention=0, timeout=0, auto_clear=1
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1658 (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS implementation
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1672 (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1844 (SSLInitServerContext)> (ssl) Using 'ogre.crt' in hash for session id context
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1929 (SSLInitServerContext)> (ssl) SSL OCSP Stapling is disabled
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1460 (SSLCheckServerCertNow)> (ssl) server certificate ogre.crt passed accessibility and date checks
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLCertLookup.cc:184 (ticket_block_create)> (ssl) Create 1 ticket key blocks
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2004 (ssl_store_ssl_context)> (ssl) mapping '71.6.199.13' to certificate ogre.crt
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLCertLookup.cc:428 (insert)> (ssl) indexed '4706c70d' with SSL_CTX 0x7f62a9150800 [0]
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2040 (ssl_store_ssl_context)> (ssl) SSL OCSP Stapling is disabled
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:2051 (ssl_store_ssl_context)> (ssl) importing SNI names from ogre.crt
>>> >> [Dec 29 11:42:36.794] traffic_server DEBUG: <SSLUtils.cc:1505 (ssl_index_certificate)> (ssl) mapping '*.ogre.com' to certificate ogre.crt
>>> >> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:418 (insert)> (ssl) indexed '*.ogre.com' with SSL_CTX 0x7f62a9150800 [1]
>>> >> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1525 (ssl_index_certificate)> (ssl) mapping 'ogre.com' to certificates ogre.crt
>>> >> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLCertLookup.cc:428 (insert)> (ssl) indexed 'ogre.com' with SSL_CTX 0x7f62a9150800 [2]
>>> >> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:2181 (SSLParseCertificateConfiguration)> (ssl) currently parsing dest_ip
>>> >> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1636 (SSLInitServerContext)> (ssl.session_cache) ssl context=0x7f62a9146000: using session cache options, enabled=2, size=102400, num_buckets=256, skip_on_contention=0, timeout=0, auto_clear=1
>>> >> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1658 (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS implementation
>>> >> [Dec 29 11:42:36.795] traffic_server DEBUG: <SSLUtils.cc:1672 (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
>>> >>
>>> >> My multicast.config file has:
>>> >>
>>> >> dest_ip=71.6.199.13 ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=gd_bundle-g2-g1.crt
>>> >>
>>> >> DNS for www.ogre.com points to the IP above:
>>> >>
>>> >> munin (12:42) 260/0 $ host www.ogre.com
>>> >> www.ogre.com is an alias for cosmo.ogre.com.
>>> >> cosmo.ogre.com has address 71.6.199.13
>>> >>
>>> >> Did we break wildcard matching?? Or did OpenSSL v1.1.1 do it?? The SN in
>>> >> the certificate is *.ogre.com.
>>> >>
>>> >> Cheers,
>>> >>
>>> >> — Leif
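The thread turns on which certificate an ssl_multicert.config rule set is supposed to hand out for a given (SNI, destination IP) pair: the specific-IP rule, the two dest_ip=* rules, and the wildcard *.ogre.com names that the debug log shows being indexed. The script below is an added example, not Traffic Server code and not something any participant in the thread posted. It parses the config lines quoted in the thread, indexes them the way the log lines show (dest_ip as the hex of the packed address, so 71.6.199.13 becomes '4706c70d'; the wildcard name plus the bare apex imported from the certificate), and resolves lookups so the intended selection can be compared with what a live server actually presents. Everything about ordering is an assumption made explicit in the code: lookup goes SNI exact, then SNI wildcard (matching exactly one leftmost label), then dest_ip, then the dest_ip=* default, with the first rule winning on duplicate keys. The certificate names are a constructed table standing in for what ATS would read out of ogre.crt and mixed.crt; the mixed.crt names are invented for illustration.

```python
"""Model of ssl_multicert.config certificate selection (added example, not ATS code).

Assumptions, not facts from the thread: lookup order is SNI exact -> SNI wildcard
-> dest_ip -> default (dest_ip=*); a wildcard matches exactly one leftmost label;
on a duplicate key the first rule wins; certificate names come from the
constructed CERT_NAMES table instead of being parsed from PEM files.
"""
import ipaddress
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the names ATS reads out of each certificate file
# ("importing SNI names from ogre.crt" in the log). mixed.crt's names are invented.
CERT_NAMES: Dict[str, List[str]] = {
    "ogre.crt": ["*.ogre.com"],
    "mixed.crt": ["www.example.net", "example.net"],
}

# The two configurations quoted in the thread.
LEIF_CONFIG = (
    "dest_ip=71.6.199.13 ssl_cert_name=ogre.crt ssl_key_name=ogre.key "
    "ssl_ca_name=gd_bundle-g2-g1.crt\n"
)
TWO_DEFAULTS = (
    "dest_ip=* ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=gd_bundle-g2-g1.crt\n"
    "dest_ip=* ssl_cert_name=mixed.crt ssl_key_name=mixed.key ssl_ca_name=gd_bundle-g2-g1.crt\n"
)


def parse_multicert(text: str) -> List[Dict[str, str]]:
    """Parse ssl_multicert.config lines (key=value tokens, '#' comments) into rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        rule: Dict[str, str] = {}
        for token in shlex.split(line):
            if "=" not in token:
                raise ValueError(f"bad token {token!r} in line {raw!r}")
            key, value = token.split("=", 1)
            rule[key] = value
        if "ssl_cert_name" not in rule:
            raise ValueError(f"rule without ssl_cert_name: {raw!r}")
        rules.append(rule)
    return rules


def ip_index_key(ip: str) -> str:
    """Hex of the packed address: 71.6.199.13 -> '4706c70d', matching the log's index key."""
    return ipaddress.ip_address(ip).packed.hex()


class CertLookup:
    """Index rules the way the debug log shows, then resolve (SNI, local IP) pairs."""

    def __init__(self, rules: List[Dict[str, str]]) -> None:
        self.by_ip: Dict[str, str] = {}
        self.by_name: Dict[str, str] = {}
        self.by_wildcard: Dict[str, str] = {}  # 'ogre.com' -> cert for '*.ogre.com'
        self.default: Optional[str] = None
        for rule in rules:
            cert = rule["ssl_cert_name"]
            dest_ip = rule.get("dest_ip", "*")
            if dest_ip == "*":
                if self.default is None:  # assumption: first dest_ip=* is the default
                    self.default = cert
            else:
                self.by_ip.setdefault(ip_index_key(dest_ip), cert)
            for name in CERT_NAMES.get(cert, []):
                name = name.lower()
                if name.startswith("*."):
                    # The log maps both '*.ogre.com' and the apex 'ogre.com'.
                    self.by_wildcard.setdefault(name[2:], cert)
                    self.by_name.setdefault(name[2:], cert)
                else:
                    self.by_name.setdefault(name, cert)

    def find(self, sni: Optional[str], local_ip: str) -> Tuple[Optional[str], str]:
        """Return (certificate file, how it was chosen) or (None, 'none')."""
        if sni:
            sni = sni.lower().rstrip(".")
            if sni in self.by_name:
                return self.by_name[sni], "sni"
            head, _, parent = sni.partition(".")
            if head and parent in self.by_wildcard:  # one-label wildcard match
                return self.by_wildcard[parent], "wildcard"
        key = ip_index_key(local_ip)
        if key in self.by_ip:
            return self.by_ip[key], "dest_ip"
        if self.default is not None:
            return self.default, "default"
        return None, "none"


def resolve(config_text: str, sni: Optional[str], local_ip: str) -> Tuple[Optional[str], str]:
    """Convenience wrapper: parse, index and look up in one call."""
    return CertLookup(parse_multicert(config_text)).find(sni, local_ip)


if __name__ == "__main__":
    for label, cfg in (("specific dest_ip", LEIF_CONFIG), ("two dest_ip=*", TWO_DEFAULTS)):
        print(f"== {label} ==")
        for sni, ip in (("www.ogre.com", "71.6.199.13"), ("a.b.ogre.com", "71.6.199.13"),
                        ("www.example.net", "10.0.0.1"), (None, "10.0.0.1")):
            print(f"  sni={sni!s:16} ip={ip:12} -> {resolve(cfg, sni, ip)}")
```

To compare the model's answer with what a running proxy actually hands out, connect with the SNI you care about and inspect the leaf certificate, e.g. `openssl s_client -connect 71.6.199.13:443 -servername www.ogre.com </dev/null | openssl x509 -noout -subject -ext subjectAltName`; a mismatch between the expected file and the presented subject is the symptom described in the thread, and repeating the check after an OpenSSL upgrade tells you whether the library, rather than the configuration, was at fault.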