trafficserver-users mailing list archives

From Jean Baptiste Favre <webmas...@jbfavre.org>
Subject Re: ATS & SSL termination
Date Wed, 09 Oct 2013 16:25:44 GMT
Hello James,
Thanks for your quick reply.

I added the following line to ssl_multicert.config:
dest_ip=* ssl_cert_name=cert.pem ssl_key_name=key.pem

Then I ran /usr/bin/traffic_server -T ssl and got these logs when
launching the curl command:

Server {0x7ffebb655700} DEBUG: (ssl) [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x22574d0
Server {0x7ffebb655700} DEBUG: (ssl) IP context is (nil), default context 0x7ffebc0a5170
Server {0x7ffebb655700} DEBUG: (ssl) SSLNetVConnection::sslServerHandShakeEvent, error
Server {0x7ffebb655700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x7ffebb655700} ERROR: SSL::5:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
Server {0x7ffebb655700} DEBUG: (ssl) SSLNetVConnection::sslServerHandShakeEvent, error
Server {0x7ffebb655700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x7ffebb655700} ERROR: SSL::5:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:

I will continue debugging tomorrow.

Regards,
Jean-Baptiste


On 09/10/2013 17:22, James Peach wrote:
> On Oct 9, 2013, at 8:08 AM, Jean Baptiste Favre <webmaster@jbfavre.org> wrote:
> 
>> I'm new to trafficserver.
>> Using ATS 3.2.5 on Debian 7.0 Wheezy, I need to be able to cache content
>> from SSL requests.
>>
>> These requests are made by an internal application against external
>> services, mostly using HTTPS.
>> So, my application will be the client and the external services the origin servers.
>>
>> Using an HTTP proxy, requests work but content is not cached which, I
>> think, is obviously OK since the client will establish a CONNECT tunnel,
>> which makes ATS unable to see the content.
>>
>> From my understanding, I need to set up SSL termination.
>> I followed:
>> http://trafficserver.apache.org/docs/trunk/admin/security-options/#UsingSSLTermination
> 
> Sorry, these docs have not been updated. The SSL termination configuration is described more accurately here:
> 
> https://trafficserver.readthedocs.org/en/latest/admin/security-options.en.html#using-ssl-termination
> https://trafficserver.readthedocs.org/en/latest/reference/configuration/ssl_multicert.config.en.html
> 
> You need to specify the SSL certificates in ssl_multicert.config. If you need additional debugging on the server end, you can set the "ssl" diagnostic tag.
> 
>>
>> For now, I use self-signed SSL certificate generated with:
>> openssl req -x509 -newkey rsa:2048 -keyout keypriv.pem -out cert.pem
>> -days 365
>>
>> And passphrase is removed with
>> openssl rsa -in keypriv.pem -out key.pem
>>
>> Between Client & ATS, here's what I use for configuration:
>>
>> CONFIG proxy.config.http.server_ports STRING 80:ipv4 443:ipv4:ssl
>> CONFIG proxy.config.http.connect_ports STRING 443 563
>> CONFIG proxy.config.ssl.client.certification_level INT 0
>> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver
>> CONFIG proxy.config.ssl.server.cert.filename STRING cert.pem
>> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver
>> CONFIG proxy.config.ssl.server.private_key.filename STRING key.pem
>>
>> Still from my understanding, I don't need any specific option for ATS-to-
>> origin-server connections since ATS will act as the client and therefore
>> does not need any certificate.
>>
>> But, it does not work. Using curl, here's what I get:
>> curl -vvv -k --proxy https://my_proxy:443 "https://secure.website.tld/"
>> * About to connect() to proxy my_proxy port 443 (#0)
>> *   Trying xxx.yyy.uuu.ttt...
>> * connected
>> * Connected to my_proxy (xxx.yyy.uuu.ttt) port 443 (#0)
>> * Establish HTTP proxy tunnel to secure.website.tld:443
>>> CONNECT secure.website.tld:443 HTTP/1.1
>>> Host: secure.website.tld:443
>>> User-Agent: curl/7.26.0
>>> Proxy-Connection: Keep-Alive
>>>
>> * Easy mode waiting response from proxy CONNECT
>>
>> And here's what I get on ATS side:
>> Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
>> Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>> Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
>> Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>> Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
>> Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>> Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
>> Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>> Server {0x2b3cb358d700} ERROR: SSL ERROR: SSL_ServerHandShake.
>> Server {0x2b3cb358d700} ERROR: SSL::7:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>>
>> I bet I missed a point, but I can't find which one.
>>
>> Any help appreciated,
>> Jean-Baptiste
> 
> 


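Added example, not code from the post or from Traffic Server, for reading the error that appears in both sets of logs above. The OpenSSL reason string "https proxy request" (reason code 0x9B in 1407609B, SSL_R_HTTPS_PROXY_REQUEST) is raised by ssl23_get_client_hello() in s23_srvr.c when the first bytes on the TLS socket spell a plaintext "CONNECT" instead of a ClientHello; the curl transcript above shows exactly that, a CONNECT written straight after the TCP connect, with no TLS handshake to the proxy first. The script below reproduces that first-bytes classification on constructed input (the request curl printed, and a minimal ClientHello it builds itself) and includes a MSG_PEEK helper for applying the same check to a live listener socket. Labels and the MEANING table are this example's own, not ATS diagnostics.

```python
"""First-bytes classifier for a TLS listener, mirroring the check OpenSSL's
ssl23_get_client_hello() (s23_srvr.c) performs before it reports
"https proxy request". Added example; not code from the post or from ATS.
"""
import os
import socket
import struct

# Plaintext HTTP verbs OpenSSL recognises (-> SSL_R_HTTP_REQUEST).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")

# Constructed from the curl transcript in the quoted post: what curl 7.26
# wrote to the proxy's port 443 immediately after the TCP connect.
CURL_PLAINTEXT_CONNECT = (
    b"CONNECT secure.website.tld:443 HTTP/1.1\r\n"
    b"Host: secure.website.tld:443\r\n"
    b"User-Agent: curl/7.26.0\r\n"
    b"Proxy-Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Example's own labels; the OpenSSL reason names in parentheses are real.
MEANING = {
    "http_request": "plaintext HTTP request on the TLS port (OpenSSL: SSL_R_HTTP_REQUEST)",
    "https_proxy_request": "plaintext CONNECT on the TLS port (OpenSSL: SSL_R_HTTPS_PROXY_REQUEST, 0x9B)",
    "sslv2_client_hello": "SSLv2-format ClientHello",
    "tls_client_hello": "SSLv3/TLS ClientHello record",
    "short": "fewer than 11 bytes read; peek again",
    "unknown": "neither HTTP nor a ClientHello",
}


def classify_first_bytes(data: bytes) -> str:
    """Label what the peer sent first, using only the leading bytes.

    Order follows OpenSSL: HTTP verbs, then CONNECT, then an SSLv2-style
    hello (high bit of the 2-byte length set, msg type 1), then an
    SSLv3/TLS record (type 0x16, major version 3, handshake type 1).
    """
    if len(data) < 11:  # OpenSSL reads 11 bytes before deciding
        return "short"
    if data.startswith(HTTP_METHODS):
        return "http_request"
    if data.startswith(b"CONNECT"):
        return "https_proxy_request"
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2_client_hello"
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls_client_hello"
    return "unknown"


def record_version(data: bytes) -> tuple:
    """(major, minor) from the record header of an SSLv3/TLS ClientHello."""
    return (data[1], data[2])


def build_client_hello(version=(3, 1), cipher_suites=(0x002F, 0x0035)) -> bytes:
    """Minimal SSLv3/TLS ClientHello record (no extensions), constructed
    here so the classifier can be exercised offline. (3,1) is TLS 1.0,
    (3,3) is TLS 1.2."""
    major, minor = version
    body = bytes([major, minor]) + os.urandom(32)        # client_version, random
    body += b"\x00"                                       # session_id: empty
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                   # compression: null only
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(hs)) + hs


def peek_first_bytes(conn: socket.socket, n: int = 11) -> bytes:
    """Peek at the first bytes of an accepted connection without consuming
    them, so the same socket can still be handed to a TLS handshake."""
    return conn.recv(n, socket.MSG_PEEK)


def diagnose(data: bytes) -> str:
    """One-line verdict for a captured or peeked prefix."""
    label = classify_first_bytes(data)
    text = MEANING[label]
    if label == "tls_client_hello":
        major, minor = record_version(data)
        text += " (record version %d.%d)" % (major, minor)
    return "%s: %s" % (label, text)


if __name__ == "__main__":
    print(diagnose(CURL_PLAINTEXT_CONNECT))
    print(diagnose(build_client_hello()))
```

If the verdict on a live socket is https_proxy_request or http_request, the client is talking plain HTTP to the port listed with :ssl in proxy.config.http.server_ports, and no change to ssl_multicert.config or the certificate files will make that handshake succeed; the client has to either send its CONNECT to the plain-HTTP port or wrap the proxy connection in TLS itself. Note that curl only learned to speak TLS to a proxy (an https:// proxy URL) in 7.52.0; on 7.26 the https:// scheme in --proxy is not honoured, which is consistent with the plaintext CONNECT in the transcript.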