[ https://issues.apache.org/jira/browse/TS-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287702#comment-14287702 ]

Susan Hinrichs edited comment on TS-3314 at 1/22/15 4:48 PM:
-------------------------------------------------------------

This was broken by TS-2417, adding support for DHE.  This patch added a new 
entry for the dhparams file, proxy.config.ssl.server.dhparams_file.

If the parameter is not set, it loads a built-in 2048 param.  If it fails to 
load the built-in or the one specified by the dhparams_file, it issues the 
error you are seeing.

This still is a bit confusing, because I would assume that the built-in one 
would get successfully loaded in your case.  That still isn't what you want, 
since you want choices on which dhparam to load I assume based on the cipher 
negotiated.

I'm still figuring out how the old scheme worked.  You just placed the dh files 
in the same directory as the certificates and the right DH param would get 
loaded depending on the version of cipher selected by the negotiation?

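The loading rule described in the comment above (an explicit proxy.config.ssl.server.dhparams_file, otherwise a built-in 2048-bit group, otherwise the "SSL dhparams source returned invalid parameters" error) can be sanity-checked offline before a restart. The following is an added example, not ATS code: it parses a PKCS#3 "DH PARAMETERS" PEM file and applies an assumed 2048-bit floor, so the dh512.pem and dh1024.pem files mentioned in the report would be flagged rather than silently used. The sample modulus is constructed for the demonstration and is not a real safe prime.

```python
import base64
import re

def _der_tlv(buf, i, tag):
    # Read one DER TLV with the expected tag at buf[i]; return (content, offset after it)
    if buf[i] != tag:
        raise ValueError("unexpected tag 0x%02x at offset %d" % (buf[i], i))
    length, start = buf[i + 1], i + 2
    if length >= 0x80:  # long form: the low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return buf[start:start + length], start + length

def parse_dhparams_pem(pem):
    """Return (prime_bits, generator) from a PKCS#3 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode("".join(m.group(1).split()))
    seq, _ = _der_tlv(der, 0, 0x30)          # DHParameter ::= SEQUENCE { prime, base }
    p_raw, i = _der_tlv(seq, 0, 0x02)
    g_raw, _ = _der_tlv(seq, i, 0x02)
    p, g = (int.from_bytes(r, "big", signed=True) for r in (p_raw, g_raw))
    if p <= 0 or g < 2:
        raise ValueError("non-positive prime or generator below 2")
    return p.bit_length(), g

def check_dhparams(pem, min_bits=2048):
    """Accept the file only if it parses and the group is >= min_bits wide (2048 floor assumed here)."""
    try:
        bits, g = parse_dhparams_pem(pem)
    except (ValueError, IndexError) as e:
        return False, "SSL dhparams source returned invalid parameters (%s)" % e
    if bits < min_bits:
        return False, "rejected %d-bit group, need at least %d" % (bits, min_bits)
    return True, "accepted %d-bit group with generator %d" % (bits, g)

def encode_dhparams_pem(p, g):
    """Build a PKCS#3 DHParameter PEM from (p, g); used here only to construct sample input."""
    def der_len(n):
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb
    def der_int(v):  # one spare leading byte when the top bit is set keeps the INTEGER positive
        body = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return b"\x02" + der_len(len(body)) + body
    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % b64

SAMPLE_DH2048 = encode_dhparams_pem((1 << 2047) | 1, 2)  # constructed: odd 2048-bit modulus, NOT a real safe prime
```

Running check_dhparams over each dh*.pem in the certificate directory shows which files an ATS-style loader would accept and which would produce the error in the report.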

> SSL errors after upgrade from 5.1.2 -> 5.2.0
> --------------------------------------------
>
>                 Key: TS-3314
>                 URL: https://issues.apache.org/jira/browse/TS-3314
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core, SSL
>            Reporter: Andre
>            Assignee: Susan Hinrichs
>
> I upgraded my ATS from 5.1.2 to 5.2.0 by keeping all my config files.
> When I start the trafficserver, I do get errors in the diags.log and https 
> sites do not work. Here is an extract of the diags.log:
> {code}
> [Jan 22 15:19:58.381] Server {0x2b42c3b03bc0} NOTE: loading SSL certificate 
> configuration from /opt/trafficserver/etc/trafficserver/ssl_multicert.config
> [Jan 22 15:19:58.386] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
> returned invalid parameters
> [Jan 22 15:19:58.386] Server {0x2b42c3b03bc0} ERROR: failed to load SSL 
> certificate specification from 
> /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 57
> [Jan 22 15:19:58.391] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
> returned invalid parameters
> [Jan 22 15:19:58.392] Server {0x2b42c3b03bc0} ERROR: failed to load SSL 
> certificate specification from 
> /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 58
> [Jan 22 15:19:58.396] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
> returned invalid parameters
> [Jan 22 15:19:58.397] Server {0x2b42c3b03bc0} ERROR: failed to load SSL 
> certificate specification from 
> /opt/trafficserver/etc/trafficserver/ssl_multicert.config line 59
> [Jan 22 15:19:58.401] Server {0x2b42c3b03bc0} ERROR: SSL dhparams source 
> returned invalid parameters
> [Jan 22 15:19:58.413] Server {0x2b42c3b03bc0} NOTE: traffic server running
> [Jan 22 15:19:58.494] Server {0x2b42c9547700} NOTE: cache enabled
> [Jan 22 15:20:01.176] Server {0x2b42d4f17700} ERROR: 
> SSL::47566040430336:error:140BA0C3:SSL routines:SSL_new:null ssl 
> ctx:ssl_lib.c:281: peer address is 2a01:4f8:160:24ca::3
> [Jan 22 15:20:01.176] Server {0x2b42d4f17700} ERROR: failed to create SSL 
> server session
> [Jan 22 15:22:19.813] Server {0x2b42d5018700} ERROR: 
> SSL::47566041483008:error:140BA0C3:SSL routines:SSL_new:null ssl 
> ctx:ssl_lib.c:281: peer address is 66.249.64.77
> [Jan 22 15:22:19.813] Server {0x2b42d5018700} ERROR: failed to create SSL 
> server session
> [Jan 22 15:25:01.191] Server {0x2b42d5119700} ERROR: 
> SSL::47566042535680:error:140BA0C3:SSL routines:SSL_new:null ssl 
> ctx:ssl_lib.c:281: peer address is 2a01:4f8:160:24ca::3
> [Jan 22 15:25:01.191] Server {0x2b42d5119700} ERROR: failed to create SSL 
> server session
> {code}
> Here is what I have in my ssl_multicert.config:
> {code}
> ssl_cert_name=domain1.crt ssl_key_name=domain1.key
> ssl_cert_name=domain2.crt ssl_key_name=domain2.key
> dest_ip=* ssl_cert_name=domain3.crt ssl_key_name=domain3.key
> {code}
> The .crt files contain my certificate and the intermediate certificate; the 
> CA is in the truststore. 
> There are 3 possible dh params available in the configured certificate 
> directory: dh512.pem, dh1024.pem and dh2048.pem.
> Why did it work in 5.1.2 and is no longer working in 5.2.0?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
