trafficserver-users mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: ATS & SSL termination
Date Wed, 09 Oct 2013 15:22:22 GMT
On Oct 9, 2013, at 8:08 AM, Jean Baptiste Favre <webmaster@jbfavre.org> wrote:

> I'm new to trafficserver.
> Using ATS 3.2.5 on Debian 7.0 Wheezy, I need to be able to cache content
> from SSL requests.
> 
> These requests are made by an internal application against external
> services, mostly using HTTPS.
> So, my application will be the client and the external services the origin server.
> 
> Using HTTP proxy, requests work but content is not cached which, I
> think, is obviously OK since the client will establish a CONNECT tunnel
> which makes ATS unable to see the content.
> 
> From my understanding, I need to set up SSL termination.
> I followed:
> http://trafficserver.apache.org/docs/trunk/admin/security-options/#UsingSSLTermination

Sorry, these docs have not been updated. The SSL termination configuration is described more
accurately here:

https://trafficserver.readthedocs.org/en/latest/admin/security-options.en.html#using-ssl-termination
https://trafficserver.readthedocs.org/en/latest/reference/configuration/ssl_multicert.config.en.html

You need to specify the SSL certificates in ssl_multicert.config. If you need additional debugging
on the server end, you can set the "ssl" diagnostic tag.

> 
> For now, I use self-signed SSL certificate generated with:
> openssl req -x509 -newkey rsa:2048 -keyout keypriv.pem -out cert.pem
> -days 365
> 
> And passphrase is removed with
> openssl rsa -in keypriv.pem -out key.pem
> 
> Between Client & ATS, here's what I use for configuration:
> 
> CONFIG proxy.config.http.server_ports STRING 80:ipv4 443:ipv4:ssl
> CONFIG proxy.config.http.connect_ports STRING 443 563
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver
> CONFIG proxy.config.ssl.server.cert.filename STRING cert.pem
> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver
> CONFIG proxy.config.ssl.server.private_key.filename STRING key.pem
> 
> Still from my understanding, I don't need any specific option for ATS to
> origin server connections since ATS will act as the client and therefore does
> not need any certificate.
> 
> But, it does not work. Using curl, here's what I get:
> curl -vvv -k --proxy https://my_proxy:443 "https://secure.website.tld/"
> * About to connect() to proxy my_proxy port 443 (#0)
> *   Trying xxx.yyy.uuu.ttt...
> * connected
> * Connected to my_proxy (xxx.yyy.uuu.ttt) port 443 (#0)
> * Establish HTTP proxy tunnel to secure.website.tld:443
>> CONNECT secure.website.tld:443 HTTP/1.1
>> Host: secure.website.tld:443
>> User-Agent: curl/7.26.0
>> Proxy-Connection: Keep-Alive
>> 
> * Easy mode waiting response from proxy CONNECT
> 
> And here's what I get on ATS side:
> Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
> Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
> Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
> Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
> Server {0x2b3cb358d700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x2b3cb358d700} ERROR: SSL::7:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
> 
> I bet I missed a point, but can't find which one.
> 
> Any help appreciated,
> Jean-Baptiste
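The ATS log lines quoted above carry OpenSSL's own error string, laid out as error:code:library:function:reason:file:line. As an added example, not part of this thread or of the Traffic Server project, here is a small Python parser that pulls those fields out of ATS diagnostic output and groups handshake failures by OpenSSL reason and by connection, so that a listener receiving plaintext can be told apart from certificate or cipher problems. The sample log is constructed in the same format as the quoted lines (one record per line, plus one extra "no shared cipher" record to show the unclassified path); the reason-to-explanation table is this example's own, based on the fact that OpenSSL's s23 server code raises "https proxy request" when the first bytes on a TLS socket are a plaintext CONNECT rather than a ClientHello.

```python
import re
from collections import Counter

# Constructed sample of ATS diagnostic output, in the same format as the
# lines quoted in the thread (the last record is a constructed addition
# to show a reason the table below does not classify).
SAMPLE_LOG = """\
Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
Server {0x2b3cb358d700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x2b3cb358d700} ERROR: SSL::7:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
Server {0x2b3cb368e700} ERROR: SSL::8:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:0:
"""

# OpenSSL error-string layout: error:<code>:<library>:<function>:<reason>:<file>:<line>:
# ATS prefixes it with "SSL::<fd>:" where <fd> is the connection's file descriptor.
OPENSSL_ERR = re.compile(
    r"ERROR: SSL::(?P<fd>\d+):error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

# Reasons OpenSSL's s23 server code reports when the bytes arriving on a TLS
# listener are not a ClientHello at all. This table and its wording are this
# example's own, not an OpenSSL or ATS artifact.
PLAINTEXT_REASONS = {
    "https proxy request": "client sent a plaintext HTTP CONNECT to the TLS port",
    "http request": "client sent a plaintext HTTP request to the TLS port",
}


def parse_ssl_errors(text):
    """Return one dict (fd, code, lib, func, reason, file, line) per OpenSSL error record."""
    records = []
    for line in text.splitlines():
        m = OPENSSL_ERR.search(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Count handshake failures by OpenSSL reason and by connection fd."""
    by_reason = Counter(r["reason"] for r in records)
    by_fd = Counter(r["fd"] for r in records)
    return {"by_reason": dict(by_reason), "by_fd": dict(by_fd)}


def diagnose(records):
    """Map each distinct reason to a plain-language explanation where one is known."""
    findings = {}
    for r in records:
        reason = r["reason"]
        if reason in PLAINTEXT_REASONS:
            findings[reason] = PLAINTEXT_REASONS[reason]
        else:
            findings.setdefault(reason, "unclassified OpenSSL reason; look at the function name")
    return findings


if __name__ == "__main__":
    recs = parse_ssl_errors(SAMPLE_LOG)
    print(summarize(recs))
    for reason, explanation in diagnose(recs).items():
        print(f"{reason!r}: {explanation}")
```

When the summary is dominated by "https proxy request", the TLS listener is being addressed as though it were a plaintext proxy port, so the handshake never starts and no certificate or key setting can change the outcome; the client's proxy configuration is the thing to check first, and ssl_multicert.config only matters once a real ClientHello reaches the port.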

