trafficserver-users mailing list archives

From salil GK <gksa...@gmail.com>
Subject Re: Connection rejected for MTLS forward proxy
Date Wed, 21 Feb 2018 17:35:10 GMT
I have also assigned these variables the same values:

CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.CA.cert.path STRING /directory/where/ca.pem

# and

CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /directory/where/ca.pem

On 21 February 2018 at 22:48, Persia Aziz <persia.aziz@yahoo.com> wrote:

> Hi,
>
> What you want is 'proxy.config.ssl.CA.cert.filename' and
> proxy.config.ssl.CA.cert.path not the client.CA configs. I know it is a
> bit confusing. The client.CA ones are used to verify origin server
> certificates. Try the configs and see if that works.
>
> Docs for the configs:
>
> records.config — Apache Traffic Server 8.0.0 documentation
> <https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?highlight=proxy%20config%20ssl%20ca%20cert%20filename#proxy.config.ssl.CA.cert.filename>
>
> - Sincerely
> Syeda Persia Aziz
> Software Developer
> Yahoo! Inc.
> Champaign, Illinois
>
>
> On Wednesday, February 21, 2018, 10:41:32 AM CST, Alan Carroll <
> solidwallofcode@oath.com> wrote:
>
> I meant more what *units* the handshake_timer is. Looking at the code, it
> seems to be in seconds meaning it is unlikely that is the problem (if the
> handshake took .5s with a 20s timeout).
>
> I'd recommend having any configuration value at most once, although I
> don't think it would break anything.
>
> Looking at the code, it appears the client cert verify callback was hit
> (SSLUtils.cc:1687) with a failure reported by OpenSSL. I'd look at debug
> messages much earlier, during process start, to see if the certs are
> getting loaded correctly.

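The distinction Persia draws above (proxy.config.ssl.CA.cert.* verifies the client certificates presented to the proxy, proxy.config.ssl.client.CA.cert.* verifies origin servers) and Alan's advice to define each value at most once can both be checked mechanically before restarting the proxy. The lint below is an added example written for this page; it is not code from Apache Traffic Server or from anyone on the thread. It assumes the records.config line format `CONFIG name TYPE value`, that proxy.config.ssl.client.certification_level is the directive that turns client-certificate verification on (0 disables it), and, for duplicated directives, that the last definition wins (an assumption; the thread does not say how ATS resolves duplicates). The two sample fragments and the /etc/trafficserver/ssl path are constructed for the example.

```python
"""Lint a records.config fragment for the client-cert CA mix-up discussed in the thread."""
import re
from collections import Counter

# Constructed sample: the shape of the original poster's configuration.
# Only the origin-side CA directives are set, and one line is duplicated.
SAMPLE_RECORDS_CONFIG = """\
# mTLS forward proxy, as posted (constructed for this example)
CONFIG proxy.config.ssl.client.certification_level INT 2
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /directory/where/ca.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /directory/where/ca.pem
"""

# Constructed sample: the directives that actually govern client-cert verification.
CORRECTED_RECORDS_CONFIG = """\
CONFIG proxy.config.ssl.client.certification_level INT 2
CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl
"""

# Assumed records.config syntax: CONFIG <name> <INT|STRING|FLOAT> <value>
CONFIG_RE = re.compile(r"^\s*CONFIG\s+(\S+)\s+(INT|STRING|FLOAT)\s+(.*?)\s*$")

LEVEL = "proxy.config.ssl.client.certification_level"
PROXY_CA_FILE = "proxy.config.ssl.CA.cert.filename"     # verifies clients
ORIGIN_CA_FILE = "proxy.config.ssl.client.CA.cert.filename"  # verifies origins


def parse_records(text):
    """Return a list of (name, type, value) tuples; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = CONFIG_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2), match.group(3)))
    return entries


def lint_client_cert_config(text):
    """Return a list of human-readable findings for a proxy that must verify client certs."""
    entries = parse_records(text)
    findings = []

    # Alan's point: each directive should appear at most once.
    counts = Counter(name for name, _, _ in entries)
    for name, count in sorted(counts.items()):
        if count > 1:
            findings.append(f"duplicate: {name} appears {count} times; keep at most one")

    # Assumption: when a directive is repeated, the last definition wins.
    values = {name: value for name, _, value in entries}

    # Persia's point: client certs are checked against proxy.config.ssl.CA.cert.*,
    # not against the proxy.config.ssl.client.CA.cert.* origin-side directives.
    level = values.get(LEVEL, "0")
    if level != "0":
        if PROXY_CA_FILE not in values:
            findings.append(f"{LEVEL} is {level} but {PROXY_CA_FILE} is unset; "
                            "client certificates cannot be verified")
        if ORIGIN_CA_FILE in values and PROXY_CA_FILE not in values:
            findings.append(f"only {ORIGIN_CA_FILE} is set; that CA bundle verifies "
                            "origin servers, not clients")
    return findings


if __name__ == "__main__":
    for label, fragment in (("as posted", SAMPLE_RECORDS_CONFIG),
                            ("corrected", CORRECTED_RECORDS_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_client_cert_config(fragment) or ["no findings"]:
            print(" -", finding)
```

Run against a real records.config the lint only covers the single case argued in this thread (a proxy that demands client certificates); it says nothing about whether ca.pem itself contains the issuing CA, which is the separate check Alan suggests doing from the start-up debug output.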