Bug 2106749

Summary: The proxy.config.ssl.server.cipher_suite was replaced.
Product: [Fedora] Fedora EPEL
Reporter: Frost <frostnotfall>
Component: trafficserver
Assignee: Jered Floyd <jered>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: epel7
CC: jered, zrhoffman
Hardware: All
OS: Linux
Fixed In Version: 9.1.2-9 trafficserver-9.1.2-9.el7
Last Closed: 2022-07-22 17:51:22 UTC
Type: Bug

Description Frost 2022-07-13 13:00:21 UTC
The EPEL packaging replaces proxy.config.ssl.server.cipher_suite defaults to use system crypto policies (https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/); however, this feature was not introduced until RHEL 8.

So following the official document "Get started -> Configuring A Reverse Proxy" does not work.

Here is the full log:
[Jun 29 15:12:47.648] traffic_server STATUS: opened /var/log/trafficserver/diags.log
[Jun 29 15:12:47.648] traffic_server NOTE: updated diags config
[Jun 29 15:12:47.695] traffic_server NOTE: storage.config loading ...
[Jun 29 15:12:47.697] traffic_server NOTE: storage.config finished loading
[Jun 29 15:12:47.730] traffic_server NOTE: ip_allow.yaml loading ...
[Jun 29 15:12:47.732] traffic_server NOTE: ip_allow.yaml finished loading
[Jun 29 15:12:47.733] traffic_server NOTE: parent.config loading ...
[Jun 29 15:12:47.733] traffic_server NOTE: parent.config finished loading
[Jun 29 15:12:47.734] traffic_server NOTE: /etc/trafficserver/logging.yaml loading ...
[Jun 29 15:12:47.735] traffic_server NOTE: /etc/trafficserver/logging.yaml finished loading
[Jun 29 15:12:47.737] traffic_server NOTE: logging initialized[3], logging_mode = 3
[Jun 29 15:12:47.737] traffic_server NOTE: Initialized plugin_dynamic_reload_mode: 1
[Jun 29 15:12:47.737] traffic_server NOTE: plugin.config loading ...
[Jun 29 15:12:47.738] traffic_server NOTE: plugin.config finished loading
[Jun 29 15:12:47.741] traffic_server ERROR: SSL::139969208883328:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1383
[Jun 29 15:12:47.741] traffic_server ERROR: invalid client cipher suite in records.config

Here is the build info: (traffic_server -V)
Traffic Server 9.1.2 Jun 15 2022 15:39:22 buildvm-x86-03.iad2.fedoraproject.org
traffic_server: using root directory '/usr'
Apache Traffic Server - traffic_server - 9.1.2 - (build # 061515 on Jun 15 2022 at 15:39:22)


This follows the GitHub issue: https://github.com/apache/trafficserver/issues/8929
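
A check for the "no cipher match" failure in the log above, as an added example that is not part of the original report or of the trafficserver package: it extracts the cipher_suite settings from records.config text and asks the local OpenSSL, through Python's ssl module, whether each string selects any cipher. The sample config lines are constructed, PROFILE=SYSTEM is used as the string the Fedora crypto-policies guideline prescribes, and the check assumes Python and traffic_server link against the same system OpenSSL.

```python
import re
import ssl

# records.config lines have the form:
#   CONFIG <variable> <TYPE> <value>
# Only the two cipher_suite settings named in this report are inspected.
CIPHER_LINE = re.compile(
    r"^\s*CONFIG\s+"
    r"(proxy\.config\.ssl\.(?:server|client)\.cipher_suite)"
    r"\s+STRING\s+(\S+)\s*$"
)


def cipher_string_accepted(cipher_string):
    """Return True if the local OpenSSL selects at least one cipher."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # set_ciphers() wraps SSL_CTX_set_cipher_list, the call that
        # fails in the diags.log excerpt.
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def check_records_config(text):
    """Return (line_no, setting, value, accepted) per cipher_suite line."""
    results = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = CIPHER_LINE.match(line)  # comment lines never match
        if match:
            setting, value = match.groups()
            results.append(
                (line_no, setting, value, cipher_string_accepted(value))
            )
    return results


# Constructed sample, not copied from the packaged records.config.
SAMPLE = """\
# constructed sample
CONFIG proxy.config.ssl.server.cipher_suite STRING PROFILE=SYSTEM
CONFIG proxy.config.ssl.client.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256
"""

if __name__ == "__main__":
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    for line_no, setting, value, ok in check_records_config(SAMPLE):
        verdict = "accepted" if ok else "NO CIPHER MATCH"
        print(f"line {line_no}: {setting} = {value}: {verdict}")
```

Whether PROFILE=SYSTEM is accepted depends on the OpenSSL build on the host; an OpenSSL without crypto-policies support treats it as an unknown cipher name.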

Comment 1 Jered Floyd 2022-07-13 13:12:07 UTC
Thanks for catching this error!

This should be fixed in trafficserver-9.1.2-9 which will be in epel-testing soon. (I am not sure why the build hasn't pushed to the update system yet. You can watch for it here: https://bodhi.fedoraproject.org/updates/?search=trafficserver)

Once it's pushed you can give it a try with:
 yum install trafficserver --enablerepo=epel-testing

This will push to stable in 7 days (unless it gets karma from testing beforehand).

Comment 2 Jered Floyd 2022-07-13 13:18:15 UTC
Ah -- I see that I missed a workflow step.  Pushing to testing now.

Comment 3 Fedora Update System 2022-07-13 13:19:30 UTC
FEDORA-EPEL-2022-4ad5431d31 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-4ad5431d31

Comment 4 Fedora Update System 2022-07-14 02:09:32 UTC
FEDORA-EPEL-2022-4ad5431d31 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-4ad5431d31

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2022-07-22 17:51:22 UTC
FEDORA-EPEL-2022-4ad5431d31 has been pushed to the Fedora EPEL 7 stable repository.
If the problem still persists, please make note of it in this bug report.