[jira] [Commented] (TS-3283) Certain SSL handshake error during client-hello hangs the client and leaves network connection open

2015-01-08 Thread Leif Hedstrom (JIRA)

[ https://issues.apache.org/jira/browse/TS-3283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14270389#comment-14270389 ]

Leif Hedstrom commented on TS-3283:
---

[~shinrich] Susan, can you please take a look at this one and possibly shepherd 
the fixes.

> Certain SSL handshake error during client-hello hangs the client and leaves 
> network connection open
> ---
>
> Key: TS-3283
> URL: https://issues.apache.org/jira/browse/TS-3283
> Project: Traffic Server
>  Issue Type: Bug
>  Components: SSL
>Reporter: Joe Chung
>Assignee: Susan Hinrichs
> Fix For: 5.3.0
>
>
> h3. Problem Description
> Send an SSLv2 Client Hello with an old cipher suite request against Traffic 
> Server 4.2.2, and the connection will freeze on the client side and 
> eventually time out after 120 seconds.
> The Traffic Server detects the SSL error, but instead of closing the 
> connection, goes on to accept new connections.
> h3. Reproduction
> === Client: Macbook Pro running OSX Mavericks 10.9.5 ===
> {code:none}
> $ openssl version -a
> OpenSSL 0.9.8za 5 Jun 2014
> built on: Aug 10 2014
> platform: darwin64-x86_64-llvm
> options:  bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) blowfish(idx)
> compiler: -arch x86_64 -fmessage-length=0 -pipe -Wno-trigraphs 
> -fpascal-strings -fasm-blocks -O3 -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H 
> -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_NO_IDEA -DOPENSSL_PIC -DOPENSSL_THREADS 
> -DZLIB -mmacosx-version-min=10.6
> OPENSSLDIR: "/System/Library/OpenSSL"
> {code}
> h4. The following command triggers the bad behavior on the 4.2.2 server.
> {code:none}
> $ openssl s_client -connect 192.168.20.130:443 -ssl2 -debug
> CONNECTED(0003)
> write to 0x7fb9f2508610 [0x7fb9f300f201] (45 bytes => 45 (0x2D))
>  - 80 2b 01 00 02 00 12 00-00 00 10 07 00 c0 03 00   .+..
> 0010 - 80 01 00 80 06 00 40 04-00 80 02 00 80 f4 71 1a   ..@...q.
> 0020 - ad 23 06 59 4d f8 d2 c5-b2 57 a9 66 4c.#.YMW.fL
> ^C
> {code}
> At this point, the client is hung, and I have to hit ctrl-c to interrupt it 
> or wait 120 seconds for tcp timeout.
> h3. Server: Lubuntu 13.10 on VMware
> {code:none}
> $ openssl version -a
> OpenSSL 1.0.1e 11 Feb 2013
> built on: Fri Jun 20 18:52:25 UTC 2014
> platform: debian-i386
> options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx) 
> compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT 
> -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector 
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security 
> -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack 
> -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 
> -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT 
> -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM 
> -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> OPENSSLDIR: "/usr/lib/ssl"
> {code}
> {code:none}
> $ diff /usr/local/etc/trafficserver/records.config.422 
> /usr/local/etc/trafficserver/records.config
> 113c113
> < CONFIG proxy.config.http.server_ports STRING 8080
> ---
> > CONFIG proxy.config.http.server_ports STRING 8080 443:ssl
> 594,595c594,595
> < CONFIG proxy.config.diags.debug.enabled INT 0
> < CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*
> ---
> > CONFIG proxy.config.diags.debug.enabled INT 1
> > CONFIG proxy.config.diags.debug.tags STRING ssl.*
> {code}
> {code:none}
> $ /usr/local/bin/traffic_server --version
> [TrafficServer] using root directory '/usr/local'
> Apache Traffic Server - traffic_server - 4.2.2 - (build # 0723 on Jan  7 2015 
> at 23:04:32)
> $ sudo /usr/local/bin/traffic_server
> [sudo] password for user:
> [TrafficServer] using root directory '/usr/local'
> [Jan  8 00:53:42.618] Server {0xb702e700} DEBUG: (ssl) setting SNI callbacks 
> with for ctx 0xa4a7928
> [Jan  8 00:53:42.618] Server {0xb702e700} DEBUG: (ssl) indexed '*' with 
> SSL_CTX 0xa4a7928
> [Jan  8 00:53:42.619] Server {0xb702e700} DEBUG: (ssl) importing SNI names 
> from /usr/local/etc/trafficserver
> [Jan  8 00:54:02.256] Server {0xb6265b40} DEBUG: (ssl) 
> [SSLNextProtocolAccept:mainEvent] event 202 netvc 0xb280fa90
> [Jan  8 00:54:02.256] Server {0xb6265b40} DEBUG: (ssl) ssl_callback_info ssl: 
> 0xb280fcb8 where: 16 ret: 1
> [Jan  8 00:54:02.256] Server {0xb6265b40} DEBUG: (ssl) ssl_callback_info ssl: 
> 0xb280fcb8 where: 8193 ret: 1
> [Jan  8 00:54:02.256] Server {0xb6265b40} DEBUG: (ssl) ssl_callback_info ssl: 
> 0xb280fcb8 where: 8194 ret: -1
> [Jan  8 00:54:02.256] Server {0xb6265b40} DEBUG: (ssl) 
> SSL::3055967040:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown 
> protocol:s23_srvr.c:628
> [Jan  8 00:54:02.25
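
The failure the report describes is an error-path problem: OpenSSL rejects the SSLv2 ClientHello, but the accepting side neither closes the connection nor answers, so the client sits on an open TCP socket until its own timeout. The following is an added example, not code from the report or from Traffic Server. It drives OpenSSL's server-side handshake through Python's `ssl.MemoryBIO` with the 45 ClientHello bytes captured in the report's `openssl s_client -ssl2 -debug` output, and compares a handler that leaves the transport open after a handshake error with one that flushes the alert and closes it. `FakeTransport`, `accept_handshake` and the no-certificate server context are assumptions of this example: the hello is rejected at the protocol-version check, before any certificate or cipher negotiation, so no key material is needed to show the behaviour.

```python
"""Added example (not from the TS-3283 report or from Traffic Server): show
why a server must close the transport when OpenSSL rejects a ClientHello."""
import ssl

# The 45-byte SSLv2 ClientHello as captured in the report's s_client output:
# record header 80 2b, msg type 01, version 00 02, 18 bytes of cipher specs,
# no session id, 16-byte challenge.
SSLV2_CLIENT_HELLO = bytes.fromhex(
    "802b0100020012000000100700c00300"
    "8001008006004004008002" "0080f4711a"
    "ad2306594df8d2c5b257a9664c"
)


class FakeTransport:
    """Constructed stand-in for the accepted TCP socket (assumption of this
    example): records what the server wrote back and whether it was closed."""

    def __init__(self, inbound: bytes):
        self.inbound = inbound
        self.outbound = b""
        self.closed = False

    def recv(self) -> bytes:
        data, self.inbound = self.inbound, b""
        return data

    def send(self, data: bytes) -> None:
        self.outbound += data

    def close(self) -> None:
        self.closed = True


def server_context() -> ssl.SSLContext:
    # Library-default server context; no certificate is loaded because the
    # SSLv2 hello is refused on its protocol version before any cipher or
    # certificate selection takes place.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def accept_handshake(transport: FakeTransport, close_on_error: bool):
    """Run one server-side handshake step over memory BIOs.

    Returns (state, reason) where state is "pending", "error" or
    "established". With close_on_error=False the error path mirrors the
    reported behaviour: the error is noticed but the socket stays open."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = server_context().wrap_bio(incoming, outgoing, server_side=True)
    incoming.write(transport.recv())
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        # A legitimate partial hello: keep the socket, wait for more bytes.
        return "pending", None
    except ssl.SSLError as exc:
        # Flush whatever alert OpenSSL queued, then tear the connection down
        # so the peer sees EOF instead of waiting for its own timeout.
        transport.send(outgoing.read())
        if close_on_error:
            transport.close()
        return "error", exc.reason
    transport.send(outgoing.read())
    return "established", None


def demo() -> dict:
    """Feed the captured hello to both handlers and report what each left behind."""
    buggy = FakeTransport(SSLV2_CLIENT_HELLO)
    fixed = FakeTransport(SSLV2_CLIENT_HELLO)
    buggy_state, _ = accept_handshake(buggy, close_on_error=False)
    fixed_state, reason = accept_handshake(fixed, close_on_error=True)
    return {
        "buggy_state": buggy_state,
        "buggy_closed": buggy.closed,   # False: the client would hang here
        "fixed_state": fixed_state,
        "fixed_closed": fixed.closed,   # True: the client gets EOF immediately
        "reason": reason,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important branch is the distinction between `SSLWantReadError` (more bytes are genuinely needed, keep the socket) and every other `SSLError` (the handshake is dead, close the socket). A handler that treats the second case like the first is exactly what leaves the connection open until the 120-second timeout in the report.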

[jira] [Commented] (TS-3283) Certain SSL handshake error during client-hello hangs the client and leaves network connection open

2015-01-08 Thread Joe Chung (JIRA)

[ https://issues.apache.org/jira/browse/TS-3283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14270438#comment-14270438 ]

Joe Chung commented on TS-3283:
---

Since this happens on 4.2.2, I'm hoping that it will be fixed in the 4.2.x 
branch since it is an LTS branch. Thanks.


[jira] [Commented] (TS-3283) Certain SSL handshake error during client-hello hangs the client and leaves network connection open

2015-01-08 Thread Leif Hedstrom (JIRA)

[ https://issues.apache.org/jira/browse/TS-3283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14270454#comment-14270454 ]

Leif Hedstrom commented on TS-3283:
---

Joe: That's up to the release manager for v4.2.x to take into consideration. 
What will happen is that when this gets committed, the committer will, if she 
agrees, mark this Jira as a back port candidate to 4.2.x.


[jira] [Commented] (TS-3283) Certain SSL handshake error during client-hello hangs the client and leaves network connection open

2015-01-20 Thread Susan Hinrichs (JIRA)

[ https://issues.apache.org/jira/browse/TS-3283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14284661#comment-14284661 ]

Susan Hinrichs commented on TS-3283:


The code change that Joe noted was part of the fix for TS-2751.  That involved 
quite a lot of code, so I wouldn't recommend back porting TS-2751.  The patch 
that Joe provides looks like it should work in isolation.  It should not make 
things worse, and it should make things work better in the error case.  I'll 
talk with the 4.2 release manager to see if we can get it in the queue for the 
next rev of 4.2.x (when/if it occurs).


[jira] [Commented] (TS-3283) Certain SSL handshake error during client-hello hangs the client and leaves network connection open

2015-01-21 Thread ASF subversion and git services (JIRA)

[ https://issues.apache.org/jira/browse/TS-3283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14286404#comment-14286404 ]

ASF subversion and git services commented on TS-3283:
-

Commit cadb017ecee0c53ab1cf9d5b0ab5f7ead9204156 in trafficserver's branch 
refs/heads/4.2.x from [~joechung]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=cadb017 ]

TS-3283: Certain SSL handshake error during client-hello hangs the client and 
leaves network connection open


> Certain SSL handshake error during client-hello hangs the client and leaves 
> network connection open
> ---
>
> Key: TS-3283
> URL: https://issues.apache.org/jira/browse/TS-3283
> Project: Traffic Server
>  Issue Type: Bug
>  Components: SSL
>Reporter: Joe Chung
>Assignee: Phil Sorber
> Fix For: 4.2.3, 5.3.0
>
>

[jira] [Commented] (TS-3283) Certain SSL handshake error during client-hello hangs the client and leaves network connection open

2015-01-29 Thread Sudheer Vinukonda (JIRA)

[ https://issues.apache.org/jira/browse/TS-3283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14297802#comment-14297802 ]

Sudheer Vinukonda commented on TS-3283:
---

I wonder if the patch causes some sort of resource leak. Looking at the code 
naively, it seems that the patch doesn't send an ACCEPT event to the upper 
layers (http?) in error cases anymore, whereas it was sending it before the 
change. I am not entirely sure if there would be any upper layer continuations 
waiting at the point where this happens (protocol probe trampoline), but if 
there are, then how are they released?

> Certain SSL handshake error during client-hello hangs the client and leaves 
> network connection open
> ---
>
> Key: TS-3283
> URL: https://issues.apache.org/jira/browse/TS-3283
> Project: Traffic Server
>  Issue Type: Bug
>  Components: SSL
>Reporter: Joe Chung
>Assignee: Phil Sorber
> Fix For: 4.2.3
>
>

[jira] [Commented] (TS-3283) Certain SSL handshake error during client-hello hangs the client and leaves network connection open

2015-01-30 Thread Susan Hinrichs (JIRA)

[ https://issues.apache.org/jira/browse/TS-3283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14298633#comment-14298633 ]

Susan Hinrichs commented on TS-3283:


If this is a leak, it is also a leak in the 5.0 base, since it has the same 
code that does the do_io_close in the error case and returns immediately 
instead of sending the ACCEPT event.

I'll try running this scenario in master to see how/whether the endpoint 
structures are cleaned up.

> Certain SSL handshake error during client-hello hangs the client and leaves 
> network connection open
> ---
>
> Key: TS-3283
> URL: https://issues.apache.org/jira/browse/TS-3283
> Project: Traffic Server
>  Issue Type: Bug
>  Components: SSL
>Reporter: Joe Chung
>Assignee: Phil Sorber
> Fix For: 4.2.3
>
>
> 0xb280fcb8 where: 16 ret: 1
> [Jan  8 00:54:02.256] Server {0xb6265b40} DEBUG: (ssl) ssl_callback_info ssl: 
> 0xb280fcb8 where: 8193 ret: 1
> [Jan  8 00:54:02.256] Server {0xb6265b40} DEBUG: (ssl) ssl_callback_info ssl: 
> 0xb280fcb8 where

[jira] [Commented] (TS-3283) Certain SSL handshake error during client-hello hangs the client and leaves network connection open

2015-01-30 Thread Susan Hinrichs (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-3283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14299076#comment-14299076
 ] 

Susan Hinrichs commented on TS-3283:


Looked at the code more closely and ran a few cases through the debugger.  I 
think we are in good shape here.

In the accept case, the trampoline sends the accept message through other 
accept objects.  Ultimately session objects are created.

In the error case, we don't want to create a session object.  The accept 
objects are static so they do not need to be deleted.

Looking through the other cases that send and receive NET_EVENT_ACCEPT events, 
the error cases are mostly not addressed.  In one case, the do_io_close was 
called on the net vc.

Here in the SSLNextProtocolTrampoline, with the patch in the error case we call 
netvc->do_io_close and delete the trampoline object, which I think cleans up 
everything that has been allocated for the connection so far.

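An added example (mine, not code from the TS-3283 report or from Traffic Server) that ties the reproduction to the fix being discussed: it decodes the 45-byte SSLv2 CLIENT-HELLO that `openssl s_client -ssl2 -debug` wrote in the report, then replays it at a listener and classifies what the server does with the TCP connection afterwards. "closed" is what the patched error path (netvc->do_io_close) should produce; "hung" is the symptom in the report, where the server logs the SSL error but leaves the socket open until the client's 120 s timeout. The loopback listener standing in for the proxy is constructed here, the cipher-kind names come from the SSL 2.0 specification, and the probe observes only the TCP-level outcome; it verifies nothing about Traffic Server internals.

```python
import socket
import struct
import threading

# The 45 bytes from the report's -debug hexdump: 2-byte record header + 43-byte body.
SSLV2_CLIENT_HELLO = bytes.fromhex(
    "80 2b 01 00 02 00 12 00 00 00 10 07 00 c0 03 00 "
    "80 01 00 80 06 00 40 04 00 80 02 00 80 f4 71 1a "
    "ad 23 06 59 4d f8 d2 c5 b2 57 a9 66 4c"
)

# SSLv2 CIPHER-KIND values (3 bytes each) as named in the SSL 2.0 specification.
CIPHER_KINDS = {
    "010080": "SSL_CK_RC4_128_WITH_MD5",
    "020080": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    "030080": "SSL_CK_RC2_128_CBC_WITH_MD5",
    "040080": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    "050080": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    "060040": "SSL_CK_DES_64_CBC_WITH_MD5",
    "0700c0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def parse_sslv2_client_hello(data: bytes) -> dict:
    """Decode an SSLv2 CLIENT-HELLO carried in a 2-byte-header record.

    Layout: [len|0x8000][msg=1][version][cipher_len][sid_len][chal_len]
            [cipher specs][session id][challenge]
    Raises ValueError on anything that does not add up, so a caller can tell
    'legacy but well-formed' from 'garbage'.
    """
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len:
        raise ValueError(f"truncated record: header says {rec_len}, got {len(body)}")
    msg_type, version, cs_len, sid_len, chal_len = struct.unpack("!BHHHH", body[:9])
    if msg_type != 1:
        raise ValueError(f"not a CLIENT-HELLO (msg type {msg_type})")
    if cs_len % 3 or 9 + cs_len + sid_len + chal_len != rec_len:
        raise ValueError("length fields do not add up to the record length")
    off = 9
    specs = [body[off + i:off + i + 3].hex() for i in range(0, cs_len, 3)]
    off += cs_len
    session_id = body[off:off + sid_len]
    off += sid_len
    challenge = body[off:off + chal_len]
    return {
        "record_length": rec_len,
        "version": version,  # 0x0002 = SSL 2.0
        "cipher_specs": [CIPHER_KINDS.get(s, "unknown:" + s) for s in specs],
        "session_id": session_id.hex(),
        "challenge": challenge.hex(),
    }


def is_well_formed_sslv2_hello(data: bytes) -> bool:
    try:
        parse_sslv2_client_hello(data)
        return True
    except ValueError:
        return False


def probe_server(host: str, port: int, hello: bytes = SSLV2_CLIENT_HELLO,
                 timeout: float = 5.0) -> str:
    """Send `hello` and report how the server disposed of the TCP connection:
    'closed'    - server ended the connection (FIN or RST), the fixed behaviour
    'responded' - server sent bytes back (for example a TLS alert)
    'hung'      - nothing within `timeout`, the TS-3283 symptom
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(hello)
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "hung"
        except ConnectionError:
            return "closed"
    return "closed" if data == b"" else "responded"


def start_fake_listener(behaviour: str):
    """Constructed stand-in for the proxy so the probe can run offline.
    'close' drops the connection after reading the hello, 'alert' answers with a
    fatal handshake_failure alert, 'hang' reads the hello and leaves the socket
    open, like the 4.2.2 server in the report.  Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            if behaviour == "alert":
                conn.sendall(b"\x15\x03\x01\x00\x02\x02\x28")  # alert(21) fatal(2) handshake_failure(40)
            elif behaviour == "hang":
                stop.wait(10.0)  # hold the connection open until the probe gives up
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def probe_local(behaviour: str, timeout: float = 2.0) -> str:
    """Run probe_server against a fake listener with the given behaviour."""
    port, stop = start_fake_listener(behaviour)
    try:
        return probe_server("127.0.0.1", port, timeout=timeout)
    finally:
        stop.set()


if __name__ == "__main__":
    print("offered:", ", ".join(parse_sslv2_client_hello(SSLV2_CLIENT_HELLO)["cipher_specs"]))
    for b in ("close", "alert", "hang"):
        print(f"{b:>5} listener -> {probe_local(b, timeout=1.0)}")
```

Against a real deployment, `probe_server("192.168.20.130", 443)` with the report's address and port is the check: "hung" reproduces the bug, "closed" or "responded" means the error path released the connection. The decoded hello offers six cipher kinds and no IDEA entry, which matches the `-DOPENSSL_NO_IDEA` in the client's `openssl version -a` output; the parser also rejects a TLS record (first byte 0x16) and a truncated SSLv2 record, so the same routine can sort a capture into well-formed legacy hellos and malformed input.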
