
Expired certificate prevents ATS from allowing TLS connections

Open smalenfant opened this issue 1 year ago • 6 comments

I believe the functionality of proxy.config.ssl.server.multicert.exit_on_load_fail INT 0 has been broken by 9163.

This was working well in 8.1.3 and 9.1.3 where a certificate can't prevent ATS from starting TLS properly.

Here's the logs I can see in 9.2.0:

[Mar 17 15:17:59.749] traffic_server NOTE: ssl_multicert.config loading ...
[Mar 17 15:18:02.375] traffic_server ERROR: invalid certificate /opt/trafficserver/etc/trafficserver/ssl/edge_wifi-staging-webview_cdn1_coxlab_net_cert.cer: certificate expired
[Mar 17 15:18:02.375] traffic_server ERROR: /opt/trafficserver/etc/trafficserver/ssl_multicert.config failed to load

When attempting to connect to a different endpoint in the remap, I get the following in the diags.log:

[Mar 17 15:18:02.600] [ET_NET 1] ERROR: SSL::140108205278784:error:0A0000C3:SSL routines::null ssl ctx:ssl/ssl_lib.c:677: peer address is 2001:578:30:9101:68:1:14:151
[Mar 17 15:18:02.602] [ET_NET 1] ERROR: failed to create SSL server session 

An expired certificate should not prevent ATS from serving HTTPS. I also see the same case with a certificate "key" file missing.

The odd behavior is that ATS will still work for HTTP, which might fool a monitoring system into thinking trafficserver is configured properly.

smalenfant avatar Mar 17 '23 15:03 smalenfant

I might understand what's going on here. Would you be able to try a patch later this week? Ping me on slack if you can.

SolidWallOfCode avatar Mar 21 '23 16:03 SolidWallOfCode

I think the issue is the change to not use a "broken" config. This applies to the initial load so any error prevents having a TLS configuration. We might want to tweak this so if it's the initial load, a broken config is used anyway and if that's a problem then the "exit on load failure" should be enabled.

SolidWallOfCode avatar Mar 21 '23 17:03 SolidWallOfCode

Sent patch, waiting on testing.

SolidWallOfCode avatar Mar 21 '23 19:03 SolidWallOfCode

@smalenfant is this still an issue for you, or should we close it?

ywkaras avatar Apr 11 '23 03:04 ywkaras

Just came back from vacation - testing

smalenfant avatar Apr 11 '23 14:04 smalenfant

This issue has been automatically marked as stale because it has not had recent activity. Marking it stale to flag it for further consideration by the community.

github-actions[bot] avatar Apr 11 '24 01:04 github-actions[bot]