[
https://issues.apache.org/jira/browse/TS-4468?focusedWorklogId=28822&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-28822
]
ASF GitHub Bot logged work on TS-4468:
--------------------------------------
Author: ASF GitHub Bot
Created on: 12/Sep/16 17:16
Start Date: 12/Sep/16 17:16
Worklog Time Spent: 10m
Work Description: Github user jpeach commented on a diff in the pull
request:
https://github.com/apache/trafficserver/pull/1000#discussion_r78414024
--- Diff: proxy/http/HttpSessionManager.cc ---
@@ -75,17 +75,32 @@ ServerSessionPool::match(HttpServerSession *ss,
sockaddr const *addr, INK_MD5 co
(TS_SERVER_SESSION_SHARING_MATCH_HOST == match_style ||
ats_ip_addr_port_eq(ss->get_server_ip(), addr));
}
+bool
+ServerSessionPool::match_sni(HttpSM *sm, NetVConnection *netvc)
+{
+ // TS-4468: If the connection matches, make sure the SNI server
+ // name (if present) matches the request hostname
+ int len = 0;
+ const char *req_host =
sm->t_state.hdr_info.server_request.host_get(&len);
+ const char *session_sni = netvc->options.sni_servername;
+
+ return ((sm->t_state.scheme != URL_WKSIDX_HTTPS) || !session_sni ||
!strncmp(session_sni, req_host, len));
--- End diff --
What is the scheme check doing?
Issue Time Tracking
-------------------
Worklog Id: (was: 28822)
Time Spent: 40m (was: 0.5h)
> http.server_session_sharing.match = both unsafe with HTTPS
> ----------------------------------------------------------
>
> Key: TS-4468
> URL: https://issues.apache.org/jira/browse/TS-4468
> Project: Traffic Server
> Issue Type: Bug
> Components: HTTP, SSL
> Affects Versions: 6.1.1
> Reporter: Jered Floyd
> Assignee: Susan Hinrichs
> Fix For: 7.0.0
>
> Attachments: TS-4468.patch
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> proxy.config.http.server_session_sharing.match has a default value of "both",
> which compares IP address, port, and FQDN when determining whether a
> connection can be reused for further user agent requests.
> The "host" (FQDN) matching does not behave safely when ATS is operating as a
> reverse proxy. The compared value is the origin server FQDN after mapping,
> rather than the initial "Host" target.
> If multiple Hosts map to the same origin server and the scheme is HTTPS, ATS
> will attempt to reuse a connection that may have an SNI Host that does not
> match the HTTP Host. With Apache 2.4 origin servers this results in 400 Bad
> Request to the user agent.
> PROBLEM REPRODUCTION:
> You can observe this behavior with two mapping rules such as:
> map https://example.com/ https://origin.example.com/
> map https://www.example.com/ https://origin.example.com/
> Non-caching clients alternately fetching URIs from the two targets will see
> 400 Bad Request responses intermittently.
> WORKAROUND:
> proxy.config.http.server_session_sharing.match should have a default value of
> "none" when proxy.config.reverse_proxy.enabled is "1"
> SUGGESTED FIXES:
> In order of completeness:
> 1) Do not share server sessions on reverse_proxy requests.
> 2) Do not share server sessions on reverse_proxy requests where scheme is
> HTTPS.
> 3) Compare target host (SNI host) rather than replacement host when
> determining if reuse of server session is allowed (when
> server_session_sharing.match is set to "host" or "both").
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
