On 16.04.2015 at 13:50, Susan Hinrichs wrote:
I just tried "ab" against my dev master build without problems. I have SSLv3 disabled. It ended up negotiating tlsv1.2. I saw one error about protocol mismatch while I was playing around.
interesting
I also ran the ssllabs tests against docs.trafficserver.apache.org which is fronted by an ATS server. The only client handshake error it reported was IE6 on winXP (since SSLv3 is disabled).
ssllabs is just fine; for now only "ab" from the httpd-tools is broken. As well, I face random handshake errors from an httpd running as a proxy in front of our ATS on a client side (difficult reasons for that chaining).
Can you give details about your configuration? We must be doing something different.
* Fedora 20 x86_64
* ATS 5.2.1
* openssl-1.0.1e-42.fc20

The certificate is an RSA4096 SHA256 wildcard, the same as on https://secure.thelounge.net/ which is running httpd, while https://www.thelounge.net/ is running ATS in front.

cat records.config | grep ssl
CONFIG proxy.config.http.server_ports STRING 80 443:ssl
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.SSLv2 INT 1
CONFIG proxy.config.ssl.client.SSLv3 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.server.dhparams_file STRING /etc/trafficserver/ssl/dhparams.pem
On 4/16/2015 6:31 AM, Reindl Harald wrote:

On 16.04.2015 at 13:22, Susan Hinrichs wrote:

Are you seeing actual failed connections? Or is ATS just logging more intermediate error cases than httpd?

It is just impossible to use "ab" against an ATS, see the difference below, and when you run https://www.ssllabs.com/ssltest/ against both sites you see SSL2/SSL3 disabled on both; that pretty surely affects other older clients as well, not only "ab", for no good reasons.

__________________________________________________________
[harry@rh:~]$ ab -n 1 https://www.thelounge.net/
This is ApacheBench, Version 2.3 <$Revision: 1638069 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.thelounge.net (be patient)...SSL handshake failed (1).
140536880785376:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
..done
__________________________________________________________
[harry@rh:~]$ ab -n 1 https://secure.thelounge.net/
This is ApacheBench, Version 2.3 <$Revision: 1638069 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking secure.thelounge.net (be patient).....done

Server Software:
Server Hostname:        secure.thelounge.net
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,4096,128
__________________________________________________________

On 4/16/2015 6:13 AM, Reindl Harald wrote:

On 16.04.2015 at 13:08, Neddy, NH. Nam wrote:

Yeah, it's been a long time: https://issues.apache.org/jira/browse/TS-2402

"SSL v3 is disabled" is a completely different story than breaking client handshakes; as said, *all* our services have SSL3 disabled and you can benchmark an httpd server without any issues with "ab".

On Thu, Apr 16, 2015 at 4:57 PM, Reindl Harald <[email protected]> wrote:

Why is it still an issue doing a benchmark to an ATS server with "ab -c 100 -n 20000 https://traffic-server-site/" while the same works just fine when the server is a normal httpd with SSLv3 also disabled?

140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
SSL handshake failed (1).
140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770
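The thread compares two front ends (httpd on secure.thelounge.net, ATS on www.thelounge.net) serving the same wildcard certificate, and "ab" only fails against one of them with "sslv3 alert handshake failure". The following is an added diagnostic example; it is not code from this thread or from the Traffic Server project. It first decodes the OpenSSL error line that "ab" printed (library, function and reason codes packed into the hex number; reason codes of 1000 and above in libssl mean the peer sent TLS alert N, so 1040 is alert 40, handshake_failure, i.e. the server actively rejected the ClientHello rather than a network problem). It then repeats a real handshake against a host for each TLS version, with and without SNI, so the two servers can be compared one combination at a time. The host and port are parameters you supply; the sample error line is copied from the thread above.

```python
"""Decode an OpenSSL 1.0.x error line and probe a server's handshake behaviour.

Added example for the mailing-list thread; not project code.
"""
import re
import socket
import ssl

# OpenSSL packs an error code as 8-bit library | 12-bit function | 12-bit reason.
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000   # libssl reason codes >= 1000 mean "peer sent alert N"
TLS_ALERT_NAMES = {
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
    70: "protocol_version", 112: "unrecognized_name",
}
ERR_LINE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)")


def decode_openssl_error(line):
    """Return the decoded fields of an 'error:XXXXXXXX:lib:func:reason' line, or None."""
    m = ERR_LINE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    info = {
        "lib": code >> 24,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "lib_name": m.group(2),
        "func_name": m.group(3),
        "reason_text": m.group(4),
        "alert": None,
        "alert_name": None,
    }
    if info["lib"] == ERR_LIB_SSL and info["reason"] >= SSL_AD_REASON_OFFSET:
        info["alert"] = info["reason"] - SSL_AD_REASON_OFFSET
        info["alert_name"] = TLS_ALERT_NAMES.get(info["alert"], "alert_%d" % info["alert"])
    return info


def probe(host, port, version, sni, timeout=5.0):
    """One handshake attempt pinned to a single TLS version; returns an outcome dict."""
    result = {"version": version.name, "sni": sni}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Reachability test only: we want to know whether the server completes the
    # handshake, not whether its certificate chains to the local trust store.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the local policy still offer TLS 1.0/1.1
    except (ValueError, ssl.SSLError):
        result["outcome"] = "unsupported-locally"   # this OpenSSL build cannot speak it
        return result
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
                result.update(outcome="ok", negotiated=tls.version(), cipher=tls.cipher()[0])
    except ssl.SSLError as exc:
        # exc.reason is the libssl reason name, e.g. SSLV3_ALERT_HANDSHAKE_FAILURE
        result.update(outcome="handshake-failed", detail=exc.reason)
    except OSError as exc:
        result.update(outcome="connect-failed", detail=str(exc))
    return result


def handshake_matrix(host, port=443):
    """Every TLS version with and without SNI; run it against both front ends and diff."""
    versions = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
    return [probe(host, port, v, sni) for v in versions for sni in (True, False)]


if __name__ == "__main__":
    import sys
    # Error line copied from the "ab" output in the thread.
    sample = ("140343245031392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
              "sslv3 alert handshake failure:s23_clnt.c:770:")
    print(decode_openssl_error(sample))
    # With a hostname argument, run the live matrix against it (network access needed).
    if len(sys.argv) > 1:
        for row in handshake_matrix(sys.argv[1]):
            print(row)
```

Run it once per front end and compare the rows: a server that answers "ok" with SNI but "handshake-failed" without it, or only for some versions, narrows the problem to certificate selection or to the protocol/cipher set the client offers, which is exactly the distinction between "SSLv3 is disabled" and "the handshake is broken" that the thread is arguing about. Certificate verification is switched off on purpose so that trust-store differences on the probing machine do not mask a handshake-level result.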