trafficserver-users mailing list archives

From salil GK <gksa...@gmail.com>
Subject Re: Connection rejected for MTLS forward proxy
Date Tue, 20 Feb 2018 23:55:50 GMT
I can see the following lines in the ATS logs.

>>>

2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
{0x7f66f43fb740} DEBUG: <SSLUtils.cc:1687 (ssl_callback_info)> (ssl)
ssl_callback_info ssl: 0x557514e03a00 where: 8194 ret: -1

2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
{0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1102
(sslServerHandShakeEvent)> (ssl) trace=FALSE

2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
{0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1106
(sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_WANT_READ
(2), errno=0

2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
{0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:514 (net_read_io)> (ssl) ssl
handshake for vc 0x55751507fca0, took 0.583 seconds, configured
handshake_timer: 20

2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
{0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1095
(sslServerHandShakeEvent)> (ssl) SSL handshake error: EOF

<<<


Is there any indication from this information - or do we need any more
information from the system?

Could this be an issue with the handshake timeout window? Just wondering.


Regs

~S
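As an added example that is not part of this thread, here is a small Python parser for the ATS "ssl" debug lines quoted above. The sample input is those five lines re-joined onto one line each (the archive wrapped them), and the verdict logic is mine: it checks the logged handshake duration against the configured handshake_timer and treats a final EOF as the other side closing the connection.

```python
import re

# Constructed sample: the five ATS "ssl" debug lines quoted in the post, re-joined
# onto one line each (the mail archive wrapped them); every value is from the post.
SAMPLE_LOG = """\
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLUtils.cc:1687 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x557514e03a00 where: 8194 ret: -1
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1102 (sslServerHandShakeEvent)> (ssl) trace=FALSE
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1106 (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_WANT_READ (2), errno=0
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:514 (net_read_io)> (ssl) ssl handshake for vc 0x55751507fca0, took 0.583 seconds, configured handshake_timer: 20
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1095 (sslServerHandShakeEvent)> (ssl) SSL handshake error: EOF
"""

LINE_RE = re.compile(  # "<ts> <host> traffic_server[<pid>]: {<thread>} DEBUG: <file:line (func)> (tag) msg"
    r"^(?P<ts>\S+) (?P<host>\S+) traffic_server\[(?P<pid>\d+)\]: "
    r"\{(?P<thread>0x[0-9a-f]+)\} DEBUG: <(?P<src>[^:]+):(?P<lineno>\d+) "
    r"\((?P<func>\w+)\)> \((?P<tag>\w+)\) (?P<msg>.*)$"
)
TIMING_RE = re.compile(r"took (?P<took>[\d.]+) seconds, configured handshake_timer: (?P<timer>\d+)")
ERROR_RE = re.compile(r"SSL handshake error: (?P<err>\w+)")

def parse_line(line):
    """Split one diags line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize_handshake(log_text):
    """Fold the ssl-tagged lines for one connection into a single verdict."""
    s = {"errors": [], "took": None, "timer": None, "timed_out": None, "verdict": None}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["tag"] != "ssl":
            continue
        if t := TIMING_RE.search(rec["msg"]):
            s["took"], s["timer"] = float(t["took"]), int(t["timer"])
            s["timed_out"] = s["took"] >= s["timer"]  # did it run into handshake_timer?
        if e := ERROR_RE.search(rec["msg"]):
            s["errors"].append(e["err"])
    # SSL_ERROR_WANT_READ is not a failure: OpenSSL is only asking for more bytes.
    real = [e for e in s["errors"] if e != "SSL_ERROR_WANT_READ"]
    if s["timed_out"]:
        s["verdict"] = "handshake_timer expired"
    elif real and real[-1] == "EOF":
        # EOF: the read hit end-of-stream, so the other side closed the connection.
        s["verdict"] = "peer closed the connection before the handshake completed"
    elif real:
        s["verdict"] = "handshake failed: " + real[-1]
    else:
        s["verdict"] = "handshake completed"
    return s
```

On the quoted lines the handshake took 0.583 s against a 20 s timer, so the summary reports no timeout and attributes the failure to the EOF.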

On 20 February 2018 at 01:57, Alan Carroll <solidwallofcode@oath.com> wrote:

> You can enable the debug tag 'ssl' to get more data.
>
> See
> https://docs.trafficserver.apache.org/en/7.1.x/developer-guide/debugging/debug-tags.en.html?highlight=debug%20enable#other-useful-internal-debug-tags
> https://docs.trafficserver.apache.org/en/7.1.x/admin-guide/files/records.config.en.html?highlight=debug%20enable#proxy.config.diags.debug.enabled
>
> On Mon, Feb 19, 2018 at 11:12 AM, gksalil <gksalil@gmail.com> wrote:
>
>> Hello
>>
>>   I have set up an MTLS forward proxy with ATS. But what happens is that the
>> connection to the forward proxy is getting reset - I mean ATS is sending an RST
>> message to the client.
>> I have verified the certificate that the client is sending against the root CA
>> certificate that ATS is using for verifying the client certificate. That
>> shows verified.
>>
>> ~ # openssl verify -CAfile /tmp/ca.pem /tmp/tomcat.pem
>> /tmp/tomcat.pem: OK
>>
>> But from Wireshark I can see the following sequence
>>
>> client to server -> Certificate ,  client key exchange, certificate verify
>> client to server -> Change Cipher spec, Encrypted handshake message
>> Server to client -> [RST, ACK]
>>
>> How do I fix this issue - any clues?
>>
>> from my records.conf
>>
>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>> CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
>> CONFIG proxy.config.ssl.server.cert.path STRING <location where certificates are stored>
>>
>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>> CONFIG proxy.config.ssl.client.CA.cert.path STRING <location where certificates are stored>
>>
>> Is there any way I can make ATS log more SSL details?
>>
>> Thanks in advance
>> ~S
>>
>> --
>> Sent from: http://apache-traffic-server.24303.n7.nabble.com/
>>
>
>
