apache / trafficserver

Apache Traffic Server™ is a fast, scalable and extensible HTTP/1.1 and HTTP/2 compliant caching proxy server.
https://trafficserver.apache.org/
Apache License 2.0

Outgoing HTTPS connections fail with OpenSSL 3.2+ #11465

Open maskit opened 1 week ago

maskit commented 1 week ago

ATS fails to establish outgoing HTTPS connections if it uses OpenSSL 3.2+.

SocketManager::sendto() returns EINVAL (22) because ats_ip_size(dst) returns 0 here. https://github.com/apache/trafficserver/blob/433bb35e3334e21d7040d23c12bca06e4aa81a95/src/iocore/net/BIO_fastopen.cc#L121-L124

Workaround:

diff --git a/src/iocore/net/SSLNetVConnection.cc b/src/iocore/net/SSLNetVConnection.cc
index 4d0e2d9a2..b088026bf 100644
--- a/src/iocore/net/SSLNetVConnection.cc
+++ b/src/iocore/net/SSLNetVConnection.cc
@@ -209,6 +209,9 @@ SSLNetVConnection::_make_ssl_connection(SSL_CTX *ctx)
   if (likely(this->ssl = SSL_new(ctx))) {
     // Only set up the bio stuff for the server side
     if (this->get_context() == NET_VCONNECTION_OUT) {
+      SSL_set_fd(ssl, this->get_socket());
+
+#if !defined(BIO_SOCK_TFO)
       BIO *bio = BIO_new(const_cast<BIO_METHOD *>(BIO_s_fastopen()));
       BIO_set_fd(bio, this->get_socket(), BIO_NOCLOSE);

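Review bot: the new `SSL_set_fd(ssl, this->get_socket());` runs unconditionally, but on builds where `BIO_SOCK_TFO` is not defined the `SSL_set_bio(ssl, bio, bio);` further down replaces (and frees) the socket BIO that `SSL_set_fd` just attached, so the call is wasted work on those builds. Consider moving it into an `#else` branch of the `#if !defined(BIO_SOCK_TFO)` so that exactly one BIO is attached per configuration, and add a comment stating that `BIO_SOCK_TFO` is being used as the marker for OpenSSL 3.2+, where the custom fastopen BIO's sendto path fails with EINVAL as described in the issue text.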
@@ -217,6 +220,7 @@ SSLNetVConnection::_make_ssl_connection(SSL_CTX *ctx)
       }

       SSL_set_bio(ssl, bio, bio);
+#endif
     } else {
       this->initialize_handshake_buffers();
       BIO *rbio = BIO_new(BIO_s_mem());
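Review bot: with this `#endif`, builds against OpenSSL 3.2+ compile out the fastopen BIO entirely, so outgoing connections on those builds use a plain socket BIO and silently lose TCP Fast Open rather than having the `ats_ip_size(dst)` returning 0 problem in `BIO_fastopen.cc` fixed. That is acceptable for a workaround, but it should be recorded in a comment next to the `#endif` (with a reference to this issue) so the dropped behaviour is not forgotten once the root cause is addressed.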
zwoop commented 1 week ago

This seems like a priority for v10.0.0

ywkaras commented 5 days ago

Verified the problem on Ubuntu. The tls_verify Au test fails.