trafficserver-users mailing list archives

From salil GK <gksa...@gmail.com>
Subject Re: Connection rejected for MTLS forward proxy
Date Wed, 21 Feb 2018 01:24:32 GMT
> Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem' twice in
> your records.config? Also, I don't think ATS verifies the client
> certificate unless told to do so and I don't see that in your
> records.config.

Yes, I can see the entry twice in the records.conf file. Should I keep only one entry?

> I'm not sure what the units of the "configured handshake_timer" are.

It is 20:

CONFIG proxy.config.ssl.handshake_timeout_in INT 20

CONFIG proxy.config.ssl.client.certification_level INT 2

CONFIG proxy.config.ssl.client.verify.server INT 0

I also have the parameters CONFIG proxy.config.ssl.client.cert.path STRING
and CONFIG proxy.config.ssl.client.CA.cert.path configured. Are they really
required, or will they create any issue?

Thanks
Salil


On 21 February 2018 at 06:30, Alan Carroll <solidwallofcode@oath.com> wrote:

> Based on just this, I would say it is the client rejecting the certificate
> provided by ATS. I'm not sure what the units of the "configured
> handshake_timer" are.  You should also see a lot more logging data than
> just this. In particular there should be messages about ATS loading up the
> certificates, both client and server.
>
> Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename
> STRING ca.pem' twice in your records.config? Also, I don't think ATS
> verifies the client certificate unless told to do so and I don't see that
> in your records.config.
>
> On Tue, Feb 20, 2018 at 5:55 PM, salil GK <gksalil@gmail.com> wrote:
>
>> I can see the following lines in the ATS logs.
>>
>> >>>
>>
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
>> {0x7f66f43fb740} DEBUG: <SSLUtils.cc:1687 (ssl_callback_info)> (ssl)
>> ssl_callback_info ssl: 0x557514e03a00 where: 8194 ret: -1
>>
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
>> {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1102
>> (sslServerHandShakeEvent)> (ssl) trace=FALSE
>>
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
>> {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1106
>> (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_WANT_READ
>> (2), errno=0
>>
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
>> {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:514 (net_read_io)> (ssl) ssl
>> handshake for vc 0x55751507fca0, took 0.583 seconds, configured
>> handshake_timer: 20
>>
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
>> {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1095
>> (sslServerHandShakeEvent)> (ssl) SSL handshake error: EOF
>>
>> <<<
>>
>>
>> Is there any indication from this information, or do we need any more
>> information from the system?
>>
>> Could this be an issue with the handshake timeout window? Just wondering.
>>
>>
>> Regs
>>
>> ~S
>>
>> On 20 February 2018 at 01:57, Alan Carroll <solidwallofcode@oath.com>
>> wrote:
>>
>>> You can enable the debug tag 'ssl' to get more data.
>>>
>>> See
>>> https://docs.trafficserver.apache.org/en/7.1.x/developer-guide/debugging/debug-tags.en.html?highlight=debug%20enable#other-useful-internal-debug-tags
>>> https://docs.trafficserver.apache.org/en/7.1.x/admin-guide/files/records.config.en.html?highlight=debug%20enable#proxy.config.diags.debug.enabled
>>>
>>> On Mon, Feb 19, 2018 at 11:12 AM, gksalil <gksalil@gmail.com> wrote:
>>>
>>>> Hello
>>>>
>>>>   I have set up an MTLS forward proxy with ATS. But what happens is that the
>>>> connection to the forward proxy is getting reset; I mean ATS is sending an RST
>>>> message to the client.
>>>> I have verified the certificate that the client is sending against the root CA
>>>> certificate that ATS is using for verifying the client certificate. That
>>>> shows verified.
>>>>
>>>> ~ # openssl verify -CAfile /tmp/ca.pem /tmp/tomcat.pem
>>>> /tmp/tomcat.pem: OK
>>>>
>>>> But from Wireshark I can see the following sequence
>>>>
>>>> client to server -> Certificate, client key exchange, certificate verify
>>>> client to server -> Change Cipher spec, Encrypted handshake message
>>>> Server to client -> [RST, ACK]
>>>>
>>>> How do I fix this issue? Any clues?
>>>>
>>>> From my records.conf:
>>>>
>>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>>> CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
>>>> CONFIG proxy.config.ssl.server.cert.path STRING <location where certificates are stored>
>>>>
>>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>>> CONFIG proxy.config.ssl.client.CA.cert.path STRING <location where certificates are stored>
>>>>
>>>> Is there any way I can make ATS log more SSL logs?
>>>>
>>>> Thanks in advance
>>>> ~S
>>>>
>>>> --
>>>> Sent from: http://apache-traffic-server.24303.n7.nabble.com/
>>>>
>>>
>>>
>>
>
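An added helper, written for this archive page and not part of the thread or of ATS itself, that audits a records.config excerpt for the two points raised above: CONFIG keys that appear more than once, and whether client-certificate verification is actually enabled via proxy.config.ssl.client.certification_level. The sample file contents and the /etc/trafficserver/ssl paths are constructed; the level meanings (0 none, 1 optional, 2 required) follow the ATS documentation.

```python
import re
from collections import Counter

# Constructed sample modelled on the records.config excerpt in the thread:
# the client CA filename line appears twice, and certification_level is 2.
SAMPLE_RECORDS_CONFIG = """\
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/trafficserver/ssl
CONFIG proxy.config.ssl.handshake_timeout_in INT 20
CONFIG proxy.config.ssl.client.certification_level INT 2
"""

# One records.config line: CONFIG <name> <INT|STRING|FLOAT> <value>
LINE_RE = re.compile(r"^\s*CONFIG\s+(\S+)\s+(INT|STRING|FLOAT)\s+(.*?)\s*$")


def parse_records(text):
    """Return [(name, type, value), ...] for every CONFIG line, in file order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def duplicate_keys(entries):
    """Names that occur more than once. A duplicated key makes it unclear
    which value is in effect, which is exactly what was questioned above."""
    counts = Counter(name for name, _, _ in entries)
    return sorted(name for name, count in counts.items() if count > 1)


def client_cert_policy(entries):
    """Map certification_level to its documented meaning; the last occurrence
    in the file is used. Missing key defaults to 0, i.e. no client cert."""
    level = 0
    for name, _, value in entries:
        if name == "proxy.config.ssl.client.certification_level":
            level = int(value)
    return {0: "none", 1: "optional", 2: "required"}.get(level, "unknown")


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS_CONFIG)
    print("duplicates:", duplicate_keys(recs))
    print("client cert:", client_cert_policy(recs))
```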
