From: salil GK <gksalil@gmail.com>
Date: Wed, 21 Feb 2018 06:54:32 +0530
Subject: Re: Connection rejected for MTLS forward proxy
To: users@trafficserver.apache.org
> Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem' twice in your records.config? Also, I don't think ATS verifies the client certificate unless told to do so and I don't see that in your records.config.

- Yes I can see the entry twice in the records.conf file - should I keep only one entry ?

> I'm not sure what the units of the "configured handshake_timer" are.

= it is 20

CONFIG proxy.config.ssl.handshake_timeout_in INT 20
CONFIG proxy.config.ssl.client.certification_level INT 2
CONFIG proxy.config.ssl.client.verify.server INT 0

also I have the parameters CONFIG proxy.config.ssl.client.cert.path STRING and CONFIG proxy.config.ssl.client.CA.cert.path configured - is it really required - or will it create any issue ?

Thanks
Salil

On 21 February 2018 at 06:30, Alan Carroll <solidwallofcode@oath.com> wrote:

> Based on just this, I would say it is the client rejecting the certificate provided by ATS. I'm not sure what the units of the "configured handshake_timer" are. You should also see a lot more logging data than just this. In particular there should be messages about ATS loading up the certificates, both client and server.
>
> Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem' twice in your records.config? Also, I don't think ATS verifies the client certificate unless told to do so and I don't see that in your records.config.
>
> On Tue, Feb 20, 2018 at 5:55 PM, salil GK <gksalil@gmail.com> wrote:
>
>> I can see the following lines in the ATS logs.
>>
>> >>>
>>
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLUtils.cc:1687 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x557514e03a00 where: 8194 ret: -1
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1102 (sslServerHandShakeEvent)> (ssl) trace=FALSE
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1106 (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_WANT_READ (2), errno=0
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:514 (net_read_io)> (ssl) ssl handshake for vc 0x55751507fca0, took 0.583 seconds, configured handshake_timer: 20
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1095 (sslServerHandShakeEvent)> (ssl) SSL handshake error: EOF
>>
>> <<<
>>
>> Is there any indication from this information - or do we need any more information from the system ?
>>
>> could this be the issue with handshake timeout window ? just wondering.
>>
>> Regs
>>
>> ~S
>>
>> On 20 February 2018 at 01:57, Alan Carroll <solidwallofcode@oath.com> wrote:
>>
>>> You can enable the debug tag 'ssl' to get more data.
>>>
>>> See
>>> https://docs.trafficserver.apache.org/en/7.1.x/developer-guide/debugging/debug-tags.en.html?highlight=debug%20enable#other-useful-internal-debug-tags
>>> https://docs.trafficserver.apache.org/en/7.1.x/admin-guide/files/records.config.en.html?highlight=debug%20enable#proxy.config.diags.debug.enabled
>>>
>>> On Mon, Feb 19, 2018 at 11:12 AM, gksalil <gksalil@gmail.com> wrote:
>>>
>>>> Hello
>>>>
>>>> I have set up an MTLS forward proxy with ATS. But what happens is - connection to forward proxy is getting reset - I mean ATS is sending RST message to the client.
>>>> I have verified the certificate that client is sending with the root CA certificate that ATS is using for verifying the client certificate. That shows verified.
>>>>
>>>> ~ # openssl verify -CAfile /tmp/ca.pem /tmp/tomcat.pem
>>>> /tmp/tomcat.pem: OK
>>>>
>>>> But from Wireshark I can see the following sequence
>>>>
>>>> client to server -> Certificate, client key exchange, certificate verify
>>>> client to server -> Change Cipher spec, Encrypted handshake message
>>>> Server to client -> [RST, ACK]
>>>>
>>>> How do I fix this issue - any clues ?
>>>>
>>>> from my records.conf
>>>>
>>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>>> CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
>>>> CONFIG proxy.config.ssl.server.cert.path STRING <location where certificates are stored>
>>>>
>>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>>> CONFIG proxy.config.ssl.client.CA.cert.path STRING <location where certificates are stored>
>>>>
>>>> Is there any way I can make ATS log more ssl logs ?
>>>>
>>>> Thanks in advance
>>>> ~S
>>>>
>>>> --
>>>> Sent from: http://apache-traffic-server.24303.n7.nabble.com/
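A small triage script for the `(ssl)` debug lines quoted in the thread, added here as an example and not part of the thread or of Traffic Server itself. It separates OpenSSL's SSL_ERROR_WANT_READ (which only means more bytes are needed) from the EOF that marks the peer closing the connection, and compares the logged handshake duration with the configured handshake_timer, treating the timer as seconds (an assumption; the thread does not settle the units).

```python
import re

# Sample input: the five ATS "(ssl)" debug lines pasted in the thread (the
# original poster's host, pid and pointer values, used here only as test data).
SAMPLE_LOG = """\
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLUtils.cc:1687 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x557514e03a00 where: 8194 ret: -1
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1102 (sslServerHandShakeEvent)> (ssl) trace=FALSE
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1106 (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_WANT_READ (2), errno=0
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:514 (net_read_io)> (ssl) ssl handshake for vc 0x55751507fca0, took 0.583 seconds, configured handshake_timer: 20
2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1095 (sslServerHandShakeEvent)> (ssl) SSL handshake error: EOF
"""

# <ts> <host> traffic_server[<pid>]: {<thread>} DEBUG: <file:line (func)> (ssl) <msg>
LINE_RE = re.compile(r"^\S+ \S+ traffic_server\[\d+\]: \{0x[0-9a-f]+\} DEBUG: "
                     r"<(?P<src>[^>]+)> \(ssl\) (?P<msg>.*)$")
TIMER_RE = re.compile(r"took ([\d.]+) seconds, configured handshake_timer: (\d+)")

def triage(log):
    """Count handshake outcomes in ATS ssl debug output.
    SSL_ERROR_WANT_READ is OpenSSL asking for more bytes, not a failure;
    EOF means the peer closed the socket before the handshake finished."""
    out = {"want_read": 0, "eof": 0, "other": [], "took": None, "timer": None}
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an (ssl) debug line; ignore
        msg = m.group("msg")
        if msg.startswith("SSL handshake error:"):
            err = msg.split(":", 1)[1].strip()
            if err.startswith("SSL_ERROR_WANT_READ"):
                out["want_read"] += 1
            elif err == "EOF":
                out["eof"] += 1
            else:
                out["other"].append((m.group("src"), err))
        t = TIMER_RE.search(msg)
        if t:
            out["took"], out["timer"] = float(t.group(1)), int(t.group(2))
    return out

def verdict(out):
    """Tell 'we hit handshake_timer' apart from 'peer hung up' or a TLS error.
    Treats handshake_timer as seconds (an assumption; the thread leaves units open)."""
    if out["took"] is not None and out["timer"] and out["took"] >= out["timer"]:
        return "timeout"
    if out["eof"]:
        return "peer_closed"
    if out["other"]:
        return "tls_error"
    return "ok"
```

On the thread's lines `verdict(triage(SAMPLE_LOG))` returns "peer_closed": the handshake took 0.583 seconds against a configured value of 20, so the RST is not a timeout on the ATS side but the client ending the handshake.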