trafficserver-users mailing list archives

From Susan Hinrichs <shinr...@verizonmedia.com>
Subject Re: [E] Force trafficserver to TLSv1.3
Date Fri, 11 Dec 2020 15:09:53 GMT
The post_handshake_auth is not wired into ATS yet.  Please file an issue
and/or put up a PR.

Susan

On Fri, Dec 11, 2020 at 12:54 AM <micunek@gmail.com> wrote:

> Yes, of course I have.
>
> CONFIG proxy.config.ssl.client.cert.path STRING /etc/ssl/certs/
> CONFIG proxy.config.ssl.client.cert.filename STRING xxx.pem
>
> CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/ssl/certs/
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING xxx_CA.pem
>
> The question is whether ATS is able to send verify_client_post_handshake as an
> extension in the TLS Client Hello.
> Conversely, if ATS does not send the "post_handshake_auth" extension, then
> according to RFC 8446
> <https://tools.ietf.org/html/rfc8446>
> :
>
> The "post_handshake_auth" extension is used to indicate that a client
>    is willing to perform post-handshake authentication (Section 4.6.2 <https://tools.ietf.org/html/rfc8446#section-4.6.2>).
>    Servers MUST NOT send a post-handshake CertificateRequest to clients
>    which do not offer this extension. Servers MUST NOT send this extension.
>
>
>
> On Thu, Dec 10, 2020 at 5:48 PM Susan Hinrichs <shinrich@verizonmedia.com>
> wrote:
>
>> Sounds like the origin is requesting a client certificate which ATS is
>> not providing.
>>
>> Do you have your ATS configured to specify a client certificate if the
>> origin requests one?  This can be configured by the records.config setting
>> proxy.config.ssl.client.cert.filename (and related). These settings can also
>> be overridden on a per-remap basis by using conf_remap.so.
>>
>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?#proxy-config-ssl-client-cert-filename
>>
>>
>> On Thu, Dec 10, 2020 at 7:17 AM <micunek@gmail.com> wrote:
>>
>>> Hi,
>>> I found an explanation of how Wireshark presents TLSv1.3, and it seems my
>>> configuration is OK and TLSv1.3 is used.
>>>
>>> However, I have another problem with the origin server.
>>> It sends me back "403 Forbidden" because of:
>>>
>>> SSL Library Error: error:14268117:SSL
>>> routines:SSL_verify_client_post_handshake:extension not received
>>>
>>>
>>> As I understand it, ATS does not send the
>>> "verify_client_post_handshake" extension in the Client Hello.
>>>
>>> Is it possible to configure this somehow?
>>>
>>>
>>> Thanks Peter
>>>
>>
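The thread turns on two things that are only visible inside the ClientHello: whether TLS 1.3 is actually offered (via the supported_versions extension, since a TLS 1.3 ClientHello still carries legacy_version 0x0303, which is why Wireshark's record and handshake "Version" fields read TLS 1.2), and whether the post_handshake_auth extension (type 49) is present, without which RFC 8446 forbids the origin from sending a post-handshake CertificateRequest. The following is an added example, not code from the thread or from Apache Traffic Server: a small ClientHello builder and extension parser. The ClientHello bytes it produces are constructed sample input; on a real deployment you would feed `parse_client_hello_extensions()` the raw TLS record captured between ATS and the origin (for example exported from Wireshark as raw bytes) and check whether type 49 is among the extensions ATS sends.

```python
"""Check a TLS ClientHello for supported_versions (43) and post_handshake_auth (49).

Added example; not part of the mailing-list thread or of the ATS code base.
The ClientHello produced by build_client_hello() is constructed test input.
"""
import struct

EXT_SUPPORTED_VERSIONS = 43    # RFC 8446 section 4.2.1
EXT_POST_HANDSHAKE_AUTH = 49   # RFC 8446 section 4.2.6
TLS13 = 0x0304
TLS12 = 0x0303


def build_client_hello(offer_pha: bool) -> bytes:
    """Construct a minimal TLS 1.3 ClientHello record (constructed sample, not a capture)."""
    client_random = bytes(range(32))                 # fixed bytes; a real client uses CSPRNG output
    session_id = b""
    cipher_suites = struct.pack("!H", 0x1301)        # TLS_AES_128_GCM_SHA256
    compression = b"\x00"                            # null compression only
    # supported_versions: one entry, TLS 1.3. This is the only place 1.3 is signalled.
    sv_body = b"\x02" + struct.pack("!H", TLS13)
    exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_body)) + sv_body
    if offer_pha:
        # post_handshake_auth has empty extension_data; its presence is the signal.
        exts += struct.pack("!HH", EXT_POST_HANDSHAKE_AUTH, 0)
    body = (
        struct.pack("!H", TLS12)                     # legacy_version is always 0x0303 in TLS 1.3
        + client_random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_data} for a ClientHello held in one TLS record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip legacy_version and random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    exts = {}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        exts[etype] = body[pos:pos + elen]; pos += elen
    return exts


def offers_tls13(exts: dict) -> bool:
    """True if supported_versions lists 0x0304; the legacy_version field never says so."""
    data = exts.get(EXT_SUPPORTED_VERSIONS)
    if not data:
        return False
    n = data[0]
    versions = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return TLS13 in versions


def diagnose(record: bytes) -> str:
    """Explain what the origin may do with this ClientHello, in RFC 8446 terms."""
    exts = parse_client_hello_extensions(record)
    if not offers_tls13(exts):
        return "TLS 1.3 not offered in supported_versions"
    if EXT_POST_HANDSHAKE_AUTH not in exts:
        return "post_handshake_auth missing: server MUST NOT send post-handshake CertificateRequest"
    return "post_handshake_auth offered: server may request a client certificate after the handshake"


if __name__ == "__main__":
    for pha in (False, True):
        rec = build_client_hello(pha)
        print(f"offer_pha={pha}: legacy_version={rec[9:11].hex()} -> {diagnose(rec)}")
```

The `legacy_version` check in the usage line is the part that resolves the Wireshark confusion mentioned earlier in the thread: both records print `0303` even though both offer TLS 1.3. The second check is the one the origin's OpenSSL is performing when it reports "SSL_verify_client_post_handshake:extension not received"; a ClientHello without extension type 49 cannot be asked for a certificate after the handshake, so the origin's only remaining option is to reject the request.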
