weixin_39901358
2020-11-28 19:42

Multi Domain SSL Certificate Support

I have a problem with Hitch 1.4.6 that I suspect is due to our x509 InCommon Multi Domain SSL (SHA-2) Certificate. 

I would like to use Hitch, but keep seeing this SSL error: ssl client handshake err=SSL_ERROR_WANT_READ. The only thing that is unusual is we are using a Multi Domain SSL certificate.

cat library.pem

    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAyI/2yWIhNwzy2gnM0o1Vnol7RMXjD1stjYZtUH7GVNLmWmpKBnYyGIVbczk/G1eNyH+LL04WGBozQrlvheGYoFK9r8KLxLUeDeKmB/J5UV/9O8u+
    [some lines removed from this listing]
    0ePUeYyaV1VG53AVtGXUdN7R+uo/r/pZ7SN4BRBoct8O2n3IRlG+ya27BtqMu72B4ygG3h4x303HZt0qwDg4CjrqscqmP7sVikunJtFGQKIcZQ3D11Il
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIF0TCCBLmgAwIBAgIQGuJ9uRjEupEZjObozGQ0RzANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
    [some lines removed from this listing]
    QV4P9sAVc1Y1I/qzhjSMnMb/7m+4uiKkB05/1PbTA8E8wbX2KWFpp4zxZ2eONuTh4iWHCcxZcmPH/M1wZHJ8MTLFZ3opLC44WofEPzdv9RU7HeIA5UnzqHzR0xIx+jeKyfE7ebY=
    -----END CERTIFICATE-----

I consistently see the SSL Error from Hitch. 

Using: hitch --conf=hitch.conf

    20170822T152147.829236 [22482] {core} hitch 1.4.6 starting
    20170822T152147.829281 [22482] {core} Using OpenSSL version 1000105f.
    20170822T152147.830578 [22482] {core} Listening on 0.0.0.0:8443
    20170822T152147.830584 [22482] {core} Loading certificate pem files (1)
    20170822T152147.837737 [22482] {core} Using DH parameters from /etc/hitch/library.pem
    20170822T152147.837753 [22482] {core} DH initialized with 2048 bit key
    20170822T152147.837800 [22482] {core} ECDH Initialized with NIST P-256
    20170822T152147.838084 [22482] {core} Loaded cached OCSP staple for cert '/etc/hitch/library.pem'
    20170822T152147.838259 [22483] {core} Process 0 online
    20170822T152147.838323 [22483] {core} Successfully attached to CPU #51
    20170822T152147.838328 [22482] {core} hitch 1.4.6 initialization complete
    20170822T152147.838420 [22484] {ocsp} Refresh of OCSP staple for /etc/hitch/library.pem scheduled in 448370 seconds
    20170822T152158.245456 [22483] 130.191.26.2:29395 :0 8:9 proxy connect
    20170822T152158.245477 [22483] 130.191.26.2:29395 :0 8:9 ssl handshake start
    20170822T152158.245491 [22483] 130.191.26.2:29395 :0 8:9 ssl client handshake revents=1
    20170822T152158.249106 [22483] 130.191.26.2:29395 :0 8:9 ssl client handshake err=SSL_ERROR_WANT_READ

This question comes from the open source project: varnish/hitch


5 replies

  • weixin_39934296, 5 months ago

    I see the same as . Any update on this?

  • weixin_39884492, 5 months ago

    Same here

  • weixin_39901358, 5 months ago

    I forgot to mention I get a blank page trying to load the site via Hitch. The browser pauses for a second and displays:

    library.sdsu.edu didn’t send any data. ERR_EMPTY_RESPONSE


  • weixin_39816260, 5 months ago

    I am experiencing this issue as well. Hitch starts up properly. I see PEM files load and OCSP stapling occur, but on making a request to the Hitch proxy I get an ERR_EMPTY_RESPONSE and see an ssl client handshake err=SSL_ERROR_WANT_READ logged.

    This is running hitch 1.4.6 starting inside a Docker container with Alpine Linux 3.7 as the base image and using OpenSSL version 100020ef.

  • weixin_39559079, 5 months ago

    The actual code that triggers this is:

    /* Hitch: libev callback invoked when the client-facing socket is ready
     * while the TLS handshake is still in progress (fragment of hitch.c). */
    static void
    client_handshake(struct ev_loop *loop, ev_io *w, int revents)
    {
        (void)revents;
        int t;
        const char *errtok;
        proxystate *ps;
        int errno_val;

        CAST_OBJ_NOTNULL(ps, w->data, PROXYSTATE_MAGIC);

        LOGPROXY(ps,"ssl client handshake revents=%x\n",revents);
        /* Drive the non-blocking handshake one step; 1 means it completed. */
        t = SSL_do_handshake(ps->ssl);
        if (t == 1) {
                end_handshake(ps);
        } else {
                /* Save errno before any other call can clobber it. */
                errno_val = errno;
                int err = SSL_get_error(ps->ssl, t);
                /* Map the numeric OpenSSL error to its symbolic name for the
                 * log line; the case list is generated from ssl_err.h. */
                switch (err) {
    #define SSL_ERR(a)                          \
                        case a: errtok = #a; break;
    #include "ssl_err.h"
    #undef SSL_ERR
                default:
                        errtok = "<undefined>";
                }

                LOGPROXY(ps,"ssl client handshake err=%s\n",errtok);
                if (err == SSL_ERROR_WANT_READ) {
                        /* OpenSSL needs more bytes from the peer: stop
                         * waiting for writability, wait for readability. */
                        ev_io_stop(loop, &ps->ev_w_handshake);
                        ev_io_start(loop, &ps->ev_r_handshake);
                } else if (err == SSL_ERROR_WANT_WRITE) {
                        /* OpenSSL has bytes to send: wait for writability. */
                        ev_io_stop(loop, &ps->ev_r_handshake);
                        ev_io_start(loop, &ps->ev_w_handshake);
                } else if (err == SSL_ERROR_ZERO_RETURN) {
                        /* Peer sent close_notify mid-handshake. */
                        LOG("{%s} Connection closed (in handshake)\n",
                            w->fd == ps->fd_up ? "client" : "backend");
                        shutdown_proxy(ps, SHUTDOWN_SSL);
                } else if (err == SSL_ERROR_SYSCALL) {
                        /* Underlying socket error; report the saved errno. */
                        LOG("{%s} SSL socket error in handshake: %s\n",
                            w->fd == ps->fd_up ? "client" : "backend",
                            strerror(errno_val));
                        shutdown_proxy(ps, SHUTDOWN_SSL);
                } else {
                        /* Protocol-level failure or anything unexpected:
                         * log it and tear the connection down. */
                        if (err == SSL_ERROR_SSL) {
                                log_ssl_error(ps, "Handshake failure");
                        } else {
                                LOG("{%s} Unexpected SSL error "
                                    "(in handshake): %d\n",
                                    w->fd == ps->fd_up ? "client" : "backend",
                                    err);
                        }
                        shutdown_proxy(ps, SHUTDOWN_SSL);
                }
        }
    }

    As you can see, the error is just that OpenSSL wants to read from the socket where the handshake is happening, and that there are no data to be read. OpenSSL returns SSL_ERROR_WANT_READ, and we (Hitch) react by telling ev that it should wait for the socket to be readable. In other words, this is normal, and nothing to worry about. (Please correct me if I am wrong.)

    I am leaving this open so that we can consider changing the logging / documentation in this area.

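The non-blocking handshake state the maintainer describes can be reproduced without a socket at all. The following is an added example, not code from Hitch or from anyone in this thread: it uses Python's ssl module with memory BIOs in place of a socket, takes one step of a client handshake while the peer has sent nothing, and shows that OpenSSL has already queued a ClientHello when it reports WANT_READ. The NEXT_ACTION table mirrors the watcher switching in the Hitch snippet above but is reconstructed here, and the function names, the hostname "example.invalid" and the hypothetical log token are all assumptions of this example.

```python
import ssl

# How Hitch's client_handshake() reacts to each SSL_get_error() result,
# reconstructed from the snippet in this thread (not imported from Hitch).
NEXT_ACTION = {
    "SSL_ERROR_WANT_READ": "wait-readable",    # stop write watcher, start read watcher
    "SSL_ERROR_WANT_WRITE": "wait-writable",   # stop read watcher, start write watcher
    "SSL_ERROR_ZERO_RETURN": "close",          # peer closed during handshake
    "SSL_ERROR_SYSCALL": "close",              # socket error
    "SSL_ERROR_SSL": "close",                  # protocol failure
}


def next_watcher(errtok):
    """Return the event-loop action for a handshake error token; anything
    not in the table is treated as unexpected and closes the connection."""
    return NEXT_ACTION.get(errtok, "close")


def first_handshake_step(server_name="example.invalid"):
    """Take one step of a TLS client handshake while the peer is silent.

    Memory BIOs stand in for a non-blocking socket: 'incoming' holds bytes
    read from the peer (empty here), 'outgoing' holds bytes OpenSSL wants
    sent.  Returns (error_token, bytes_queued_for_peer).
    """
    ctx = ssl.create_default_context()
    incoming = ssl.MemoryBIO()
    outgoing = ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_name)
    try:
        tls.do_handshake()
        return "HANDSHAKE_COMPLETE", outgoing.read()
    except ssl.SSLWantReadError:
        # Same condition Hitch logs as err=SSL_ERROR_WANT_READ: OpenSSL has
        # done what it can and now needs the peer's next bytes.
        return "SSL_ERROR_WANT_READ", outgoing.read()
    except ssl.SSLWantWriteError:
        return "SSL_ERROR_WANT_WRITE", outgoing.read()


HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}


def parse_record_header(data):
    """Decode the 5-byte TLS record header plus the handshake message type,
    so we can see what OpenSSL queued before it asked to wait for reads."""
    if len(data) < 6:
        raise ValueError("truncated TLS record")
    content_type, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    return {
        "content_type": "handshake" if content_type == 22 else str(content_type),
        "version": f"{major}.{minor}",
        "length": length,
        "handshake_type": HANDSHAKE_TYPES.get(data[5], str(data[5])),
    }


if __name__ == "__main__":
    err, queued = first_handshake_step()
    print("handshake step result:", err, "->", next_watcher(err))
    print("queued for peer:", parse_record_header(queued))
```

Running it prints SSL_ERROR_WANT_READ together with a decoded handshake record of type client_hello, which is the point of the maintainer's reply: the error token only says the handshake is waiting on the peer, so its presence in a log line is not by itself evidence of a failure. When diagnosing an empty response like the one reported above, the lines that matter are the ones that follow it (a ZERO_RETURN, SYSCALL or SSL error, or a backend problem after end_handshake), not the WANT_READ itself.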
