[ https://issues.apache.org/jira/browse/TS-718?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on TS-718 started by Zhao Yongming. > can not reuse SSL connections on RHEL5/CentOS5 > ---------------------------------------------- > > Key: TS-718 > URL: https://issues.apache.org/jira/browse/TS-718 > Project: Traffic Server > Issue Type: Bug > Components: SSL > Affects Versions: 2.1.7 > Environment: RHEL5 system with TS 2.1.6 2.1.7 > compared with Apache httpd > Reporter: Zhao Yongming > Assignee: Zhao Yongming > Fix For: 2.1.8 > > > when with apache httpd default mod_ssl: > {noformat} > [root@ts1 httpd]# echo | openssl s_client -reconnect -connect localhost:443 > 2>&1 > CONNECTED(00000003) > depth=0 > /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=r...@ts1.test.cnz.alimama.com > verify error:num=18:self signed certificate > verify return:1 > depth=0 > /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=r...@ts1.test.cnz.alimama.com > verify return:1 > --- > Certificate chain > 0 > s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=r...@ts1.test.cnz.alimama.com > > i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=r...@ts1.test.cnz.alimama.com > --- > Server certificate > -----BEGIN CERTIFICATE----- > MIIDSzCCArSgAwIBAgICUWcwDQYJKoZIhvcNAQEFBQAwgcExCzAJBgNVBAYTAi0t > MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK > DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV > bml0MSEwHwYDVQQDDBh0czEudGVzdC5jbnouYWxpbWFtYS5jb20xLDAqBgkqhkiG > 9w0BCQEWHXJvb3RAdHMxLnRlc3QuY256LmFsaW1hbWEuY29tMB4XDTExMDMyNDEw > Mjk1MVoXDTEyMDMyMzEwMjk1MVowgcExCzAJBgNVBAYTAi0tMRIwEAYDVQQIDAlT > b21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQKDBBTb21lT3JnYW5p > emF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxVbml0MSEwHwYDVQQD > DBh0czEudGVzdC5jbnouYWxpbWFtYS5jb20xLDAqBgkqhkiG9w0BCQEWHXJvb3RA > dHMxLnRlc3QuY256LmFsaW1hbWEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB > iQKBgQDg0xr6MMfTUooenmxTyXiaSiHMfrkbGGhjgE0slP1iWfBf62Qal1daSSb8 > hSSFCZI78RWAp/bcadHGPo43xDWBmohLyTnlWksKKcbSJ9atdijC2L2CJNXiWgKC > cu+2jOTLAw0YJVOufuJmm8QaqmHl4y3UGE626VDN8lPGBCrQcwIDAQABo1AwTjAd > BgNVHQ4EFgQUIAfaVLkaRWgWp+zxPtp0bWfbbsgwHwYDVR0jBBgwFoAUIAfaVLka > RWgWp+zxPtp0bWfbbsgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA1 > qYMZB0MuCQz2yCAx25C3+UtoZuxdmQxekmOPjtRAm2CRccW7r0ne57BcVU79Qk2s > 6KTU4fO7lJ1tz49ZkX5zts5WuqsWDSb4cfyDb3ybubcZwUu+eSkqVkx/7GAuVgcl > weoLXdgpQ779T45SovOR212BXQpYI0piMDNIB9p0mA== > -----END CERTIFICATE----- > subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=r...@ts1.test.cnz.alimama.com > issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ts1.test.cnz.alimama.com/emailAddress=r...@ts1.test.cnz.alimama.com > --- > No client certificate CA names sent > --- > SSL handshake has read 1418 bytes and written 319 bytes > --- > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA > Server public key is 1024 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > SSL-Session: > Protocol : TLSv1 > Cipher : DHE-RSA-AES256-SHA > Session-ID: > 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B > Session-ID-ctx: > Master-Key: > 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA > Key-Arg : None > Krb5 Principal: None > Start Time: 1300962675 > Timeout : 300 (sec) > Verify return code: 18 (self signed certificate) > --- > drop connection and then reconnect > CONNECTED(00000003) > --- > Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA > Secure Renegotiation IS supported > Compression: zlib compression > Expansion: zlib compression > SSL-Session: > Protocol : TLSv1 > Cipher : DHE-RSA-AES256-SHA > Session-ID: > 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B > Session-ID-ctx: > Master-Key: > 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA > Key-Arg : None > Krb5 Principal: None > Compression: 1 (zlib compression) > Start Time: 1300962675 > Timeout : 300 (sec) > Verify return code: 18 (self signed certificate) > --- > drop connection and then reconnect > CONNECTED(00000003) > --- > Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA > Secure Renegotiation IS supported > Compression: zlib compression > Expansion: zlib compression > SSL-Session: > Protocol : TLSv1 > Cipher : DHE-RSA-AES256-SHA > Session-ID: > 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B > Session-ID-ctx: > Master-Key: > 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA > Key-Arg : None > Krb5 Principal: None > Compression: 1 (zlib compression) > Start Time: 1300962675 > Timeout : 300 (sec) > Verify return code: 18 (self signed certificate) > --- > drop connection and then reconnect > CONNECTED(00000003) > --- > Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA > Secure Renegotiation IS supported > Compression: zlib compression > Expansion: zlib compression > SSL-Session: > Protocol : TLSv1 > Cipher : DHE-RSA-AES256-SHA > Session-ID: > 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B > Session-ID-ctx: > Master-Key: > 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA > Key-Arg : None > Krb5 Principal: None > Compression: 1 (zlib compression) > Start Time: 1300962675 > Timeout : 300 (sec) > Verify return code: 18 (self signed certificate) > --- > drop connection and then reconnect > CONNECTED(00000003) > --- > Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA > Secure Renegotiation IS supported > Compression: zlib compression > Expansion: zlib compression > SSL-Session: > Protocol : TLSv1 > Cipher : DHE-RSA-AES256-SHA > Session-ID: > 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B > Session-ID-ctx: > Master-Key: > 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA > Key-Arg : None > Krb5 Principal: None > Compression: 1 (zlib compression) > Start Time: 1300962675 > Timeout : 300 (sec) > Verify return code: 18 (self signed certificate) > --- > drop connection and then reconnect > CONNECTED(00000003) > --- > Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA > Secure Renegotiation IS supported > Compression: zlib compression > Expansion: zlib compression > SSL-Session: > Protocol : TLSv1 > Cipher : DHE-RSA-AES256-SHA > Session-ID: > 8A72957E09AF60AD3807C1D06CE3F9BD88914886B7F1F646B03E8BDA783FAB8B > Session-ID-ctx: > Master-Key: > 42808C5CDF016480F1BC7FF6F764A4886886E430F8E23400D82A9E6A6DE377A30369541E52BA06E1DC878F18DAFC2ECA > Key-Arg : None > Krb5 Principal: None > Compression: 1 (zlib compression) > Start Time: 1300962675 > Timeout : 300 (sec) > Verify return code: 18 (self signed certificate) > --- > DONE > {noformat} > it works fine, but when using TS: > {noformat} > [root@ts1 httpd]# echo | openssl s_client -reconnect -connect localhost:443 > 2>&1 > CONNECTED(00000003) > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=20:unable to get local issuer certificate > verify return:1 > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=27:certificate not trusted > verify return:1 > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=21:unable to verify the first certificate > verify return:1 > --- > Certificate chain > 0 > s:/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > > i:/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ca.ZYMLinux.net/emailAddress=c...@zymlinux.net > --- > Server certificate > -----BEGIN CERTIFICATE----- > MIIGHTCCBAWgAwIBAgIBDDANBgkqhkiG9w0BAQUFADCBjzELMAkGA1UEBhMCQ04x > EDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0JlaWppbmcxFTATBgNVBAoTDFpZ > TUxpbnV4Lm5ldDELMAkGA1UECxMCQ0ExGDAWBgNVBAMTD2NhLlpZTUxpbnV4Lm5l > dDEeMBwGCSqGSIb3DQEJARYPY2FAWllNTGludXgubmV0MB4XDTExMDMwODAyNDMx > MFoXDTEyMDMwNzAyNDMxMFowgaExCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlq > aW5nMRAwDgYDVQQHEwdCZWlqaW5nMRUwEwYDVQQKEwxaWU1MaW51eC5uZXQxCzAJ > BgNVBAsTAkNBMSEwHwYDVQQDExh0czMudGVzdC5jbnouYWxpbWFtYS5jb20xJzAl > BgkqhkiG9w0BCQEWGHRzMy50ZXN0LmNuei5hbGltYW1hLmNvbTCCASIwDQYJKoZI > hvcNAQEBBQADggEPADCCAQoCggEBAK1wb18KVJCJM0hdr4xzVIvoVwnWqn4MJ/Kl > o9/FWARJDyymm0RRiU2Enfd+BS7Bj4SJZ8TAhS6PoPD9vK1Sua/Pt3IYPRF9CL89 > jIf5tAXwjCFZhnswhs1HskrtPnOzjbl7H/qFBdNGMvZytPrGxzCsBeXnJsn21M1U > WVn4sgSSBx/vS2H4BZXSyKihq205seDUt6u6L7S0KuDWFRFmBvWkoeaJktS3vyc3 > o1e5B9emVa3scmnIYwrrznA5rNr+gd0EEwaCYNG8zamWF3WnWMMX/LPZhKddjwBh > 5DrcfDEM+Io9gvzfjgc7httyNF4dJxUbQ1gyE9PvIlsQI15ClvcCAwEAAaOCAW4w > ggFqMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMCsGCWCGSAGG+EIBDQQe > FhxUaW55Q0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSJmPPFTTmt > BX9nH55uSiQ4eiCubTCBvAYDVR0jBIG0MIGxgBQbuyvDvYMO2DZ8QnANQf13Y2po > PKGBlaSBkjCBjzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNV > BAcTB0JlaWppbmcxFTATBgNVBAoTDFpZTUxpbnV4Lm5ldDELMAkGA1UECxMCQ0Ex > GDAWBgNVBAMTD2NhLlpZTUxpbnV4Lm5ldDEeMBwGCSqGSIb3DQEJARYPY2FAWllN > TGludXgubmV0ggEAMBoGA1UdEgQTMBGBD2NhQFpZTUxpbnV4Lm5ldDAjBgNVHREE > HDAagRh0czMudGVzdC5jbnouYWxpbWFtYS5jb20wDQYJKoZIhvcNAQEFBQADggIB > AAWHF+E7cQu37DSU2RA3aSEjKN0wixzCcDjQvBRl4lP+r56UcPbJSV264uKqIMRZ > Vq4Sp0haE1NOYrS+vq7+Ws0hnuXaKysNOwcwia2Epi4AHcb81Ou6RLWP5ClVoL/o > 2HCzx4wwJsVTP5dHktYYFjUk6rv9bvOl0ESyBtyGKHeG+Vuj+27ZshV3H1IRAgdE > nfUx85hEjVbUmvuWFIE6sw92YnXTFFCSzMjpqU8+fHdd0KQ2z9UBY9KaRhjf57se > oqcQzJGSV67qqJNiIuBLAQJC/5090m+LwDuAm9abRFF/Qz8MZp7ZoxEG8KoqBAXg > 3qkNo1e4uQEhlDk9ttMR/BSi9iRxH95EBay0zWWKfrJ+S4zR2cI8/B0hTg42N/Ek > rbeszX4NEu3MZTfxuOwDoQkStHl6Wwe9/DMrqXtn2LyFTSxSOZwTsQCGT0Gxdvvo > e9DM/tTzwttwzWQhcgWv0rpv4T5amGckDtou2cAaSQtpUZ84+HUvIA/2PCUf8vs7 > gdkppnxUwemG/KDtqlX9MmTn6hNm3YgbQHPukNX8Mj8YCRAwP65yeZyxI/uysHtn > yoW/dEVqfud0/KnkJD5Bxz3RlOvj0Bg6mqbCB3siDvaLA9TfMbMGnMCbkJ282Kdh > TxeXEoP7oSznRJwTLeYaDBuz7TypMz/6FZ3DJXGjq00O > -----END CERTIFICATE----- > subject=/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > issuer=/C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ca.ZYMLinux.net/emailAddress=c...@zymlinux.net > --- > No client certificate CA names sent > --- > SSL handshake has read 1738 bytes and written 447 bytes > --- > New, TLSv1/SSLv3, Cipher is AES256-SHA > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > SSL-Session: > Protocol : TLSv1 > Cipher : AES256-SHA > Session-ID: > 4655CB9C20336F697635D635BA10C454B4CAF65CE6965B74D88053A8930F49D7 > Session-ID-ctx: > Master-Key: > B570F0491201E31F6E69A9BD7B0308B628FEB841F2F296F67D48A74D539B54C617E31ACE9A8665893F07B7531908928F > Key-Arg : None > Krb5 Principal: None > Start Time: 1300962759 > Timeout : 300 (sec) > Verify return code: 21 (unable to verify the first certificate) > --- > drop connection and then reconnect > CONNECTED(00000003) > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=20:unable to get local issuer certificate > verify return:1 > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=27:certificate not trusted > verify return:1 > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=21:unable to verify the first certificate > verify return:1 > --- > New, TLSv1/SSLv3, Cipher is AES256-SHA > Secure Renegotiation IS supported > Compression: zlib compression > Expansion: zlib compression > SSL-Session: > Protocol : TLSv1 > Cipher : AES256-SHA > Session-ID: > 9A2259F250116E51D7E02D6930EA66F597955A9817B50D902FD60A146884B89E > Session-ID-ctx: > Master-Key: > 786BC54F416400E75D3817883618579FADE6EC2654DF97E8D6E862920198641EBE0BA5C3C71831972FC5A5286D4CE983 > Key-Arg : None > Krb5 Principal: None > Compression: 1 (zlib compression) > Start Time: 1300962759 > Timeout : 300 (sec) > Verify return code: 21 (unable to verify the first certificate) > --- > drop connection and then reconnect > CONNECTED(00000003) > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=20:unable to get local issuer certificate > verify return:1 > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=27:certificate not trusted > verify return:1 > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=21:unable to verify the first certificate > verify return:1 > --- > New, TLSv1/SSLv3, Cipher is AES256-SHA > Secure Renegotiation IS supported > Compression: zlib compression > Expansion: zlib compression > SSL-Session: > Protocol : TLSv1 > Cipher : AES256-SHA > Session-ID: > 