*-- added some formatting for clarity .. sorry for repeat post !*

*Q. Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem' twice in your records.config? Also, I don't think ATS verifies the client certificate unless told to do so and I don't see that in your records.config.*

*A. Yes, I can see the entry twice in the records.conf file - should I keep only one entry?*

*Q. I'm not sure what the units of the "configured handshake_timer" are.*

*A. It is 20:*

CONFIG proxy.config.ssl.handshake_timeout_in INT 20
CONFIG proxy.config.ssl.client.certification_level INT 2
CONFIG proxy.config.ssl.client.verify.server INT 0

Also I have the parameters CONFIG proxy.config.ssl.client.cert.path STRING and CONFIG proxy.config.ssl.client.CA.cert.path configured - is it really required - or will it create any issue?

Thanks
Salil

On 21 February 2018 at 06:54, salil GK <[email protected]> wrote:

> Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem' twice in your records.config? Also, I don't think ATS verifies the client certificate unless told to do so and I don't see that in your records.config. - Yes I can see the entry twice in the records.conf file - should I keep only one entry?
>
> I'm not sure what the units of the "configured handshake_timer" are. = it is 20
>
> CONFIG proxy.config.ssl.handshake_timeout_in INT 20
> CONFIG proxy.config.ssl.client.certification_level INT 2
> CONFIG proxy.config.ssl.client.verify.server INT 0
>
> also I have the parameters CONFIG proxy.config.ssl.client.cert.path STRING and CONFIG proxy.config.ssl.client.CA.cert.path configured - is it really required - or will it create any issue?
>
> Thanks
> Salil
>
> On 21 February 2018 at 06:30, Alan Carroll <[email protected]> wrote:
>
>> Based on just this, I would say it is the client rejecting the certificate provided by ATS. I'm not sure what the units of the "configured handshake_timer" are. You should also see a lot more logging data than just this. In particular there should be messages about ATS loading up the certificates, both client and server.
>>
>> Do you really have 'CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem' twice in your records.config? Also, I don't think ATS verifies the client certificate unless told to do so and I don't see that in your records.config.
>>
>> On Tue, Feb 20, 2018 at 5:55 PM, salil GK <[email protected]> wrote:
>>
>>> I can see the following lines in the ATS logs.
>>>
>>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLUtils.cc:1687 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x557514e03a00 where: 8194 ret: -1
>>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1102 (sslServerHandShakeEvent)> (ssl) trace=FALSE
>>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1106 (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_WANT_READ (2), errno=0
>>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:514 (net_read_io)> (ssl) ssl handshake for vc 0x55751507fca0, took 0.583 seconds, configured handshake_timer: 20
>>> 2018-02-20T10:46:49.496+00:00 gmt-dvor-vcsc1 traffic_server[7634]: {0x7f66f43fb740} DEBUG: <SSLNetVConnection.cc:1095 (sslServerHandShakeEvent)> (ssl) SSL handshake error: EOF
>>>
>>> <<<
>>>
>>> Is there any indication from this information - or do we need any more information from the system?
>>>
>>> could this be the issue with handshake timeout window? just wondering.
>>>
>>> Regs
>>>
>>> ~S
>>>
>>> On 20 February 2018 at 01:57, Alan Carroll <[email protected]> wrote:
>>>
>>>> You can enable the debug tag 'ssl' to get more data.
>>>>
>>>> See
>>>> https://docs.trafficserver.apache.org/en/7.1.x/developer-guide/debugging/debug-tags.en.html?highlight=debug%20enable#other-useful-internal-debug-tags
>>>> https://docs.trafficserver.apache.org/en/7.1.x/admin-guide/files/records.config.en.html?highlight=debug%20enable#proxy.config.diags.debug.enabled
>>>>
>>>> On Mon, Feb 19, 2018 at 11:12 AM, gksalil <[email protected]> wrote:
>>>>
>>>>> Hello
>>>>>
>>>>> I have set up an MTLS forward proxy with ATS. But what happens is - the connection to the forward proxy is getting reset - I mean ATS is sending an RST message to the client.
>>>>> I have verified the certificate that the client is sending with the root CA certificate that ATS is using for verifying the client certificate. That shows verified.
>>>>>
>>>>> ~ # openssl verify -CAfile /tmp/ca.pem /tmp/tomcat.pem
>>>>> /tmp/tomcat.pem: OK
>>>>>
>>>>> But from Wireshark I can see the following sequence
>>>>>
>>>>> client to server -> Certificate, client key exchange, certificate verify
>>>>> client to server -> Change Cipher spec, Encrypted handshake message
>>>>> Server to client -> [RST, ACK]
>>>>>
>>>>> How do I fix this issue - any clues?
>>>>>
>>>>> from my records.conf
>>>>>
>>>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>>>> CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
>>>>> CONFIG proxy.config.ssl.server.cert.path STRING <location where certificates are stored>
>>>>>
>>>>> CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
>>>>> CONFIG proxy.config.ssl.client.CA.cert.path STRING <location where certificates are stored>
>>>>>
>>>>> Is there any way I can make ATS log more ssl logs?
>>>>>
>>>>> Thanks in advance
>>>>> ~S
>>>>>
>>>>> --
>>>>> Sent from: http://apache-traffic-server.24303.n7.nabble.com/
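The thread turns on two configuration questions: a key that appears twice in records.config, and which settings actually make ATS verify a client certificate. The following Python linter is an added example, not code from the thread or from the Apache Traffic Server project. It parses the `CONFIG <name> <TYPE> <value>` line format, lists keys defined more than once, and summarises the verification posture implied by `proxy.config.ssl.client.certification_level` (inbound client certs, checked against `proxy.config.ssl.CA.cert.filename`) and `proxy.config.ssl.client.verify.server` (ATS as a TLS client verifying the origin, checked against `proxy.config.ssl.client.CA.cert.filename`). The sample input is constructed from the lines quoted in the thread; the certificate directory path is a made-up placeholder, and the note that ATS applies the last of two duplicate definitions is an assumption of this example rather than something the thread confirms.

```python
"""
Lint an Apache Traffic Server records.config fragment for duplicate keys
and summarise the TLS verification settings it implies.

Added example, not part of the mailing-list thread or the ATS code base.
"""
import re
from collections import defaultdict

# Constructed sample: the records.config lines quoted in the thread, collected
# in one place. The directory path is a placeholder, not a value from the thread.
SAMPLE_RECORDS = """\
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/trafficserver/ssl
CONFIG proxy.config.ssl.handshake_timeout_in INT 20
CONFIG proxy.config.ssl.client.certification_level INT 2
CONFIG proxy.config.ssl.client.verify.server INT 0
"""

# One record per line: CONFIG|LOCAL <name> <INT|STRING|FLOAT> <value>; value may be empty.
LINE_RE = re.compile(r"^\s*(CONFIG|LOCAL)\s+(\S+)\s+(INT|STRING|FLOAT)\s*(.*?)\s*$")


def parse_records(text):
    """Return (settings, occurrences).

    settings maps key -> value; a later definition overwrites an earlier one
    (assumed here to mirror last-definition-wins in ATS; not verified by the thread).
    occurrences maps key -> list of 1-based line numbers where it was defined.
    """
    settings = {}
    occurrences = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # strip trailing comments
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised records.config line: {raw!r}")
        _, key, typ, value = m.groups()
        settings[key] = int(value) if typ == "INT" else value
        occurrences[key].append(lineno)
    return settings, dict(occurrences)


def duplicate_keys(occurrences):
    """Keys defined more than once, with the line numbers of each definition."""
    return {k: v for k, v in occurrences.items() if len(v) > 1}


def tls_posture(settings):
    """Human-readable findings about inbound client-cert and outbound origin verification."""
    findings = []
    # Inbound side: does ATS ask the connecting client for a certificate, and must it be valid?
    level = settings.get("proxy.config.ssl.client.certification_level", 0)
    if level == 0:
        findings.append("inbound: client certificates are not requested")
    elif level == 1:
        findings.append("inbound: client certificate requested but optional")
    else:
        findings.append("inbound: client certificate required")
    # Client certs are verified against proxy.config.ssl.CA.cert.filename, not the client.CA.* keys.
    if level > 0 and not settings.get("proxy.config.ssl.CA.cert.filename"):
        findings.append("inbound: no proxy.config.ssl.CA.cert.filename to verify client certs against")
    # Outbound side: the proxy.config.ssl.client.* keys configure ATS as a TLS client to the origin.
    if settings.get("proxy.config.ssl.client.verify.server", 0) == 0:
        findings.append("outbound: origin server certificates are not verified "
                        "(proxy.config.ssl.client.verify.server=0)")
    return findings


if __name__ == "__main__":
    settings, occurrences = parse_records(SAMPLE_RECORDS)
    for key, lines in duplicate_keys(occurrences).items():
        print(f"duplicate: {key} defined on lines {lines}")
    for finding in tls_posture(settings):
        print(finding)
```

Run against the sample it reports the duplicated `proxy.config.ssl.client.CA.cert.filename` on lines 1 and 4, confirms that inbound client certificates are required (level 2) with a CA file to verify them against, and flags that with `proxy.config.ssl.client.verify.server` at 0 the proxy accepts any certificate an origin presents, which is the setting worth revisiting once the inbound handshake problem is sorted out.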
