[ 
https://issues.apache.org/jira/browse/TS-4706?focusedWorklogId=26150&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-26150
 ]

ASF GitHub Bot logged work on TS-4706:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/Aug/16 18:44
            Start Date: 02/Aug/16 18:44
    Worklog Time Spent: 10m 
      Work Description: GitHub user gtenev opened a pull request:

    https://github.com/apache/trafficserver/pull/837

    TS-4706 Truncated SNI name during escalation

    A fix for a problem with SSL hostname verification failing due to truncated SNI name.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/gtenev/trafficserver TS-4706

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/837.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #837
    
----
commit 4d02d0e877e24b1dc94948c236462417bdd9bbf0
Author: Gancho Tenev <gtte...@gmail.com>
Date:   2016-07-29T23:39:44Z

    TS-4706 Truncated SNI name during escalation
    
    SSL hostname verification failing due to truncated SNI name.

----


Issue Time Tracking
-------------------

            Worklog Id:     (was: 26150)
            Time Spent: 10m
    Remaining Estimate: 0h

> SSL hostname verification failed due to truncated SNI name
> ----------------------------------------------------------
>
>                 Key: TS-4706
>                 URL: https://issues.apache.org/jira/browse/TS-4706
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core
>            Reporter: Gancho Tenev
>            Assignee: Gancho Tenev
>             Fix For: 7.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> SSL hostname verification fails due to truncated SNI name when escalation 
> plugin is used to redirect a failed request (404) from a primary origin 
> {{primary.com}} to a secondary origin {{secondary.com}}.
> {code:title=Excerpt from the ATS logs showing the error|borderStyle=solid}
> DEBUG: <SSLNetVConnection.cc:1258 (sslClientHandShakeEvent)> (ssl) using SNI 
> name 'secondary.c' for client handshake
> DEBUG: <SSLNetVConnection.cc:1303 (sslClientHandShakeEvent)> (ssl.error) 
> SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_WANT_READ
> DEBUG: <SSLNetVConnection.cc:1258 (sslClientHandShakeEvent)> (ssl) using SNI 
> name 'secondary.c' for client handshake
> DEBUG: <SSLClientUtils.cc:83 (verify_callback)> (ssl) Hostname verification 
> failed for ('secondary.c')
> {code}
> One could see that the SNI name {{secondary.com}} is truncated to 
> {{secondary.c}}
> {code:title=Test case to reproduce}
> $ cat etc/trafficserver/remap.config
> map http://example.com https://primary.com @plugin=escalate.so 
> @pparam=404:secondary.com
> $ sudo ./bin/traffic_server -T ssl 2>&1 | egrep -e 'using SNI name .* for 
> client handshake'
> DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI 
> name 'primary.com' for client handshake
> DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI 
> name 'secondary.c' for client handshake
> $ curl -x localhost:80 'http://example.com/path/to/object'
> {code}
> I have a fix available which produces the following log (SNI hostname no 
> longer truncated)
> {code:title=Excerpt from ATS logs after applying the fix}
> $ sudo ./bin/traffic_server -T ssl 2>&1 | egrep -e 'using SNI name .* for 
> client handshake'
> DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI 
> name 'primary.com' for client handshake
> DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI 
> name 'secondary.com' for client handshake
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
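
A log check for the symptom reported in this issue, as an added example that is not part of the original message or of Traffic Server: it compares each SNI name in the `-T ssl` debug output against the origin hosts named in remap.config and flags names that are strict prefixes of a configured host. The sample config and log lines are constructed from the excerpts above, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input, modelled on the remap rule and debug lines
# quoted in the issue (log lines unwrapped onto single lines).
REMAP_CONFIG = """\
map http://example.com https://primary.com @plugin=escalate.so @pparam=404:secondary.com
"""
DEBUG_LOG = """\
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'primary.com' for client handshake
DEBUG: <SSLNetVConnection.cc:1223 (sslClientHandShakeEvent)> (ssl) using SNI name 'secondary.c' for client handshake
"""

SNI_RE = re.compile(r"using SNI name '([^']*)' for client handshake")
# Escalation target in the status:host form shown in the issue's remap rule.
PPARAM_RE = re.compile(r"@pparam=[^:\s]+:(\S+)")


def expected_origins(remap_text):
    """Collect the origin hostnames a remap.config can open TLS handshakes to."""
    hosts = set()
    for line in remap_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "map":
            continue
        target = urlsplit(fields[2])
        if target.scheme == "https" and target.hostname:
            hosts.add(target.hostname)
        # Drop an optional :port suffix from the escalation target.
        hosts.update(h.split(":")[0].lower() for h in PPARAM_RE.findall(line))
    return hosts


def audit_sni(log_text, hosts):
    """Return (sni, verdict, matched_host) for each handshake with an unexpected SNI."""
    findings = []
    for sni in SNI_RE.findall(log_text):
        name = sni.lower()
        if name in hosts:
            continue
        # A strict prefix of a configured origin points at truncation.
        longer = sorted(h for h in hosts if name and h.startswith(name))
        verdict = "truncated" if longer else "unexpected"
        findings.append((sni, verdict, longer[0] if longer else None))
    return findings


if __name__ == "__main__":
    for finding in audit_sni(DEBUG_LOG, expected_origins(REMAP_CONFIG)):
        print(finding)
```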