1D0DD5DD06E9C2D1190EA13D89D7C5908E82A7DBEC96CFA85975A5643BC7F7AB > Session-ID-ctx: > Master-Key: > A409F56F9AD1155B4D194B7B42B4A3E93A65F75E44B38C1A33A8A51EBA747FF6E6BF9E36241C8422DC5F414E21183F3E > Key-Arg : None > Krb5 Principal: None > Compression: 1 (zlib compression) > Start Time: 1300962759 > Timeout : 300 (sec) > Verify return code: 21 (unable to verify the first certificate) > --- > drop connection and then reconnect > CONNECTED(00000003) > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=20:unable to get local issuer certificate > verify return:1 > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=27:certificate not trusted > verify return:1 > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=21:unable to verify the first certificate > verify return:1 > --- > New, TLSv1/SSLv3, Cipher is AES256-SHA > Secure Renegotiation IS supported > Compression: zlib compression > Expansion: zlib compression > SSL-Session: > Protocol : TLSv1 > Cipher : AES256-SHA > Session-ID: > A6FF45E425461DEB031419FE72EC5674A448450BA197FECE8CC27A58CAD0ED55 > Session-ID-ctx: > Master-Key: > 3C5696BCC95BE15B2352F157340F70E7AA13CE6AA5A07D1F606A617380603D72FB856907511DF168A919ED023FF76BD0 > Key-Arg : None > Krb5 Principal: None > Compression: 1 (zlib compression) > Start Time: 1300962759 > Timeout : 300 (sec) > Verify return code: 21 (unable to verify the first certificate) > --- > drop connection and then reconnect > CONNECTED(00000003) > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=20:unable to get local issuer certificate > verify return:1 > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=27:certificate not trusted > verify return:1 > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=21:unable to verify the first certificate > verify return:1 > --- > New, TLSv1/SSLv3, Cipher is AES256-SHA > Secure Renegotiation IS supported > Compression: zlib compression > Expansion: zlib compression > SSL-Session: > Protocol : TLSv1 > Cipher : AES256-SHA > Session-ID: > 90A1D6EE36998F47A335578819698EE57933DB788C430D617C8B07E7872D011E > Session-ID-ctx: > Master-Key: > 87ED7181AFE13C8A36A5A6A2A9E9912C1E4AADED0053C3F03ADC9E01D9548A4D791A1B4EACB20851585F730E455677E4 > Key-Arg : None > Krb5 Principal: None > Compression: 1 (zlib compression) > Start Time: 1300962759 > Timeout : 300 (sec) > Verify return code: 21 (unable to verify the first certificate) > --- > drop connection and then reconnect > CONNECTED(00000003) > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=20:unable to get local issuer certificate > verify return:1 > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=27:certificate not trusted > verify return:1 > depth=0 > /C=CN/ST=Beijing/L=Beijing/O=ZYMLinux.net/OU=CA/CN=ts3.test.cnz.alimama.com/emailAddress=ts3.test.cnz.alimama.com > verify error:num=21:unable to verify the first certificate > verify return:1 > --- > New, TLSv1/SSLv3, Cipher is AES256-SHA > Secure Renegotiation IS supported > Compression: zlib compression > Expansion: zlib compression > SSL-Session: > Protocol : TLSv1 > Cipher : AES256-SHA > Session-ID: > DB52C8DA3A369E05DB5E8A21ED0B7A931AC235651EDF6FFE85F21D5F0452CBF2 > Session-ID-ctx: > Master-Key: > 90E093DB76E39DA4A534EE73F2EB87CA48B1BC5B2E1D017C0D0ADED02F151A80802729ADEA0DAF54EF6F271413B1E522 > Key-Arg : None > Krb5 Principal: None > Compression: 1 (zlib compression) > Start Time: 1300962759 > Timeout : 300 (sec) > Verify return code: 21 (unable to verify the first certificate) > --- > DONE > {noformat} > also tested TS on other distribution, works without error: > gentoo: > {noformat} > zymtest1 trafficserver # echo | openssl s_client -reconnect -connect > zymtest1.corp.aliyk.com:443 2>&1 | grep Reused > Reused, TLSv1/SSLv3, Cipher is AES256-SHA > Reused, TLSv1/SSLv3, Cipher is AES256-SHA > Reused, TLSv1/SSLv3, Cipher is AES256-SHA > Reused, TLSv1/SSLv3, Cipher is AES256-SHA > Reused, TLSv1/SSLv3, Cipher is AES256-SHA > {noformat} -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira