[jira] [Work logged] (TS-4468) http.server_session_sharing.match = both unsafe with HTTPS

[ASF GitHub Bot (JIRA)]

     [ 
https://issues.apache.org/jira/browse/TS-4468?focusedWorklogId=28587&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-28587
 ]

ASF GitHub Bot logged work on TS-4468:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/Sep/16 15:19
            Start Date: 09/Sep/16 15:19
    Worklog Time Spent: 10m 
      Work Description: GitHub user shinrich opened a pull request:

    https://github.com/apache/trafficserver/pull/1000

    TS-4468: http.server_session_sharing.match check SNI

    Started with patch proposed by Jered Floyd on the bug.  Tested the basic 
case of SNI name match/mismatch and reuse seem to work as expected.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shinrich/trafficserver ts-4468

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/1000.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1000
    
----
commit 262707c9ae1eb929fd1b91821569ff7aa9297f0e
Author: Susan Hinrichs <shinr...@ieee.org>
Date:   2016-09-09T15:14:18Z

    TS-4468: http.server_session_sharing.match check SNI

----


Issue Time Tracking
-------------------

            Worklog Id:     (was: 28587)
            Time Spent: 10m
    Remaining Estimate: 0h

> http.server_session_sharing.match = both unsafe with HTTPS
> ----------------------------------------------------------
>
>                 Key: TS-4468
>                 URL: https://issues.apache.org/jira/browse/TS-4468
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: HTTP, SSL
>    Affects Versions: 6.1.1
>            Reporter: Jered Floyd
>            Assignee: Susan Hinrichs
>             Fix For: 7.0.0
>
>         Attachments: TS-4468.patch
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> proxy.config.http.server_session_sharing.match has a default value of "both", 
> which compares IP address, port, and FQDN when determining whether a 
> connection can be reused for further user agent requests.
> The "host" (FQDN) matching does not behave safely when ATS is operating as a 
> reverse proxy.  The compared value is the origin server FQDN after mapping, 
> rather than the initial "Host" target.
> If multiple Hosts map to the same origin server and the scheme is HTTPS, ATS 
> will attempt to reuse a connection that may have an SNI Host that does not 
> match the HTTP Host.  With Apache 2.4 origin servers this results in 400 Bad 
> Request to the user agent.
> PROBLEM REPRODUCTION:
> You can observe this behavior with two mapping rules such as:
> map https://example.com/ https://origin.example.com/
> map https://www.example.com/ https://origin.example.com/
> Non-caching clients alternately fetching URIs from the two targets will see 
> 400 Bad Request responses intermittently.
> WORKAROUND:
> proxy.config.http.server_session_sharing.match should have a default value of 
> "none" when proxy.config.reverse_proxy.enabled is "1"
> SUGGESTED FIXES:
> In order of completeness:
> 1) Do not share server sessions on reverse_proxy requests.
> 2) Do not share server sessions on reverse_proxy requests where scheme is 
> HTTPS.
> 3) Compare target host (SNI host) rather than replacement host when 
> determining if reuse of server session is allowed (when 
> server_session_sharing.match is set to "host" or "both").



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)