zrhoffman commented on issue #4138: Can not access Traffic Vault API when using SSL
URL: https://github.com/apache/trafficcontrol/issues/4138#issuecomment-602135753
 
 
   > > I recommend adding the following line to the bottom of your riak.conf, restarting, and trying again [per the riak docs](https://docs.riak.com/riak/kv/latest/using/security/basics/index.html#tls-settings):
   > > ```
   > > tls_protocols.tlsv1 = on
   > > ```
   > 
   > I already added this line `tls_protocols.tlsv1 = on`, same as in the guide. Yeah, I know there is a different version of curl in both OSes. Maybe we need to add more detail to the Traffic Vault guide? So that the vault could be accessed by different client OSes.
   
   I would suggest using `tls_protocols.tlsv1.1` instead of 
`tls_protocols.tlsv1`, which is TLS 1.0. Updating the Riak configuration is 
only half of the solution, because you also need to limit any client that 
connects to Riak to TLS 1.1:
   
   ```shell
   curl --tlsv1.1 --tls-max 1.1 -vk https://trafficvault.ethernet.id:8088/types/default/props
   ```
   
   > Can be accessed when requested from ubuntu 16.04 client.
   
   This means that the OpenSSL library used by your version of `curl` in Ubuntu 
is not using any TLS signature algorithms that are unknown to Riak, which 
sidesteps the Erlang bug that @midchildan mentioned. You generally cannot 
configure this, because anywhere else, including signature algorithms unknown 
to the server is not an issue.
   
   To demonstrate that this is really what is going on, compare the 
(successful) output of
   
   ```shell
   openssl s_client -sigalgs 'RSA+SHA512' -connect trafficvault.ethernet.id:8088
   ```
   
   vs. the unsuccessful output of
   
   ```shell
   openssl s_client -sigalgs 'RSA+SHA512:RSA-PSS+SHA512' -connect trafficvault.ethernet.id:8088
   ```
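
To check which signature algorithms a particular client offers, the added example below (not part of the original comment or of Traffic Control) parses the `signature_algorithms` extension out of a ClientHello record, such as one exported from a packet capture. The sample bytes come from a constructed `build_client_hello` helper, and treating the RFC 5246 hash/signature pairs as the only ones an older server stack recognises is an assumption.

```python
import struct

# LEGACY_*: hash and signature bytes of the TLS 1.2 (RFC 5246) pairs. Assumption: an older
# server stack recognises only these; NEWER holds the code points added by RFC 8446.
LEGACY_HASH = {1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
LEGACY_SIG = {1: "RSA", 2: "DSA", 3: "ECDSA"}
NEWER = {0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
         0x0807: "ed25519", 0x0808: "ed448", 0x0809: "rsa_pss_pss_sha256",
         0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512"}

def describe(code):
    """Return (code, name, is_legacy) for one 16-bit signature scheme."""
    h, s = code >> 8, code & 0xFF
    if h in LEGACY_HASH and s in LEGACY_SIG:
        return code, f"{LEGACY_SIG[s]}+{LEGACY_HASH[h]}", True
    return code, NEWER.get(code, f"unknown_0x{code:04x}"), False

def offered_sigalgs(record):
    """List the schemes in the signature_algorithms extension (type 13) of a ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    try:
        pos = 5 + 4 + 2 + 32                                  # headers, version, random
        pos += 1 + record[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]                                # compression_methods
        if pos == len(record):
            return []                                         # no extensions at all
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 13:
                count = struct.unpack_from("!H", record, pos)[0] // 2
                return [describe(c) for c in struct.unpack_from(f"!{count}H", record, pos + 2)]
            pos += ext_len
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None
    return []

def build_client_hello(codes):
    """Constructed sample input: a minimal ClientHello offering the given schemes."""
    sig = struct.pack(f"!H{len(codes)}H", 2 * len(codes), *codes)
    ext = struct.pack("!HH", 13, len(sig)) + sig
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hello = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hello)) + hello
```

Any entry returned with `is_legacy` set to `False` is a scheme outside the TLS 1.2 pairs, which is the kind of offer worth comparing between a client that connects and one that does not.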
