On Oct 9, 2013, at 9:25 AM, Jean Baptiste Favre <[email protected]> wrote:
> Hello James,
> Thanks for your quick reply.
>
> I added the following line into ssl_multicert.config:
> dest_ip=* ssl_cert_name=cert.pem ssl_key_name=key.pem
>
> Then I ran /usr/bin/traffic_server -T ssl and got these logs when
> launching the curl command:
>
> Server {0x7ffebb655700} DEBUG: (ssl) [SSLNextProtocolAccept:mainEvent]
> event 202 netvc 0x22574d0
> Server {0x7ffebb655700} DEBUG: (ssl) IP context is (nil), default
> context 0x7ffebc0a5170
> Server {0x7ffebb655700} DEBUG: (ssl)
> SSLNetVConnection::sslServerHandShakeEvent, error
> Server {0x7ffebb655700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x7ffebb655700} ERROR: SSL::5:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
> Server {0x7ffebb655700} DEBUG: (ssl)
> SSLNetVConnection::sslServerHandShakeEvent, error
> Server {0x7ffebb655700} ERROR: SSL ERROR: SSL_ServerHandShake.
> Server {0x7ffebb655700} ERROR: SSL::5:error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>
> Will continue debugging tomorrow,
Are you positive that the curl command you are using is actually sending SSL,
rather than HTTP?
>
> Regards,
> Jean-Baptiste
>
>
> On 09/10/2013 17:22, James Peach wrote:
>> On Oct 9, 2013, at 8:08 AM, Jean Baptiste Favre <[email protected]>
>> wrote:
>>
>>> I'm new to trafficserver.
>>> Using ATS 3.2.5 on Debian 7.0 Wheezy, I need to be able to cache content
>>> from SSL requests.
>>>
>>> These requests are made by an internal application against external
>>> services, mostly using HTTPS.
>>> So, my application will be the client and the external services the origin servers.
>>>
>>> Using an HTTP proxy, requests work but content is not cached, which, I
>>> think, is obviously OK since the client will establish a CONNECT tunnel,
>>> which makes ATS unable to see the content.
>>>
>>> From my understanding, I need to set up SSL termination.
>>> I followed:
>>> http://trafficserver.apache.org/docs/trunk/admin/security-options/#UsingSSLTermination
>>
>> Sorry, these docs have not been updated. The SSL termination configuration
>> is described more accurately here:
>>
>> https://trafficserver.readthedocs.org/en/latest/admin/security-options.en.html#using-ssl-termination
>> https://trafficserver.readthedocs.org/en/latest/reference/configuration/ssl_multicert.config.en.html
>>
>> You need to specify the SSL certificates in ssl_multicert.config. If you
>> need additional debugging on the server end, you can set the "ssl"
>> diagnostic tag.
>>
>>>
>>> For now, I use self-signed SSL certificate generated with:
>>> openssl req -x509 -newkey rsa:2048 -keyout keypriv.pem -out cert.pem
>>> -days 365
>>>
>>> And passphrase is removed with
>>> openssl rsa -in keypriv.pem -out key.pem
>>>
>>> Between Client & ATS, here's what I use for configuration:
>>>
>>> CONFIG proxy.config.http.server_ports STRING 80:ipv4 443:ipv4:ssl
>>> CONFIG proxy.config.http.connect_ports STRING 443 563
>>> CONFIG proxy.config.ssl.client.certification_level INT 0
>>> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver
>>> CONFIG proxy.config.ssl.server.cert.filename STRING cert.pem
>>> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver
>>> CONFIG proxy.config.ssl.server.private_key.filename STRING key.pem
>>>
>>> Still from my understanding, I don't need any specific option for ATS to
>>> origin server connections since ATS will act as the client and therefore does
>>> not need any certificate.
>>>
>>> But, it does not work. Using curl, here's what I get:
>>> curl -vvv -k --proxy https://my_proxy:443 "https://secure.website.tld/"
>>> * About to connect() to proxy my_proxy port 443 (#0)
>>> * Trying xxx.yyy.uuu.ttt...
>>> * connected
>>> * Connected to my_proxy (xxx.yyy.uuu.ttt) port 443 (#0)
>>> * Establish HTTP proxy tunnel to secure.website.tld:443
>>>> CONNECT secure.website.tld:443 HTTP/1.1
>>>> Host: secure.website.tld:443
>>>> User-Agent: curl/7.26.0
>>>> Proxy-Connection: Keep-Alive
>>>>
>>> * Easy mode waiting response from proxy CONNECT
>>>
>>> And here's what I get on ATS side:
>>> Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
>>> Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL
>>> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>>> Server {0x2b3cb338b700} ERROR: SSL ERROR: SSL_ServerHandShake.
>>> Server {0x2b3cb338b700} ERROR: SSL::5:error:1407609B:SSL
>>> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>>> Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
>>> Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL
>>> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>>> Server {0x2b3cb348c700} ERROR: SSL ERROR: SSL_ServerHandShake.
>>> Server {0x2b3cb348c700} ERROR: SSL::6:error:1407609B:SSL
>>> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>>> Server {0x2b3cb358d700} ERROR: SSL ERROR: SSL_ServerHandShake.
>>> Server {0x2b3cb358d700} ERROR: SSL::7:error:1407609B:SSL
>>> routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:423:
>>>
>>> I bet I missed a point, but can't find which one.
>>>
>>> Any help appreciated,
>>> Jean-Baptiste
>>
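James's question (is curl really sending TLS to port 443, or plain HTTP?) is exactly what the reason string `https proxy request` in the logged OpenSSL error encodes. The Python below, added here as an illustration and not code from the thread or from Traffic Server, mirrors OpenSSL's first-bytes check on a fresh connection and maps the logged reason to its likely cause; the sample byte strings are constructed.

```python
import re

# Constructed samples (not taken from the thread): the first bytes a TLS
# listener on port 443 might receive from two different kinds of client.
SAMPLE_TLS_HELLO = bytes.fromhex("160301002a010000260303") + bytes(32)
SAMPLE_PLAIN_CONNECT = b"CONNECT secure.website.tld:443 HTTP/1.1\r\nHost: secure.website.tld:443\r\n\r\n"
SAMPLE_PLAIN_GET = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages


def classify_client_bytes(data: bytes) -> str:
    """Classify what a client sent first, the way OpenSSL's s23 server does.

    Returns one of: 'tls-client-hello', 'sslv2-client-hello',
    'https-proxy-request' (a leading CONNECT), 'http-request'
    (a leading GET/POST/HEAD/PUT) or 'unknown'.
    """
    if len(data) < 3:
        return "unknown"
    # TLS record header: content type 0x16 followed by major version 3.
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return "tls-client-hello"
    # SSLv2-style ClientHello: high bit of the 2-byte length set, msg type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    # Plaintext HTTP on a TLS port; OpenSSL names these two cases separately.
    if data.startswith(b"CONNECT "):
        return "https-proxy-request"
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http-request"
    return "unknown"


# OpenSSL error strings look like error:<code>:<lib>:<function>:<reason>
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)")

LIKELY_CAUSE = {
    "https proxy request": "client sent a plaintext CONNECT to the TLS port; "
                           "check that the client really speaks TLS to the proxy",
    "http request": "client sent plaintext HTTP to the TLS port",
}


def explain_openssl_error(log_line: str) -> str:
    """Pull the reason out of a logged OpenSSL error and map it to a cause."""
    m = OPENSSL_ERR.search(log_line)
    if not m:
        return "no OpenSSL error code in line"
    reason = m.group(4)
    return LIKELY_CAUSE.get(reason, "unmapped reason: " + reason)
```

Feeding the thread's own log line to explain_openssl_error() yields the CONNECT explanation, which matches the plaintext "CONNECT secure.website.tld:443" that curl printed before the handshake failed.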