trafficserver-users mailing list archives

From Jean Baptiste Favre <webmas...@jbfavre.org>
Subject ATS & SSL termination
Date Wed, 09 Oct 2013 15:08:10 GMT
I'm new to trafficserver.
Using ATS 3.2.5 on Debian 7.0 Wheezy, I need to be able to cache content
from SSL requests.

These requests are made by an internal application against external
services, mostly using HTTPS.
So, my application will be the client and the external services the origin servers.

Using HTTP proxy, requests work but content is not cached which, I
think, is obviously OK since the client will establish a CONNECT tunnel
which makes ATS unable to see the content.

From my understanding, I need to set up SSL termination.
I followed:
http://trafficserver.apache.org/docs/trunk/admin/security-options/#UsingSSLTermination

For now, I use self-signed SSL certificate generated with:
openssl req -x509 -newkey rsa:2048 -keyout keypriv.pem -out cert.pem -days 365

And the passphrase is removed with:
openssl rsa -in keypriv.pem -out key.pem

Between Client & ATS, here's what I use for configuration:

CONFIG proxy.config.http.server_ports STRING 80:ipv4 443:ipv4:ssl
CONFIG proxy.config.http.connect_ports STRING 443 563
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver
CONFIG proxy.config.ssl.server.cert.filename STRING cert.pem
CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver
CONFIG proxy.config.ssl.server.private_key.filename STRING key.pem

Still from my understanding, I don't need any specific option for ATS to
origin server connections since ATS will act as the client and therefore does
not need any certificate.

But, it does not work. Using curl, here's what I get:
curl -vvv -k --proxy https://my_proxy:443 "https://secure.website.tld/"
* About to connect() to proxy my_proxy port 443 (#0)
*   Trying xxx.yyy.uuu.ttt...
* connected
* Connected to my_proxy (xxx.yyy.uuu.ttt) port 443 (#0)
* Establish HTTP proxy tunnel to secure.website.tld:443
> CONNECT secure.website.tld:443 HTTP/1.1
> Host: secure.website.tld:443
> User-Agent: curl/7.26.0
> Proxy-Connection: Keep-Alive
>
* Easy mode waiting response from proxy CONNECT

And here's what I get on ATS side:
Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
Server {0x2b3cb358d700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x2b3cb358d700} ERROR: SSL::7:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:

I bet I missed a point, but can't find which one.

Any help appreciated,
Jean-Baptiste
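Added example (not part of the original message or of ATS): a small Python decoder for the OpenSSL error shown in the log above, plus a re-implementation of the first-bytes check that OpenSSL's SSL23_GET_CLIENT_HELLO performs on a TLS listener. It shows why a plaintext "CONNECT ..." arriving on the SSL port 443 is rejected with "https proxy request" instead of being handled as a tunnel. The reason-code values are OpenSSL library constants, the sample bytes are constructed.

```python
# Added example, not code from the post or from Traffic Server.
# Reproduces the check an OpenSSL server makes on the first bytes it reads:
# a TLS port expects a ClientHello, so plaintext HTTP "CONNECT" on port 443
# is refused with reason "https proxy request" (what the ATS log shows).

TLS_HANDSHAKE = 0x16        # TLS record content type "handshake"
TLS_CLIENT_HELLO = 0x01     # handshake message type "client_hello"
SSLV2_CLIENT_HELLO = 0x01   # SSLv2 message type "client_hello"

# OpenSSL reason codes (library constants, not taken from the post).
SSL_R_HTTPS_PROXY_REQUEST = 155   # low 12 bits of 0x1407609B
SSL_R_HTTP_REQUEST = 156


def decode_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL error code into library, function, reason."""
    return {
        "lib": (code >> 24) & 0xFF,      # 0x14 == ERR_LIB_SSL
        "func": (code >> 12) & 0xFFF,    # 0x076 == SSL23_GET_CLIENT_HELLO
        "reason": code & 0xFFF,          # 0x09B == 155, https proxy request
    }


def classify_first_bytes(data: bytes) -> str:
    """Classify what a client sent first on a TLS port."""
    if len(data) < 7:
        return "unknown"
    # TLS record: type 0x16, major version 3, handshake type byte at offset 5.
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[5] == TLS_CLIENT_HELLO:
        return "tls_client_hello"
    # SSLv2-compatible hello: high bit of the 2-byte length set, then type 1.
    if data[0] & 0x80 and data[2] == SSLV2_CLIENT_HELLO:
        return "sslv2_client_hello"
    # Plaintext HTTP on the TLS port: the situation in the log above.
    if data.startswith(b"CONNECT "):
        return "http_proxy_connect"
    if data.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http_request"
    return "unknown"


def reason_for(data: bytes):
    """OpenSSL reason code raised for plaintext HTTP on a TLS port, else None."""
    kind = classify_first_bytes(data)
    if kind == "http_proxy_connect":
        return SSL_R_HTTPS_PROXY_REQUEST
    if kind == "http_request":
        return SSL_R_HTTP_REQUEST
    return None
```

Running `reason_for(b"CONNECT secure.website.tld:443 HTTP/1.1\r\n")` yields 155, the same reason packed into 1407609B in the ATS log, which ties the failure to the client speaking plain HTTP to the SSL listener rather than to the certificate setup.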
