Someone else may find this useful, so I thought I would share. (Apologies for 
the earlier cross-post)


Configuring TLS Client Authentication in Traffic Control (Experimental Testing 
Procedure)
=========
Note: Trafficserver does not currently allow per-Delivery Service (per-remap) 
configuration of client authentication. The instructions below enable client 
authentication for all HTTPS services on a given profile/cache.

1) In TrafficOps, configure the Edge cache “Profile” to turn on client 
authentication. Set the following parameters:
  - name: CONFIG proxy.config.ssl.client.certification_level
  - file: records.config
  - value: INT 2
Screenshot: https://cisco.box.com/s/lxtlfbfrbpnaa17cnp4dddj2p0wwzril

  - name: CONFIG proxy.config.ssl.CA.cert.filename
  - file: records.config
  - value: STRING etc/trafficserver/ssl/ca.crt
Screenshot: https://cisco.box.com/s/hq7vubwd9z0k1g8705eaagbvdg0aokjc
See below for instructions on generating the Certificate Authority (CA), 
Certificate and private key.


  You can add the CA file via TrafficOps, but it's a painful process. Please see 
the screenshot. If you wish to skip this step, you can scp the file directly to 
the cache (/opt/trafficserver/etc/trafficserver/ssl/client_ca.crt).
  Screenshot: https://cisco.box.com/s/849imlapxj1e30zi6y63a8fwd31swv21
 (Now that I know what a take and bake is, I think I was better off before. 
Configuring a whole SSL Cert in here is pretty painful, but thanks to Jeff for 
the help on this step)


2) Queue and run ORT on the caches to pick up the updated settings

3) Verify by making a curl request
    $ curl -k --cert ~/client_auth/client.crt --key ~/client_auth/client.key -v https://edge-cache-1.cdn.cisco.com/test.m3u8

On success, you will receive the content.

On failure, you will see something like:
[cloud-user trafficserver]$ curl -k -v https://edge-cache-1.cdn.cisco.com/test.m3u8
* About to connect() to localhost port 443 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* NSS error -12227 (SSL_ERROR_HANDSHAKE_FAILURE_ALERT)
* SSL peer was unable to negotiate an acceptable set of security parameters.
* Closing connection 0
curl: (35) NSS: client certificate not found (nickname not specified)


Generating a Certificate Authority and Client Certificate (optional)
=========
1) Create the Certificate Authority Key
    $ openssl genrsa -out client_ca.key 2048

2) Generate the Certificate Authority Cert
    $ openssl req -new -x509 -key ./client_ca.key -out client_ca.crt

3) Generate the Client Key and Certificate Signing Request
    $ openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr

4) Use the Certificate Authority to sign the client certificate signing request
    $ openssl x509 -req -in ./client.csr -CA ./client_ca.crt -CAkey ./client_ca.key -CAcreateserial -out client.crt

5) The client_ca.crt file is copied to the Trafficserver. The client (curl) is 
given client.crt and client.key.
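As an added example (not part of the original post), the script below runs the CA and client certificate steps above non-interactively and then performs the check the cache effectively makes with certification_level 2: does the certificate presented by the client chain to the CA named in proxy.config.ssl.CA.cert.filename? It also builds a second, unrelated CA to show a certificate that would be rejected. Subject names, validity periods and the work directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the openssl steps above made
# non-interactive, plus the check the cache performs with certification_level=2:
# does the presented certificate chain to the CA in proxy.config.ssl.CA.cert.filename?
# Subject names, validity periods and WORKDIR are assumptions for this demo.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal openssl config: no prompting, and explicit CA extensions for the CA cert.
printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ca_ext\n' > "$WORKDIR/req.cnf"
printf '[dn]\nCN=placeholder\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' >> "$WORKDIR/req.cnf"
printf 'keyUsage=critical,keyCertSign,cRLSign\n' >> "$WORKDIR/req.cnf"
# Extensions for leaf certs: not a CA, usable only for TLS client authentication.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORKDIR/client.ext"

# make_ca NAME: self-signed CA key + cert (steps 1 and 2 above, in one command).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORKDIR/req.cnf" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" -subj "/CN=$1" 2>/dev/null
}

# make_client CA NAME: client key + CSR (step 3), signed by CA (step 4).
make_client() {
  openssl req -newkey rsa:2048 -nodes -config "$WORKDIR/req.cnf" \
    -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -days 90 -in "$WORKDIR/$2.csr" -CA "$WORKDIR/$1.crt" \
    -CAkey "$WORKDIR/$1.key" -CAcreateserial -extfile "$WORKDIR/client.ext" \
    -out "$WORKDIR/$2.crt" 2>/dev/null
}

# verify_client CA NAME: succeeds only if NAME.crt chains to CA.crt and is valid
# for the sslclient purpose, which is what the cache enforces during the handshake.
verify_client() {
  openssl verify -purpose sslclient -CAfile "$WORKDIR/$1.crt" "$WORKDIR/$2.crt" >/dev/null 2>&1
}

main() {
  make_ca client_ca                    # the CA whose cert goes on the cache
  make_client client_ca client         # the cert handed to curl --cert/--key
  make_ca other_ca                     # constructed: an unrelated CA for the negative case
  make_client other_ca other_client
  verify_client client_ca client       # set -e aborts here if the chain check fails
  echo "client.crt: accepted (chains to client_ca.crt)"
  if verify_client client_ca other_client; then
    echo "other_client.crt: unexpectedly accepted"; exit 1
  fi
  echo "other_client.crt: rejected (not issued by client_ca.crt)"
}
main
```

The same `openssl verify -purpose sslclient -CAfile` check is a quick way to confirm, before touching the cache, that the client.crt you hand to curl really was issued by the CA file you copied to the Trafficserver.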
