I have assigned these variables also the same values -

CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.CA.cert.path STRING /directory/where/ca.pem
# and
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /directory/where/ca.pem

On 21 February 2018 at 22:48, Persia Aziz <persia.a...@yahoo.com> wrote:

> Hi,
>
> What you want is 'proxy.config.ssl.CA.cert.filename' and
> proxy.config.ssl.CA.cert.path not the client.CA configs. I know it is a
> bit confusing. The client.CA ones are used to verify origin server
> certificates. Try the configs and see if that works.
>
> Docs for the configs:
>
> records.config — Apache Traffic Server 8.0.0 documentation
> <https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?highlight=proxy%20config%20ssl%20ca%20cert%20filename#proxy.config.ssl.CA.cert.filename>
>
> - Sincerely
> Syeda Persia Aziz
> Software Developer
> Yahoo! Inc.
> Champaign, Illinois
>
>
> On Wednesday, February 21, 2018, 10:41:32 AM CST, Alan Carroll <solidwallofc...@oath.com> wrote:
>
> I meant more what *units* the handshake_timer is. Looking at the code, it
> seems to be in seconds meaning it is unlikely that is the problem (if the
> handshake took .5s with a 20s timeout).
>
> I'd recommend having any configuration value at most once, although I
> don't think it would break anything.
>
> Looking at the code, it appears the client cert verify callback was hit
> (SSLUtils.cc:1687) with a failure reported by openSSL. I'd look at debug
> messages much earlier, during process start, to see if the certs are
> getting loaded correctly.