Re: Connection rejected for MTLS forward proxy

2018-02-21 Thread Alan Carroll
I meant more what *units* the handshake_timer is. Looking at the code, it seems to be in seconds meaning it is unlikely that is the problem (if the handshake took .5s with a 20s timeout). I'd recommend having any configuration value at most once, although I don't think it would break anything.

FINAL REMINDER: CFP for Apache EU Roadshow Closes 25th February

2018-02-21 Thread Sharan F
Hello Apache Supporters and Enthusiasts,

This is your FINAL reminder that the Call for Papers (CFP) for the Apache EU Roadshow is closing soon. Our Apache EU Roadshow will focus on Cloud, IoT, Apache Tomcat, Apache Http and will run from 13-14 June 2018 in Berlin. Note that the CFP deadline

Re: Connection rejected for MTLS forward proxy

2018-02-21 Thread Persia Aziz
Hi, What you want is 'proxy.config.ssl.CA.cert.filename' and 'proxy.config.ssl.CA.cert.path', not the client.CA configs. I know it is a bit confusing. The client.CA ones are used to verify origin server certificates. Try the configs and see if that works. Docs for the configs: records.config —

Re: Connection rejected for MTLS forward proxy

2018-02-21 Thread Susan Hinrichs
If you are in a test environment where you can share your Wireshark pcap file, that might also be interesting.

On Wed, Feb 21, 2018 at 11:58 AM, Persia Aziz wrote:
> Do you see this EOF if you have client verification disabled?
>
> Syeda Persia Aziz
> Software Developer
>

Re: Connection rejected for MTLS forward proxy

2018-02-21 Thread Persia Aziz
Do you see this EOF if you have client verification disabled?

Syeda Persia Aziz
Software Developer
Yahoo! Inc.
Champaign, Illinois

On Wednesday, February 21, 2018, 11:48:40 AM CST, Persia Aziz wrote:
Hmm, interesting. From your debug log, looks like ATS wants to

Re: Connection rejected for MTLS forward proxy

2018-02-21 Thread salil GK
I have assigned these variables also the same values -

CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.CA.cert.path STRING /directory/where/ca.pem
# and
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.client.CA.cert.path

Re: Connection rejected for MTLS forward proxy

2018-02-21 Thread Persia Aziz
Hmm, interesting. From your debug log, looks like ATS wants to read more data from the buffer which it cannot find. Hence, throwing an EOF.

Syeda Persia Aziz
Software Developer
Yahoo! Inc.
Champaign, Illinois

On Wednesday, February 21, 2018, 11:35:11 AM CST, salil GK

Re: Connection rejected for MTLS forward proxy

2018-02-21 Thread Susan Hinrichs
It looks like in this exchange the client did not send a client certificate. But the other exchanges in the log file don't have the " ssl3_get_client_certificate:peer did not return a certificate" message. So perhaps one test exchange had the client certificate missing. The server certificate

Re: Connection rejected for MTLS forward proxy

2018-02-21 Thread Alan Carroll
This looks like the important part of the logs (you can drop by my desk for further detail if you want, Susan & Persia). AFAICT this covers an entire transaction. I checked the start up messages and saw no errors, but I did not see any mention of 'ca.pem'. Is there some typo in his configuration?