Oh. Thank you. You reminded me to modify the ssl_multicert.config. It seems to be working now.
-----Original Message-----
From: James Peach [mailto:[email protected]]
Sent: Monday, 18 July 2016 7:19 PM
To: [email protected]
Subject: Re: SSL and Reverse Proxy

> On Jul 18, 2016, at 5:37 PM, Chee, Anthony [COMP] <[email protected]> wrote:
>
> I am using CentOS 7 as the OS. The version of trafficserver is v5.3.0, which comes from EPEL 7. CentOS 7 is updated with all patches.
>
> I would like to set up a reverse proxy which listens on 80 and 443. It accepts SSL connections, mapping the connection to an internal host, also with SSL.
>
> Below is the portion of records.conf I modified.
>
> CONFIG proxy.config.ssl.client.cert.filename STRING mycert.crt
> CONFIG proxy.config.ssl.client.private_key.filename STRING mykey.key

This is specifying the certificate Traffic Server will present to "internalhost". Did you add a ssl_multicert.config entry with the certificate and key for "publichost"?

> #CONFIG proxy.config.ssl.allow_client_renegotiation INT 1
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 0
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.verify.server INT 0
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.server.cipher_suite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
> CONFIG proxy.config.diags.debug.enabled INT 1
> CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*|ssl.*
>
> Below is the remap.conf I modified.
>
> map https://publichost https://internalhost/path
>
> I used Chrome to connect to https://publichost and it gives me the following:
>
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.
>
> From my understanding, RC4 should already be disabled in the above cipher_suite setting. I would like to ask if there is anything I missed. I tested with a non-SSL reverse proxy and it seems OK.
>
> Regards,
> Anthony
>
> Disclaimer:
>
> This message (including any attachments) contains confidential information intended for a specific individual and purpose. If you are not the intended recipient, you should delete this message and notify the sender and The Hong Kong Polytechnic University (the University) immediately. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited and may be unlawful.
>
> The University specifically denies any responsibility for the accuracy or quality of information obtained through University E-mail Facilities. Any views and opinions expressed are only those of the author(s) and do not necessarily represent those of the University and the University accepts no liability whatsoever for any losses or damages incurred or caused to any party as a result of the use of such information.
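The point James makes in the thread is that Traffic Server has two separate TLS identities: proxy.config.ssl.client.cert.* is the certificate ATS presents as a TLS client toward the origin ("internalhost"), while the certificate it serves to browsers on 443 comes only from ssl_multicert.config. A listener with no entry there has nothing to offer in the handshake, and Chrome reports that as ERR_SSL_VERSION_OR_CIPHER_MISMATCH even though the cipher list is fine. The script below is an added example, not code from the thread or from the Apache Traffic Server project: it writes the missing ssl_multicert.config line, writes the origin-side records.config fragment with proxy.config.ssl.client.verify.server set to 1 and a CA file (the thread's value of 0 means ATS accepts any certificate from internalhost), and checks with openssl that each configured certificate actually matches its key, which is the usual cause of a listener silently failing after the entry is added. It assumes an ATS 5.x layout where file names in ssl_multicert.config are resolved under proxy.config.ssl.server.cert.path / proxy.config.ssl.server.private_key.path; the host names, file names, and the self-signed test certificate are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Apache Traffic Server.
# Assumed: an ATS 5.x layout in which ssl_multicert.config names files relative to
# proxy.config.ssl.server.cert.path / proxy.config.ssl.server.private_key.path;
# "publichost", "internalhost" and the file names are placeholders.
set -eu

# ssl_multicert.config entry: the certificate ATS presents to browsers on 443.
# Without it the listener has no server certificate, so the handshake fails
# before any cipher is chosen (Chrome shows ERR_SSL_VERSION_OR_CIPHER_MISMATCH).
write_multicert_config() {
    cat > "$1" <<'EOF'
# certificate/key ATS serves for inbound HTTPS (all listening addresses)
dest_ip=* ssl_cert_name=publichost.crt ssl_key_name=publichost.key
EOF
}

# records.config fragment for the origin side, where ATS is the TLS *client*.
# proxy.config.ssl.client.cert.* only matters if internalhost demands a client
# certificate; it never makes ATS a TLS server. verify.server=1 with a CA file
# makes ATS check internalhost's certificate instead of accepting anything.
write_records_fragment() {
    cat > "$1" <<'EOF'
CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.client.CA.cert.filename STRING internal-ca.crt
EOF
}

# Throwaway self-signed certificate for "publichost" (constructed test data).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=publichost" \
        -keyout "$1/publichost.key" -out "$1/publichost.crt" >/dev/null 2>&1
}

# A certificate and a private key belong together iff they carry the same
# public key; comparing the PEM public keys works for RSA and EC alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Walk every entry in an ssl_multicert.config and verify the named cert/key pair
# exists under $2 and matches. Prints one line per entry; returns 1 on any failure.
check_multicert_config() {
    cfg=$1; certdir=$2; rc=0
    entries=$(mktemp)
    grep -v '^[[:space:]]*#' "$cfg" | grep 'ssl_cert_name=' > "$entries" || true
    while read -r line; do
        cert=$(printf '%s\n' "$line" | sed -n 's/.*ssl_cert_name=\([^ ]*\).*/\1/p')
        key=$(printf '%s\n' "$line" | sed -n 's/.*ssl_key_name=\([^ ]*\).*/\1/p')
        # ATS reads the key from the certificate file when ssl_key_name is absent
        [ -n "$key" ] || key=$cert
        if cert_matches_key "$certdir/$cert" "$certdir/$key"; then
            echo "ok    $cert / $key"
        else
            echo "FAIL  $cert / $key (missing, unreadable, or key does not match cert)"
            rc=1
        fi
    done < "$entries"
    rm -f "$entries"
    return $rc
}

# Live check against a running proxy (not exercised here): shows which
# certificate the 443 listener really presents for the requested SNI name.
probe_listener() {
    printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Demo: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_test_cert "$d"
    write_multicert_config "$d/ssl_multicert.config"
    write_records_fragment "$d/records.config.fragment"
    check_multicert_config "$d/ssl_multicert.config" "$d"
    rm -rf "$d"
fi
```

Run `sh thisfile.sh demo` to see the check pass against the generated pair; point check_multicert_config at the real ssl_multicert.config and certificate directory before restarting traffic_server, and use probe_listener against publichost afterwards to confirm the listener now presents the intended certificate rather than failing the handshake.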
