trafficserver-users mailing list archives

From micu...@gmail.com
Subject Re: [E] Force trafficserver to TLSv1.3
Date Fri, 11 Dec 2020 06:53:50 GMT
Yes, of course I have.

CONFIG proxy.config.ssl.client.cert.path STRING /etc/ssl/certs/
CONFIG proxy.config.ssl.client.cert.filename STRING xxx.pem

CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/ssl/certs/
CONFIG proxy.config.ssl.client.CA.cert.filename STRING xxx_CA.pem

The question is whether ATS is able to send verify_client_post_handshake as an
extension in the TLS Client Hello.
Conversely, if ATS does not send the "post_handshake_auth" extension, then according
to RFC 8446 <https://tools.ietf.org/html/rfc8446>:

   The "post_handshake_auth" extension is used to indicate that a client
   is willing to perform post-handshake authentication (Section 4.6.2
   <https://tools.ietf.org/html/rfc8446#section-4.6.2>).
   Servers MUST NOT send a post-handshake CertificateRequest to clients
   which do not offer this extension. Servers MUST NOT send this extension.

On Thu, Dec 10, 2020 at 5:48 PM Susan Hinrichs <shinrich@verizonmedia.com>
wrote:

> Sounds like the origin is requesting a client certificate which ATS is not
> providing.
>
> Do you have your ATS configured to specify a client certificate if the
> origin requests one? This can be configured by the records.config setting
> proxy.config.ssl.client.cert.filename (and related). These settings can also
> be overridden on a per-remap basis by using conf_remap.so.
>
> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?#proxy-config-ssl-client-cert-filename
>
>
> On Thu, Dec 10, 2020 at 7:17 AM <micunek@gmail.com> wrote:
>
>> Hi,
>> I found an explanation of how Wireshark presents TLSv1.3 and it seems my
>> configuration is OK and TLSv1.3 is used.
>>
>> However, I have another problem with the origin server.
>> It sends me back "403 Forbidden" because of:
>>
>> SSL Library Error: error:14268117:SSL
>> routines:SSL_verify_client_post_handshake:extension not received
>>
>>
>> As I understand, ATS does not send the "verify_client_post_handshake"
>> extension in the Client Hello.
>>
>> Is it possible to configure this somehow?
>>
>>
>> Thanks, Peter
>>
>
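The extension the thread is about, post_handshake_auth (extension type 49 in RFC 8446, section 4.2), can be checked directly in a captured ClientHello rather than inferred from the origin's "extension not received" error. The following Python is an added example, not code from this thread or from Apache Traffic Server: it builds two constructed ClientHello messages, one that offers the extension and one that does not, parses the extension list, and reports whether the RFC permits the server to send a post-handshake CertificateRequest to that client. The message builder, the sample bytes and all function names are assumptions made for this example.

```python
"""Check whether a TLS 1.3 ClientHello offers post_handshake_auth (RFC 8446 type 49).

Added example for the trafficserver-users thread on post-handshake client auth;
not ATS code. Message layouts follow RFC 8446 section 4.1.2; sample bytes are constructed.
"""
import struct

POST_HANDSHAKE_AUTH = 49    # extension type, RFC 8446 section 4.2
SUPPORTED_VERSIONS = 43     # extension type, RFC 8446 section 4.2


def build_client_hello(extensions):
    """Build a minimal ClientHello handshake message (no record header).

    Constructed for this example: only the fields the parser must walk past.
    `extensions` is a list of (type, data) pairs.
    """
    body = b"\x03\x03"                       # legacy_version = TLS 1.2
    body += b"\x00" * 32                     # random (constructed, all zeros)
    body += b"\x00"                          # legacy_session_id: empty
    body += b"\x00\x02\x13\x01"              # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                      # legacy_compression_methods: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)


def extract_handshake_from_record(record):
    """Strip one TLS record header (content type 0x16 = handshake) and return its payload."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    length = struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return payload


def parse_client_hello_extensions(msg):
    """Return the [(type, data), ...] extension list of a ClientHello handshake message."""
    if not msg or msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                       # legacy_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                                 # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                  # cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                                  # legacy_compression_methods
    if pos == len(body):
        return []                                      # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions block overruns message")
    exts = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts.append((ext_type, body[pos:pos + ext_len]))
        pos += ext_len
    if pos != end:
        raise ValueError("malformed extensions block")
    return exts


def offers_post_handshake_auth(msg):
    """True when the client offered post_handshake_auth; per RFC 8446 section 4.6.2
    a server MUST NOT send a post-handshake CertificateRequest otherwise."""
    return any(t == POST_HANDSHAKE_AUTH for t, _ in parse_client_hello_extensions(msg))


# Constructed samples: a TLS 1.3 hello without the extension, and one with it.
HELLO_WITHOUT = build_client_hello([(SUPPORTED_VERSIONS, b"\x02\x03\x04")])
HELLO_WITH = build_client_hello([(SUPPORTED_VERSIONS, b"\x02\x03\x04"),
                                 (POST_HANDSHAKE_AUTH, b"")])
RECORD_WITH = b"\x16\x03\x01" + struct.pack("!H", len(HELLO_WITH)) + HELLO_WITH

if __name__ == "__main__":
    for name, hello in (("without", HELLO_WITHOUT), ("with", HELLO_WITH)):
        print(name, "-> server may request cert post-handshake:",
              offers_post_handshake_auth(hello))
```

On a real capture, export the ClientHello record bytes from Wireshark and feed them through extract_handshake_from_record before offers_post_handshake_auth; if the result is False, the origin's SSL_verify_client_post_handshake "extension not received" error is exactly the RFC behaviour quoted above, and the fix has to come from the client (here ATS) offering the extension or from the origin requesting the certificate during the initial handshake instead.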
