[ 
https://issues.apache.org/jira/browse/TS-3249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14266746#comment-14266746
 ] 

Susan Hinrichs commented on TS-3249:
------------------------------------

I think the folks on chat were misunderstanding your intent.  You are just 
changing from the default openssl crypto engine to your new engine.  Not trying 
to replace the openssl interface with an alternative, correct?  So in theory 
there should be no ATS code change to support you.  But it appears there is a 
bug someplace.

Could you share your openssl.conf file?  And possibly your crypto engine so I 
can reproduce your environment?

> OpenSSL Engine with ATS
> -----------------------
>
>                 Key: TS-3249
>                 URL: https://issues.apache.org/jira/browse/TS-3249
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Sassy Natan
>             Fix For: sometime
>
>         Attachments: xUntitled.png
>
>
> Hi,
> I'm developing some C++ code to include a new engine support under openssl. 
> If you look into the openssl command you will find something like
> "openssl engine -t -v"
> This will print the known openssl engines your system is currently working 
> with. You can change the default or add a new engine support by configuring the 
> /etc/ssl/openssl.cnf file, depending on your Linux version. (I used Ubuntu.)
> Anyway, my own engine is already working with Apache Web Server (using 
> SSLCryptoDevice), same as Nginx, HAProxy and OpenSSH.
> Testing it with ATS failed.
> I compiled the code myself, included the debug information and tested it with GDB.
> {code}
> [Dec 18 15:05:37.693] Server {0x7ffff1199700} DEBUG: (ssl) advertising 
> protocol http/1.0
> [Dec 18 15:05:37.693] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0000910 where: 8193 ret: 1
> [Dec 18 15:05:37.693] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0000910 where: 8193 ret: 1
> [Dec 18 15:05:37.700] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0000910 where: 8193 ret: 1
> [Dec 18 15:05:37.700] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0000910 where: 8193 ret: 1
> [Dec 18 15:05:37.700] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0000910 where: 8193 ret: 1
> [Dec 18 15:05:37.701] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0000910 where: 8194 ret: -1
> [Dec 18 15:05:37.701] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0000910 where: 8194 ret: -1
> [Dec 18 15:05:37.701] Server {0x7ffff1199700} DEBUG: 
> <SSLNetVConnection.cc:574 (sslServerHandShakeEvent)> (ssl) SSL handshake 
> error: SSL_ERROR_WANT_READ (2), errno=11
> [Dec 18 15:05:37.701] Server {0x7ffff1199700} DEBUG: (ssl) 
> [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7fffe8017ae0
> [Dec 18 15:05:37.701] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 16 ret: 1
> [Dec 18 15:05:37.701] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8193 ret: 1
> [Dec 18 15:05:37.701] Server {0x7ffff1199700} DEBUG: (ssl) 
> ssl_servername_callback ssl=0x7fffe0016ba0 ad=112 lookup=0x11df720 
> server=(null) handshake_complete=0
> [Dec 18 15:05:37.701] Server {0x7ffff1199700} DEBUG: (ssl) 
> ssl_servername_callback found SSL context 0x11e0ad0 for requested name 
> '(null)'
> [Dec 18 15:05:37.701] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8193 ret: 1
> [Dec 18 15:05:37.701] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8193 ret: 1
> [Dec 18 15:05:37.701] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8193 ret: 1
> [Dec 18 15:05:37.708] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8193 ret: 1
> [Dec 18 15:05:37.708] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8193 ret: 1
> [Dec 18 15:05:37.708] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8193 ret: 1
> [Dec 18 15:05:37.708] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8194 ret: -1
> [Dec 18 15:05:37.708] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8194 ret: -1
> [Dec 18 15:05:37.708] Server {0x7ffff1199700} DEBUG: 
> <SSLNetVConnection.cc:574 (sslServerHandShakeEvent)> (ssl) SSL handshake 
> error: SSL_ERROR_WANT_READ (2), errno=11
> [Dec 18 15:05:37.881] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0000910 where: 16388 ret: 563
> [Dec 18 15:05:37.881] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0000910 where: 8194 ret: 0
> [Dec 18 15:05:37.881] Server {0x7ffff1199700} DEBUG: (ssl) 
> SSL::140737238374144:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert 
> decrypt error:s3_pkt.c:1260:SSL alert number 51: peer address is 172.16.0.2
> [Dec 18 15:05:37.881] Server {0x7ffff1199700} DEBUG: 
> <SSLNetVConnection.cc:574 (sslServerHandShakeEvent)> (ssl) SSL handshake 
> error: SSL_ERROR_SSL (1), errno=0
> [Dec 18 15:05:37.890] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 16388 ret: 563
> [Dec 18 15:05:37.891] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8194 ret: 0
> [Dec 18 15:05:37.891] Server {0x7ffff1199700} DEBUG: (ssl) 
> SSL::140737238374144:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert 
> decrypt error:s3_pkt.c:1260:SSL alert number 51: peer address is 172.16.0.2
> [Dec 18 15:05:37.891] Server {0x7ffff1199700} DEBUG: 
> <SSLNetVConnection.cc:574 (sslServerHandShakeEvent)> (ssl) SSL handshake 
> error: SSL_ERROR_SSL (1), errno=0
> [Dec 18 15:05:38.066] Server {0x7ffff1199700} DEBUG: (ssl) 
> [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7fffe8017ae0
> [Dec 18 15:05:38.066] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 16 ret: 1
> [Dec 18 15:05:38.066] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8193 ret: 1
> [Dec 18 15:05:38.066] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 16392 ret: 598
> [Dec 18 15:05:38.066] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8194 ret: -1
> [Dec 18 15:05:38.066] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info 
> ssl: 0x7fffe0016ba0 where: 8194 ret: -1
> [Dec 18 15:05:38.066] Server {0x7ffff1199700} DEBUG: (ssl) 
> SSL::140737238374144:error:140A1175:SSL 
> routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback:ssl_lib.c:1501: peer 
> address is 172.16.0.2
> [Dec 18 15:05:38.066] Server {0x7ffff1199700} DEBUG: 
> <SSLNetVConnection.cc:574 (sslServerHandShakeEvent)> (ssl) SSL handshake 
> error: SSL_ERROR_SSL (1), errno=0
> {code}
> I was trying to get some help via the IRC channel (see the attached png). Any 
> idea what can be done?
> I'm willing to write a patch - but will need some guidelines here....
> Thank You
> Sassy



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
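
The `where` and `ret` numbers on the `ssl_callback_info` lines of the quoted log can be decoded to show which handshake step and which TLS alert each record refers to. The following is an added example, not part of the original message or of ATS; it assumes the log prints the raw arguments of OpenSSL's info callback, uses the bit values from OpenSSL's `ssl.h`, and its helper names are made up here. The sample records are copied from the log above in their wrapped, quoted form.

```python
import re

# Bits of the info callback's `where` argument, from OpenSSL's <openssl/ssl.h>.
WHERE_BITS = {0x1000: "CONNECT", 0x2000: "ACCEPT", 0x4000: "ALERT",
              0x01: "LOOP", 0x02: "EXIT", 0x04: "READ", 0x08: "WRITE",
              0x10: "HANDSHAKE_START", 0x20: "HANDSHAKE_DONE"}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
# Subset of the TLS alert registry (RFC 5246; 86 is from RFC 7507).
ALERT_DESC = {0: "close_notify", 20: "bad_record_mac", 40: "handshake_failure",
              51: "decrypt_error", 80: "internal_error", 86: "inappropriate_fallback"}

STAMP = re.compile(r"^\[\w{3} +\d+ \d\d:\d\d:\d\d\.\d+\]")
INFO = re.compile(r"ssl_callback_info\s+ssl:\s+(0x[0-9a-f]+)\s+where:\s+(\d+)\s+ret:\s+(-?\d+)")

def unwrap(text):
    # Strip mail quoting ("> ") and rejoin records the mailer wrapped.
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if STAMP.match(line):
            records.append(line)
        elif records and line:
            records[-1] += " " + line
    return records

def decode(where, ret):
    # Returns (flag names, alert); alert is (level, description) or None.
    flags = [name for bit, name in sorted(WHERE_BITS.items()) if where & bit]
    alert = None
    if where & 0x4000:  # SSL_CB_ALERT: ret packs (level << 8) | description
        alert = (ALERT_LEVEL.get(ret >> 8, ret >> 8),
                 ALERT_DESC.get(ret & 0xFF, ret & 0xFF))
    return flags, alert

def decode_log(text):
    hits = (INFO.search(rec) for rec in unwrap(text))
    return [(m.group(1), *decode(int(m.group(2)), int(m.group(3)))) for m in hits if m]

# Records copied from the quoted log above, still wrapped and quoted.
SAMPLE = """\
> [Dec 18 15:05:37.701] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info
> ssl: 0x7fffe0016ba0 where: 8193 ret: 1
> [Dec 18 15:05:37.708] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info
> ssl: 0x7fffe0016ba0 where: 8194 ret: -1
> [Dec 18 15:05:37.881] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info
> ssl: 0x7fffe0000910 where: 16388 ret: 563
> [Dec 18 15:05:38.066] Server {0x7ffff1199700} DEBUG: (ssl) ssl_callback_info
> ssl: 0x7fffe0016ba0 where: 16392 ret: 598
"""
```

Calling `decode_log(SAMPLE)` shows that the record with `where: 16388` is a fatal `decrypt_error` alert read from the peer and the one with `where: 16392` is a fatal `inappropriate_fallback` alert written by the server, matching the two OpenSSL error strings in the log.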