trafficserver-users mailing list archives

From Zack Bartel <zbar...@proofpoint.com>
Subject Client / TS certificates 7.x vs 8.x
Date Tue, 05 Jan 2021 22:49:20 GMT
Hello,
We are using client -> TS SSL termination and using client certificates and a CA. While
upgrading to 8.x this has stopped working and I'm having trouble figuring out why. I was wondering
if there may have been some change in 8.x or error with my config which would be obvious
to someone.

The error is "SSL alert number 80" internal error.

SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write certificate verify
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
read from 0x564393d04170 [0x564393d0e6a3] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02                                    .....
read from 0x564393d04170 [0x564393d0e6a8] (2 bytes => 2 (0x2))
0000 - 02 50                                             .P
SSL3 alert read:fatal:internal error
SSL_connect:error in error
139713745085760:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1543:SSL alert number 80

I've inspected the traffic with Wireshark to confirm the exchange is identical between the
versions up until the "Internal Error" response. I've tried up to 7.1.12-rc0, which works, and 8.0.0
-> 8.1.x, which does not. I've also tried on Ubuntu and CentOS 8 with the same results.

Relevant config:

records.config:
CONFIG proxy.config.ssl.CA.cert.path STRING /ssl/
CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem

CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.client.certification_level INT 2
CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/pki/tls/certs/
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca-bundle.crt

CONFIG proxy.config.ssl.client.cipher_suite STRING TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA

CONFIG proxy.config.ssl.server.private_key.path STRING /ssl/
CONFIG proxy.config.ssl.server.cert.path STRING /ssl/

CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_multicert.config:
ssl_cert_name=server.pem

Any help on this greatly appreciated, thank you,

Zack
