On 30.01.2014 13:30, Uri Shachar wrote:
> On Thu, 30 Jan 2014 12:48:33 +0100 Reindl Harald wrote:
>> somehow ATS does not listen on 8443
>> without the "ssl=" it does, but does not accept https connections
>>
>> what I don't understand is why I need "server.cert.path" and
>> "server.private_key.path" at all additionally to "ssl_multicert.config",
>> and which cert this should be in production, but that's a later problem
>> after it accepts ssl-connections at all
>>
>> /etc/trafficserver/records.config:
>> CONFIG proxy.config.http.server_ports STRING 8080,ssl=8443
> 
> Your config is wrong - try:
> CONFIG proxy.config.http.server_ports STRING 8080 8443:ssl
> 
> Also, proxy.config.ssl.cert.path and proxy.config.ssl.server.private_key.path 
> should be paths, not specific certs:
> # This is the path that SSL certificates files are relative to. Certificate
> # names specified in ssl_multicert.config will be located relative to this path.
> CONFIG proxy.config.ssl.server.cert.path STRING config
> # If any private key is not contained in the certificate file, you must
> # fill in the private key path. Private key names specified in
> # ssl_multicert.config will be located relative to this path.
> CONFIG proxy.config.ssl.server.private_key.path STRING config

indeed - thanks for helping the blind man

"CONFIG proxy.config.http.server_ports STRING 8080 8443:ssl" does the trick.
One remaining issue currently is that DHE/ECDHE seem not to be supported,
while httpd/openssl in the same environment do:

[harry@rh:~]$ sslscan rhsoft.testserver.rhsoft.net:8443 | grep Accepted
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLS11  256 bits  AES256-SHA
    Accepted  TLS11  256 bits  CAMELLIA256-SHA
    Accepted  TLS11  168 bits  DES-CBC3-SHA
    Accepted  TLS11  128 bits  AES128-SHA
    Accepted  TLS11  128 bits  CAMELLIA128-SHA
    Accepted  TLS12  256 bits  AES256-GCM-SHA384
    Accepted  TLS12  256 bits  AES256-SHA
    Accepted  TLS12  256 bits  CAMELLIA256-SHA
    Accepted  TLS12  168 bits  DES-CBC3-SHA
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
    Accepted  TLS12  128 bits  AES128-SHA
    Accepted  TLS12  128 bits  CAMELLIA128-SHA
_________________________________________________

CONFIG proxy.config.ssl.server.cipher_suite STRING
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
_________________________________________________

That cipher suite should result in the following server-preferred order,
verified with https://www.ssllabs.com/ssltest/index.html and httpd:

Cipher Suites (SSL 3+ suites in server-preferred order, then SSL 2 suites where used)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA)   FS
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA)   FS
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 3072 bits (p: 512, g: 1, Ys: 512)   FS
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 3072 bits (p: 512, g: 1, Ys: 512)   FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA)   FS
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA)   FS
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA)   FS
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA)   FS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 3072 bits (p: 512, g: 1, Ys: 512)   FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 3072 bits (p: 512, g: 1, Ys: 512)   FS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 3072 bits (p: 512, g: 1, Ys: 512)   FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 3072 bits (p: 512, g: 1, Ys: 512)   FS
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 3072 bits (p: 512, g: 1, Ys: 512)   FS
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 3072 bits (p: 512, g: 1, Ys: 512)   FS
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq. 3072 bits RSA)   FS
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)

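The mismatch the thread describes (DHE/ECDHE suites in the configured cipher_suite string, none of them in the sslscan output) can be checked mechanically. The following is an added example, not code from Traffic Server or from anyone on the list; it takes the cipher_suite string and the TLS 1.2 sslscan lines from the message above and lists the configured forward-secrecy suites the scanner could not negotiate.

```python
"""Cross-check an ATS cipher_suite string against sslscan output (added example, not
code from Traffic Server): which configured DHE/ECDHE suites did the server never accept?"""
import re

# The proxy.config.ssl.server.cipher_suite value posted in the thread.
CIPHER_SUITE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:"
    "CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM"
)

# The TLS 1.2 lines of the sslscan listing from the thread, embedded as sample input.
SSLSCAN_OUTPUT = """\
    Accepted  TLS12  256 bits  AES256-GCM-SHA384
    Accepted  TLS12  256 bits  AES256-SHA
    Accepted  TLS12  256 bits  CAMELLIA256-SHA
    Accepted  TLS12  168 bits  DES-CBC3-SHA
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
    Accepted  TLS12  128 bits  AES128-SHA
    Accepted  TLS12  128 bits  CAMELLIA128-SHA
"""

ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

def configured_suites(cipher_string):
    """Ordered suite names; OpenSSL filter keywords (!LOW, !MEDIUM, +X, -X) are not suites."""
    return [c for c in cipher_string.split(":") if c and c[0] not in "!+-"]

def accepted_suites(scan_output):
    """Map the sslscan protocol label (TLSv1, TLS11, TLS12) to the suites it accepted."""
    accepted = {}
    for line in scan_output.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.setdefault(m.group(1), []).append(m.group(3))
    return accepted

def is_forward_secret(suite):
    """Ephemeral (EC)DH key exchange gives forward secrecy; plain RSA key transport does not."""
    return suite.startswith(("ECDHE-", "DHE-"))

def missing_fs_suites(cipher_string, scan_output, protocol="TLS12"):
    """Configured forward-secrecy suites the scanner could not negotiate, in configured order."""
    accepted = set(accepted_suites(scan_output).get(protocol, []))
    return [s for s in configured_suites(cipher_string) if is_forward_secret(s) and s not in accepted]
```

For the thread's data every one of the 15 DHE/ECDHE suites comes back as missing, which is the signal that the server's TLS stack is not offering ephemeral key exchange at all rather than merely preferring other suites.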