The connect request is being blocked - ATS is rejecting it. You can't redirect the SSL request because your user agent is not generating an SSL request - that's the root of the problem. The user agent is creating a CONNECT request. This also means the user agent is not creating SSL packets, either.

If you want to terminate SSL in ATS, then you need:

1) A certificate installed in ATS to use for the termination.
2) The user agent must connect to ATS as if it were the SSL endpoint, because it is the SSL endpoint for the user agent.
3) This means the certificate in ATS must have a domain name that resolves to the ATS address, and the user agent must directly connect to that domain name. E.g., if the domain name is "bob.com", then ATS must have a certificate for the name "bob.com", the user agent must connect via SSL to "bob.com", and the DNS resolution for "bob.com" must be the IP address of the ATS SSL proxy port.

The most likely cause of getting CONNECT instead of SSL packets is that the user agent has been configured to use ATS as a proxy. That won't work; ATS must act as if it were the SSL termination point in order to be the SSL termination point.
On Tuesday, May 5, 2015 9:21 AM, Jiří Podhorský <podhorsky....@gmail.com> wrote:

Hello Dave,

thanks for the answer. I already tried this and I didn't succeed. I tried configurations of curl/wget, Traffic Server, even a solution with a created plugin of Traffic Server, where I wanted to redirect SSL packets to the right SSL ports, but I wasn't successful. Is there another way to block the CONNECT request? At least some script which can redirect the SSL requests according to the HTTP header to the right port?

Jiri

2015-05-05 15:55 GMT+02:00 Dave Thompson <da...@yahoo-inc.com.invalid>:
> Jiri,
>
> This is a client initiated behavior issue. If you want your client to SSL
> terminate at ATS, it needs to send an SSL client-hello rather than a
> CONNECT as the first message. If you are using curl, a --proxy to an SSL
> site will do a CONNECT rather than SSL terminate. If in doubt, a
> tcpdump/wireshark can be used to confirm what the client is sending.
> Perhaps your test browser is configured to proxy tunnel as well.
>
> Dave
>
> On Tuesday, May 5, 2015 6:02 AM, Jiří Podhorský <podhorsky....@gmail.com> wrote:
>
> > Hello,
> >
> > I'm trying to configure Traffic Server with SSL termination:
> > https://docs.trafficserver.apache.org/en/latest/admin/security-options.en.html
> >
> > But SSL termination doesn't work with browsers, wget or curl, because the first
> > request is CONNECT, which is not expected on the SSL port and creates the log:
> >
> > SSLv3, TLS handshake, Client hello (1):
> > error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> > Closing connection #0
> >
> > (the plain HTTP CONNECT request is taken as a Client hello message of SSL).
> >
> > I didn't find a way to redirect this message to a non-SSL port or deny it.
> >
> > I tried to find some configuration or patch, but I didn't find any
> > workarounds for this issue.
> >
> > Can you help me?
> >
> > Thanks.
> >
> > Jiri
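The check Dave recommends (confirm with tcpdump/wireshark what the client's first message is) can be reduced to looking at the first few bytes of the stream. The following is an added Python example, not code from the thread or from Traffic Server: it classifies captured bytes as a TLS ClientHello, an HTTP CONNECT (the proxy-tunnel case that makes ATS fail), or plain HTTP, and reports the CONNECT target. The sample byte strings are constructed for the example; "bob.com" follows the hostname used in the reply above.

```python
"""Classify the first bytes a client sends to a TLS-terminating port.

A TLS ClientHello begins with a record header: content type 0x16
(handshake), version 0x03 0x0X, a 2-byte length, then handshake type
0x01.  A client configured to use the port as a forward proxy instead
sends a plaintext "CONNECT host:port HTTP/1.x" line, which the TLS
stack then rejects as an unknown protocol.
"""
import re

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
CONNECT_RE = re.compile(rb"^CONNECT[ \t]+(?P<target>\S+)[ \t]+HTTP/1\.[01]")
PLAIN_HTTP_RE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS)[ \t]+\S+[ \t]+HTTP/1\.[01]")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-client-hello', 'http-connect', 'http-plain' or 'unknown'."""
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[5] == TLS_CLIENT_HELLO):
        return "tls-client-hello"
    if CONNECT_RE.match(data):
        return "http-connect"
    if PLAIN_HTTP_RE.match(data):
        return "http-plain"
    return "unknown"


def connect_target(data: bytes):
    """Return the host:port a CONNECT request asked for, or None."""
    m = CONNECT_RE.match(data)
    return m.group("target").decode("ascii", "replace") if m else None


def diagnose(data: bytes) -> str:
    """Explain the observed first message in terms of the thread's advice."""
    kind = classify_first_bytes(data)
    if kind == "tls-client-hello":
        return "TLS ClientHello: ATS can terminate it if it holds a certificate for the requested name"
    if kind == "http-connect":
        return (f"HTTP CONNECT for {connect_target(data)}: the client treats ATS as a forward proxy; "
                "point it directly at the certificate's hostname instead of a proxy setting")
    if kind == "http-plain":
        return "plain HTTP: the client never started TLS; it must use an https:// URL to this host"
    return "unknown first bytes: capture more of the stream"


# Constructed samples: a curl-style CONNECT line and the start of a TLS 1.2 ClientHello.
SAMPLE_CONNECT = b"CONNECT bob.com:443 HTTP/1.1\r\nHost: bob.com:443\r\n\r\n"
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32

if __name__ == "__main__":
    for sample in (SAMPLE_CONNECT, SAMPLE_CLIENT_HELLO):
        print(classify_first_bytes(sample), "->", diagnose(sample))
```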