Hi Alan,
Thanks for responding. I've pasted the output from openssl s_client. I
don't understand the error it's giving because I can see in the ATS loading
my certificate in the debug logs. I've prefixed the important lines in the
debug log with '=>'.
Dk.
----------------------------------------------------------
> openssl s_client -host 10.3.27.19 -port 7453
CONNECTED(00000003)
140260354160280:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1541190685
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
ATS Config:
----------------------------------------------------------------------------------
CONFIG proxy.config.http.server_ports STRING 8080 7453:ssl
...
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.server.cipher_suite STRING
AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-
SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-
CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.compression INT 0
----------------------------------------------------------------------------------
root@5a09849699ac:/opt/trafficserver/bin# ./traffic_server -T ssl
traffic_server: using root directory '/opt/trafficserver'
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLSessionCache.cc:42
(SSLSessionCache)> (ssl.session_cache) Created new ssl session cache
0x19de710 with 256 buckets each with size max size 400
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304
(SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e4a50: using
session cache options, enabled=2, size=102400, num_buckets=256,
skip_on_contention=0, timeout=0, auto_clear=1
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326
(SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with
ATS implementation
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340
(SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532
(SSLInitServerContext)> (ssl) Using 'emadisonisland.crt' in hash for
session id context
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1281
(SSLCheckServerCertNow)> (ssl) server certificate emadisonisland.crt passed
accessibility and date checks
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808
(ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
=> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819
(ssl_store_ssl_context)> (ssl) importing SNI names from emadisonisland.crt
=> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1633
(ssl_index_certificate)> (ssl) mapping 'www.emadisonisland.com' to
certificate emadisonisland.crt
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380
(insert)> (ssl) indexed 'www.emadisonisland.com' with SSL_CTX 0x19e4a50 [0]
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304
(SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e9be0: using
session cache options, enabled=2, size=102400, num_buckets=256,
skip_on_contention=0, timeout=0, auto_clear=1
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326
(SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with
ATS implementation
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340
(SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532
(SSLInitServerContext)> (ssl) Using '(null)' in hash for session id context
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380
(insert)> (ssl) indexed '*' with SSL_CTX 0x19e9be0 [1]
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808
(ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819
(ssl_store_ssl_context)> (ssl) importing SNI names from (null)
[Nov 2 20:31:22.999] Server {0x7fad4b72e740} DEBUG:
<SSLNetProcessor.cc:100 (start)> (ssl) Disabling ET_SSL threads (config is
set to -1), using thread group ET_NET=0
[Nov 2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
<SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
protocol http/1.0
[Nov 2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
<SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
protocol http/1.1
[Nov 2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
<SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
protocol http/1.0
[Nov 2 20:31:25.986] Server {0x7fad44366700} DEBUG:
<SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl)
[SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7fad4002b800
=> [Nov 2 20:31:25.986] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil)
for [10.3.28.146:39712] -> [172.19.0.2:7453], default context 0x19e9be0
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where: 16
ret: 1
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
8193 ret: 1
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:284
(set_context_cert)> (ssl) set_context_cert ssl=0x7facf4021100 server=(null)
handshake_complete=0
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:336
(set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x19e9be0 for
requested name '(null)'
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks
sslHandshakeHookState=0
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
16392 ret: 552
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
8194 ret: -1
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
8194 ret: -1
=> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:2126
(SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
ERR_get_error=336109761 (error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher)
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
=> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl)
SSL::140382150485760:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL handshake
error: SSL_ERROR_SSL (1), errno=0
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl)
SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)
On Fri, Nov 2, 2018 at 12:24 PM Alan Carroll
<solidwallofc...@oath.com.invalid> wrote:
> I'd start with "openssl s_client" to get more debug information, followed
> possibly by a packet capture to be sure the user agent is connecting with
> TLS to a TLS enabled proxy port.
>
> On Fri, Nov 2, 2018 at 1:41 PM Dk Jack <dnj0...@gmail.com> wrote:
>
> > Hi,
> > I enabled SSL on my ATS and my ssl requests are failing with handshake
> > error. From the logs I can tell that it loaded my cert/key correct. When
> I
> > started traffic server in debug mode (./traffic_server -T ssl), I am
> seeing
> > the following error
> >
> > SSL routines:ssl3_get_client_hello:no shared cipher
> >
> > My TLS config is shown below. My cert is a self signed signed cert. My
> ATS
> > version is 6.2.1. I'd appreciate any pointers on how to resolve this.
> > Thanks.
> >
> > Dk.
> >
> > CONFIG proxy.config.ssl.SSLv2 INT 0
> > CONFIG proxy.config.ssl.SSLv3 INT 1
> > CONFIG proxy.config.ssl.TLSv1 INT 1
> > CONFIG proxy.config.ssl.TLSv1_1 INT 1
> > CONFIG proxy.config.ssl.TLSv1_2 INT 1
> > CONFIG proxy.config.ssl.server.cipher_suite STRING
> >
> >
> AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> > CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> > CONFIG proxy.config.ssl.compression INT 0
> >
> >
> > Debug logs:
> > [Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG:
> > <SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl)
> > [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7f8820072800
> > [Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG:
> > <SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil)
> > for [10.3.28.146:39678] -> [172.19.0.2:7453], default context 0x2d82bc0
> > [Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
> 16
> > ret: 1
> > [Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
> > 8193 ret: 1
> > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > <SSLNetVConnection.cc:1402 (select_next_protocol)> (ssl) selected ALPN
> > protocol http/1.1
> > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:284
> > (set_context_cert)> (ssl) set_context_cert ssl=0x7f87d4021100
> server=(null)
> > handshake_complete=0
> > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:336
> > (set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x2d82bc0
> for
> > requested name '(null)'
> > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > <SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks
> > sslHandshakeHookState=0
> > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
> > 16392 ret: 552
> > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
> > 8194 ret: -1
> > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
> > 8194 ret: -1
> > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:2126
> > (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
> > ERR_get_error=336109761 (error:1408A0C1:SSL
> > routines:ssl3_get_client_hello:no shared cipher)
> > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > <SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
> > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl)
> > SSL::140222668416768:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
> > shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
> > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL handshake
> > error: SSL_ERROR_SSL (1), errno=0
> > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > <SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl)
> > SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
> > ^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)
> >
>
>
> --
> *Beware the fisherman who's casting out his line in to a dried up
> riverbed.*
> *Oh don't try to tell him 'cause he won't believe. Throw some bread to the
> ducks instead.*
> *It's easier that way. *- Genesis : Duke : VI 25-28
>
