Posted to users@trafficserver.apache.org by Ethan Lai <yz...@yahoo.com> on 2011/09/01 05:22:45 UTC

Weird (and different) behavior of ssl.server.cert.path & ssl.server.private_key.path

Hey guys,

I'm testing the multicert SSL termination feature of ATS 3.0.1,
but found weird behavior of ssl.server.cert.path &
ssl.server.private_key.path.
Maybe some of you have met a similar issue and might already have some ideas.

Here are my configurations:

Test config1:

records.config:

> CONFIG proxy.config.ssl.server.cert.filename STRING cert1.pem
> CONFIG proxy.config.ssl.server.cert.path STRING /usr/local/etc/ats-cert
> CONFIG proxy.config.ssl.server.private_key.filename STRING cert1.key
> CONFIG proxy.config.ssl.server.private_key.path STRING /usr/local/etc/ats-cert

ssl_multicert.config:

> dest_ip=172.16.192.168  ssl_cert_name=cert2.pem ssl_key_name=cert2.key


traffic.out:

> ERROR: SSL::0:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/usr/local/etc/ats-certcert2.pem','r')

My observation:

> *Trailing slash of ssl.server.cert.path not automatically added?*


Test config2:

records.config:

> CONFIG proxy.config.ssl.server.cert.filename STRING cert1.pem
> CONFIG proxy.config.ssl.server.cert.path STRING /usr/local/etc/ats-cert/
> CONFIG proxy.config.ssl.server.private_key.filename STRING cert1.key
> CONFIG proxy.config.ssl.server.private_key.path STRING /usr/local/etc/ats-cert/

ssl_multicert.config:

> dest_ip=172.16.192.168  ssl_cert_name=cert2.pem ssl_key_name=cert2.key


traffic.out:

> ERROR: SSL::0:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/usr/local/etc/ats-certcert2.pem','r')

My observation:

> *Trailing slash of ssl.server.cert.path trimmed.*


Test config3:

records.config:

> CONFIG proxy.config.ssl.server.cert.filename STRING cert1.pem
> CONFIG proxy.config.ssl.server.cert.path STRING /usr/local/etc/ats-cert
> CONFIG proxy.config.ssl.server.private_key.filename STRING cert1.key
> CONFIG proxy.config.ssl.server.private_key.path STRING /usr/local/etc/ats-cert

ssl_multicert.config:

> dest_ip=210.71.204.149  ssl_cert_name=/cert2.pem ssl_key_name=cert2.key


traffic.out:

> ERROR: SSL::0:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('cert2.key','r')

My observation:

> *ssl.server.private_key.path config value not effective?*



Test config4:

records.config:

> CONFIG proxy.config.ssl.server.cert.filename STRING /usr/local/etc/ats-cert/cert1.pem
> CONFIG proxy.config.ssl.server.cert.path STRING NULL
> CONFIG proxy.config.ssl.server.private_key.filename STRING /usr/local/etc/ats-cert/cert1.key
> CONFIG proxy.config.ssl.server.private_key.path STRING NULL

ssl_multicert.config:

> dest_ip=210.71.204.149  ssl_cert_name=/usr/local/etc/ats-cert/cert2.pem ssl_key_name=/usr/local/etc/ats-cert/cert2.key


traffic.out:

> ERROR: SSL::0:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/usr/local/usr/local/etc/ats-cert/cert2.pem','r')

My observation:

> *prefix added before ssl_cert_name while ssl.server.cert.path not set*



Test config5:

records.config:

> CONFIG proxy.config.ssl.server.cert.filename STRING /usr/local/etc/ats-cert/cert1.pem
> CONFIG proxy.config.ssl.server.cert.path STRING NULL
> CONFIG proxy.config.ssl.server.private_key.filename STRING /usr/local/etc/ats-cert/cert1.key
> CONFIG proxy.config.ssl.server.private_key.path STRING NULL

ssl_multicert.config:

> dest_ip=210.71.204.149  ssl_cert_name=/etc/ats-cert/cert2.pem ssl_key_name=/etc/ats-cert/cert2.key


traffic.out:

> ERROR: SSL::0:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/ats-cert/cert2.key','r')

My observation:

> *prefix NOT added before ssl_key_name while ssl.server.private_key.path not set*




Worked config:

records.config:

> CONFIG proxy.config.ssl.server.cert.filename STRING cert1.pem
> CONFIG proxy.config.ssl.server.cert.path STRING /usr/local/etc/ats-cert
> CONFIG proxy.config.ssl.server.private_key.filename STRING cert1.key
> CONFIG proxy.config.ssl.server.private_key.path STRING /usr/local/etc/ats-cert

ssl_multicert.config:

> dest_ip=210.71.204.149  ssl_cert_name=/cert2.pem ssl_key_name=/usr/local/etc/ats-cert



It seems ssl.server.cert.path has different (and weird) behavior from
ssl.server.private_key.path.
Any thoughts are welcome.  :)


Thanks,
-Ethan
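
Added example (not part of the original post, and not Traffic Server code): a small Python check that compares the path in an fopen() error from traffic.out with a plain directory-plus-name join of the configured values, to separate "path built differently" from "file missing at the expected path". The join rule in expected_path() is an assumption used for comparison, not ATS's documented behaviour; the inputs are copied from test config1 and test config5 above.

```python
import posixpath
import re

FOPEN_RE = re.compile(r"fopen\('([^']*)','r'\)")
CERT_DIR = "proxy.config.ssl.server.cert.path"
KEY_DIR = "proxy.config.ssl.server.private_key.path"

def parse_records(text):
    """Map CONFIG names to values; the literal NULL becomes None."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "CONFIG":
            value = parts[3].strip()
            out[parts[1]] = None if value == "NULL" else value
    return out

def expected_path(base, name):
    """Comparison rule (an assumption, not ATS's documented rule):
    an absolute name is used as-is, otherwise it is joined to base."""
    if base is None or posixpath.isabs(name):
        return posixpath.normpath(name)
    return posixpath.normpath(posixpath.join(base, name))

def diagnose(records_text, multicert_line, error_line):
    """Classify an fopen() failure as a path-construction mismatch or
    as a correctly built path whose file is simply absent."""
    rec = parse_records(records_text)
    mc = dict(t.split("=", 1) for t in multicert_line.split() if "=" in t)
    m = FOPEN_RE.search(error_line)
    if m is None: raise ValueError("no fopen() path in error line")
    attempted = m.group(1)
    expected = {
        "cert": expected_path(rec.get(CERT_DIR), mc["ssl_cert_name"]),
        "key": expected_path(rec.get(KEY_DIR), mc["ssl_key_name"]),
    }
    hit = [k for k, v in expected.items() if v == attempted]
    verdict = "file missing at expected path" if hit else "path built differently"
    return {"attempted": attempted, "expected": expected, "verdict": verdict}

# Inputs copied from test config1 and test config5 in the post above.
CONFIG1 = """CONFIG proxy.config.ssl.server.cert.path STRING /usr/local/etc/ats-cert
CONFIG proxy.config.ssl.server.private_key.path STRING /usr/local/etc/ats-cert"""
CONFIG5 = """CONFIG proxy.config.ssl.server.cert.path STRING NULL
CONFIG proxy.config.ssl.server.private_key.path STRING NULL"""
R1 = diagnose(CONFIG1, "dest_ip=172.16.192.168 ssl_cert_name=cert2.pem ssl_key_name=cert2.key",
              "fopen('/usr/local/etc/ats-certcert2.pem','r')")
R5 = diagnose(CONFIG5, "dest_ip=210.71.204.149 ssl_cert_name=/etc/ats-cert/cert2.pem "
              "ssl_key_name=/etc/ats-cert/cert2.key", "fopen('/etc/ats-cert/cert2.key','r')")
```

For test config1 the verdict is "path built differently" (the attempted path lacks the separator); for test config5 it is "file missing at expected path".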

Re: Weird (and different) behavior of ssl.server.cert.path & ssl.server.private_key.path

Posted by Igor Galić <i....@brainsware.org>.
Ethan,

thank you very much for this report.
Can you please open a Jira ticket for that?

i


-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 571B 8B8A FC97 266D BDA3  EF6F 43AD 80A4 5779 3257