On Wed, Jul 23, 2014 at 08:26:39AM -0700, Bryan Call wrote:
>
> Below is our announcement for the security issue reported to us from
> Yahoo! Japan. All versions of Apache Traffic Server are vulnerable.
Is there any information available about this problem, so that we can make
a judgement on c
RHEL/Fedora builds:
v5.0.1:
---
Rawhide http://koji.fedoraproject.org/koji/taskinfo?taskID=7188293
Fedora-21 http://koji.fedoraproject.org/koji/taskinfo?taskID=7188299
EPEL-7 http://koji.fedoraproject.org/koji/taskinfo?taskID=7188304
EPEL-6 http://koji.fedorapro
On Wed, Jun 04, 2014 at 11:28:07AM +0200, Jean Baptiste Favre wrote:
> Hello,
> Each VM has 4GB memory.
>
> traffic_line -r proxy.config.cache.ram_cache.size gives 2147483648
I would consider increasing proxy.config.cache.ram_cache.size to at
least 3GB on your 4GB VMs. Assuming ATS will have bett
How much memory does the VM have? How much
proxy.config.cache.ram_cache.size have you given it? How much data are
you caching? How much is delivered to clients ?
-jf
On Thu, Dec 05, 2013 at 11:53:59PM +, Igor Galić wrote:
>
> The artefacts are available for download at
>
> http://people.apache.org/~igalic/releases/
>
> -rw-r--r-- 1 igalic igalic 6358857 Dec 5 22:19
> trafficserver-4.1.2-rc0.tar.bz2
> -rw-r--r-- 1 igalic igalic 836 Dec 5 22
On Sun, Nov 10, 2013 at 01:26:32PM +, Igor Galić wrote:
>
> Inspired by PostgreSQL's move[1][2], I've been considering to
> go down the road of offering (at least) RPM and Deb packages*
> for CentOS/Fedora, Debian/Ubuntu of the latest supported
> Apache Traffic Server releases.
Why not use th
On Fri, Jul 12, 2013 at 08:50:40PM +, Igor Galić wrote:
>
> is anyone who's actively using 3.2.x still doing tests?
Sorry, it's vacation time here.. so I haven't had time to build/test it.
> Do you *want* a new 3.2.x release? Or are you all looking
> for a stable 3.4.x?
I don't know if we'
Successful builds for:
rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=4886118
fedora-18: http://koji.fedoraproject.org/koji/taskinfo?taskID=4886128
fedora-17: http://koji.fedoraproject.org/koji/taskinfo?taskID=4886131
fedora-16: http://koji.fedoraproject.org/koji/taskinfo?taskID=48861
+1
Builds and runs fine on my RHEL6 lab-servers.
-jf
On Sun, Oct 14, 2012 at 6:56 AM, James Peach wrote:
>>
>> Sorry, but I'm still getting the same failure with the respun 3.2.3...
>
> Thanks for testing this Jan-Frode. I filed this as
> https://issues.apache.org/jira/browse/TS-1526, pushed a fix to master, and
> proposed it for 3.2.3.
>
a9874cb
On Sat, Oct 13, 2012 at 5:33 PM, Igor Galić wrote:
>
> That change is in the re-spin of the tar balls.
>
Sorry, but I'm still getting the same failure with the respun 3.2.3...
[janfrode@stl1 ~]$ curl -v -v https://webint.example.net/
* About to connect() to webint.example.net port 443
* Tryin
On Sat, Oct 13, 2012 at 12:04 PM, Igor Galić wrote:
>
> I'd like to point out again that the reported SSL failures were due to
> old versions of curl.
>
It's not just the old curl that's failing. That's just an easy utility
to demonstrate the problem. Our jboss applications (Java 1.6) also
fail
On Fri, Oct 12, 2012 at 5:16 PM, James Peach wrote:
>
> That looks perfectly reasonable. What does webint.example.net resolve to on
> the client? Can you show me the result of "curl -v -v"?
>
After running the output through "sed 's/readldomain/example.net/g'".
All names are in public dns, and c
On Fri, Oct 12, 2012 at 12:53 AM, James Peach wrote:
>
> What's your SSL configuration look like? What are your certificates?
>
ssl_multicert.config:
dest_ip=81.167.37.99
ssl_cert_name=/etc/pki/tls/certs/star.webint.example.no.crt
ssl_key_name=/etc/pki/tls/private/star.webint.example.no.key
ssl
Builds and works for RHEL6/x86_64, but I'm again getting ssl handshake
failure from curl.. Suspect maybe TS-1484 broke the fix for TS-1392 ..
?
[janfrode@stl1 ~]$ curl https://webint.example.net/
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure
-jf
On Fri, Sep 21, 2012 at 8:26 PM, Igor Galić wrote:
>
>
> Please take a look at the 3.2.x STATUS page, as well as Jira,
> in case there's anything else you'd like to get into these
> releases. I've already started merging the accepted patches.
>
I'd very much like to see the fix for TS-1484 in 3.2
On Wed, Sep 19, 2012 at 6:43 AM, James Peach wrote:
>
> That's crashing in SSL_CTX_set_tlsext_servername_callback. I bet it's some
> bad mojo happening because we end up using a global SSL context from multiple
> threads. Can you please file a bug?
>
Reported in TS-1484. Any other data I shoul
On Tue, Sep 18, 2012 at 11:39 PM, James Peach wrote:
> On 18/09/2012, at 1:52 PM, Jan-Frode Myklebust wrote:
>
>> On Tue, Sep 18, 2012 at 3:02 PM, Igor Galić wrote:
>>>
>>> Yeh. We'll need to back-port the fix to not ALWAYS assume SNI for
>>> all S
On Tue, Sep 18, 2012 at 3:02 PM, Igor Galić wrote:
>
> Yeh. We'll need to back-port the fix to not ALWAYS assume SNI for
> all SSL connections, since not quite all browsers support that yet
>
> @James, can you please do the proposal, kthnxby
>
>> -jf
This is already in the CHANGES/PATCHES ACCEP
We're running v3.2.0 + 5ec4fb5eff9f5c1e2dc82e187bdd8d5f02080512 (to
fix TS-1392), and when also applying
8586b8ec6d6e934233fc195a4f35944cea1d85a4 it looks like it breaks the fix
for TS-1392. I.e. everything works fine in a modern browser, but wget
fails with:
OpenSSL: error:14077410:SSL routines:SSL23
Ok, I see.. Thanks! I'm now building 3.2.0 with
8586b8ec6d6e934233fc195a4f35944cea1d85a4 and will install that on our
traffic servers to see if the problem goes away. Will report back if
it fixes it or not.
-jf
My stack trace looks *very* similar to the one in TS-1276.
-jf
BTW, I do also have these in my records.config:
CONFIG proxy.config.http.server_ports STRING 80:ipv4 80:ipv6
443:ipv4:ssl 443:ipv6:ssl
CONFIG proxy.config.ssl.number.threads INT 0
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG pro
> This looks a bit like https://issues.apache.org/jira/browse/TS-1198.
I saw TS-1198, but believe my certificates are *not* missing..
% grep ^dest_ip /etc/trafficserver/ssl_multicert.config
dest_ip=109.247.114.202
ssl_cert_name=/etc/pki/tls/certs/STAR_services_EXAMPLE_net.crt
ssl_key_name=/etc/pk
Found a few of these in traffic.out:
NOTE: Traffic Server received Sig 11: Segmentation fault
/usr/bin/traffic_server - STACK TRACE:
/lib64/libpthread.so.0(+0xf500)[0x2b0bc33aa500]
/usr/lib64/libssl.so.10(SSL_CTX_callback_ctrl+0x5)[0x2b0bc3e55425]
/usr/bin/traffic_server(_ZN17SSLNetVConnection17ss
I'm struggling with getting core-dumps for some crashes we're seeing
with ATS 3.2.0 (+TS-1392 patch). What we're seeing is this logged in
"dmesg":
[ET_SSL 5][29708]: segfault at 0 ip 2b7b94f14425 sp
2b7ba4eadb88 error 4 in libssl.so.1.0.0[2b7b94edf000+53000]
and traffic.out saying:
[Sep
On Mon, Aug 06, 2012 at 09:20:51AM -, Igor Galić wrote:
> > Ref: https://issues.apache.org/jira/browse/TS-1392
> >
> > It seems like ATS v3.2.0 requires a Server Name Indication (SNI) to
> > do
> > SSL termination. We use wildcard certs, and don't need/want SNI, so
> > is
> > there some way to
Ref: https://issues.apache.org/jira/browse/TS-1392
It seems like ATS v3.2.0 requires a Server Name Indication (SNI) to do
SSL termination. We use wildcard certs, and don't need/want SNI, so is
there some way to turn off SNI to get broader client support for our
services?
-jf
FYI: I plan on upgrading ATS in EPEL and Fedora to v3.2.0 in a couple of
weeks, unless someone protests. This upgrade might not be completely
transparent, ref:
https://cwiki.apache.org/confluence/display/TS/Upgrading+to+3.2
so when upgrading one might need to change a couple of configurat
On Tue, Jun 19, 2012 at 03:28:44PM -0700, Brian Geffon wrote:
> Can you provide any more information about your setup? About the
> content being cached, and so on... Thanks!
It's a trivial personal server, with only static content proxied to
apache httpd on port 8080. Only thing a little special i
On Tue, Jun 19, 2012 at 03:38:52PM -0600, Leif Hedstrom wrote:
>
> With 8 +1 votes (4 binding), and no -1's or 0's, this vote passes.
> I'll push the bits to dist soon.
Great!
BTW: are there any upgrade instructions between 3.0 and 3.2, or summary
about important changes between these ?
-jf
On Thu, Jun 14, 2012 at 07:54:09PM -0600, Leif Hedstrom wrote:
>
> I've prepared a release for v3.2.0, this release has no significant
> changes compared to v3.1.4.
+1
Works fine for me on RHEL6/x86_64.
-jf
On Tue, Jun 19, 2012 at 06:41:46AM -0600, Leif Hedstrom wrote:
>
> Does it happen with trunk or 3.1.4?
>
I now tested the 3.2.0 release candidate, and can't trigger the problem
with that version.
-jf
On Tue, Jun 19, 2012 at 06:41:46AM -0600, Leif Hedstrom wrote:
>
> Seems to be the same stack trace Kendo reported last week.
> Is this a regression from 3.0.5?
I have seen some crashes just after starting ATS with earlier releases
also, but then it didn't automatically restart:
http://
On Tue, Jun 19, 2012 at 10:41:54AM +0200, Jan-Frode Myklebust wrote:
> On Mon, Jun 18, 2012 at 09:39:37AM -0700, Brian Geffon wrote:
> > Can you provide a stack trace?
>
> Maybe, if you could give me some instructions for how.. I tried getting
> it to dump core, but unsucce
On Mon, Jun 18, 2012 at 09:39:37AM -0700, Brian Geffon wrote:
> Can you provide a stack trace?
Maybe, if you could give me some instructions for how.. I tried getting
it to dump core, but unsuccessfully...
-jf
ATS 3.0.5 on RHEL6 seems to segfault reliably when I press reload on the
same page a few times in my browser. This is the build I'm using:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6110/trafficserver-3.0.5-1.el6
Would be great if someone else could confirm this problem.
T
On Fri, Jun 08, 2012 at 01:29:08PM -0600, Leif Hedstrom wrote:
> I'd like to suggest that starting with v3.3.0, we make our
> development releases named e.g.
>
> trafficserver-3.3.0-dev
On a related note.. it would be nice if the release candidates could be
tagged as release candidates (traff
On Thu, May 31, 2012 at 01:44:40PM -0700, Brian Geffon wrote:
>
> We've prepared a package for a v3.0.5 release. Please take a look at
> the artifacts, check the STATUS/README/CHANGES files, and do builds
> and tests. After finishing your examination of the release candidate,
> please cast your ±/
On Sat, May 12, 2012 at 08:08:11PM -0600, Leif Hedstrom wrote:
>
> If we decide not to reroll to fix OSX/clang, I'm +1 on this release,
> it works on FC16 64-bit for me (with gcc).
Fails for me, triggering internal compiler error:
http://koji.fedoraproject.org/koji/getfile?taskID=4073944
On Fri, May 11, 2012 at 11:14:24PM -0700, Brian Geffon wrote:
> Hey Igor,
> What do you think we should do, should we bail on this 3.0.5 RC and
> get TS-1116 fully in and try a new 3.0.5 RC? Considering we have only
> 2 +1s at the moment that might not be a terrible idea in my opinion..
It would b
What systemd security features should be used for ats?
Ref:
http://0pointer.de/blog/projects/security.html
I would suggest:
o "PrivateTmp=yes" to give the service a private /tmp.
o "InaccessibleDirectories=/home /root /boot" to completely
hide these.
o "ReadOnlyDirectories=/
On Fri, Mar 23, 2012 at 01:53:06PM -0700, Brian Geffon wrote:
> What version of g++ are you using?
This build is happening on fedora's build system, so I have no shell on the
box.., but I believe it should be v4.7. It's been out for hours now, so
you're expected to support it ;-)
http://
ATS 3.0.4 fails to build on fedora 17.
Ref:
http://koji.fedoraproject.org/koji/getfile?taskID=3927725&name=build.log
g++ -DHAVE_CONFIG_H -I. -I../../lib/ts -I../../iocore/eventsystem
-I../../iocore/net -I../../iocore/aio -I../../iocore/hostdb
-I../../iocore/cache -I../../iocore/cluster -I../.
ATS is finally heading for Fedora/EPEL. I would much appreciate anybody
testing and giving feedback on the following builds.
https://admin.fedoraproject.org/updates/trafficserver-3.0.4-1.el6
https://admin.fedoraproject.org/updates/trafficserver-3.0.4-1.fc15
https://admin.f
---
configure.ac|1 +
rc/trafficserver.service.in | 13 +
2 files changed, 14 insertions(+), 0 deletions(-)
create mode 100644 rc/trafficserver.service.in
diff --git a/configure.ac b/configure.ac
index 63484ce..5d1b777 100644
--- a/configure.ac
+++ b/configure.a
On Sun, Mar 18, 2012 at 07:37:01PM -, Igor Galić wrote:
>
> I'd put it in rc/ -- like the others.
> And I'd make it a Makefile.am target to replace
>
> > > +EnvironmentFile=-/etc/sysconfig/trafficserver
> > > +PIDFile=/var/run/trafficserver/cop.pid
> > > +ExecStart=/usr/bin/traffic_cop $TC_DA
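Review bot: The PIDFile= and ExecStart= lines hardcode /var/run/trafficserver/cop.pid and /usr/bin/traffic_cop, so the unit is only correct for a build installed under /usr with that runtime directory. Since the file is headed for rc/ next to the other templated init scripts, generate it from a template so both paths follow the configured install prefix. The leading "-" on EnvironmentFile= makes a missing /etc/sysconfig/trafficserver non-fatal, which leaves the variable on the ExecStart line empty in that case; a short comment in the unit saying the variable is optional would make that intent explicit.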
---
contrib/trafficserver.service | 13 +
1 files changed, 13 insertions(+), 0 deletions(-)
create mode 100644 contrib/trafficserver.service
diff --git a/contrib/trafficserver.service b/contrib/trafficserver.service
new file mode 100644
index 000..7edf9c8
--- /dev/null
+++ b/co
On Tue, Feb 21, 2012 at 03:11:09PM -0600, Alan M. Carroll wrote:
> In my testing, ATS 3.1.2 supports IPv6 traffic. If anyone else could test
> that and provide feedback, that would be useful.
>
Is SSL termination on IPv6 supported in this release ?
-jf
FYI: my unofficial rpms for it have been updated to this release:
http://blag.tanso.net/code/ats/v3.1.1-0.1.unstable/
-jf
On Thu, Aug 25, 2011 at 08:21:25AM -0600, Leif Hedstrom wrote:
>
> I'm not sure that will happen, we label it -unstable for a reason
> (it's a developer release, things will change / break as we make
> changes :). But, if it's a serious issue, lets start the discussion
> on a separate thread.
>
On Thu, Aug 25, 2011 at 02:44:56PM +0200, Jan-Frode Myklebust wrote:
>
> The package name is a bit strange, and causes some problems for RPM
> packaging. It would be great if the "-unstable" string be dropped
> so that it works with the same RPM specfile as for v3.0.x and
On Mon, Aug 22, 2011 at 09:15:19AM -0600, Leif Hedstrom wrote:
>
> I've prepared a package for a v3.1.0 release. Please take a look at
> the artifacts, check the STATUS/README/CHANGES files, and do builds
> and tests. After finishing your examination of the release
> candidate, please cast your ±/
On Tue, Jul 19, 2011 at 08:35:16AM -0600, Leif Hedstrom wrote:
> Is there a bug filed for this?
There is now:
https://issues.apache.org/jira/browse/TS-885
-jf
FYI: I'm working on getting ATS into fedora/epel. There's a review
process going on in bugzilla. I believe this should be close to
finished (I just returned from vacation, and will continue pushing this
forward ASAP):
https://bugzilla.redhat.com/show_bug.cgi?id=683463
If anybody wants to
---
rc/trafficserver.in |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rc/trafficserver.in b/rc/trafficserver.in
index 6582984..fc892eb 100644
--- a/rc/trafficserver.in
+++ b/rc/trafficserver.in
@@ -398,7 +398,7 @@ case "$1" in
;;
condrestart)
if [ "$DISTRIB_I
I've been lurking since ATS was announced, and am still waiting for a
proper stable release. I work for an ISP, and would like to use ATS
for various proxies and caches, but can't run an "unstable" release
and I can't set up a new platform without IPv6 support. Therefore
we're still rolling out s