trafficserver-users mailing list archives

From Persia Aziz <persia.a...@yahoo.com>
Subject Re: Connection rejected for MTLS forward proxy
Date Wed, 21 Feb 2018 17:48:32 GMT

Hmm, interesting. From your debug log, it looks like ATS wants to read more data from the buffer
which it cannot find. Hence, throwing an EOF.

Syeda Persia Aziz
Software Developer, Yahoo! Inc., Champaign, Illinois

On Wednesday, February 21, 2018, 11:35:11 AM CST, salil GK <gksalil@gmail.com> wrote:

I have assigned these variables also the same values:

CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.CA.cert.path STRING /directory/where/ca.pem

# and

CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /directory/where/ca.pem

On 21 February 2018 at 22:48, Persia Aziz <persia.aziz@yahoo.com> wrote:

Hi,
What you want is 'proxy.config.ssl.CA.cert.filename' and 'proxy.config.ssl.CA.cert.path', not
the client.CA configs. I know it is a bit confusing. The client.CA ones are used to verify
origin server certificates. Try the configs and see if that works.
Docs for the configs:
records.config — Apache Traffic Server 8.0.0 documentation
- Sincerely,
Syeda Persia Aziz
Software Developer, Yahoo! Inc., Champaign, Illinois

On Wednesday, February 21, 2018, 10:41:32 AM CST, Alan Carroll <solidwallofcode@oath.com> wrote:
 
I meant more what *units* the handshake_timer is. Looking at the code, it seems to be in
seconds, meaning it is unlikely that is the problem (if the handshake took .5s with a 20s timeout).
I'd recommend having any configuration value at most once, although I don't think it would
break anything.
Looking at the code, it appears the client cert verify callback was hit (SSLUtils.cc:1687)
with a failure reported by OpenSSL. I'd look at debug messages much earlier, during process
start, to see if the certs are getting loaded correctly.
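The records.config fragment below is an added illustration of the distinction Persia draws above; it is not from the thread and not shipped by the Traffic Server project. It sets the mistaken configuration (only the client.CA settings pointing at the CA that issued the clients' certificates) beside the corrected one. The directory placeholder /directory/where, the use of proxy.config.ssl.client.certification_level to require a client certificate, and the reading of CA.cert.path as the directory that contains the CA file are assumptions taken from the ATS records.config documentation, not statements made in the thread.

```text
# records.config -- added illustration, not from the thread or the ATS project.

# --- mistaken: these settings govern how ATS, acting as a TLS *client*,
# verifies the *origin server's* certificate. Pointing them at the CA that
# signed your clients' certificates does nothing for the forward-proxy
# client-cert check. ---
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /directory/where

# --- corrected: the CA that issued the certificates your clients present.
# ATS uses this store in the client-certificate verify callback when it
# is the TLS *server* side of the connection. (Assumption from the docs:
# .path is the directory, .filename the file inside it.) ---
CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.CA.cert.path STRING /directory/where

# Require (not merely request) a client certificate. Assumption: ATS's
# proxy.config.ssl.client.certification_level, where 2 = required; this
# setting is not mentioned in the thread.
CONFIG proxy.config.ssl.client.certification_level INT 2

# Handshake timeout. Alan's reading of the code above is that this value
# is in seconds, so 20 is generous for a half-second handshake.
CONFIG proxy.config.ssl.handshake_timeout_in INT 20
```

Before restarting ATS it is worth confirming offline that ca.pem really is the issuer of the client certificate, with `openssl verify -CAfile ca.pem client.pem`; a verify failure there will reproduce as the verify-callback failure Alan points at. Then exercise the proxy from a client with `openssl s_client -connect proxy-host:port -cert client.pem -key client.key -CAfile ca.pem` and, as Alan suggests, read the startup diagnostics to check that the CA file was actually loaded from the configured path.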
