[ https://issues.apache.org/jira/browse/TS-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14055056#comment-14055056 ]

Sudheer Vinukonda edited comment on TS-2924 at 7/8/14 4:03 PM:
---------------------------------------------------------------

While it may be desirable to have ATS support a configurable cipher list for the
client context, as far as I understand, the root cause for the second case (TLS
connection hang) is not related to whether the origin supports the latest SSL
protocols. The issue is mainly caused by some origins not correctly handling
long Client Hello messages. Disabling TLS may help in most cases, but the
issue may still happen if SNI is used and the origin's hostname is long enough.

For more details - 

https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2771

OpenSSL seems to have a fix for this issue:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0467ea686244

was (Author: sudheerv):
While it may be desirable to have ATS support a configurable cipher list for the
client context, as far as I understand, the root cause for this particular
issue is not related to whether the origin supports the latest SSL protocols. The
issue is mainly caused by some origins not correctly handling long Client Hello
messages. Disabling TLS may help in most cases, but the issue may still happen
if SNI is used and the origin's hostname is long enough.

For more details - 

https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2771

OpenSSL seems to have a fix for this issue:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0467ea686244

> Configurable client's ssl protocols and cipher suite
> ----------------------------------------------------
>
>                 Key: TS-2924
>                 URL: https://issues.apache.org/jira/browse/TS-2924
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: Wei Sun
>              Labels: yahoo
>
> A few old origins cannot support the latest SSL protocols well; ATS is
> expected to be able to configure a dedicated cipher suite and protocols for the SSL
> client context.
> {code}
> e.g. Enable SSLv3/TLSv1/TLSv1_1/TLSv1_2
> map http://foo1.com https://www.bankadviser.com/scbteod/scbteod_logo.GIF
> map http://foo2.com https://applications.bancopopular.com/images/emails/fb-share-button.jpg
> curl -H 'Host: foo1.com' http://localhost:8080/  -v // failed to setup ssl connection to origin
> curl -H 'Host: foo2.com' http://localhost:8080/  -v // SSL connection hang
> {code}
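The long-Client-Hello failure mode discussed in the comment above, as an added example that is not code from Traffic Server or OpenSSL: a minimal ClientHello builder that shows how the cipher list and the SNI hostname together decide the message length, plus a re-implementation of the padding-extension workaround the linked OpenSSL commit introduced. The hostnames and cipher lists are constructed; the 256..511 byte problem range and the 512-byte padding target come from the OpenSSL ticket and fix, not from this page.

```python
import struct

TLSEXT_TYPE_SERVER_NAME = 0
TLSEXT_TYPE_PADDING = 21          # extension type used by the OpenSSL workaround

def build_client_hello(hostname: str, cipher_suites: list) -> bytes:
    """Minimal TLS 1.2 ClientHello handshake message: 4-byte handshake header
    included, 5-byte record header excluded. Constructed for illustration."""
    body = b"\x03\x03" + bytes(32) + b"\x00"   # version, all-zero random, empty session id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    host = hostname.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni = struct.pack("!H", len(sni_list)) + sni_list
    ext = struct.pack("!HH", TLSEXT_TYPE_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(ext)) + ext  # extensions block (SNI only)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def _extensions_offset(hello: bytes) -> int:
    """Offset of the 2-byte extensions-length field within the message."""
    off = 4 + 2 + 32                                         # header, version, random
    off += 1 + hello[off]                                    # session id
    off += 2 + struct.unpack("!H", hello[off:off + 2])[0]    # cipher suites
    return off + 1 + hello[off]                              # compression methods

def extensions_length(hello: bytes) -> int:
    off = _extensions_offset(hello)
    return struct.unpack("!H", hello[off:off + 2])[0]

def in_problem_range(hello: bytes) -> bool:
    """256..511 bytes: the ClientHello sizes the linked OpenSSL ticket reports
    some origins failing on, which matches the 'connection hang' symptom."""
    return 0xFF < len(hello) < 0x200

def pad_client_hello(hello: bytes) -> bytes:
    """OpenSSL-style workaround: append a zero-filled padding extension so the
    handshake message grows to 512 bytes and leaves the problem range."""
    if not in_problem_range(hello):
        return hello
    pad_len = max(0x200 - len(hello) - 4, 0)  # 4 = padding extension header
    padding = struct.pack("!HH", TLSEXT_TYPE_PADDING, pad_len) + bytes(pad_len)
    off = _extensions_offset(hello)
    new_ext_len = struct.pack("!H", extensions_length(hello) + len(padding))
    body = hello[4:off] + new_ext_len + hello[off + 2:] + padding
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

With one cipher suite and a short hostname the message stays well under 256 bytes, so trimming the cipher list is what usually helps; a 63-character SNI hostname combined with a long cipher list lands inside the range, which is the case the comment warns still breaks.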

--
This message was sent by Atlassian JIRA
(v6.2#6252)