> Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem' twice in your records.config? Also, I don't think ATS verifies the client certificate unless told to do so and I don't see that in your records.config.

- Yes, I can see the entry twice in the records.conf file - should I keep only one entry?

> I'm not sure what the units of the "configured handshake_timer" are.

= it is 20

CONFIG proxy.config.ssl.handshake_timeout_in INT 20
CONFIG proxy.config.ssl.client.certification_level INT 2
CONFIG proxy.config.ssl.client.verify.server INT 0

Also, I have the parameters CONFIG proxy.config.ssl.client.cert.path STRING and CONFIG proxy.config.ssl.client.CA.cert.path configured - are they really required - or will they create any issue?

Thanks
Salil

On 21 February 2018 at 06:30, Alan Carroll <[email protected]> wrote:

> Based on just this, I would say it is the client rejecting the certificate
> provided by ATS. I'm not sure what the units of the "configured
> handshake_timer" are. You should also see a lot more logging data than
> just this. In particular there should be messages about ATS loading up the
> certificates, both client and server.
>
> Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename
> STRING ca.pem' twice in your records.config? Also, I don't think ATS
> verifies the client certificate unless told to do so and I don't see that
> in your records.config.
>
> On Tue, Feb 20, 2018 at 5:55 PM, salil GK <[email protected]> wrote:
>
>> I can see the following lines in the ATS logs.
>>
>> >>>
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLUtils.cc:1687 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x557514e03a00 where: 8194 ret: -1
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1102 (sslServerHandShakeEvent)> (ssl) trace=FALSE
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1106 (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_WANT_READ (2), errno=0
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:514 (net_read_io)> (ssl) ssl handshake for vc 0x55751507fca0, took 0.583 seconds, configured handshake_timer: 20
>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1095 (sslServerHandShakeEvent)> (ssl) SSL handshake error: EOF
>> <<<
>>
>> Is there any indication from this information - or do we need any more
>> information from the system?
>>
>> Could this be the issue with the handshake timeout window? Just wondering.
>>
>> Regs
>> ~S
>>
>> On 20 February 2018 at 01:57, Alan Carroll <[email protected]> wrote:
>>
>>> You can enable the debug tag 'ssl' to get more data.
>>>
>>> See
>>> https://docs.trafficserver.apache.org/en/7.1.x/developer-guide/debugging/debug-tags.en.html?highlight=debug%20enable#other-useful-internal-debug-tags
>>> https://docs.trafficserver.apache.org/en/7.1.x/admin-guide/files/records.config.en.html?highlight=debug%20enable#proxy.config.diags.debug.enabled
>>>
>>> On Mon, Feb 19, 2018 at 11:12 AM, gksalil <[email protected]> wrote:
>>>
>>>> Hello
>>>>
>>>> I have set up an MTLS forward proxy with ATS. But what happens is - the
>>>> connection to the forward proxy is getting reset - I mean ATS is sending an RST
>>>> message to the client.
>>>> I have verified the certificate that the client is sending with the root CA
>>>> certificate that ATS is using for verifying the client certificate. That shows
>>>> verified.
>>>>
>>>> ~ # openssl verify -CAfile /tmp/ca.pem /tmp/tomcat.pem
>>>> /tmp/tomcat.pem: OK
>>>>
>>>> But from Wireshark I can see the following sequence
>>>>
>>>> client to server -> Certificate, client key exchange, certificate verify
>>>> client to server -> Change Cipher spec, Encrypted handshake message
>>>> Server to client -> [RST, ACK]
>>>>
>>>> How do I fix this issue - any clues?
>>>>
>>>> from my records.conf
>>>>
>>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>>> CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
>>>> CONFIG proxy.config.ssl.server.cert.path STRING <location where certificates are stored>
>>>>
>>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>>> CONFIG proxy.config.ssl.client.CA.cert.path STRING <location where certificates are stored>
>>>>
>>>> Is there any way I can make ATS log more ssl logs?
>>>>
>>>> Thanks in advance
>>>> ~S
>>>>
>>>> --
>>>> Sent from: http://apache-traffic-server.24303.n7.nabble.com/
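Collecting the settings mentioned across this thread into one records.config fragment, as an added example rather than anything the posters supplied: the proxy.config.ssl.client.* keys govern the connection ATS opens towards the origin (the CA it trusts for the server's certificate, whether it checks that certificate at all), while proxy.config.ssl.CA.cert.* together with proxy.config.ssl.client.certification_level govern what ATS demands from the connecting client, which is the side the reset happens on. The certificate directory is a placeholder path.

```text
# --- Outbound side: ATS acting as TLS client towards the origin ---
# This is the key that appears twice in the original records.config;
# a single copy is sufficient.
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/trafficserver/certs
# As posted in the thread: 0 means the origin's certificate is not verified.
# Set to 1 once the origin presents a certificate chaining to the CA above.
CONFIG proxy.config.ssl.client.verify.server INT 0

# --- Inbound side: ATS acting as TLS server, checking the client certificate ---
# CA used to verify certificates presented by connecting clients.
CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/certs
# 0 = never request a client certificate, 1 = request but do not require,
# 2 = require and verify (the value posted later in the thread).
CONFIG proxy.config.ssl.client.certification_level INT 2
# Server certificate/key location referenced by ssl_multicert.config.
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/certs
# Handshake timeout in seconds, matching the "configured handshake_timer: 20" log line.
CONFIG proxy.config.ssl.handshake_timeout_in INT 20
```

With `proxy.config.diags.debug.enabled INT 1` and `proxy.config.diags.debug.tags STRING ssl`, the diagnostics log should then show ATS loading both the server certificate and the CA file at startup, which is the confirmation Alan asks for above.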
