trafficserver-users mailing list archives

From salil GK <gksa...@gmail.com>
Subject Re: Connection rejected for MTLS forward proxy
Date Wed, 21 Feb 2018 02:18:45 GMT
*-- added some formatting for clarity... sorry for the repeat post!*

*Q. Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem' twice
in your records.config? Also, I don't think ATS verifies the client
certificate unless told to do so and I don't see that in your
records.config.*
*A. Yes, I can see the entry twice in the records.conf file - should I keep
only one entry?*

*Q. I'm not sure what the units of the "configured handshake_timer" are.*
*A. It is 20*

CONFIG proxy.config.ssl.handshake_timeout_in INT 20

CONFIG proxy.config.ssl.client.certification_level INT 2

CONFIG proxy.config.ssl.client.verify.server INT 0

Also, I have the parameters
CONFIG proxy.config.ssl.client.cert.path STRING and
CONFIG proxy.config.ssl.client.CA.cert.path configured. Are they really
required, or will they create any issue?

Thanks
Salil

On 21 February 2018 at 06:54, salil GK <gksalil@gmail.com> wrote:

> Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem' twice
> in your records.config? Also, I don't think ATS verifies the client
> certificate unless told to do so and I don't see that in your
> records.config. - Yes, I can see the entry twice in the records.conf file -
> should I keep only one entry?
>
>  I'm not sure what the units of the "configured handshake_timer" are. = It
> is 20
>
> CONFIG proxy.config.ssl.handshake_timeout_in INT 20
>
> CONFIG proxy.config.ssl.client.certification_level INT 2
>
> CONFIG proxy.config.ssl.client.verify.server INT 0
>
> Also, I have the parameters CONFIG proxy.config.ssl.client.cert.path
> STRING and CONFIG proxy.config.ssl.client.CA.cert.path configured. Are
> they really required, or will they create any issue?
>
> Thanks
> Salil
>
>
> On 21 February 2018 at 06:30, Alan Carroll <solidwallofcode@oath.com>
> wrote:
>
>> Based on just this, I would say it is the client rejecting the
>> certificate provided by ATS. I'm not sure what the units of the "configured
>> handshake_timer" are.  You should also see a lot more logging data than
>> just this. In particular there should be messages about ATS loading up the
>> certificates, both client and server.
>>
>> Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename
>> STRING ca.pem' twice in your records.config? Also, I don't think ATS
>> verifies the client certificate unless told to do so and I don't see that
>> in your records.config.
>>
>> On Tue, Feb 20, 2018 at 5:55 PM, salil GK <gksalil@gmail.com> wrote:
>>
>>> I can see the following lines in the ATS logs.
>>>
>>> >>>
>>>
>>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
>>> {0x7f66f43fb740} DEBUG: <SSLUtils.cc:1687 (ssl_callback_info)> (ssl)
>>> ssl_callback_info ssl: 0x557514e03a00 where: 8194 ret: -1
>>>
>>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
>>> {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1102
>>> (sslServerHandShakeEvent)> (ssl) trace=FALSE
>>>
>>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
>>> {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1106
>>> (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_WANT_READ
>>> (2), errno=0
>>>
>>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
>>> {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:514 (net_read_io)> (ssl) ssl
>>> handshake for vc 0x55751507fca0, took 0.583 seconds, configured
>>> handshake_timer: 20
>>>
>>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]:
>>> {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1095
>>> (sslServerHandShakeEvent)> (ssl) SSL handshake error: EOF
>>>
>>> <<<
>>>
>>>
>>> Is there any indication from this information, or do we need any more
>>> information from the system?
>>>
>>> Could this be an issue with the handshake timeout window? Just wondering.
>>>
>>>
>>> Regs
>>>
>>> ~S
>>>
>>> On 20 February 2018 at 01:57, Alan Carroll <solidwallofcode@oath.com>
>>> wrote:
>>>
>>>> You can enable the debug tag 'ssl' to get more data.
>>>>
>>>> See
>>>> https://docs.trafficserver.apache.org/en/7.1.x/developer-guide/debugging/debug-tags.en.html?highlight=debug%20enable#other-useful-internal-debug-tags
>>>> https://docs.trafficserver.apache.org/en/7.1.x/admin-guide/files/records.config.en.html?highlight=debug%20enable#proxy.config.diags.debug.enabled
>>>>
>>>> On Mon, Feb 19, 2018 at 11:12 AM, gksalil <gksalil@gmail.com> wrote:
>>>>
>>>>> Hello
>>>>>
>>>>>   I have set up an MTLS forward proxy with ATS. But what happens is that
>>>>> the connection to the forward proxy is getting reset - I mean ATS is
>>>>> sending an RST message to the client.
>>>>> I have verified the certificate that the client is sending with the root
>>>>> CA certificate that ATS is using for verifying the client certificate.
>>>>> That shows verified.
>>>>>
>>>>> ~ # openssl verify -CAfile /tmp/ca.pem /tmp/tomcat.pem
>>>>> /tmp/tomcat.pem: OK
>>>>>
>>>>> But from Wireshark I can see the following sequence
>>>>>
>>>>> client to server -> Certificate, client key exchange, certificate verify
>>>>> client to server -> Change Cipher spec, Encrypted handshake message
>>>>> Server to client -> [RST, ACK]
>>>>>
>>>>> How do I fix this issue - any clues?
>>>>>
>>>>> From my records.conf:
>>>>>
>>>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>>>> CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
>>>>> CONFIG proxy.config.ssl.server.cert.path STRING <location where certificates are stored>
>>>>>
>>>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>>>> CONFIG proxy.config.ssl.client.CA.cert.path STRING <location where certificates are stored>
>>>>>
>>>>> Is there any way I can make ATS log more SSL logs?
>>>>>
>>>>> Thanks in advance
>>>>> ~S

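A small triage helper for the (ssl) debug-tag lines quoted in this thread, added here as an example; it is not part of the original messages or of Apache Traffic Server. It pulls the "SSL handshake error" names and the "took N seconds, configured handshake_timer" figures out of the log and reports whether the failure looks like the handshake timer firing or the peer closing the connection. It assumes handshake_timeout_in is in the same unit (seconds) as the "took" figure, which Alan's reply leaves open.

```python
import re
from typing import List, Tuple

# Constructed sample input: the (ssl) debug-tag lines quoted in this thread,
# re-joined onto one line each (the mailer had wrapped them).
SAMPLE_LOG = """\
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLUtils.cc:1687 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x557514e03a00 where: 8194 ret: -1
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1102 (sslServerHandShakeEvent)> (ssl) trace=FALSE
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1106 (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_WANT_READ (2), errno=0
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:514 (net_read_io)> (ssl) ssl handshake for vc 0x55751507fca0, took 0.583 seconds, configured handshake_timer: 20
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1095 (sslServerHandShakeEvent)> (ssl) SSL handshake error: EOF
"""

# Only the "<file:line (function)> (ssl) message" tail of each line is needed.
LINE_RE = re.compile(r"<(?P<file>[^:>]+):(?P<line>\d+) \((?P<func>\w+)\)> \(ssl\) (?P<msg>.*)$")
ERROR_RE = re.compile(r"SSL handshake error: (?P<err>[A-Z_]+)")
TIMER_RE = re.compile(r"took (?P<secs>[\d.]+) seconds, configured handshake_timer: (?P<timer>\d+)")

def parse_ssl_lines(text: str) -> List[Tuple[str, str, str]]:
    """Return (file:line, function, message) for every line carrying the ssl tag."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            events.append((f"{m['file']}:{m['line']}", m["func"], m["msg"]))
    return events

def summarize_handshake(events: List[Tuple[str, str, str]]) -> dict:
    """Classify one server-side handshake from its ssl events."""
    errors, duration, timer = [], None, None
    for _src, _func, msg in events:
        e = ERROR_RE.search(msg)
        if e:
            errors.append(e["err"])
        t = TIMER_RE.search(msg)
        if t:
            duration, timer = float(t["secs"]), int(t["timer"])
    # Assumption: handshake_timer is in the same unit (seconds) as "took N seconds".
    timed_out = duration is not None and timer is not None and duration >= timer
    if timed_out:
        verdict = "handshake exceeded configured timer"
    elif "EOF" in errors:
        # EOF on read: the peer closed the connection before the handshake finished.
        verdict = "peer closed before handshake completed"
    elif all(err == "SSL_ERROR_WANT_READ" for err in errors):
        # WANT_READ only means OpenSSL is waiting for more bytes; not a failure by itself.
        verdict = "no fatal error; handshake still waiting on peer data"
    else:
        verdict = "fatal TLS error: " + ", ".join(errors)
    return {"errors": errors, "duration": duration, "timer": timer,
            "timed_out": timed_out, "verdict": verdict}
```

On the thread's own lines this reports 0.583 seconds against a timer of 20 and the verdict "peer closed before handshake completed", so the figures do not point at the timeout window Salil asks about; the SSL_ERROR_WANT_READ line before the EOF is not itself an error.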