On Mar 25, 2013, at 10:37 AM, Ketan Mehta <[email protected]> wrote:
> Hi All,
>
> I'm not sure why the SSL handshake freezes after Client hello. I made some
> changes in the SSL Termination section.
>
> [root@cacheserver trafficserver]# curl -3kvI https://www.web1.com
> * About to connect() to www.web1.com port 443
> *   Trying 172.16.89.32... connected
> * Connected to www.web1.com (172.16.89.32) port 443
> * successfully set certificate verify locations:
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * SSLv3, TLS handshake, Client hello (1):

On the Traffic Server side, enable the 'ssl' diagnostic tag; that might show
something interesting.

Also, you don't show it, but I assume that you are using ssl_multicert.config
to specify which certificates should be served?

https://cwiki.apache.org/confluence/display/TS/Upgrading+to+3.2

> ##############################################################################
> #
> # SSL Termination
> #
> ##############################################################################
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.cert.filename STRING www-web1.crt
> CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.server.cert_chain.filename STRING NULL
> CONFIG proxy.config.ssl.server.private_key.filename STRING www-web1.key
> CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.CA.cert.path STRING NULL
> ################################
> # client related configuration #
> ################################
> CONFIG proxy.config.ssl.client.verify.server INT 0
> CONFIG proxy.config.ssl.client.cert.filename STRING NULL
> CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.client.private_key.filename STRING NULL
> CONFIG proxy.config.ssl.client.private_key.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.client.CA.cert.path STRING etc/trafficserver
>
> ##############################################################################
> #
> # Remap.config
> #
> ##############################################################################
> map https://www.web1.com:443 http://webserver:4000
> reverse_map http://webserver:4000 https://www.web1.com
>
> Thanks,
> Ketan
>
> From: Ketan Mehta [mailto:[email protected]]
> Sent: 22 March 2013 17:33
> To: [email protected]
> Subject: RE: Trafficserver and HTTPS (SSL Termination)
>
> Thanks :)
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Anshu Prateek
> Sent: 22 March 2013 17:20
> To: [email protected]
> Subject: RE: Trafficserver and HTTPS (SSL Termination)
>
> Hi Ketan,
> I'll try to get you the perms I used.
>
> Regards
> Anshu Prateek
>
> On Mar 22, 2013 7:29 PM, "Ketan Mehta" <[email protected]> wrote:
> Hi Anshu,
>
> The permissions are the same for cert/key on both servers.
>
> @marswrk,
>
> I changed the certificate to PEM format with no password and restarted
> Trafficserver and webserver, but still it is not working. I'm not using
> ssl_multicert.config.
>
> [root@webserver ~]# netstat -tanp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN      26418/httpd
> tcp        0      0 0.0.0.0:4001            0.0.0.0:*               LISTEN      26418/httpd
> tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      26418/httpd
> tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN      26418/httpd
>
> [root@cacheserver trafficserver]# netstat -tanp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      22332/traffic_manag
> tcp        0      0 0.0.0.0:8083            0.0.0.0:*               LISTEN      22332/traffic_manag
> tcp        0      0 127.0.0.1:8084          0.0.0.0:*               LISTEN      22341/traffic_serve
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      22332/traffic_manag
>
> From: [email protected] [mailto:[email protected]]
> Sent: 22 March 2013 02:32
> To: [email protected]
> Subject: Re: Trafficserver and HTTPS (SSL Termination)
>
> I had a problem with my https too. I fixed it by making sure the certificate
> file was in PEM format. Also removed the password that was used to protect the
> cert.
> Did you restart trafficserver? My first config did not take effect and the
> port was not actually listening yet.
>
> And since it was a work network I also needed to get the firewall permissions
> updated.
>
> I joined recently; did I miss the ssl_multicert.config post?
> Were there any relevant error messages in the log files?
> Sent on the Sprint® Now Network from my BlackBerry®
>
> From: Anshu Prateek <[email protected]>
> Sender: [email protected]
> Date: Thu, 21 Mar 2013 23:08:18 +0530
> To: <[email protected]>
> ReplyTo: [email protected]
> Subject: Re: Trafficserver and HTTPS (SSL Termination)
>
> Had seen this issue a while back; the file permissions of the SSL cert
> files/keys were the main culprit. The file permissions for the certs/keys
> should be the same as how they are under the http server (the read permission
> to all for the key was one of the problems).
>
> regards
> Anshu Prateek
>
>
> On Thu, Mar 21, 2013 at 8:46 PM, Ketan Mehta <[email protected]> wrote:
> Hi All,
>
> I'm trying to build a cache solution using Apache Traffic Server (ATS). I'm
> trying to build a test environment with 2 servers. I have installed ATS-3.2
> on one of the servers (Cacheserver) and Apache web on the other (Webserver).
>
> On Webserver, I have configured two websites, www.web1.com and www.web2.com.
> It is configured to listen on ports 4000, 4001 for HTTP requests and 5000,
> 5001 for HTTPS requests. I'm using self-signed certificates for those
> websites.
>
> On Cacheserver, I have configured Traffic Server to listen on ports 80 and 443
> for HTTP and HTTPS requests.
>
> Both websites are working fine when I point the web browser to the
> webserver (HTTP & HTTPS requests), but when I point it to Cacheserver the HTTP
> request works, but HTTPS requests end up with an error.
>
> [root@cacheserver ~]# curl -k -v https://www.web1.com
> * About to connect() to www.web1.com port 443
> *   Trying 172.16.89.32... connected
> * Connected to www.web1.com (172.16.89.32) port 443
> * successfully set certificate verify locations:
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * SSLv2, Client hello (1):
> error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> * Closing connection #0
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
>
> All the certificates and keys are located under etc/trafficserver/ssl on
> Cacheserver. I've copied webserver-cert.crt and webserver-key.key from the
> Webserver.
>
> [root@cacheserver ~]# ls -l /opt/ats/etc/trafficserver/ssl
> -rw-r--r-- 1 root root 6334 Mar 21 14:48 cachesvr-bundle.crt
> -rw-r--r-- 1 root root 6146 Mar 21 14:43 originsvr-bundle.crt
> -rw-r--r-- 1 root root  887 Mar 21 14:46 www.web1.com.key
> -rw-r--r-- 1 root root  887 Mar 21 14:46 www.web2.com.key
>
> Below are the configurations of the remap.config and records.config files.
>
> #### records.config ##########
> CONFIG proxy.config.ssl.number.threads INT 0
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 1
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.server.cipher_suite STRING RC4+RSA:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:!eNULL:!aNULL:!EXP:!LOW:!ADH:!EDH
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
> CONFIG proxy.config.ssl.compression INT 0
> CONFIG proxy.config.ssl.client.certification_level INT 1
> CONFIG proxy.config.ssl.server.cert_chain.filename STRING cachesvr-bundle.crt
> CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.CA.cert.path STRING etc/trafficserver
> ################################
> # client related configuration #
> ################################
> CONFIG proxy.config.ssl.client.verify.server INT 0
> CONFIG proxy.config.ssl.client.cert.filename STRING originsvr-bundle.crt
> CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.client.private_key.filename STRING NULL
> CONFIG proxy.config.ssl.client.private_key.path STRING etc/trafficserver
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.client.CA.cert.path STRING etc/trafficserver
>
> #### remap.config #####
> map http://www.web1.com http://webserver:4000
> reverse_map http://webserver:4000 http://www.web1.com
> map http://www.web2.com http://webserver:4001
> reverse_map http://webserver:4001 http://www.web2.com
> map https://www.web1.com https://webserver:5000
> reverse_map http://webserver:5000 https://www.web1.com
> map https://www.web2.com https://webserver:5001
> reverse_map https://webserver:5001 https://www.web2.com
>
> What I'm trying to achieve is
>
> Client --Http--> Cache server --Http--> Origin server (http://www.web1.com and
> http://www.web2.com)
> Client --Https--> Cache server --Https--> Origin server (http://www.web1.com
> and http://www.web2.com)
>
> But it doesn't work with https. What am I doing wrong here?
>
> Let me know if anything is not clear.
>
> Thanks,
> Ketan
>
>
> Save Paper - do you really need to print this email?
>
> Confidentiality
> The contents of this e-mail is intended for the named addressee only.
> It contains information which may be confidential and which may also be
> legally privileged.
> Unless you are the named addressee (or authorised to receive for the
> addressee) you may not copy or use it, or disclose it to anyone else. If you
> received it in error please notify us immediately and then destroy it.
>
> Viruses
> Although we have taken steps to ensure that this email and attachments are
> free from any virus, we advise that in keeping with good computing practice
> the recipient should ensure they are actually virus free.
>
> Opinions
> Unless expressly stated, opinions in this message are those of the individual
> sender and not of The Rank Group Plc. The Rank Group Plc accepts no liability
> or responsibility for any onward transmission or use of e-mails and
> attachment having left The Rank Group Plc domain.
>
> The Rank Group Plc - Company Registration No. 03140769; Rank Leisure Holdings
> Limited - Company Registration No. 01841255; Rank Group Gaming Division
> Limited - Company Registration No. 03213743; Grosvenor Casinos Limited -
> Company Registration No. 00877080; Mecca Bingo Limited - Company Registration
> No. 01854120; Rank Leisure Limited - Company Registration No.
> 03417930; Rank Limited - Company Registration No. 03211794, all of which are
> registered in England and Wales and have their registered office at:
> Statesman House, Stafferton Way, Maidenhead, SL6 1AY, England.
> This email message has been delivered safely by Mimecast.
> For more information please visit http://www.mimecast.com
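Added example, not from this thread or the ATS project: a pre-flight script for the certificate and key files that a 3.2 ssl_multicert.config points at, to run before restarting traffic_server. It checks the things the thread raised one by one: that both files are PEM (marswrk's fix), that the key carries no passphrase (nobody is at the console when traffic_server starts), that the key actually belongs to the certificate, and that the key is readable by the ATS run-as user but not by every local user (Anshu's point). It assumes the 3.2 file format (`dest_ip=* ssl_cert_name=a.crt ssl_key_name=a.key`, names relative to proxy.config.ssl.server.cert.path); the config path, directory and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from this thread or the ATS project: pre-flight checks for
# the certificate/key pairs an ATS 3.2 ssl_multicert.config points at.
# Config path, cert dir and file names below are hypothetical.

# check_pair CERT KEY
# Returns 0 if an unattended server process could load the pair, 1 otherwise;
# every problem found is printed as a FAIL line.
check_pair() {
  cert="$1"; key="$2"; rc=0

  # ATS wants PEM; a DER or PKCS#12 blob has no "-----BEGIN" armour at all.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null \
    || { echo "FAIL: $cert is not a PEM certificate"; rc=1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null \
    || { echo "FAIL: $key is not a PEM private key"; rc=1; }

  # Nobody is at the console to type a passphrase when traffic_server starts.
  if grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$key" 2>/dev/null; then
    echo "FAIL: $key is passphrase-protected; strip it with: openssl rsa -in $key -out ${key}.nopass"
    rc=1
  fi

  # The key must belong to the certificate: compare the public keys they carry.
  # (-passin keeps openssl from prompting on an encrypted key; it then just fails.)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -pubout -passin pass:_ 2>/dev/null || true)
  if [ -z "$cert_pub" ] || [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $cert (or one of them cannot be parsed)"
    rc=1
  fi

  # The ATS run-as user (proxy.config.admin.user_id) must be able to read the
  # key, but no other local user should: a world-readable private key fails.
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null || true)
  case "$mode" in
    *[4567]) echo "FAIL: $key is world-readable (mode $mode); chown it to the ATS user and chmod 0400"; rc=1 ;;
  esac

  return $rc
}

# check_multicert CONFIG CERTDIR
# Walks an ssl_multicert.config ("dest_ip=* ssl_cert_name=a.crt ssl_key_name=a.key")
# and runs check_pair on each entry. Relative names resolve under CERTDIR, the
# directory proxy.config.ssl.server.cert.path points at. Returns 1 if any entry fails.
check_multicert() {
  conf="$1"; dir="$2"; bad=0
  while read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    cert_name=$(printf '%s\n' "$line" | sed -n 's/.*ssl_cert_name=\([^[:space:]]*\).*/\1/p')
    key_name=$(printf '%s\n' "$line" | sed -n 's/.*ssl_key_name=\([^[:space:]]*\).*/\1/p')
    [ -n "$cert_name" ] || { echo "FAIL: no ssl_cert_name in: $line"; bad=1; continue; }
    # Without ssl_key_name ATS looks for the key inside the certificate file.
    [ -n "$key_name" ] || key_name="$cert_name"
    case "$cert_name" in /*) cert="$cert_name" ;; *) cert="$dir/$cert_name" ;; esac
    case "$key_name"  in /*) key="$key_name"   ;; *) key="$dir/$key_name"   ;; esac
    echo "checking $cert with $key"
    check_pair "$cert" "$key" || bad=1
  done < "$conf"
  return $bad
}

# Usage (hypothetical paths):
#   sh check_multicert.sh /opt/ats/etc/trafficserver/ssl_multicert.config /opt/ats/etc/trafficserver/ssl
if [ "$#" -eq 2 ]; then
  check_multicert "$1" "$2"
fi
```

None of these checks would by itself produce the `SSL23_GET_SERVER_HELLO:unknown protocol` that curl reported in the first message: that error means the socket on 443 answered with bytes that are not a TLS record at all, usually plain HTTP. So, once the files pass, also confirm that the port is declared as an SSL port in the 3.2 records.config syntax (`CONFIG proxy.config.http.server_ports STRING 80 443:ssl`), which is part of what the Upgrading to 3.2 page linked above describes, and watch the `ssl` diagnostic tag output during a `curl -kv` as suggested in the reply.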
