trafficserver-users mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: ATS & SSL termination
Date Wed, 09 Oct 2013 17:48:06 GMT
On Oct 9, 2013, at 9:25 AM, Jean Baptiste Favre <webmaster@jbfavre.org> wrote:

> Hello James,
> Thanks for your quick reply.
> 
> I added the following line into ssl_multicert.config:
> dest_ip=* ssl_cert_name=cert.pem ssl_key_name=key.pem
> 
> Then I run /usr/bin/traffic_server -T ssl and get these logs when
> launching the curl command:
> 
> Server {0x7ffebb655700} DEBUG: (ssl) [SSLNextProtocolAccept:mainEvent]
> event 202 netvc 0x22574d0
> Server {0x7ffebb655700} DEBUG: (ssl) IP context is (nil), default
> context 0x7ffebc0a5170
> Server {0x7ffebb655700} DEBUG: (ssl)
> SSLNetVConnection::sslServerHandShakeEvent, error
> Server {0x7ffebb655700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x7ffebb655700} ERROR: SSL::5:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
> Server {0x7ffebb655700} DEBUG: (ssl)
> SSLNetVConnection::sslServerHandShakeEvent, error
> Server {0x7ffebb655700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x7ffebb655700} ERROR: SSL::5:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
> 
> Will continue debugging tomorrow,

Are you positive that the curl command you are using is actually sending SSL, rather than
HTTP?

> 
> Regards,
> Jean-Baptiste
> 
> 
> On 09/10/2013 17:22, James Peach wrote:
>> On Oct 9, 2013, at 8:08 AM, Jean Baptiste Favre <webmaster@jbfavre.org> wrote:
>> 
>>> I'm new to trafficserver.
>>> Using ATS 3.2.5 on Debian 7.0 Wheezy, I need to be able to cache content
>>> from SSL requests.
>>> 
>>> These requests are made by an internal application against external
>>> services, mostly using HTTPS.
>>> So, my application will be the client and the external services the origin server.
>>> 
>>> Using an HTTP proxy, requests work but content is not cached, which, I
>>> think, is obviously OK since the client will establish a CONNECT tunnel,
>>> which makes ATS unable to see the content.
>>> 
>>> From my understanding, I need to set up SSL termination.
>>> I followed:
>>> http://trafficserver.apache.org/docs/trunk/admin/security-options/#UsingSSLTermination
>> 
>> Sorry, these docs have not been updated. The SSL termination configuration is described
>> more accurately here:
>> 
>> https://trafficserver.readthedocs.org/en/latest/admin/security-options.en.html#using-ssl-termination
>> https://trafficserver.readthedocs.org/en/latest/reference/configuration/ssl_multicert.config.en.html
>> 
>> You need to specify the SSL certificates in ssl_multicert.config. If you need additional
>> debugging on the server end, you can set the "ssl" diagnostic tag.
>> 
>>> 
>>> For now, I use a self-signed SSL certificate generated with:
>>> openssl req -x509 -newkey rsa:2048 -keyout keypriv.pem -out cert.pem
>>> -days 365
>>> 
>>> And the passphrase is removed with
>>> openssl rsa -in keypriv.pem -out key.pem
>>> 
>>> Between Client & ATS, here's what I use for configuration:
>>> 
>>> CONFIG proxy.config.http.server_ports STRING 80:ipv4 443:ipv4:ssl
>>> CONFIG proxy.config.http.connect_ports STRING 443 563
>>> CONFIG proxy.config.ssl.client.certification_level INT 0
>>> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver
>>> CONFIG proxy.config.ssl.server.cert.filename STRING cert.pem
>>> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver
>>> CONFIG proxy.config.ssl.server.private_key.filename STRING key.pem
>>> 
>>> Still from my understanding, I don't need any specific option for ATS to
>>> origin server connections since ATS will act as the client and therefore does
>>> not need any certificate.
>>> 
>>> But, it does not work. Using curl, here's what I get:
>>> curl -vvv -k --proxy https://my_proxy:443 "https://secure.website.tld/"
>>> * About to connect() to proxy my_proxy port 443 (#0)
>>> *   Trying xxx.yyy.uuu.ttt...
>>> * connected
>>> * Connected to my_proxy (xxx.yyy.uuu.ttt) port 443 (#0)
>>> * Establish HTTP proxy tunnel to secure.website.tld:443
>>>> CONNECT secure.website.tld:443 HTTP/1.1
>>>> Host: secure.website.tld:443
>>>> User-Agent: curl/7.26.0
>>>> Proxy-Connection: Keep-Alive
>>>> 
>>> * Easy mode waiting response from proxy CONNECT
>>> 
>>> And here's what I get on ATS side:
>>> Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
>>> Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL
>>> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>>> Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
>>> Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL
>>> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>>> Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
>>> Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL
>>> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>>> Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
>>> Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL
>>> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>>> Server {0x2b3cb358d700} ERROR: SSL ERROR: SSL_ServerHandShake.
>>> Server {0x2b3cb358d700} ERROR: SSL::7:error:1407609B:SSL
>>> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>>> 
>>> I bet I missed a point, but can't find which one.
>>> 
>>> Any help appreciated,
>>> Jean-Baptiste
>> 
> 
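As an added example that is not part of this thread: a small Python helper that applies the same first-bytes triage OpenSSL's version-negotiating accept code (SSL23_GET_CLIENT_HELLO) does on an SSL listener, so the "https proxy request" error above reads as "the client sent a plaintext HTTP CONNECT to the SSL port" (which is what curl 7.26.0 does with an `https://` proxy URL, since curl only gained HTTPS-proxy support in 7.52.0). The CONNECT sample is the request curl printed above; the TLS and SSLv2 ClientHello samples are constructed.

```python
# Added example: mirrors the first-bytes triage OpenSSL's SSL23 accept path
# performs on an SSL listener. The CONNECT text is the request curl printed
# in the thread above; the ClientHello samples are constructed.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")

# What curl 7.26.0 sent to port 443 when given --proxy https://my_proxy:443
CURL_CONNECT_SAMPLE = (
    b"CONNECT secure.website.tld:443 HTTP/1.1\r\n"
    b"Host: secure.website.tld:443\r\n"
    b"User-Agent: curl/7.26.0\r\n"
    b"Proxy-Connection: Keep-Alive\r\n\r\n"
)
# Constructed: a TLS record (type 0x16 handshake, version 3.x) carrying a
# ClientHello (handshake type 0x01). Only the header bytes matter here.
TLS_CLIENTHELLO_SAMPLE = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03\x03"
# Constructed: an SSLv2-compatible ClientHello (high bit of the first length
# byte set, message type 0x01 in the third byte), which old OpenSSL accepted.
SSLV2_CLIENTHELLO_SAMPLE = b"\x80\x2e\x01\x03\x01\x00"


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a TLS listener received."""
    if len(data) < 6:
        return "unknown"
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-clienthello"
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-clienthello"
    if data.startswith(HTTP_METHODS):
        return "http-plaintext"
    return "unknown"


def diagnose(data: bytes) -> str:
    """Map the classification back to the OpenSSL reason string ATS logged."""
    kind = classify_first_bytes(data)
    if kind == "http-plaintext":
        method = data.split(b" ", 1)[0].decode("ascii")
        # OpenSSL distinguishes a proxy CONNECT from other plaintext methods.
        reason = "https proxy request" if method == "CONNECT" else "http request"
        return (f"plaintext HTTP {method} on the SSL port: OpenSSL reports "
                f"'{reason}' in SSL23_GET_CLIENT_HELLO; the client is not "
                "speaking TLS to the proxy")
    if kind in ("tls-clienthello", "sslv2-clienthello"):
        return f"{kind}: a handshake reached the listener, look elsewhere"
    return "unknown: neither a ClientHello nor an HTTP request"


if __name__ == "__main__":
    for name, sample in (("curl CONNECT", CURL_CONNECT_SAMPLE),
                         ("TLS ClientHello", TLS_CLIENTHELLO_SAMPLE)):
        print(f"{name}: {diagnose(sample)}")
```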

