Hi, Eli Qiao

If the CA or client certs are wrong, I think the client will get an error before `client hello`. I tested a broken CA cert and client cert in my local environment. See the logs below.

yuanying@devstack:~/temp$ curl https://192.168.19.92:6443 --tlsv1.0 -v --key ./client.key --cert ./client.crt --cacert ./ca.crt
* Rebuilt URL to: https://192.168.19.92:6443/
* Hostname was NOT found in DNS cache
* Trying 192.168.19.92...
* Connected to 192.168.19.92 (192.168.19.92) port 6443 (#0)
* unable to use client certificate (no key found or wrong pass phrase?)
* Closing connection 0
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)

--
OTSUKA, Motohiro

On Wednesday, October 21, 2015 at 20:34, Qiao, Liyong wrote:

> Hello,
> I need your help on k8s api tls_enabled mode.
> Here's my patch https://review.openstack.org/232421
>
> It always fails on the gate, but it works in my setup.
> Debugging more, I found that the CA cert API returns a different length:
>
> On my setup:
> 10.238.157.49 - - [21/Oct/2015 19:16:17] "POST /v1/certificates HTTP/1.1" 201 3360
> …
> 10.238.157.49 - - [21/Oct/2015 19:16:17] "GET /v1/certificates/d4bf6135-a3d0-4980-a785-e3f2900ca315 HTTP/1.1" 200 1357
>
> On gate:
>
> 127.0.0.1 - - [21/Oct/2015 10:59:40] "POST /v1/certificates HTTP/1.1" 201 3352
> 127.0.0.1 - - [21/Oct/2015 10:59:40] "GET /v1/certificates/a9aa1bbd-d624-4791-a4b9-e7a076c8bf58 HTTP/1.1" 200 1349
>
> Misses 8 Bit.
>
> I also printed out the cert file content, but the lengths on the gate and on my setup are the same.
> But it failed on the gate due to an SSL exception.
> Does anyone know what the root cause could be?
>
> BR, Eli(Li Yong)Qiao
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> (mailto:openstack-dev-requ...@lists.openstack.org?subject:unsubscribe)
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
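Added example, not part of the original thread or of the patch under review: a local preflight that loads the CA and client certificate/key the same way a TLS client does, without opening a socket, so anything it reports would fail before a `client hello` is sent (the situation in the curl log above). The names `preflight` and `demo` are hypothetical, and the sample files are constructed and deliberately invalid.

```python
import os
import ssl
import tempfile


def preflight(ca_path, cert_path, key_path):
    """Load TLS client material locally and return a list of problems.

    No network connection is made, so every error collected here is one
    the client would hit before the handshake starts.
    """
    problems = []
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Counterpart of curl --cacert: trust anchors for the server cert.
        ctx.load_verify_locations(cafile=ca_path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        problems.append(("ca", str(exc)))
    try:
        # Counterpart of curl --cert/--key: also checks that the private
        # key belongs to the certificate.
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except OSError as exc:
        problems.append(("client", str(exc)))
    return problems


def demo():
    # Constructed sample input: PEM markers around bytes that are not a
    # certificate or key, standing in for a corrupted download.
    bogus = ("-----BEGIN CERTIFICATE-----\n"
             "bm90IGEgY2VydA==\n"
             "-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as workdir:
        paths = []
        for name in ("ca.crt", "client.crt", "client.key"):
            path = os.path.join(workdir, name)
            with open(path, "w") as handle:
                handle.write(bogus)
            paths.append(path)
        return preflight(*paths)


if __name__ == "__main__":
    for kind, message in demo():
        print(kind, "->", message)
```

An empty result from `preflight` means the files parse and the key matches the certificate; it does not show that the server will accept them.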