[ https://issues.apache.org/jira/browse/TS-4468?focusedWorklogId=28587&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-28587 ]
ASF GitHub Bot logged work on TS-4468:
--------------------------------------

Author: ASF GitHub Bot
Created on: 09/Sep/16 15:19
Start Date: 09/Sep/16 15:19
Worklog Time Spent: 10m
Work Description:
GitHub user shinrich opened a pull request:

https://github.com/apache/trafficserver/pull/1000

TS-4468: http.server_session_sharing.match check SNI

Started with patch proposed by Jered Floyd on the bug. Tested the basic case of SNI name match/mismatch, and reuse seems to work as expected.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/shinrich/trafficserver ts-4468

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/trafficserver/pull/1000.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

This closes #1000

----
commit 262707c9ae1eb929fd1b91821569ff7aa9297f0e
Author: Susan Hinrichs <shinr...@ieee.org>
Date: 2016-09-09T15:14:18Z

TS-4468: http.server_session_sharing.match check SNI

----

Issue Time Tracking
-------------------

Worklog Id: (was: 28587)
Time Spent: 10m
Remaining Estimate: 0h

> http.server_session_sharing.match = both unsafe with HTTPS
> ----------------------------------------------------------
>
> Key: TS-4468
> URL: https://issues.apache.org/jira/browse/TS-4468
> Project: Traffic Server
> Issue Type: Bug
> Components: HTTP, SSL
> Affects Versions: 6.1.1
> Reporter: Jered Floyd
> Assignee: Susan Hinrichs
> Fix For: 7.0.0
>
> Attachments: TS-4468.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> proxy.config.http.server_session_sharing.match has a default value of "both",
> which compares IP address, port, and FQDN when determining whether a
> connection can be reused for further user agent requests.
>
> The "host" (FQDN) matching does not behave safely when ATS is operating as a
> reverse proxy. The compared value is the origin server FQDN after mapping,
> rather than the initial "Host" target.
>
> If multiple Hosts map to the same origin server and the scheme is HTTPS, ATS
> will attempt to reuse a connection that may have an SNI Host that does not
> match the HTTP Host. With Apache 2.4 origin servers this results in 400 Bad
> Request to the user agent.
>
> PROBLEM REPRODUCTION:
>
> You can observe this behavior with two mapping rules such as:
>
> map https://example.com/ https://origin.example.com/
> map https://www.example.com/ https://origin.example.com/
>
> Non-caching clients alternately fetching URIs from the two targets will see
> 400 Bad Request responses intermittently.
>
> WORKAROUND:
>
> proxy.config.http.server_session_sharing.match should have a default value of
> "none" when proxy.config.reverse_proxy.enabled is "1".
>
> SUGGESTED FIXES:
>
> In order of completeness:
>
> 1) Do not share server sessions on reverse_proxy requests.
> 2) Do not share server sessions on reverse_proxy requests where scheme is
> HTTPS.
> 3) Compare target host (SNI host) rather than replacement host when
> determining if reuse of server session is allowed (when
> server_session_sharing.match is set to "host" or "both").

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
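The session-reuse mismatch described in the report, as an added Python model that is not Traffic Server code: it assumes the pristine client Host is forwarded to the origin and that a pooled session carries the SNI of the request that opened it; the remap rules, origin address and the Apache-style Host/SNI check are constructed for illustration.

```python
# Toy model of an ATS-style server-session pool (constructed, not ATS code).
# Buggy mode matches pooled sessions on the mapped origin FQDN, so two client
# Hosts that remap to one origin share a TLS connection opened with the first
# Host's SNI. Fixed mode (suggested fix 3) matches on the SNI/target host.
from dataclasses import dataclass

REMAP = {                       # constructed rules, as in the bug report
    "example.com": "origin.example.com",
    "www.example.com": "origin.example.com",
}
ORIGIN_ADDR = ("203.0.113.10", 443)   # constructed origin IP/port (TEST-NET-3)


@dataclass
class ServerSession:
    addr: tuple         # origin (ip, port)
    origin_fqdn: str    # host after remap
    sni: str            # name sent in the ClientHello when the session opened


class SessionPool:
    """`match` mirrors server_session_sharing.match; `compare_sni` selects the fix."""
    def __init__(self, match, compare_sni):
        self.match, self.compare_sni, self.sessions = match, compare_sni, []

    def _matches(self, s, addr, origin_fqdn, sni):
        if self.match == "none":
            return False
        ip_ok = self.match == "host" or s.addr == addr
        # Buggy: compare mapped FQDN. Fixed: compare the SNI/target host.
        want = sni if self.compare_sni else origin_fqdn
        have = s.sni if self.compare_sni else s.origin_fqdn
        host_ok = self.match == "ip" or have == want
        return ip_ok and host_ok

    def acquire(self, addr, origin_fqdn, sni):
        for s in self.sessions:
            if self._matches(s, addr, origin_fqdn, sni):
                return s
        s = ServerSession(addr, origin_fqdn, sni)
        self.sessions.append(s)
        return s


def origin_accepts(session, host_header):
    """Apache 2.4-style check from the report: Host must agree with the SNI."""
    return session.sni == host_header


def run(match, compare_sni):
    """Serve example.com then www.example.com; return (sessions opened, all accepted)."""
    pool, ok = SessionPool(match, compare_sni), []
    for host in ("example.com", "www.example.com"):
        s = pool.acquire(ORIGIN_ADDR, REMAP[host], sni=host)
        ok.append(origin_accepts(s, host))
    return len(pool.sessions), all(ok)
```

`run("both", False)` reproduces the report (one shared session, second request rejected); `run("both", True)` applies fix 3 and `run("none", False)` the workaround, each opening a separate session that the origin accepts.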