trafficserver-users mailing list archives

From Igor Galić <i.ga...@brainsware.org>
Subject Re: SSL handshake problem
Date Fri, 16 Dec 2011 14:12:59 GMT


----- Original Message -----
> Hi,
> 
> I want to configure the TS as a reverse proxy which can handle HTTP

Which version of TS?

> and
> HTTPS traffic. I set up a map in remap.config like this:
> 
> map https://extern.tld/ http://internal.local:7080/
> reverse_map http://internal.local:7080/ https://external.tld/
> 
> The relevant configuration in the records.config:
> 
> CONFIG proxy.config.reverse_proxy.enabled INT 1
> CONFIG proxy.config.header.parse.no_host_url_redirect STRING NULL
> 
> CONFIG proxy.config.ssl.enabled INT 1
> CONFIG proxy.config.ssl.SSLv2 INT 1

Welcome to 2011, where SSLv2 has been deprecated for more than half
a decade.

> CONFIG proxy.config.ssl.SSLv3 INT 1
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.server_port INT 443
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.cert.filename STRING server.pem
> CONFIG proxy.config.ssl.server.cert_chain.filename STRING NULL
> CONFIG proxy.config.ssl.server.cert.path STRING /etc/ssl/private/
> CONFIG proxy.config.ssl.server.private_key.filename STRING NULL
> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/ssl/private/
> CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.CA.cert.path STRING NULL

Where is your private key?
Is your private key encrypted?

Does your certificate (server.pem) include everything?
(cert, key, chain) - because nothing else is provided

> 
> If I want to access the URL, I get the following:
> $openssl s_client -debug -status -connect extern.tld:443
> 
> CONNECTED(00000003)
> write to 0xb4aef0 [0xb4b1a8] (104 bytes => 104 (0x68))
> 0000 - 16 03 01 00 63 01 00 00-5f 03 01 4e eb 1e af 40
>   ....c..._..N...@
> 0010 - 58 bc c2 4e 91 32 4b 58-80 44 5a eb 11 58 aa bd
>   X..N.2KX.DZ..X..
> 0020 - 9d 67 c4 a0 cd 23 17 1c-ce b3 0f 00 00 28 00 39
>   .g...#.......(.9
> 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f
>   .8.5.......3.2./
> 0040 - 00 05 00 04 00 15 00 12-00 09 00 14 00 11 00 08
>   ................
> 0050 - 00 06 00 03 00 ff 02 01-00 00 0d 00 23 00 00 00
>   ............#...
> 0060 - 05 00 05 01                                       ....
> 0068 - <SPACES/NULS>
> read from 0xb4aef0 [0xb64488] (7 bytes => 7 (0x7))
> 0000 - 15 03 01 00 02 02 28                              ......(
> 5564:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure:s23_clnt.c:602:
> 
> 
> $curl -v -0 https://extern.tld/
> * About to connect() to dev.ejump.sic-software.tk port 443 (#0)
> *   Trying 193.158.63.21... connected
> * successfully set certificate verify locations:
> *   CAfile: /usr/ssl/certs/ca-bundle.crt
>   CApath: none
> * SSLv3, TLS handshake, Client hello (1):
> * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure
> * Closing connection #0
> curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure
> 
> 
> the traffic.out logfile says:
> 
> Server {1080852432} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {1080852432} ERROR: SSL::0:error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1226:
> 
> 
> What's going wrong here? I can't track it down to the problem :(
> HTTP traffic works just fine.
> 
> Aaron


-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
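Igor's three questions above come down to an inventory of what server.pem actually carries: a certificate, a private key, any intermediates, and whether the key can be opened without a passphrase. As an added example (not code from this thread or from Traffic Server), the stdlib-only Python script below parses a PEM bundle and turns that inventory into the checks a reviewer would raise; the sample bundle and its base64 bodies are constructed placeholders, not real key material.

```python
import re

# Constructed sample: one certificate plus a traditional-format RSA key
# that is passphrase-protected. Bodies are placeholders, not real data.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBplaceholderCertificateBodyAAAA
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

placeholderEncryptedKeyBodyAAAA
-----END RSA PRIVATE KEY-----
"""

# Matches one PEM block; the backreference ties END to the same label.
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_inventory(text):
    """Count certificate and key blocks and flag an encrypted key."""
    certs, keys, encrypted = 0, 0, False
    for label, body in BLOCK_RE.findall(text):
        if label == "CERTIFICATE":
            certs += 1
        elif label in KEY_LABELS:
            keys += 1
            # PKCS#8 encrypted keys carry their own label; the older
            # OpenSSL format marks encryption with a Proc-Type header.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                encrypted = True
    return {"certs": certs, "keys": keys, "key_encrypted": encrypted}


def diagnose(text):
    """Map the inventory onto the questions asked in the reply above."""
    inv = pem_inventory(text)
    problems = []
    if inv["certs"] == 0:
        problems.append("no certificate in bundle")
    if inv["keys"] == 0:
        problems.append("no private key: put it in the bundle or point private_key.filename at it")
    elif inv["keys"] > 1:
        problems.append("more than one private key in bundle")
    if inv["key_encrypted"]:
        problems.append("private key is passphrase-protected; an unattended daemon cannot open it")
    if inv["certs"] == 1:
        problems.append("no intermediates in bundle (fine only if the cert is signed directly by a trusted root; otherwise use cert_chain.filename)")
    return problems
```

With no loadable certificate/key pair the server cannot enable any cipher suite, which is one common reason OpenSSL logs "no shared cipher" on the server side while the client sees a handshake failure alert.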

