bneradt opened a new issue #7561:
URL: https://github.com/apache/trafficserver/issues/7561


Traffic Dump retrieves the server-side TLS server name via SSL_get_servername:

https://github.com/apache/trafficserver/blob/40de57b047a2b83e023404c3c64f7e3a81b38e64/plugins/experimental/traffic_dump/session_data.cc#L105

With the patch in the following PR the traffic_dump test consistently fails because the SNI is not being retrieved:
https://github.com/apache/trafficserver/pull/7537

Locally, @duke8253 and I were not able to reproduce this failure. @duke8253 was able to reproduce this when he ran with OpenSSL 1.1.1d. The documentation mentions bug fixes that went into 1.1.1e SSL_get_servername:

https://www.openssl.org/docs/man1.1.1/man3/SSL_set_tlsext_host_name.html

Quoting:

> HISTORY
>
> SSL_get_servername() historically provided some unexpected results in certain corner cases. This has been fixed from OpenSSL 1.1.1e.
>
> Prior to 1.1.1e, when the client requested a servername in an initial TLSv1.2 handshake, the server accepted it, and then the client successfully resumed but set a different explicit servername in the second handshake then when called by the client it returned the servername from the second handshake. This has now been changed to return the servername requested in the original handshake.
>
> Also prior to 1.1.1e, if the client sent a servername in the first handshake but the server did not accept it, and then a second handshake occurred where TLSv1.2 resumption was successful then when called by the server it returned the servername requested in the original handshake. This has now been changed to NULL.

It would be helpful if we could update CI's version of OpenSSL, which currently runs an older version of OpenSSL 3.0.0 master, to have these fixes.
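An added example, not part of the issue or of Traffic Server's own test code: a Python guard that parses the OpenSSL version banner and reports whether the SSL_get_servername() fix documented for 1.1.1e is guaranteed, so a test like traffic_dump's SNI assertion can be skipped rather than failing on older builds. The function names, the letter-to-patch mapping and the "unknown" verdict for pre-release 3.0.0 snapshots (the issue says CI's 3.0.0 master build predates the fix) are my own assumptions; the version banners in the test are constructed.

```python
import re
import ssl

# Release in which the OpenSSL man page says the SSL_get_servername()
# resumption corner cases were fixed: 1.1.1e (letter 'e' = patch level 5).
FIX_RELEASE = (1, 1, 1, 5)

# Matches the 1.x letter-patch scheme ("1.1.1d") and the 3.x numeric
# scheme ("3.0.0-dev", "3.0.7"); trailing build dates are ignored.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-[A-Za-z0-9]+)?")


def parse_openssl_version(version_string):
    """Return (major, minor, fix, patch, is_prerelease) or None if unparsable.

    A letter suffix is mapped to a numeric patch level (a=1, b=2, ...) so
    that tuples compare in release order. Non-OpenSSL banners (e.g. LibreSSL)
    yield None because their numbering says nothing about this fix.
    """
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    patch = ord(m.group(4)) - ord("a") + 1 if m.group(4) else 0
    suffix = (m.group(5) or "").lower()
    is_prerelease = suffix.startswith(("-dev", "-alpha", "-beta"))
    return (major, minor, fix, patch, is_prerelease)


def servername_fix_status(version_string):
    """Classify a banner as "fixed", "unfixed" or "unknown".

    A development snapshot is "unknown" (assumption): the issue reports a
    CI build of "3.0.0 master" that predates the fix, so the bare version
    number of a snapshot does not prove the fix is present.
    """
    parsed = parse_openssl_version(version_string)
    if parsed is None:
        return "unknown"
    major, minor, fix, patch, is_prerelease = parsed
    if is_prerelease:
        return "unknown"
    return "fixed" if (major, minor, fix, patch) >= FIX_RELEASE else "unfixed"


def should_run_sni_assertion(version_string=ssl.OPENSSL_VERSION):
    """Gate the SNI check: run it only when the fix is known to be present."""
    return servername_fix_status(version_string) == "fixed"
```

Calling `should_run_sni_assertion()` with no argument inspects the OpenSSL that the running Python interpreter links against, which may differ from the one Traffic Server was built with; pass `traffic_server -V`-style banner text for the actual target.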


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.