Posted to dev@trafficserver.apache.org by Dk Jack <dn...@gmail.com> on 2018/11/02 18:41:30 UTC

ssl handshake failure

Hi,
I enabled SSL on my ATS and my ssl requests are failing with a handshake
error. From the logs I can tell that it loaded my cert/key correctly. When I
started traffic server in debug mode (./traffic_server -T ssl), I am seeing
the following error

SSL routines:ssl3_get_client_hello:no shared cipher

My TLS config is shown below. My cert is a self-signed cert. My ATS
version is 6.2.1. I'd appreciate any pointers on how to resolve this.
Thanks.

Dk.

CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.server.cipher_suite STRING
AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.compression INT 0


Debug logs:
[Nov  2 18:16:07.664] Server {0x7f8822572700} DEBUG:
<SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl)
[SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7f8820072800
[Nov  2 18:16:07.664] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil)
for [10.3.28.146:39678] -> [172.19.0.2:7453], default context 0x2d82bc0
[Nov  2 18:16:07.664] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where: 16
ret: 1
[Nov  2 18:16:07.664] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
8193 ret: 1
[Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:1402 (select_next_protocol)> (ssl) selected ALPN
protocol http/1.1
[Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:284
(set_context_cert)> (ssl) set_context_cert ssl=0x7f87d4021100 server=(null)
handshake_complete=0
[Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:336
(set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x2d82bc0 for
requested name '(null)'
[Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks
sslHandshakeHookState=0
[Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
16392 ret: 552
[Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
8194 ret: -1
[Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
8194 ret: -1
[Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:2126
(SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
ERR_get_error=336109761 (error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher)
[Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
[Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl)
SSL::140222668416768:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
[Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL handshake
error: SSL_ERROR_SSL (1), errno=0
[Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl)
SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)

Re: ssl handshake failure

Posted by Dk Jack <dn...@gmail.com>.
That was it! Thank you!

On Fri, Nov 2, 2018 at 2:05 PM Susan Hinrichs <sh...@oath.com.invalid>
wrote:

> Do you have a dest_ip=* default line in your ssl_multicert.config file?
>
> Your query doesn't have the SNI set, so you need a default. Use the
> -servername option for s_client if you want to set the SNI.
>
> On Fri, Nov 2, 2018 at 3:50 PM Dk Jack <dn...@gmail.com> wrote:
>
> > Hi Alan,
> > Thanks for responding. I've pasted the output from openssl s_client. I
> > don't understand the error it's giving because I can see the ATS loading
> > my certificate in the debug logs. I've prefixed the important lines in the
> > debug log with '=>'.
> >
> > Dk.
> >
> > ----------------------------------------------------------
> > > openssl s_client -host 10.3.27.19 -port 7453
> > CONNECTED(00000003)
> > 140260354160280:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> > alert handshake failure:s23_clnt.c:769:
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 7 bytes and written 305 bytes
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : 0000
> >     Session-ID:
> >     Session-ID-ctx:
> >     Master-Key:
> >     Key-Arg   : None
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     Start Time: 1541190685
> >     Timeout   : 300 (sec)
> >     Verify return code: 0 (ok)
> > ---
> >
> > ATS Config:
> >
> >
> ----------------------------------------------------------------------------------
> > CONFIG proxy.config.http.server_ports STRING 8080 7453:ssl
> > ...
> > CONFIG proxy.config.ssl.SSLv2 INT 0
> > CONFIG proxy.config.ssl.SSLv3 INT 1
> > CONFIG proxy.config.ssl.TLSv1 INT 1
> > CONFIG proxy.config.ssl.TLSv1_1 INT 1
> > CONFIG proxy.config.ssl.TLSv1_2 INT 1
> > CONFIG proxy.config.ssl.server.cipher_suite STRING
> > AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> > CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> > CONFIG proxy.config.ssl.compression INT 0
> >
> >
> ----------------------------------------------------------------------------------
> >
> > root@5a09849699ac:/opt/trafficserver/bin# ./traffic_server -T ssl
> > traffic_server: using root directory '/opt/trafficserver'
> > [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG:
> <SSLSessionCache.cc:42
> > (SSLSessionCache)> (ssl.session_cache) Created new ssl session cache
> > 0x19de710 with 256 buckets each with size max size 400
> > [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304
> > (SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e4a50: using
> > session cache options, enabled=2, size=102400, num_buckets=256,
> > skip_on_contention=0, timeout=0, auto_clear=1
> > [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326
> > (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache
> with
> > ATS implementation
> > [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340
> > (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
> > [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532
> > (SSLInitServerContext)> (ssl) Using 'emadisonisland.crt' in hash for
> > session id context
> > [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1281
> > (SSLCheckServerCertNow)> (ssl) server certificate emadisonisland.crt
> passed
> > accessibility and date checks
> > [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808
> > (ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
> > => [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819
> > (ssl_store_ssl_context)> (ssl) importing SNI names from
> emadisonisland.crt
> > => [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1633
> > (ssl_index_certificate)> (ssl) mapping 'www.emadisonisland.com' to
> > certificate emadisonisland.crt
> > [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG:
> <SSLCertLookup.cc:380
> > (insert)> (ssl) indexed 'www.emadisonisland.com' with SSL_CTX 0x19e4a50
> > [0]
> > [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304
> > (SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e9be0: using
> > session cache options, enabled=2, size=102400, num_buckets=256,
> > skip_on_contention=0, timeout=0, auto_clear=1
> > [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326
> > (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache
> with
> > ATS implementation
> > [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340
> > (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
> > [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532
> > (SSLInitServerContext)> (ssl) Using '(null)' in hash for session id
> context
> > [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG:
> <SSLCertLookup.cc:380
> > (insert)> (ssl) indexed '*' with SSL_CTX 0x19e9be0 [1]
> > [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808
> > (ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
> > [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819
> > (ssl_store_ssl_context)> (ssl) importing SNI names from (null)
> > [Nov  2 20:31:22.999] Server {0x7fad4b72e740} DEBUG:
> > <SSLNetProcessor.cc:100 (start)> (ssl) Disabling ET_SSL threads (config
> is
> > set to -1), using thread group ET_NET=0
> > [Nov  2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
> > <SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
> > protocol http/1.0
> > [Nov  2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
> > <SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
> > protocol http/1.1
> > [Nov  2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
> > <SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
> > protocol http/1.0
> > [Nov  2 20:31:25.986] Server {0x7fad44366700} DEBUG:
> > <SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl)
> > [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7fad4002b800
> > => [Nov  2 20:31:25.986] Server {0x7fad44366700} DEBUG:
> > <SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil)
> > for [10.3.28.146:39712] -> [172.19.0.2:7453], default context 0x19e9be0
> > [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> 16
> > ret: 1
> > [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> > 8193 ret: 1
> > [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:284
> > (set_context_cert)> (ssl) set_context_cert ssl=0x7facf4021100
> server=(null)
> > handshake_complete=0
> > [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:336
> > (set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x19e9be0
> for
> > requested name '(null)'
> > [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> > <SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks
> > sslHandshakeHookState=0
> > [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> > 16392 ret: 552
> > [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> > 8194 ret: -1
> > [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> > 8194 ret: -1
> > => [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:2126
> > (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
> > ERR_get_error=336109761 (error:1408A0C1:SSL
> > routines:ssl3_get_client_hello:no shared cipher)
> > [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> > <SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
> > => [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> > <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl)
> > SSL::140382150485760:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
> > shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
> > [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> > <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL handshake
> > error: SSL_ERROR_SSL (1), errno=0
> > [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> > <SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl)
> > SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
> > ^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)
> >
> >
> > On Fri, Nov 2, 2018 at 12:24 PM Alan Carroll
> > <so...@oath.com.invalid> wrote:
> >
> > > I'd start with "openssl s_client" to get more debug information, followed
> > > possibly by a packet capture to be sure the user agent is connecting with
> > > TLS to a TLS enabled proxy port.
> > >
> > > On Fri, Nov 2, 2018 at 1:41 PM Dk Jack <dn...@gmail.com> wrote:
> > >
> > > > Hi,
> > > > I enabled SSL on my ATS and my ssl requests are failing with a handshake
> > > > error. From the logs I can tell that it loaded my cert/key correctly. When I
> > > > started traffic server in debug mode (./traffic_server -T ssl), I am seeing
> > > > the following error
> > > >
> > > > SSL routines:ssl3_get_client_hello:no shared cipher
> > > >
> > > > My TLS config is shown below. My cert is a self-signed cert. My ATS
> > > > version is 6.2.1. I'd appreciate any pointers on how to resolve this.
> > > > Thanks.
> > > >
> > > > Dk.
> > > >
> > > > CONFIG proxy.config.ssl.SSLv2 INT 0
> > > > CONFIG proxy.config.ssl.SSLv3 INT 1
> > > > CONFIG proxy.config.ssl.TLSv1 INT 1
> > > > CONFIG proxy.config.ssl.TLSv1_1 INT 1
> > > > CONFIG proxy.config.ssl.TLSv1_2 INT 1
> > > > CONFIG proxy.config.ssl.server.cipher_suite STRING
> > > > AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> > > > CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> > > > CONFIG proxy.config.ssl.compression INT 0
> > > >
> > > >
> > > > Debug logs:
> > > > [Nov  2 18:16:07.664] Server {0x7f8822572700} DEBUG:
> > > > <SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl)
> > > > [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7f8820072800
> > > > [Nov  2 18:16:07.664] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is
> > (nil)
> > > > for [10.3.28.146:39678] -> [172.19.0.2:7453], default context
> > 0x2d82bc0
> > > > [Nov  2 18:16:07.664] Server {0x7f8822572700} DEBUG:
> <SSLUtils.cc:1671
> > > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100
> where:
> > > 16
> > > > ret: 1
> > > > [Nov  2 18:16:07.664] Server {0x7f8822572700} DEBUG:
> <SSLUtils.cc:1671
> > > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100
> where:
> > > > 8193 ret: 1
> > > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:1402 (select_next_protocol)> (ssl) selected
> ALPN
> > > > protocol http/1.1
> > > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:284
> > > > (set_context_cert)> (ssl) set_context_cert ssl=0x7f87d4021100
> > > server=(null)
> > > > handshake_complete=0
> > > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:336
> > > > (set_context_cert)> (ssl) ssl_cert_callback using SSL context
> 0x2d82bc0
> > > for
> > > > requested name '(null)'
> > > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks
> > > > sslHandshakeHookState=0
> > > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> <SSLUtils.cc:1671
> > > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100
> where:
> > > > 16392 ret: 552
> > > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> <SSLUtils.cc:1671
> > > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100
> where:
> > > > 8194 ret: -1
> > > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> <SSLUtils.cc:1671
> > > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100
> where:
> > > > 8194 ret: -1
> > > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> <SSLUtils.cc:2126
> > > > (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
> > > > ERR_get_error=336109761 (error:1408A0C1:SSL
> > > > routines:ssl3_get_client_hello:no shared cipher)
> > > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl)
> trace=FALSE
> > > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl)
> > > > SSL::140222668416768:error:1408A0C1:SSL
> > routines:ssl3_get_client_hello:no
> > > > shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
> > > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL
> > handshake
> > > > error: SSL_ERROR_SSL (1), errno=0
> > > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl)
> > > > SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
> > > > ^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)
> > > >
> > >
> > >
> > > --
> > > *Beware the fisherman who's casting out his line in to a dried up
> > > riverbed.*
> > > *Oh don't try to tell him 'cause he won't believe. Throw some bread to
> > the
> > > ducks instead.*
> > > *It's easier that way. *- Genesis : Duke : VI 25-28
> > >
> >
>

Re: ssl handshake failure

Posted by Susan Hinrichs <sh...@oath.com.INVALID>.
Do you have a dest_ip=* default line in your ssl_multicert.config file?

Your query doesn't have the SNI set, so you need a default. Use the
-servername option for s_client if you want to set the SNI.

On Fri, Nov 2, 2018 at 3:50 PM Dk Jack <dn...@gmail.com> wrote:

> Hi Alan,
> Thanks for responding. I've pasted the output from openssl s_client. I
> don't understand the error it's giving because I can see the ATS loading
> my certificate in the debug logs. I've prefixed the important lines in the
> debug log with '=>'.
>
> Dk.
>
> ----------------------------------------------------------
> > openssl s_client -host 10.3.27.19 -port 7453
> CONNECTED(00000003)
> 140260354160280:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1541190685
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
>
> ATS Config:
>
> ----------------------------------------------------------------------------------
> CONFIG proxy.config.http.server_ports STRING 8080 7453:ssl
> ...
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 1
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.server.cipher_suite STRING
> AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> CONFIG proxy.config.ssl.compression INT 0
>
> ----------------------------------------------------------------------------------
>
> root@5a09849699ac:/opt/trafficserver/bin# ./traffic_server -T ssl
> traffic_server: using root directory '/opt/trafficserver'
> [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLSessionCache.cc:42
> (SSLSessionCache)> (ssl.session_cache) Created new ssl session cache
> 0x19de710 with 256 buckets each with size max size 400
> [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304
> (SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e4a50: using
> session cache options, enabled=2, size=102400, num_buckets=256,
> skip_on_contention=0, timeout=0, auto_clear=1
> [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326
> (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with
> ATS implementation
> [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340
> (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
> [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532
> (SSLInitServerContext)> (ssl) Using 'emadisonisland.crt' in hash for
> session id context
> [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1281
> (SSLCheckServerCertNow)> (ssl) server certificate emadisonisland.crt passed
> accessibility and date checks
> [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808
> (ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
> => [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819
> (ssl_store_ssl_context)> (ssl) importing SNI names from emadisonisland.crt
> => [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1633
> (ssl_index_certificate)> (ssl) mapping 'www.emadisonisland.com' to
> certificate emadisonisland.crt
> [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380
> (insert)> (ssl) indexed 'www.emadisonisland.com' with SSL_CTX 0x19e4a50
> [0]
> [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304
> (SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e9be0: using
> session cache options, enabled=2, size=102400, num_buckets=256,
> skip_on_contention=0, timeout=0, auto_clear=1
> [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326
> (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with
> ATS implementation
> [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340
> (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
> [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532
> (SSLInitServerContext)> (ssl) Using '(null)' in hash for session id context
> [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380
> (insert)> (ssl) indexed '*' with SSL_CTX 0x19e9be0 [1]
> [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808
> (ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
> [Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819
> (ssl_store_ssl_context)> (ssl) importing SNI names from (null)
> [Nov  2 20:31:22.999] Server {0x7fad4b72e740} DEBUG:
> <SSLNetProcessor.cc:100 (start)> (ssl) Disabling ET_SSL threads (config is
> set to -1), using thread group ET_NET=0
> [Nov  2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
> <SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
> protocol http/1.0
> [Nov  2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
> <SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
> protocol http/1.1
> [Nov  2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
> <SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
> protocol http/1.0
> [Nov  2 20:31:25.986] Server {0x7fad44366700} DEBUG:
> <SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl)
> [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7fad4002b800
> => [Nov  2 20:31:25.986] Server {0x7fad44366700} DEBUG:
> <SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil)
> for [10.3.28.146:39712] -> [172.19.0.2:7453], default context 0x19e9be0
> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where: 16
> ret: 1
> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> 8193 ret: 1
> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:284
> (set_context_cert)> (ssl) set_context_cert ssl=0x7facf4021100 server=(null)
> handshake_complete=0
> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:336
> (set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x19e9be0 for
> requested name '(null)'
> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> <SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks
> sslHandshakeHookState=0
> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> 16392 ret: 552
> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> 8194 ret: -1
> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> 8194 ret: -1
> => [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:2126
> (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
> ERR_get_error=336109761 (error:1408A0C1:SSL
> routines:ssl3_get_client_hello:no shared cipher)
> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> <SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
> => [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl)
> SSL::140382150485760:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
> shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL handshake
> error: SSL_ERROR_SSL (1), errno=0
> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> <SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl)
> SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
> ^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)
>
>
> On Fri, Nov 2, 2018 at 12:24 PM Alan Carroll
> <so...@oath.com.invalid> wrote:
>
> > I'd start with "openssl s_client" to get more debug information, followed
> > possibly by a packet capture to be sure the user agent is connecting with
> > TLS to a TLS enabled proxy port.
> >
> > On Fri, Nov 2, 2018 at 1:41 PM Dk Jack <dn...@gmail.com> wrote:
> >
> > > Hi,
> > > I enabled SSL on my ATS and my ssl requests are failing with a handshake
> > > error. From the logs I can tell that it loaded my cert/key correctly. When I
> > > started traffic server in debug mode (./traffic_server -T ssl), I am seeing
> > > the following error
> > >
> > > SSL routines:ssl3_get_client_hello:no shared cipher
> > >
> > > My TLS config is shown below. My cert is a self-signed cert. My ATS
> > > version is 6.2.1. I'd appreciate any pointers on how to resolve this.
> > > Thanks.
> > >
> > > Dk.
> > >
> > > CONFIG proxy.config.ssl.SSLv2 INT 0
> > > CONFIG proxy.config.ssl.SSLv3 INT 1
> > > CONFIG proxy.config.ssl.TLSv1 INT 1
> > > CONFIG proxy.config.ssl.TLSv1_1 INT 1
> > > CONFIG proxy.config.ssl.TLSv1_2 INT 1
> > > CONFIG proxy.config.ssl.server.cipher_suite STRING
> > > AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> > > CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> > > CONFIG proxy.config.ssl.compression INT 0
> > >
> > >
> > > Debug logs:
> > > [Nov  2 18:16:07.664] Server {0x7f8822572700} DEBUG:
> > > <SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl)
> > > [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7f8820072800
> > > [Nov  2 18:16:07.664] Server {0x7f8822572700} DEBUG:
> > > <SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is
> (nil)
> > > for [10.3.28.146:39678] -> [172.19.0.2:7453], default context
> 0x2d82bc0
> > > [Nov  2 18:16:07.664] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
> > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
> > 16
> > > ret: 1
> > > [Nov  2 18:16:07.664] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
> > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
> > > 8193 ret: 1
> > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > <SSLNetVConnection.cc:1402 (select_next_protocol)> (ssl) selected ALPN
> > > protocol http/1.1
> > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:284
> > > (set_context_cert)> (ssl) set_context_cert ssl=0x7f87d4021100
> > server=(null)
> > > handshake_complete=0
> > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:336
> > > (set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x2d82bc0
> > for
> > > requested name '(null)'
> > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > <SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks
> > > sslHandshakeHookState=0
> > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
> > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
> > > 16392 ret: 552
> > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
> > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
> > > 8194 ret: -1
> > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
> > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
> > > 8194 ret: -1
> > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:2126
> > > (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
> > > ERR_get_error=336109761 (error:1408A0C1:SSL
> > > routines:ssl3_get_client_hello:no shared cipher)
> > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > <SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
> > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl)
> > > SSL::140222668416768:error:1408A0C1:SSL
> routines:ssl3_get_client_hello:no
> > > shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
> > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL
> handshake
> > > error: SSL_ERROR_SSL (1), errno=0
> > > [Nov  2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > <SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl)
> > > SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
> > > ^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)
> > >
> >
> >
> > --
> > *Beware the fisherman who's casting out his line in to a dried up
> > riverbed.*
> > *Oh don't try to tell him 'cause he won't believe. Throw some bread to
> the
> > ducks instead.*
> > *It's easier that way. *- Genesis : Duke : VI 25-28
> >
>
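
The checks Alan and Susan describe above, as an added example that is not part of this thread and not Traffic Server code: a stdlib-only Python script that builds and parses a TLS 1.2 ClientHello record so you can see, from a packet capture of the client's first flight, whether the server_name (SNI) extension is present. Without -servername, s_client sends no SNI, which is what the ATS debug log shows as requested name '(null)' and resolves through the dest_ip=* default context; the startup log shows that default context was built from '(null)', i.e. with no certificate, which is consistent with OpenSSL then reporting "no shared cipher" for the RSA-keyed suites the client offered. The script also decodes the 7-byte record behind "SSL handshake has read 7 bytes", which is a single TLS alert. The cipher-suite code points, alert numbers and the sample hello bytes are constructed here (zeroed random, two suites from the poster's cipher_suite string), not taken from the poster's capture.

```python
import struct

TLS_HANDSHAKE = 0x16
TLS_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000

# IANA code points for the RSA-keyed suites in the poster's cipher_suite string
# (table constructed for this example).
CIPHERS = {
    0x003D: "AES256-SHA256",
    0x003C: "AES128-SHA256",
    0x0035: "AES256-SHA",
    0x002F: "AES128-SHA",
    0x000A: "DES-CBC3-SHA",
}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate",
              46: "certificate_unknown", 70: "protocol_version", 80: "internal_error"}


def build_client_hello(server_name=None, cipher_ids=(0x003D, 0x002F)):
    """Return a TLS 1.2 ClientHello record; SNI is sent only if server_name is given.
    The 32-byte random is zeroed because this is a constructed sample, not a real hello."""
    body = b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
    suites = b"".join(struct.pack("!H", c) for c in cipher_ids)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # NameType host_name(0)
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Parse the first record of a captured client flight.
    Returns {'version', 'ciphers', 'sni'}; sni is None when the extension is absent,
    which is the case ATS logs as requested name '(null)' and serves from dest_ip=*."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record (is the client speaking TLS to this port?)")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != HS_CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 34 + 1 + body[34]                             # skip version, random, session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ids = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                                # skip compression methods
    sni = None
    if pos + 2 <= len(body):                            # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME:
                # ServerNameList: list length (2), then NameType (1), name length (2), name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("idna")
    return {"version": version,
            "ciphers": [CIPHERS.get(c, "0x%04X" % c) for c in ids],
            "sni": sni}


def parse_alert(record):
    """Decode the 7-byte alert record behind 'SSL handshake has read 7 bytes'."""
    if len(record) != 7 or record[0] != TLS_ALERT or struct.unpack("!H", record[3:5])[0] != 2:
        raise ValueError("not a single TLS alert record")
    return (ALERT_LEVEL.get(record[5], str(record[5])),
            ALERT_DESC.get(record[6], "alert(%d)" % record[6]))


if __name__ == "__main__":
    # Constructed samples: what s_client sends with and without -servername, and a
    # fatal handshake_failure alert (level 2, description 40) like the one the client read.
    print(parse_client_hello(build_client_hello()))
    print(parse_client_hello(build_client_hello("www.emadisonisland.com")))
    print(parse_alert(bytes.fromhex("15030300020228")))
```

To run it against a real capture, export the client's first TLS record from tcpdump or Wireshark as hex and pass bytes.fromhex(...) to parse_client_hello; a ValueError on the first check means the client is not speaking TLS to that port at all, which is the other failure mode Alan's packet-capture suggestion is meant to rule out. Once an SNI name is present and matches a certificate ATS indexed at startup, the lookup no longer falls through to the dest_ip=* entry; a client that sends no SNI always does, so that entry needs a real certificate.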

Re: ssl handshake failure

Posted by Dk Jack <dn...@gmail.com>.
Hi Alan,
Thanks for responding. I've pasted the output from openssl s_client. I
don't understand the error it's giving because I can see the ATS loading
my certificate in the debug logs. I've prefixed the important lines in the
debug log with '=>'.

Dk.

----------------------------------------------------------
> openssl s_client -host 10.3.27.19 -port 7453
CONNECTED(00000003)
140260354160280:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1541190685
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

ATS Config:
----------------------------------------------------------------------------------
CONFIG proxy.config.http.server_ports STRING 8080 7453:ssl
...
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.server.cipher_suite STRING
AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.compression INT 0
----------------------------------------------------------------------------------

root@5a09849699ac:/opt/trafficserver/bin# ./traffic_server -T ssl
traffic_server: using root directory '/opt/trafficserver'
[Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLSessionCache.cc:42
(SSLSessionCache)> (ssl.session_cache) Created new ssl session cache
0x19de710 with 256 buckets each with size max size 400
[Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304
(SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e4a50: using
session cache options, enabled=2, size=102400, num_buckets=256,
skip_on_contention=0, timeout=0, auto_clear=1
[Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326
(SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with
ATS implementation
[Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340
(SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
[Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532
(SSLInitServerContext)> (ssl) Using 'emadisonisland.crt' in hash for
session id context
[Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1281
(SSLCheckServerCertNow)> (ssl) server certificate emadisonisland.crt passed
accessibility and date checks
[Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808
(ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
=> [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819
(ssl_store_ssl_context)> (ssl) importing SNI names from emadisonisland.crt
=> [Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1633
(ssl_index_certificate)> (ssl) mapping 'www.emadisonisland.com' to
certificate emadisonisland.crt
[Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380
(insert)> (ssl) indexed 'www.emadisonisland.com' with SSL_CTX 0x19e4a50 [0]
[Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304
(SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e9be0: using
session cache options, enabled=2, size=102400, num_buckets=256,
skip_on_contention=0, timeout=0, auto_clear=1
[Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326
(SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with
ATS implementation
[Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340
(SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
[Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532
(SSLInitServerContext)> (ssl) Using '(null)' in hash for session id context
[Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380
(insert)> (ssl) indexed '*' with SSL_CTX 0x19e9be0 [1]
[Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808
(ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
[Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819
(ssl_store_ssl_context)> (ssl) importing SNI names from (null)
[Nov  2 20:31:22.999] Server {0x7fad4b72e740} DEBUG:
<SSLNetProcessor.cc:100 (start)> (ssl) Disabling ET_SSL threads (config is
set to -1), using thread group ET_NET=0
[Nov  2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
<SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
protocol http/1.0
[Nov  2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
<SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
protocol http/1.1
[Nov  2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
<SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
protocol http/1.0
[Nov  2 20:31:25.986] Server {0x7fad44366700} DEBUG:
<SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl)
[SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7fad4002b800
=> [Nov  2 20:31:25.986] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil)
for [10.3.28.146:39712] -> [172.19.0.2:7453], default context 0x19e9be0
[Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where: 16
ret: 1
[Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
8193 ret: 1
[Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:284
(set_context_cert)> (ssl) set_context_cert ssl=0x7facf4021100 server=(null)
handshake_complete=0
[Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:336
(set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x19e9be0 for
requested name '(null)'
[Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks
sslHandshakeHookState=0
[Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
16392 ret: 552
[Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
8194 ret: -1
[Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
8194 ret: -1
=> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:2126
(SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
ERR_get_error=336109761 (error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher)
[Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
=> [Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl)
SSL::140382150485760:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
[Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL handshake
error: SSL_ERROR_SSL (1), errno=0
[Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl)
SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)


On Fri, Nov 2, 2018 at 12:24 PM Alan Carroll
<so...@oath.com.invalid> wrote:

> I'd start with "openssl s_client" to get more debug information, followed
> possibly by a packet capture to be sure the user agent is connecting with
> TLS to a TLS enabled proxy port.
>

Re: ssl handshake failure

Posted by Alan Carroll <so...@oath.com.INVALID>.
I'd start with "openssl s_client" to get more debug information, followed
possibly by a packet capture to be sure the user agent is connecting with
TLS to a TLS enabled proxy port.



-- 
*Beware the fisherman who's casting out his line in to a dried up riverbed.*
*Oh don't try to tell him 'cause he won't believe. Throw some bread to the
ducks instead.*
*It's easier that way. *- Genesis : Duke : VI 25-28

Re: ssl handshake failure

Posted by Dk Jack <dn...@gmail.com>.
Thanks Pushkar. I had a config error in my multi cert config file. I was missing ‘dest_ip=*’.

Dk. 

> On Nov 2, 2018, at 11:53 AM, Pushkar Pradhan <pp...@oath.com.INVALID> wrote:
> 
> Is your client sending a TLSv1.2 handshake? Maybe it's a lower version or
> non-TLS.
> 

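The diagnosis this thread arrives at, as an added example (not Apache Traffic Server code): a small Python script that parses ssl_multicert.config and the `traffic_server -T ssl` debug output quoted earlier in the thread, and reports whether the failing handshake (the one openssl s_client saw as `Cipher is (NONE)`) landed on a default SSL context built without any certificate. It assumes the ssl_multicert.config syntax of whitespace-separated key=value fields per line with dest_ip=* naming the default certificate; the wrapped log records are re-joined one per line, and the key file name in the sample config is made up.

```python
"""Diagnose the "no shared cipher" failure from this thread (added example, not ATS code).

ssl_multicert.config is parsed as whitespace-separated key=value fields per line,
with dest_ip=* marking the default certificate; the `traffic_server -T ssl` debug
output is scanned to tie the failing handshake to the SSL_CTX it was given.
"""
import re

# Constructed configs: the SNI-only entry (no dest_ip, the thread's broken setup)
# and the fixed entry with dest_ip=*. The key file name is an assumption.
MULTICERT_BROKEN = "ssl_cert_name=emadisonisland.crt ssl_key_name=emadisonisland.key\n"
MULTICERT_FIXED = "dest_ip=* ssl_cert_name=emadisonisland.crt ssl_key_name=emadisonisland.key\n"

# Records copied from the thread's debug output, re-joined one per line and
# abridged to the ones the diagnosis needs.
DEBUG_LOG = """\
[Nov  2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380 (insert)> (ssl) indexed 'www.emadisonisland.com' with SSL_CTX 0x19e4a50 [0]
[Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304 (SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e9be0: using session cache options
[Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532 (SSLInitServerContext)> (ssl) Using '(null)' in hash for session id context
[Nov  2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380 (insert)> (ssl) indexed '*' with SSL_CTX 0x19e9be0 [1]
[Nov  2 20:31:25.986] Server {0x7fad44366700} DEBUG: <SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil) for [10.3.28.146:39712] -> [172.19.0.2:7453], default context 0x19e9be0
[Nov  2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:2126 (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1, ERR_get_error=336109761 (error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher)
"""


def parse_multicert(text):
    """Return one {key: value} dict per non-comment, non-empty config line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(dict(tok.partition("=")[::2] for tok in line.split() if "=" in tok))
    return entries


def has_default_cert(entries):
    """True when a dest_ip=* entry names a certificate, so a connection that matches
    no SNI name or destination IP still gets a real certificate."""
    return any(e.get("dest_ip") == "*" and e.get("ssl_cert_name") for e in entries)


def diagnose_log(log_text):
    """Link the failing handshake to the context it used and whether it had a cert."""
    current_ctx = None   # SSL_CTX being initialised
    certless = set()     # contexts built with a '(null)' certificate
    index = {}           # lookup name ('*' or SNI name) -> SSL_CTX
    conn_default = None  # default context chosen for the failing connection
    no_shared_cipher = False
    for line in log_text.splitlines():
        if m := re.search(r"ssl context=(0x[0-9a-f]+):", line):
            current_ctx = m.group(1)
        elif "Using '(null)' in hash for session id context" in line and current_ctx:
            certless.add(current_ctx)
        elif m := re.search(r"indexed '([^']*)' with SSL_CTX (0x[0-9a-f]+)", line):
            index[m.group(1)] = m.group(2)
        elif m := re.search(r"default context (0x[0-9a-f]+)", line):
            conn_default = m.group(1)
        elif "no shared cipher" in line:
            no_shared_cipher = True
    default_ctx = index.get("*")
    return {
        "default_ctx": default_ctx,
        "default_has_cert": default_ctx is not None and default_ctx not in certless,
        "sni_names": sorted(n for n in index if n != "*"),
        "failed_on_default": no_shared_cipher and default_ctx is not None
        and conn_default == default_ctx,
    }


def explain(config_text, log_text):
    """One verdict string from the config and the log together."""
    log = diagnose_log(log_text)
    if has_default_cert(parse_multicert(config_text)):
        return "ssl_multicert.config has a dest_ip=* default certificate entry"
    if log["failed_on_default"] and not log["default_has_cert"]:
        return (f"no shared cipher: the connection matched none of {log['sni_names']} and "
                f"fell back to default context {log['default_ctx']}, which has no certificate "
                "and so no key for any cipher suite; add a dest_ip=* entry to ssl_multicert.config")
    return "no conclusion from these inputs"


if __name__ == "__main__":
    print(explain(MULTICERT_BROKEN, DEBUG_LOG))
    print(explain(MULTICERT_FIXED, DEBUG_LOG))
```

After adding the dest_ip=* entry, a fresh `traffic_server -T ssl` capture should show the '*' context hashed on the real certificate file rather than '(null)', and the script then reports the config as fixed.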
Re: ssl handshake failure

Posted by Pushkar Pradhan <pp...@oath.com.INVALID>.
Is your client sending a TLSv1.2 handshake? Maybe it's a lower version or
non-TLS.



-- 
pushkar