> On Jul 18, 2016, at 5:37 PM, Chee, Anthony [COMP] <[email protected]> wrote:
>
> I am using CentOS 7 as the OS. The version of trafficserver is v5.3.0, which comes from EPEL 7. CentOS 7 is updated with all patches.
>
> I would like to set up a reverse proxy which listens on 80 and 443. It accepts SSL connections, mapping the connection to an internal host also with SSL.
>
> Below is the portion of records.config I modified.
>
> CONFIG proxy.config.ssl.client.cert.filename STRING mycert.crt
> CONFIG proxy.config.ssl.client.private_key.filename STRING mykey.key

This is specifying the certificate Traffic Server will present to “internalhost”. Did you add an ssl_multicert.config entry with the certificate and key for “publichost”?

> #CONFIG proxy.config.ssl.allow_client_renegotiation INT 1
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 0
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.verify.server INT 0
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.server.cipher_suite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
> CONFIG proxy.config.diags.debug.enabled INT 1
> CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*|ssl.*
>
> Below is the remap.config I modified.
>
> map https://publichost https://internalhost/path
>
> I used Chrome to connect to https://publichost and it gave me the following:
>
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.
>
> From my understanding, RC4 should already be disabled in the above cipher_suite setting. I would like to ask if there is anything I missed. I tested with a non-SSL reverse proxy and it seems OK.
>
> Regards,
> Anthony
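As an added check that is not part of this thread and not Traffic Server's own code: a small Python lint over the two files the reply points at, flagging the situation described above, where `proxy.config.ssl.client.cert.filename` (the certificate ATS presents to the origin) is set but ssl_multicert.config carries no server certificate for browsers. The sample file contents are constructed for the example; the `dest_ip=* ssl_cert_name=... ssl_key_name=...` line format and the `proxy.config.http.server_ports` setting are standard ATS syntax.

```python
# Added example (not from this thread or from Traffic Server): lint records.config
# and ssl_multicert.config for an incomplete TLS-termination setup.
import re

# records.config syntax: CONFIG <name> <type> <value>
RECORDS_RE = re.compile(r"^\s*CONFIG\s+(\S+)\s+(STRING|INT|FLOAT)\s+(.*?)\s*$")


def parse_records(text):
    """Return {name: value} for CONFIG lines; '#' comment lines are skipped."""
    out = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = RECORDS_RE.match(line)
        if m:
            out[m.group(1)] = m.group(3)
    return out


def parse_multicert(text):
    """Return one dict per ssl_multicert.config entry; each line is a set of
    whitespace-separated key=value tokens (dest_ip=* ssl_cert_name=... ssl_key_name=...)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(dict(tok.split("=", 1) for tok in line.split() if "=" in tok))
    return entries


def lint_tls_termination(records_text, multicert_text):
    """Return a list of findings; an empty list means the browser-facing side is complete."""
    records = parse_records(records_text)
    entries = parse_multicert(multicert_text)
    findings = []
    if ":ssl" not in records.get("proxy.config.http.server_ports", ""):
        findings.append("no ':ssl' port in proxy.config.http.server_ports, so ATS will not terminate TLS")
    if not any("ssl_cert_name" in e for e in entries):
        findings.append("ssl_multicert.config has no ssl_cert_name entry: nothing to present to browsers")
    if "proxy.config.ssl.client.cert.filename" in records and not entries:
        findings.append("proxy.config.ssl.client.cert.filename is the cert sent to the origin, not a server certificate")
    return findings


# Constructed sample input modelled on the thread (not the poster's actual files).
RECORDS = """CONFIG proxy.config.http.server_ports STRING 80 443:ssl
CONFIG proxy.config.ssl.client.cert.filename STRING mycert.crt
CONFIG proxy.config.ssl.client.private_key.filename STRING mykey.key
#CONFIG proxy.config.ssl.allow_client_renegotiation INT 1
"""
MULTICERT_MISSING = "# constructed: no server certificate configured\n"
MULTICERT_OK = "dest_ip=* ssl_cert_name=publichost.crt ssl_key_name=publichost.key\n"

if __name__ == "__main__":
    for finding in lint_tls_termination(RECORDS, MULTICERT_MISSING):
        print("FINDING:", finding)
    print("after adding the entry:", lint_tls_termination(RECORDS, MULTICERT_OK))
```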
