On Oct 9, 2013, at 8:08 AM, Jean Baptiste Favre <[email protected]> wrote:
> I'm new to trafficserver.
> Using ATS 3.2.5 on Debian 7.0 Wheezy, I need to be able to cache content
> from SSL requests.
>
> These requests are made by an internal application against external
> services, mostly using HTTPS.
> So, my application will be the client and the external services the origin server.
>
> Using HTTP proxy, requests work but content is not cached which, I
> think, is obviously OK since the client will establish a CONNECT tunnel
> which makes ATS unable to see content.
>
> From my understanding, I need to set up SSL termination.
> I followed:
> http://trafficserver.apache.org/docs/trunk/admin/security-options/#UsingSSLTermination

Sorry, these docs have not been updated. The SSL termination configuration is described more accurately here:

https://trafficserver.readthedocs.org/en/latest/admin/security-options.en.html#using-ssl-termination
https://trafficserver.readthedocs.org/en/latest/reference/configuration/ssl_multicert.config.en.html

You need to specify the SSL certificates in ssl_multicert.config. If you need additional debugging on the server end, you can set the "ssl" diagnostic tag.

>
> For now, I use a self-signed SSL certificate generated with:
> openssl req -x509 -newkey rsa:2048 -keyout keypriv.pem -out cert.pem
> -days 365
>
> And the passphrase is removed with
> openssl rsa -in keypriv.pem -out key.pem
>
> Between Client & ATS, here's what I use for configuration:
>
> CONFIG proxy.config.http.server_ports STRING 80:ipv4 443:ipv4:ssl
> CONFIG proxy.config.http.connect_ports STRING 443 563
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver
> CONFIG proxy.config.ssl.server.cert.filename STRING cert.pem
> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver
> CONFIG proxy.config.ssl.server.private_key.filename STRING key.pem
>
> Still from my understanding, I don't need any specific option for ATS to
> origin server connections since ATS will act as client and therefore does
> not need any certificate.
>
> But, it does not work. Using curl, here's what I get:
> curl -vvv -k --proxy https://my_proxy:443 "https://secure.website.tld/"
> * About to connect() to proxy my_proxy port 443 (#0)
> * Trying xxx.yyy.uuu.ttt...
> * connected
> * Connected to my_proxy (xxx.yyy.uuu.ttt) port 443 (#0)
> * Establish HTTP proxy tunnel to secure.website.tld:443
> > CONNECT secure.website.tld:443 HTTP/1.1
> > Host: secure.website.tld:443
> > User-Agent: curl/7.26.0
> > Proxy-Connection: Keep-Alive
> >
> * Easy mode waiting response from proxy CONNECT
>
> And here's what I get on ATS side:
> Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
> Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
> Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
> Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
> Server {0x2b3cb358d700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x2b3cb358d700} ERROR: SSL::7:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>
> I bet I missed a point, but can't find which one.
>
> Any help appreciated,
> Jean-Baptiste
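An added triage helper, not from the thread or the ATS project: it pulls the OpenSSL error fields out of ATS log lines like the ones quoted above and classifies the first bytes a TLS listener receives the way OpenSSL's SSL23_GET_CLIENT_HELLO does, so a plaintext CONNECT arriving on an ssl port maps to the "https proxy request" reason seen in the log. The regex, the labels, the hint text and the sample log are constructed here.

```python
import re

# Constructed sample, modelled on the ATS diagnostic lines quoted in the thread.
SAMPLE_LOG = """\
Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
"""

# OpenSSL error strings look like error:<code>:<lib>:<func>:<reason>:<file>:<line>:
OPENSSL_ERR = re.compile(r"error:([0-9A-F]{8}):([^:]+):([^:]+):([^:]+):")

# Reasons SSL23_GET_CLIENT_HELLO raises when the first bytes on an SSL port
# are not a ClientHello at all. Hint text is ours, not OpenSSL's.
REASON_HINTS = {
    "https proxy request": "plaintext CONNECT received on the TLS port; "
                           "the client is talking HTTP-proxy, not TLS, to it",
    "http request": "plaintext GET/POST/HEAD/PUT received on the TLS port",
}

def parse_openssl_errors(log: str) -> list:
    """Return (code, library, function, reason) for each OpenSSL error in the log."""
    return [m.groups() for m in OPENSSL_ERR.finditer(log)]

def explain_log(log: str) -> list:
    """Map each distinct OpenSSL reason in the log to a triage hint."""
    reasons = {r for _, _, _, r in parse_openssl_errors(log)}
    return sorted((r, REASON_HINTS.get(r, "no hint")) for r in reasons)

def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes a TLS listener received, mirroring s23_srvr.c."""
    if len(data) < 5:
        return "too-short"
    if data[0] == 0x16 and data[1] == 0x03:   # TLS record: handshake, version 3.x
        return "tls-client-hello"
    if data[0] & 0x80 and data[2] == 0x01:    # SSLv2-style 2-byte header, CLIENT-HELLO
        return "sslv2-compatible-hello"
    if data.startswith(b"CONNECT "):          # OpenSSL reason: "https proxy request"
        return "plaintext-https-proxy-request"
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):  # reason: "http request"
        return "plaintext-http-request"
    return "unknown"

if __name__ == "__main__":
    for reason, hint in explain_log(SAMPLE_LOG):
        print(f"{reason}: {hint}")
    print(classify_first_bytes(b"CONNECT secure.website.tld:443 HTTP/1.1\r\n"))
```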
