trafficserver-dev mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: TS_VCONN_PRE_ACCEPT_HOOK and TS_SSL_SNI_HOOK hooks
Date Thu, 14 Jul 2016 05:34:02 GMT

> On Jul 14, 2016, at 2:45 PM, James Peach <jpeach@apache.org> wrote:
> 
> Hi all,
> 
> I'm looking at a plugin that will blind tunnel SSL sessions, so I tried to use both TS_VCONN_PRE_ACCEPT_HOOK and the TS_SSL_SNI_HOOK. AFAICT neither of these work.
> 
> If you use TS_VCONN_PRE_ACCEPT_HOOK, the session just hangs unless you bounce the call to TSVConnReenable through TSContSchedule. Once you do this, curl fails with a SSL record error.
> 
> If you use TS_SSL_SNI_HOOK and call TSVConnTunnel without a TSVConnReenable, you also get a SSL record error. If you call TSVConnReenable, you get a SSL negotiation error (expected since I don't have any certificates).
> 
> I'm going to keep debugging this, but I wondered whether anyone has successfully used these?

OK, the SSL record error is because Traffic Server responds with a clear text 500 error (though
something eats the HTTP response header). We do end up in HttpTransact::HandleBlindTunnel(),
but this bails once it turns out we are not doing inbound transparency. So it looks like these
APIs only work if you are doing transparent networking :-/

J