[ https://issues.apache.org/jira/browse/TS-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14055888#comment-14055888 ]

Wei Sun edited comment on TS-2924 at 7/9/14 6:18 AM:
-----------------------------------------------------

Actually, for the second case, there's no need to disable an ssl protocol when a 
dedicated shorter cipher suite is given. We have to disable tls1_1 and tls1_2 to fix 
the first issue. After disabling some protocols, the ats client and origin are still 
able to negotiate an agreeable protocol: the lower of the one suggested by ats in 
the client hello and the highest supported by the origin will be chosen, and the 
protocols are compatible. 
For the openssl workarounds, the default fix I 
(https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4fcdd66fff5fea0cfa1055c6680a76a4303f28a2;hp=102302b05b2ea9c46a29be8a1451b7d1d6e3aa78)
 doesn't fix the second hang issue; workaround II 
(https://github.com/openssl/openssl/commit/89bd25eb26bbc2ebceb4cd892e7453337804820c)
 is to chop the supported ciphers, which I think is even worse than a preferred 
cipher suite. 


was (Author: sunwei):
Actually, for the second case, there's no need to disable an ssl protocol when a 
dedicated shorter cipher suite is given. We have to disable tls1_1 and tls1_2 to fix 
the first issue. After disabling some protocols, the ats client and origin are still 
able to negotiate an agreeable protocol: the lower of the one suggested by ats in 
the client hello and the highest supported by the origin will be chosen, and the 
protocols are compatible. And the default workaround I 
(https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4fcdd66fff5fea0cfa1055c6680a76a4303f28a2;hp=102302b05b2ea9c46a29be8a1451b7d1d6e3aa78)
 in openssl doesn't fix the second hang issue; workaround II 
(https://github.com/openssl/openssl/commit/89bd25eb26bbc2ebceb4cd892e7453337804820c)
 is just to chop the supported ciphers, which I think is even worse than a 
preferred cipher suite. 

> Configurable client's ssl protocols and cipher suite
> ----------------------------------------------------
>
>                 Key: TS-2924
>                 URL: https://issues.apache.org/jira/browse/TS-2924
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: Wei Sun
>              Labels: yahoo
>
> A few old origins cannot support the latest ssl protocols well; ats is 
> expected to be able to configure a dedicated cipher suite and protocols for the 
> SSL client context.
> {code}
> e.g. Enable SSLv3/TLSv1/TLSv1_1/TLSv1_2
> map http://foo1.com https://www.bankadviser.com/scbteod/scbteod_logo.GIF
> map http://foo2.com https://applications.bancopopular.com/images/emails/fb-share-button.jpg
> curl -H 'Host: foo1.com' http://localhost:8080/ -v  // failed to set up ssl connection to origin
> curl -H 'Host: foo2.com' http://localhost:8080/ -v  // SSL connection hang
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
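The negotiation rule stated in the comment above (the handshake settles on the lower of the highest version the client offers and the highest the origin supports, and a chopped cipher list that the origin does not share fails outright even when the versions agree) can be watched directly. The following is an added example written for this page; it is not Traffic Server or OpenSSL code. It stands up a throwaway origin with a self-signed certificate on loopback TCP and drives handshakes with different client-side version ranges and cipher lists. Everything in it is constructed: the name origin.example, the certificate, and the loopback setup. Go's crypto/tls stands in for OpenSSL, so the knobs are MinVersion/MaxVersion/CipherSuites rather than SSL_CTX options, and the TLS 1.2/1.3 pair stands in for the SSLv3/TLSv1/TLSv1_1/TLSv1_2 range in the ticket; the rule it demonstrates is the general one, not only the two cases the ticket lists.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// originCert builds a throwaway self-signed cert for the fake origin (constructed for this example).
func originCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "origin.example"},
		DNSNames:     []string{"origin.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // setup failure, not a negotiation outcome
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// Handshake runs one TLS handshake over loopback TCP between a client configured like ATS's
// origin-side SSL client context and a server playing the origin; it returns the negotiated version.
func Handshake(client, server *tls.Config) (uint16, error) {
	cert, pool := originCert()
	server.Certificates = []tls.Certificate{cert}
	client.RootCAs, client.ServerName = pool, "origin.example"
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			err = tls.Server(conn, server).Handshake()
		}
		serverErr <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return 0, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	c := tls.Client(raw, client)
	if err := c.Handshake(); err != nil {
		raw.Close() // unblock the server goroutine before collecting its result
		<-serverErr
		return 0, err
	}
	if err := <-serverErr; err != nil {
		return 0, err
	}
	return c.ConnectionState().Version, nil
}

// NegotiatedVersion: client offers [cMin, cMax], origin accepts [oMin, oMax]; which version wins?
func NegotiatedVersion(cMin, cMax, oMin, oMax uint16) (uint16, error) {
	return Handshake(
		&tls.Config{MinVersion: cMin, MaxVersion: cMax},
		&tls.Config{MinVersion: oMin, MaxVersion: oMax},
	)
}

// CipherMismatch pins both sides to TLS 1.2 (Go's CipherSuites knob does not cover TLS 1.3)
// and gives them disjoint one-suite lists: the version agrees, the handshake still fails.
func CipherMismatch() error {
	only := func(suite uint16) *tls.Config {
		return &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{suite}}
	}
	_, err := Handshake(only(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), only(tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384))
	return err
}

func main() {
	v, err := NegotiatedVersion(tls.VersionTLS12, tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS12)
	fmt.Printf("client 1.2-1.3 vs origin 1.2 only -> 0x%04x (err=%v)\n", v, err) // 0x0303 (err=<nil>)
	fmt.Println("disjoint TLS 1.2 cipher lists fail:", CipherMismatch() != nil)   // true
}
```

Capping the client's MaxVersion is the safe knob in this model: as long as the ranges overlap, the origin's own maximum decides and nothing else changes. Cutting the client's cipher list is the sharp one: a list the origin does not intersect turns a working origin into a handshake failure, which is the point the comment makes against "chopping the supported ciphers".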