Yes, of course I have.

CONFIG proxy.config.ssl.client.cert.path STRING /etc/ssl/certs/
CONFIG proxy.config.ssl.client.cert.filename STRING xxx.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/ssl/certs/
CONFIG proxy.config.ssl.client.CA.cert.filename STRING xxx_CA.pem

The question is whether ATS is able to send verify_client_post_handshake as an extension in the TLS Client Hello.
Conversely, if ATS does not send the "post_handshake_auth" extension, then according to RFC 8446 <https://tools.ietf.org/html/rfc8446>:

The "post_handshake_auth" extension is used to indicate that a client is willing to perform post-handshake authentication (Section 4.6.2 <https://tools.ietf.org/html/rfc8446#section-4.6.2>). Servers MUST NOT send a post-handshake CertificateRequest to clients which do not offer this extension. Servers MUST NOT send this extension.

On Thu, Dec 10, 2020 at 5:48 PM Susan Hinrichs <[email protected]> wrote:

> Sounds like the origin is requesting a client certificate which ATS is not
> providing.
>
> Do you have your ATS configured to specify a client certificate if the
> origin requests one? This can be configured by the records.config setting
> proxy.config.ssl.client.cert.filename (and related). These settings can also
> be overridden on a per remap basis by using conf_remap.so.
>
> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?#proxy-config-ssl-client-cert-filename
>
>
> On Thu, Dec 10, 2020 at 7:17 AM <[email protected]> wrote:
>
>> Hi,
>> I found an explanation of how Wireshark presents TLSv1.3 and it seems my
>> configuration is OK and TLSv1.3 is used.
>>
>> However I have another problem with the origin server.
>> It sends me back "403 Forbidden" because of:
>>
>> SSL Library Error: error:14268117:SSL
>> routines:SSL_verify_client_post_handshake:extension not received
>>
>>
>> As I understand it, ATS does not send the "verify_client_post_handshake"
>> extension in the Client Hello.
>>
>> Is it possible to configure this somehow?
>>
>>
>> Thanks, Peter
>>
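Added example, not part of the thread and not ATS or OpenSSL code: a small Python checker for the diagnostic the question above calls for. Given the raw bytes of the ClientHello that ATS sends to the origin (in Wireshark, select the TLS record and use "Export Packet Bytes", or copy it as a hex stream), it reports whether the client offered TLS 1.3 in supported_versions and whether it carried the post_handshake_auth extension (code point 49 in RFC 8446, section 4.2), which is what the origin's SSL_verify_client_post_handshake() call requires. The extension numbers and message layout are taken from RFC 8446; the two sample ClientHellos the script builds are constructed here for demonstration and are not captures from ATS.

```python
"""Check whether a captured TLS ClientHello offers post_handshake_auth.

Added example (not ATS code). Usage:
    python3 check_pha.py                 # runs the two constructed samples
    python3 check_pha.py <hex of record> # checks a ClientHello exported from a capture
"""
import struct

# Extension code points from RFC 8446, section 4.2
SUPPORTED_VERSIONS = 43
POST_HANDSHAKE_AUTH = 49
TLS13 = 0x0304
EXT_NAMES = {0: "server_name", 10: "supported_groups", 13: "signature_algorithms",
             43: "supported_versions", 45: "psk_key_exchange_modes",
             49: "post_handshake_auth", 51: "key_share"}


def build_client_hello(extensions):
    """Build a minimal TLS record holding a ClientHello with the given
    [(ext_type, ext_data)] list. Constructed test input only: a real hello
    also carries a random nonce, key_share, SNI, and so on."""
    body = b"\x03\x03" + bytes(32)            # legacy_version, random (zeroed here)
    body += b"\x00"                            # empty legacy_session_id
    suites = b"\x13\x01\x13\x02"               # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # legacy_compression_methods: null only
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # msg_type = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_extensions(record):
    """Return {ext_type: ext_data} from a handshake record that holds a ClientHello.
    Raises ValueError on anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not hold a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("ClientHello field overruns message")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(2)                                    # legacy_version
    take(32)                                   # random
    take(take(1)[0])                           # legacy_session_id (1-byte length)
    take(struct.unpack("!H", take(2))[0])      # cipher_suites (2-byte length)
    take(take(1)[0])                           # legacy_compression_methods (1-byte length)
    if pos == len(body):
        return {}                              # pre-extension ClientHello, nothing offered
    ext_len = struct.unpack("!H", take(2))[0]
    if pos + ext_len != len(body):
        raise ValueError("extensions length does not match message length")
    exts = {}
    while pos < len(body):
        ext_type, ext_data_len = struct.unpack("!HH", take(4))
        exts[ext_type] = take(ext_data_len)
    return exts


def offers_tls13(record):
    """True if supported_versions lists TLS 1.3 (0x0304)."""
    data = parse_client_hello_extensions(record).get(SUPPORTED_VERSIONS)
    if not data:
        return False
    versions = data[1:1 + data[0]]             # 1-byte list length, then 2-byte versions
    return any(struct.unpack("!H", versions[i:i + 2])[0] == TLS13
               for i in range(0, len(versions) - 1, 2))


def offers_post_handshake_auth(record):
    """True if the client offered post_handshake_auth (RFC 8446, section 4.2.6)."""
    return POST_HANDSHAKE_AUTH in parse_client_hello_extensions(record)


def diagnose(record):
    """One-line verdict matching the failure mode seen on the origin."""
    names = [EXT_NAMES.get(t, str(t)) for t in parse_client_hello_extensions(record)]
    if not offers_tls13(record):
        return "TLS 1.3 not offered; extensions: " + ", ".join(names)
    if offers_post_handshake_auth(record):
        return "TLS 1.3 with post_handshake_auth: server may send a post-handshake CertificateRequest"
    return "TLS 1.3 without post_handshake_auth: SSL_verify_client_post_handshake fails with 'extension not received'"


# Constructed samples: the PHA extension body is empty by definition.
WITH_PHA = build_client_hello([(SUPPORTED_VERSIONS, b"\x02\x03\x04"), (POST_HANDSHAKE_AUTH, b"")])
WITHOUT_PHA = build_client_hello([(SUPPORTED_VERSIONS, b"\x02\x03\x04")])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(diagnose(bytes.fromhex(sys.argv[1])))
    else:
        for label, rec in (("with PHA", WITH_PHA), ("without PHA", WITHOUT_PHA)):
            print(f"{label}: {diagnose(rec)}")
```

For a reference hello that does carry the extension, OpenSSL 1.1.1's `openssl s_client -enable_pha` sends post_handshake_auth, and `openssl s_server -force_pha` makes a test origin request the certificate after the handshake the way this origin does; capturing those two against each other gives a known-good record to compare with the one ATS sends.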
