Uploaded image for project: 'Traffic Server'
  1. Traffic Server
  2. TS-2569

ssl options are ignored if ssl_multicert.config does not contain an entry with dest_ip=*

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 4.2.0, 5.0.0
    • SSL
    • None

    Description

      We discovered that the proxy.config.ssl.server.honor_cipher_order=1 setting was not working correctly. After investigating it was determined that if you do not have a dest_ip=* in the ssl_multicert.config file then the server cipher order setting will not be honored.

      ssl_multicert.config
      dest_ip=192.168.214.131 ssl_cert_name=cert.pem

      records.config
      CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!NULL
      CONFIG proxy.config.ssl.server.honor_cipher_order INT 1

      Result (client selection is honored):
      % echo | openssl s_client -connect 192.168.214.131:443 -cipher 'AES128-SHA:RC4-SHA' 2>&1 | grep 'Cipher is'
      New, TLSv1/SSLv3, Cipher is AES128-SHA
      % echo | openssl s_client -connect 192.168.214.131:443 -cipher 'RC4-SHA:AES128-SHA' 2>&1 | grep 'Cipher is'
      New, TLSv1/SSLv3, Cipher is RC4-SHA

      Attachments

        1. TS-2569_4.2.patch
          8 kB
          Ron Barber
        2. TS-2569.patch
          8 kB
          Ron Barber

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. TS-2402 SSL v3 is disabled

          • Major - Major loss of function.
          • Closed

          Activity

            People

              rwbarber2 Ron Barber
              rwbarber2 Ron Barber
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: