trafficserver-users mailing list archives

From Susan Hinrichs <shinr...@verizonmedia.com>
Subject Re: SSL Handshake Error with TS 8.0.2 and self signed certificate
Date Mon, 25 Feb 2019 14:16:46 GMT
I am guessing that your Firefox failure is due to the self-signed
certificate.  The mainstream browsers have been getting more picky.  Does a
GET request work if you use curl with the -k (don't verify server
certificate) argument?

I am more concerned by the crash of your signed certificate.  Could you
share the text output of your certificate?  From the debug messages it
seems that it is failing in the logic that is pulling the names out of the
certificates to enter into the Context map.  Output of "openssl x509 -in
<cert.pem> -text"  or something similar.

Susan

On Sun, Feb 24, 2019 at 4:11 AM Alexander Rabenstein <
alexander@die-rabensteins.de> wrote:

> Hi,
>
>
>
> I am trying to set up TS with a self-signed certificate as a forwarding proxy
> that should terminate all SSL connections to origin servers and then, if
> necessary, act as an SSL client to the origin server.
>
>
>
> I created the cert with openssl and also imported it in Firefox.
>
>
>
> When I try with openssl as client I get the following output:
>
>
>
> CONNECTED(00000003)
>
> depth=0 CN = ssst.fritz.box
>
> verify error:num=18:self signed certificate
>
> verify return:1
>
> depth=0 CN = ssst.fritz.box
>
> verify return:1
>
> ---
>
> Certificate chain
>
> 0 s:/CN=ssst.fritz.box
>
>    i:/CN=ssst.fritz.box
>
> ---
>
> Server certificate
>
> -----BEGIN CERTIFICATE-----
>
> MIIFBTCCAu2gAwIBAgIJAOhY4Knu31BbMA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNV
>
> BAMMDnNzc3QuZnJpdHouYm94MB4XDTE5MDIyNDAwMTc0OVoXDTIwMDIyNDAwMTc0
>
> OVowGTEXMBUGA1UEAwwOc3NzdC5mcml0ei5ib3gwggIiMA0GCSqGSIb3DQEBAQUA
>
> A4ICDwAwggIKAoICAQC1BS6l4aya1z/7Z+ZgL8o7qGwXrU0oAr/CEL0vSl8u7JxH
>
> j4QFkPuu1BBzw7MWgVzQtxCs9Igq8SHS6g1HUY9IxeAC+1U3E3uC2cetQTEVerbb
>
> 4EC+zMbzBT6LoGquw96NYkoNW4CLh0CFkHS5Jx9stRNdbi1Y2U6nyo7ijU1JPWYN
>
> /dkDcOoXrxfXqBY8IuJldIXwWjM8A/YNxSr1bTQh9Eta73+OimoWY22a4ScMufLE
>
> r3Grvh3xcXSfuEZzHaag06LfPRiVTdYiD8h1LFHcEno8DJrHTagzHZw5Y/+QtlPr
>
> 4zkSJEw4TwknUyPx0qdSoRo4PTZLUOzXd8t/2bOTLRM3W6WZQ9Wjk4++DmLgFAzh
>
> MC5WLlfn8/B9tZUnTbIbyL1FARc0bNyuWbBMsln/8nrW6XpiPbhlaNVwOX1kgFBX
>
> vyoOsZ4EjXQpzExYcm1G09C/PiiEpBEDzZLSojENgPnvwRjsR4Dswuqc6HxyxEv4
>
> hjXq+MnLrR66n3kZASwQX0DB533kk+bQFkeQ1/VHR0RpOt0hkf4HL70J6+F2e3sR
>
> QqzvFulpaWFl8ZI8XFIvJRDZuCd/MwVskurxVvzof9P31nrb6mSJkgYIlguX+zVi
>
> L6ppvnDtgYIHEmnFq7AbgfAswlH9/z7e234flBfg1Mp9QDlweUvi6w97UugR+wID
>
> AQABo1AwTjAdBgNVHQ4EFgQUyEqcFYmUz0PhwTUsyc1IsryaPBowHwYDVR0jBBgw
>
> FoAUyEqcFYmUz0PhwTUsyc1IsryaPBowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
>
> AQsFAAOCAgEAoRybmMudIuymPWN9PwKD0xah8UvdVBxCQwrV0O9yS7VzqL7zhexh
>
> wvl6148082ORHSuDQogcOukzXKLr4DUBGXE6KcUeLbCuXT3S3RbcJ+D+Or5js467
>
> F66Ov7wu96CUediANqW8+4PBbbDOvmkJb2tqzXoKNbCwWiOy8WmDq19AKmOxb7B8
>
> wW6yPNnoMuXKm3MzioYVVxlzY2dVTlz2ra1chnzchGwNGSZopu6rlCs2fawRAUjE
>
> yGYjWOyvPsGnrAF4J/w13bQsxpHmreLIHTzwUYUk/sIyrNYLwLCpzsx2AyM6kFwC
>
> 3klAWoZ9FOkzFdeeUWPacQG9S5XVfrc0WbanZWawEDoNwn5yg5DfPDBEvg5ocwNL
>
> 6YvRkcGhatNJhT82jU6enCoWNvEO/UG/EP5+rgXgUkxA6KvEsScoK9n/c1PTqISt
>
> 0dQCNyxOSlgaUYpl6Cb8E+ESy2ztO0HjpHVQnQF0jKYQhXM5+6vj5pjKPiD3Os75
>
> PFz9FjD1hjUsNVNiaHxvxjPcK3N3OgbN+66ZaquiC0avZ9u9twRylKtI/mbKmUda
>
> ns9xdhWP5YnnwYm7SCII5pHvdp69tm4tWtjyUxlA5w/YAazhiR5v2uHceKyIOoXB
>
> NckowYPTiPRtM3LGPPf7qYWJB6jDlCL3bGAYSh5vY2fczusCemF/eak=
>
> -----END CERTIFICATE-----
>
> subject=/CN=ssst.fritz.box
>
> issuer=/CN=ssst.fritz.box
>
> ---
>
> No client certificate CA names sent
>
> Peer signing digest: SHA512
>
> Server Temp Key: ECDH, P-256, 256 bits
>
> ---
>
> SSL handshake has read 2236 bytes and written 415 bytes
>
> ---
>
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>
> Server public key is 4096 bit
>
> Secure Renegotiation IS supported
>
> Compression: NONE
>
> Expansion: NONE
>
> No ALPN negotiated
>
> SSL-Session:
>
>     Protocol  : TLSv1.2
>
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>
>     Session-ID:
> 7BB8424C6E8024BD53629BA955FD8F6D7EBFBE9D93F1F04D7714DF807AF37396
>
>     Session-ID-ctx:
>
>     Master-Key:
> 2BEC5E965363094EEAF067E098EE817654AC8653040A4A0321F140642C395DC43E72FB3C9FED44E9F65397ECC0D10B60
>
>     Key-Arg   : None
>
>     Krb5 Principal: None
>
>     PSK identity: None
>
>     PSK identity hint: None
>
>     TLS session ticket lifetime hint: 300 (seconds)
>
>     TLS session ticket:
>
>     0000 - 0f 05 62 e6 0d 6b 7e d0-c4 12 a8 72 1a 4d 13 e7   ..b..k~....r.M..
>     0010 - 77 6c 20 32 42 96 d3 49-4e cc 29 ca a9 e8 95 ef   wl 2B..IN.).....
>     0020 - 13 69 6f 31 63 74 f4 1f-c6 62 54 11 5a a9 ff 62   .io1ct...bT.Z..b
>     0030 - 5c b1 d3 9f 3e 9f 16 e5-0b 25 c8 e4 de 6c 00 fd   \...>....%...l..
>     0040 - 79 c4 07 c3 4b b8 8d cd-de c7 dc a9 b6 c7 ce 06   y...K...........
>     0050 - a3 1f 39 3d b2 9b ab 39-2d da 4d f5 bc b8 96 aa   ..9=...9-.M.....
>     0060 - 52 d0 67 34 84 5b b9 c0-1c 0d d3 4d 6a 97 33 ac   R.g4.[.....Mj.3.
>     0070 - aa 9f 73 ef 0a c4 41 87-0c 43 98 48 4c f6 e7 5a   ..s...A..C.HL..Z
>     0080 - 77 ff 3c 8e 8b 61 3b 8f-59 cc fa fb 13 73 68 14   w.<..a;.Y....sh.
>     0090 - f7 89 fa b2 6f 9d fb e6-d5 12 5e a2 11 bd a8 04   ....o.....^.....
>     00a0 - 61 4a ad 11 e5 49 7b 17-a7 a5 a5 a8 a2 61 a4 d1   aJ...I{......a..
>     00b0 - b6 6d ba 7c 0a 9f 9e 96-bf e7 94 34 33 d1 71 96   .m.|.......43.q.
>
>
>
>     Start Time: 1550971360
>
>     Timeout   : 300 (sec)
>
>     Verify return code: 18 (self signed certificate)
>
>
>
> But when I try to open any website in Firefox I get the error "Secure
> Connection Failed".
>
> At the same time TS writes the following debug output:
>
>
>
> [Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:997
> (sslStartHandShake)> (ssl) IP context is (nil) for [192.168.1.47:61867]
> -> [192.168.1.58:8080], default context 0x1042710
>
> [Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:1105
> (sslServerHandShakeEvent)> (ssl) Initialize preaccept curHook from NULL
>
> [Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:1139
> (sslServerHandShakeEvent)> (ssl) Go on with the handshake state=2
>
> [Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:1146
> (sslServerHandShakeEvent)> (ssl) 0x7fc9b001f460 first read
>
> [Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:445
> (read_raw_data)> (ssl) 0x7fc9b001f460 read r=213 total=4096 bio=213
>
> [Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLUtils.cc:1510
> (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7fc9f802ee80 where: 16
> ret: 1 State: before/accept initialization
>
> [Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLUtils.cc:1510
> (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7fc9f802ee80 where:
> 8193 ret: 1 State: before/accept initialization
>
> [Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLUtils.cc:1510
> (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7fc9f802ee80 where:
> 8194 ret: -1 State: SSLv2/v3 read client hello A
>
> [Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLUtils.cc:2352
> (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
> ERR_get_error=336027803 (error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request)
>
> [Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:1213
> (sslServerHandShakeEvent)> (ssl-diag)
> SSL::140505604474624:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:397: peer
> address is 192.168.1.47
>
> [Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:1213
> (sslServerHandShakeEvent)> (ssl-diag) SSL handshake error: SSL_ERROR_SSL
> (1), errno=0
>
> [Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:1339
> (sslServerHandShakeEvent)> (ssl-diag)
> SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
>
> [Feb 24 02:25:03.775] {0x7fca026a9700} DEBUG:
> <SSLNextProtocolAccept.cc:127 (mainEvent)> (ssl)
> [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7fc9b001f460
>
>
>
> The cipher config in records.config is the default config:
>
>
>
> CONFIG proxy.config.ssl.server.cipher_suite STRING
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
>
>
> In ssl_multicert.config I have only this line:
>
>   dest_ip=*        ssl_cert_name=cert.pem ssl_key_name=key.pem
>
>
>
> Would be great if anyone could point me in the right direction on how to
> solve or analyse this further.
>
>
>
> PS: I first tried it not with a self-signed cert but with a cert from an
> mkcert CA (https://github.com/FiloSottile/mkcert), but I get a segfault
> immediately after startup with the PEMs from mkcert:
>
>
>
> alexander.rabenstein@SSST ats]$ ./bin/traffic_server start
>
> Traffic Server 8.0.2 Feb 18 2019 13:06:18 SSST.fritz.box
>
> traffic_server: using root directory '/opt/ats'
>
> [Feb 24 02:28:27.003] {0x7fcf22f1f880} DEBUG: <DNS.cc:1778 (ink_dns_init)>
> (dns) ink_dns_init: called with init_called = 0
>
> [Feb 24 02:28:27.013] {0x7fcf22f1f880} DEBUG: <DNS.cc:284 (dns_init)>
> (dns) localhost=SSST.fritz.box
>
> [Feb 24 02:28:27.013] {0x7fcf22f1f880} DEBUG: <DNS.cc:285 (dns_init)>
> (dns) Round-robin nameservers = 1
>
> [Feb 24 02:28:27.014] {0x7fcf1c820700} DEBUG: <DNS.cc:539 (startEvent)>
> (dns) DNSHandler::startEvent: on thread 0
>
> [Feb 24 02:28:27.014] {0x7fcf1c820700} DEBUG: <DNS.cc:484 (open_con)>
> (dns) open_con: opening connection 192.168.1.1:53
>
> [Feb 24 02:28:27.014] {0x7fcf1c820700} DEBUG: <DNSConnection.cc:159
> (connect)> (dns) random port = 0.0.0.0:34498
>
> [Feb 24 02:28:27.014] {0x7fcf1c820700} DEBUG: <DNS.cc:512 (open_con)>
> (dns) opening connection 192.168.1.1:53 SUCCEEDED for 0
>
> [Feb 24 02:28:27.014] {0x7fcf1c820700} DEBUG: <DNS.cc:562 (startEvent)>
> (dns_pas) opened connection to 192.168.1.1:53, n_con = 1
>
> [Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:933
> (SSLInitializeLibrary)> (ssl) FIPS_mode: 0
>
> [Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLConfig.cc:433
> (freeCTXmap)> (ssl) freeing CTX Map
>
> [Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLSessionCache.cc:40
> (SSLSessionCache)> (ssl.session_cache) Created new ssl session cache
> 0x267e200 with 256 buckets each with size max size 400
>
> [Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:2145
> (SSLParseCertificateConfiguration)> (ssl) currently parsing dest_ip
>
> [Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:1598
> (SSLInitServerContext)> (ssl.session_cache) ssl context=0x2684710: using
> session cache options, enabled=2, size=102400, num_buckets=256,
> skip_on_contention=0, timeout=0, auto_clear=1
>
> [Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:1620
> (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with
> ATS implementation
>
> [Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:1634
> (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
>
> [Feb 24 02:28:27.023] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:1806
> (SSLInitServerContext)> (ssl) Using 'ssst.fritz.box.pem' in hash for
> session id context
>
> [Feb 24 02:28:27.023] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:1891
> (SSLInitServerContext)> (ssl) SSL OCSP Stapling is disabled
>
> [Feb 24 02:28:27.023] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:1425
> (SSLCheckServerCertNow)> (ssl) server certificate ssst.fritz.box.pem passed
> accessibility and date checks
>
> [Feb 24 02:28:27.023] {0x7fcf22f1f880} DEBUG: <SSLCertLookup.cc:181
> (ticket_block_create)> (ssl) Create 1 ticket key blocks
>
> [Feb 24 02:28:27.024] {0x7fcf22f1f880} DEBUG: <SSLCertLookup.cc:429
> (insert)> (ssl) indexed '*' with SSL_CTX 0x2684710 [0]
>
> [Feb 24 02:28:27.024] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:2002
> (ssl_store_ssl_context)> (ssl) SSL OCSP Stapling is disabled
>
> [Feb 24 02:28:27.024] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:2013
> (ssl_store_ssl_context)> (ssl) importing SNI names from ssst.fritz.box.pem
>
> [Feb 24 02:28:27.025] {0x2ba0907dab00} NOTE: crashlog started,
> target=38026, debug=false syslog=true, uid=1000 euid=1000
>
> [Feb 24 02:28:27.025] {0x2ba0907dab00} WARNING: failed to intialize
> management API: [5] Error establishing socket connection.
>
> [Feb 24 02:28:27.025] {0x2ba0907dab00} NOTE: logging to 0x1087a40
>
> [Feb 24 02:28:27.025] {0x2ba0907dab00} ERROR: wrote crash log to
> /opt/ats/var/log/trafficserver/crash-2019-02-24-022827.log
>
> traffic_server: received signal 11 (Segmentation fault)
>
> traffic_server - STACK TRACE:
>
> ./bin/traffic_server(_Z19crash_logger_invokeiP9siginfo_tPv+0x8e)[0x49971e]
>
> /lib64/libpthread.so.0(+0xf5d0)[0x7fcf211335d0]
>
> /lib64/libc.so.6(+0x13e01a)[0x7fcf2047201a]
>
> ./bin/traffic_server[0x6f8c3c]
>
>
> ./bin/traffic_server(_Z32SSLParseCertificateConfigurationPK15SSLConfigParamsP13SSLCertLookup+0xaaa)[0x6f9e7a]
>
>
> ./bin/traffic_server(_ZN20SSLCertificateConfig11reconfigureEv+0x5a)[0x6cfaca]
>
> ./bin/traffic_server(_ZN20SSLCertificateConfig7startupEv+0xfe)[0x6cfdbe]
>
> ./bin/traffic_server(_ZN15SSLNetProcessor5startEim+0x26)[0x6d8896]
>
> ./bin/traffic_server(main+0x1921)[0x48b0c1]
>
> /lib64/libc.so.6(__libc_start_main+0xf5)[0x7fcf203563d5]
>
> ./bin/traffic_server[0x49472a]
>
> Segmentation fault (core dumped)
>
>
>
> Would be nice to know if somebody can reproduce this.
>
>
>
>
>
> Kind regards
>
> Alexander Rabenstein
>
>
>
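
Editor's note on the handshake error quoted in the ATS debug log: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request is not a certificate or cipher-suite problem. OpenSSL 1.0.x's SSLv23 accept path (ssl/s23_srvr.c, the file named in the log) inspects the first bytes it reads before parsing a ClientHello. If they spell CONNECT it fails with SSL_R_HTTPS_PROXY_REQUEST ("https proxy request"); GET, POST, HEAD and PUT give SSL_R_HTTP_REQUEST ("http request"). The error therefore means a client sent a plaintext HTTP proxy request to a port on which ATS expected a TLS ClientHello, and the first thing to check is whether the port ATS was handshaking on (8080 in the log) is tagged :ssl in proxy.config.http.server_ports while the browser is configured to use that same port as a plain HTTP proxy. The following is an added example, not Apache Traffic Server or OpenSSL code: it performs the same first-bytes triage on constructed input (the CONNECT request and the ClientHello below are built inline, not captured from the reporter's setup) and, for a genuine ClientHello, extracts the SNI that a TLS server uses for its certificate lookup.

```python
"""First-bytes triage for a TLS listener, as OpenSSL's SSLv23 accept path does it.

Added example, not Apache Traffic Server or OpenSSL code.  OpenSSL 1.0.x
(ssl/s23_srvr.c) looks at the first bytes of a new connection before it
parses a ClientHello: "GET ", "POST ", "HEAD " and "PUT " are rejected with
SSL_R_HTTP_REQUEST ("http request"), "CONNECT" with SSL_R_HTTPS_PROXY_REQUEST
("https proxy request").  All sample input below is constructed for this example.
"""
import struct

# Prefixes OpenSSL checks, paired with the reason string it reports.
PLAINTEXT_PREFIXES = (
    (b"GET ", "http request"),
    (b"POST ", "http request"),
    (b"HEAD ", "http request"),
    (b"PUT ", "http request"),
    (b"CONNECT", "https proxy request"),
)

def build_client_hello(host):
    """Minimal TLS 1.2 ClientHello record with one cipher suite and an SNI
    extension for `host`.  Constructed sample input, not a captured packet."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list   # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                # client_version, random (zeros)
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # ECDHE-RSA-AES128-GCM-SHA256
            + b"\x01\x00"                          # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(record):
    """Return the server_name from a ClientHello record, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # client_version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos + 2 > len(body):
        return None                                          # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype != 0:                                       # not server_name
            continue
        q = 2                                                # skip list length
        while q + 3 <= len(data):
            ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            if ntype == 0:
                return data[q + 3:q + 3 + nlen].decode("ascii")
            q += 3 + nlen
    return None

def classify_first_bytes(data):
    """Say what a TLS listener received: a plaintext HTTP(S)-proxy request
    (the case behind error 1407609B), a ClientHello, or something else."""
    for prefix, reason in PLAINTEXT_PREFIXES:
        if data.startswith(prefix):
            line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
            return {"kind": "plaintext-http", "openssl_reason": reason,
                    "request_line": line}
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return {"kind": "tls-client-hello", "sni": parse_sni(data)}
    return {"kind": "unknown", "head": data[:8].hex()}

# Constructed sample: what a browser configured to use a plain HTTP proxy
# sends first when the user opens an https:// site.
CONNECT_SAMPLE = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                  b"Host: www.example.com:443\r\n\r\n")

if __name__ == "__main__":
    for sample in (CONNECT_SAMPLE, build_client_hello("ssst.fritz.box"),
                   b"GET http://www.example.com/ HTTP/1.1\r\n\r\n"):
        print(classify_first_bytes(sample))
```

Feeding the bytes of the first read on such a connection (the log shows 213 bytes) to classify_first_bytes tells you immediately whether the peer was speaking TLS at all; a CONNECT line there is the same condition OpenSSL reports as "https proxy request".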

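Editor's note on the certificate names: Susan asks for the openssl x509 -text output because ATS reads the names out of the certificate to build its SNI context map (the "importing SNI names from ssst.fritz.box.pem" step in the startup log). The same names decide whether a browser accepts the certificate: Chrome 58 and later match the requested host against subjectAltName dNSName entries only and ignore the subject CN. The example below is added here and is not Apache Traffic Server code; it is a small standard-library DER walker that extracts the CN and SAN names from the self-signed certificate pasted in the thread above and runs a Chrome-style hostname match against it. That certificate carries only subjectKeyIdentifier, authorityKeyIdentifier and basicConstraints extensions and no subjectAltName, so the match fails even though the CN is correct. The mkcert certificate that crashed ATS is not on the page, so nothing here reproduces the crash.

```python
"""Extract the names a TLS server or browser uses from an X.509 certificate:
the subject CN and the subjectAltName dNSName entries.

Added example, not Apache Traffic Server code.  Standard-library DER walker;
the certificate below is the self-signed one pasted in the thread
(CN=ssst.fritz.box), copied verbatim from the reporter's s_client output.
"""
import base64

OID_COMMON_NAME = b"\x55\x04\x03"        # 2.5.4.3
OID_SUBJECT_ALT_NAME = b"\x55\x1d\x11"   # 2.5.29.17

PAGE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIFBTCCAu2gAwIBAgIJAOhY4Knu31BbMA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNV
BAMMDnNzc3QuZnJpdHouYm94MB4XDTE5MDIyNDAwMTc0OVoXDTIwMDIyNDAwMTc0
OVowGTEXMBUGA1UEAwwOc3NzdC5mcml0ei5ib3gwggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQC1BS6l4aya1z/7Z+ZgL8o7qGwXrU0oAr/CEL0vSl8u7JxH
j4QFkPuu1BBzw7MWgVzQtxCs9Igq8SHS6g1HUY9IxeAC+1U3E3uC2cetQTEVerbb
4EC+zMbzBT6LoGquw96NYkoNW4CLh0CFkHS5Jx9stRNdbi1Y2U6nyo7ijU1JPWYN
/dkDcOoXrxfXqBY8IuJldIXwWjM8A/YNxSr1bTQh9Eta73+OimoWY22a4ScMufLE
r3Grvh3xcXSfuEZzHaag06LfPRiVTdYiD8h1LFHcEno8DJrHTagzHZw5Y/+QtlPr
4zkSJEw4TwknUyPx0qdSoRo4PTZLUOzXd8t/2bOTLRM3W6WZQ9Wjk4++DmLgFAzh
MC5WLlfn8/B9tZUnTbIbyL1FARc0bNyuWbBMsln/8nrW6XpiPbhlaNVwOX1kgFBX
vyoOsZ4EjXQpzExYcm1G09C/PiiEpBEDzZLSojENgPnvwRjsR4Dswuqc6HxyxEv4
hjXq+MnLrR66n3kZASwQX0DB533kk+bQFkeQ1/VHR0RpOt0hkf4HL70J6+F2e3sR
QqzvFulpaWFl8ZI8XFIvJRDZuCd/MwVskurxVvzof9P31nrb6mSJkgYIlguX+zVi
L6ppvnDtgYIHEmnFq7AbgfAswlH9/z7e234flBfg1Mp9QDlweUvi6w97UugR+wID
AQABo1AwTjAdBgNVHQ4EFgQUyEqcFYmUz0PhwTUsyc1IsryaPBowHwYDVR0jBBgw
FoAUyEqcFYmUz0PhwTUsyc1IsryaPBowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAgEAoRybmMudIuymPWN9PwKD0xah8UvdVBxCQwrV0O9yS7VzqL7zhexh
wvl6148082ORHSuDQogcOukzXKLr4DUBGXE6KcUeLbCuXT3S3RbcJ+D+Or5js467
F66Ov7wu96CUediANqW8+4PBbbDOvmkJb2tqzXoKNbCwWiOy8WmDq19AKmOxb7B8
wW6yPNnoMuXKm3MzioYVVxlzY2dVTlz2ra1chnzchGwNGSZopu6rlCs2fawRAUjE
yGYjWOyvPsGnrAF4J/w13bQsxpHmreLIHTzwUYUk/sIyrNYLwLCpzsx2AyM6kFwC
3klAWoZ9FOkzFdeeUWPacQG9S5XVfrc0WbanZWawEDoNwn5yg5DfPDBEvg5ocwNL
6YvRkcGhatNJhT82jU6enCoWNvEO/UG/EP5+rgXgUkxA6KvEsScoK9n/c1PTqISt
0dQCNyxOSlgaUYpl6Cb8E+ESy2ztO0HjpHVQnQF0jKYQhXM5+6vj5pjKPiD3Os75
PFz9FjD1hjUsNVNiaHxvxjPcK3N3OgbN+66ZaquiC0avZ9u9twRylKtI/mbKmUda
ns9xdhWP5YnnwYm7SCII5pHvdp69tm4tWtjyUxlA5w/YAazhiR5v2uHceKyIOoXB
NckowYPTiPRtM3LGPPf7qYWJB6jDlCL3bGAYSh5vY2fczusCemF/eak=
-----END CERTIFICATE-----"""

def der_read(buf, pos):
    """Decode the TLV at `pos`: returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Split the contents of a SEQUENCE or SET into its (tag, value) items."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = der_read(buf, pos)
        items.append((tag, value))
    return items

def cert_names(pem):
    """Return {'cn': str or None, 'dns_sans': [str, ...]} for a PEM certificate."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = der_read(base64.b64decode(b64), 0)  # Certificate SEQUENCE
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate fields
    i = 1 if fields[0][0] == 0xA0 else 0              # explicit [0] version present?
    # fields[i:] = serialNumber, signature, issuer, validity, subject, spki, ...
    cn = None
    for _, rdn in der_children(fields[i + 4][1]):     # subject: SEQUENCE OF SET
        for _, atv in der_children(rdn):              # AttributeTypeAndValue
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_COMMON_NAME:
                cn = value.decode("utf-8")
    dns_sans = []
    for tag, value in fields[i + 6:]:
        if tag != 0xA3:                               # [3] extensions
            continue
        for _, ext in der_children(der_children(value)[0][1]):
            parts = der_children(ext)                 # extnID[, critical], extnValue
            if parts[0][1] == OID_SUBJECT_ALT_NAME:
                _, general_names, _ = der_read(parts[-1][1], 0)
                for gtag, gval in der_children(general_names):
                    if gtag == 0x82:                  # dNSName [2] IA5String
                        dns_sans.append(gval.decode("ascii"))
    return {"cn": cn, "dns_sans": dns_sans}

def san_matches(dns_sans, host):
    """Hostname check as Chrome 58+ performs it: subjectAltName only, the CN is
    ignored, and a leading '*' matches exactly one DNS label."""
    host = host.lower().rstrip(".")
    for name in dns_sans:
        name = name.lower()
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False

if __name__ == "__main__":
    names = cert_names(PAGE_CERT_PEM)
    print(names, "accepted for ssst.fritz.box:",
          san_matches(names["dns_sans"], "ssst.fritz.box"))
```

Running it on the pasted certificate yields cn='ssst.fritz.box' with an empty dns_sans list, so san_matches returns False for the very host the certificate was issued for; the fix on the certificate side is to reissue it with a subjectAltName entry (openssl req -x509 ... -addext "subjectAltName=DNS:ssst.fritz.box" on OpenSSL 1.1.1 or later) and then recheck with openssl x509 -in cert.pem -noout -text as Susan suggests.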