trafficserver-users mailing list archives

From Alan Carroll <solidwallofc...@oath.com>
Subject Re: Connection rejected for MTLS forward proxy
Date Wed, 21 Feb 2018 01:00:10 GMT
Based on just this, I would say it is the client rejecting the certificate
provided by ATS. I'm not sure what the units of the "configured
handshake_timer" are.  You should also see a lot more logging data than
just this. In particular there should be messages about ATS loading up the
certificates, both client and server.

Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename STRING
ca.pem' twice in your records.config? Also, I don't think ATS verifies the
client certificate unless told to do so and I don't see that in your
records.config.

On Tue, Feb 20, 2018 at 5:55 PM, salil GK <gksalil@gmail.com> wrote:

> I can see the following lines in the ATS logs.
>
> >>>
>
> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLUtils.cc:1687 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x557514e03a00 where: 8194 ret: -1
>
> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1102 (sslServerHandShakeEvent)> (ssl) trace=FALSE
>
> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1106 (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_WANT_READ (2), errno=0
>
> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:514 (net_read_io)> (ssl) ssl handshake for vc 0x55751507fca0, took 0.583 seconds, configured handshake_timer: 20
>
> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1095 (sslServerHandShakeEvent)> (ssl) SSL handshake error: EOF
>
> <<<
>
>
> Is there any indication from this information, or do we need any more
> information from the system?
>
> Could this be an issue with the handshake timeout window? Just wondering.
>
>
> Regs
>
> ~S
>
> On 20 February 2018 at 01:57, Alan Carroll <solidwallofcode@oath.com>
> wrote:
>
>> You can enable the debug tag 'ssl' to get more data.
>>
>> See
>> https://docs.trafficserver.apache.org/en/7.1.x/developer-guide/debugging/debug-tags.en.html?highlight=debug%20enable#other-useful-internal-debug-tags
>> https://docs.trafficserver.apache.org/en/7.1.x/admin-guide/files/records.config.en.html?highlight=debug%20enable#proxy.config.diags.debug.enabled
>>
>>
>> On Mon, Feb 19, 2018 at 11:12 AM, gksalil <gksalil@gmail.com> wrote:
>>
>>> Hello
>>>
>>>   I have set up an MTLS forward proxy with ATS. But what happens is that the
>>> connection to the forward proxy is getting reset; I mean ATS is sending an RST
>>> message to the client.
>>> I have verified the certificate that the client is sending with the root CA
>>> certificate that ATS is using for verifying the client certificate. That
>>> shows verified.
>>>
>>> ~ # openssl verify -CAfile /tmp/ca.pem /tmp/tomcat.pem
>>> /tmp/tomcat.pem: OK
>>>
>>> But from Wireshark I can see the following sequence
>>>
>>> client to server -> Certificate, client key exchange, certificate verify
>>> client to server -> Change Cipher spec, Encrypted handshake message
>>> Server to client -> [RST, ACK]
>>>
>>> How do I fix this issue - any clues ?
>>>
>>> from my records.conf
>>>
>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>> CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
>>> CONFIG proxy.config.ssl.server.cert.path STRING <location where certificates are stored>
>>>
>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>> CONFIG proxy.config.ssl.client.CA.cert.path STRING <location where certificates are stored>
>>>
>>> Is there any way I can make ATS log more ssl logs ?
>>>
>>> Thanks in advance
>>> ~S
>>>
>>> --
>>> Sent from: http://apache-traffic-server.24303.n7.nabble.com/
>>>
>>
>>
>

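As an added example (not code from the thread or from the ATS project), a small Python checker for the two things Alan's reply points at: duplicated keys in the quoted records.config excerpt, whether a client-certificate verification level is set at all, and what the quoted 'ssl' debug lines actually say about timing versus the handshake timer. The directive name `proxy.config.ssl.client.certification_level` is an assumption about which setting Alan means, and the timeout comparison assumes the timer is in seconds, which the thread does not settle.

```python
import re
from collections import Counter
# Constructed records.config excerpt based on the thread (cert paths are placeholders).
RECORDS_CONFIG = """\
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.server.cert.path STRING /path/to/certs
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /path/to/certs
"""
# Constructed excerpt of the 'ssl' debug-tag output quoted in the thread (prefixes trimmed).
SSL_DEBUG_LOG = """\
(ssl) SSL handshake error: SSL_ERROR_WANT_READ (2), errno=0
(ssl) ssl handshake for vc 0x55751507fca0, took 0.583 seconds, configured handshake_timer: 20
(ssl) SSL handshake error: EOF
"""
# Assumed directive name: the records.config setting that makes ATS request (1)
# or require (2) a client certificate; 0 or absent means no client-cert verification.
CLIENT_CERT_LEVEL = "proxy.config.ssl.client.certification_level"

def lint_records_config(text):
    """Return (sorted duplicate CONFIG keys, client-cert level as int or None)."""
    seen, values = Counter(), {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "CONFIG":
            seen[parts[1]] += 1
            values[parts[1]] = parts[3]  # keep the last occurrence we saw
    duplicates = sorted(k for k, n in seen.items() if n > 1)
    level = values.get(CLIENT_CERT_LEVEL)
    return duplicates, (int(level) if level is not None else None)

HANDSHAKE_RE = re.compile(r"took ([\d.]+) seconds, configured handshake_timer: (\d+)")
ERROR_RE = re.compile(r"SSL handshake error: (\S+)")

def summarize_handshake(text):
    """Extract handshake duration, timer and the last handshake error from ssl debug lines."""
    elapsed = timer = None
    errors = []
    for line in text.splitlines():
        if m := HANDSHAKE_RE.search(line):
            elapsed, timer = float(m.group(1)), int(m.group(2))
        if m := ERROR_RE.search(line):
            errors.append(m.group(1))
    # SSL_ERROR_WANT_READ only means OpenSSL is waiting for more bytes; the final
    # error (EOF = the peer closed) is the real outcome. The comparison below assumes
    # the timer is in seconds, which the thread does not confirm.
    return {"elapsed": elapsed, "timer": timer,
            "final_error": errors[-1] if errors else None,
            "timeout_plausible": bool(elapsed and timer and elapsed >= timer)}
```

On the thread's data this reports the duplicated `proxy.config.ssl.client.CA.cert.filename` key, no certification level, and a 0.583 s handshake that ended in EOF well inside a timer of 20, so (if the unit is seconds) the timeout is not the cause.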