Based on just this, I would say it is the client rejecting the certificate provided by ATS. I'm not sure what the units of the "configured handshake_timer" are. You should also see a lot more logging data than just this. In particular there should be messages about ATS loading up the certificates, both client and server.
Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem' twice in your records.config? Also, I don't think ATS verifies the client certificate unless told to do so, and I don't see that in your records.config.

On Tue, Feb 20, 2018 at 5:55 PM, salil GK <[email protected]> wrote:

> I can see the following lines in the ATS logs.
>
> >>>
>
> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLUtils.cc:1687 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x557514e03a00 where: 8194 ret: -1
>
> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1102 (sslServerHandShakeEvent)> (ssl) trace=FALSE
>
> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1106 (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_WANT_READ (2), errno=0
>
> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:514 (net_read_io)> (ssl) ssl handshake for vc 0x55751507fca0, took 0.583 seconds, configured handshake_timer: 20
>
> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1095 (sslServerHandShakeEvent)> (ssl) SSL handshake error: EOF
>
> <<<
>
> Is there any indication from this information, or do we need any more information from the system?
>
> Could this be an issue with the handshake timeout window? Just wondering.
>
> Regs
> ~S
>
> On 20 February 2018 at 01:57, Alan Carroll <[email protected]> wrote:
>
>> You can enable the debug tag 'ssl' to get more data.
>>
>> See
>> https://docs.trafficserver.apache.org/en/7.1.x/developer-guide/debugging/debug-tags.en.html?highlight=debug%20enable#other-useful-internal-debug-tags
>> https://docs.trafficserver.apache.org/en/7.1.x/admin-guide/files/records.config.en.html?highlight=debug%20enable#proxy.config.diags.debug.enabled
>>
>> On Mon, Feb 19, 2018 at 11:12 AM, gksalil <[email protected]> wrote:
>>
>>> Hello
>>>
>>> I have set up an mTLS forward proxy with ATS. But what happens is that the connection to the forward proxy is getting reset; I mean ATS is sending an RST message to the client.
>>> I have verified the certificate that the client is sending against the root CA certificate that ATS is using for verifying the client certificate. That shows verified.
>>>
>>> ~ # openssl verify -CAfile /tmp/ca.pem /tmp/tomcat.pem
>>> /tmp/tomcat.pem: OK
>>>
>>> But from Wireshark I can see the following sequence
>>>
>>> client to server -> Certificate, client key exchange, certificate verify
>>> client to server -> Change Cipher spec, Encrypted handshake message
>>> Server to client -> [RST, ACK]
>>>
>>> How do I fix this issue - any clues?
>>>
>>> from my records.conf
>>>
>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>> CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
>>> CONFIG proxy.config.ssl.server.cert.path STRING <location where certificates are stored>
>>>
>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>> CONFIG proxy.config.ssl.client.CA.cert.path STRING <location where certificates are stored>
>>>
>>> Is there any way I can make ATS log more ssl logs?
>>>
>>> Thanks in advance
>>> ~S
>>>
>>> --
>>> Sent from: http://apache-traffic-server.24303.n7.nabble.com/
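The records.config fragment below is an added example for readers of this thread, not configuration posted by anyone in it. It shows the distinction Alan's reply turns on: the `proxy.config.ssl.CA.*` settings name the CA that ATS uses to verify certificates presented by clients, while the `proxy.config.ssl.client.*` settings govern ATS acting as a TLS client toward origin servers, and neither makes ATS request a client certificate at all unless `proxy.config.ssl.client.certification_level` is raised from its default of 0. The setting names are those documented for ATS 7.1.x; the directory `/etc/trafficserver/ssl`, the file name `ca.pem` and the choice of level 2 are assumptions for the example.

```text
# Added example (not from the thread). Paths and file names are assumed.

# Certificate and key ATS presents to clients; the individual files are
# named in ssl_multicert.config relative to these directories.
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl
CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl

# CA used to verify certificates presented BY CLIENTS (the mTLS side).
CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl

# Without this, ATS never sends a CertificateRequest and never verifies
# the client certificate. 0 = do not request, 1 = request but optional,
# 2 = required (handshake fails without a valid client certificate).
CONFIG proxy.config.ssl.client.certification_level INT 2

# The proxy.config.ssl.client.* CA settings apply when ATS itself is the
# TLS client connecting to an origin; they only take effect together with
# proxy.config.ssl.client.verify.server and have no bearing on client-cert
# verification. Listed once here, not duplicated.
CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/trafficserver/ssl

# Handshake debugging, as suggested earlier in the thread.
CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING ssl
```

After restarting traffic_server with this, a capture of the handshake should show a CertificateRequest from the proxy before the client's Certificate message, and the `ssl` debug output should include the certificate loading messages Alan mentions. A quick end-to-end check from the client host, assuming the client key is in `tomcat.key` next to the `tomcat.pem` used above, is `openssl s_client -connect <proxy>:<port> -cert tomcat.pem -key tomcat.key -CAfile ca.pem`; a certificate the CA does not chain to should now produce a TLS alert in the `ssl` debug output rather than a bare RST.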
