Posted to users@trafficserver.apache.org by vishu_54 <vi...@viptela.com> on 2018/09/05 00:10:18 UTC
Re: Certificate mimicking/spoofing in ATS
Hi Alan,
Thank you for the hint about the certifier plugin. However, I have some issues
configuring it. I wonder whether I am missing something in the configuration for it to
work fully.
HTTP works fine with the following config. HTTPS fails with a crash. I have
attached the log file and stack trace details.
plugin.config:
/usr/local/libexec/trafficserver/certifier.so --sign-cert etc/trafficserver/certs/my-selfsigned.crt --sign-key /etc/trafficserver/private/my-selfsigned.key

records.config (lines changed from the default config):
CONFIG proxy.config.http.server_ports STRING 3129 3130:ssl
CONFIG proxy.config.reverse_proxy.enabled INT 0
CONFIG proxy.config.url_remap.remap_required INT 0
CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/certs
CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver/private
CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*|ssl.*

ssl_multicert.config:
dest_ip=* ssl_cert_name=my-selfsigned.crt ssl_key_name=my-selfsigned.key
diags.log:
[Sep 4 14:51:37.140] Server {0x2aaaaaafa300} STATUS: opened /usr/local/var/log/trafficserver/diags.log
[Sep 4 14:51:37.140] Server {0x2aaaaaafa300} NOTE: updated diags config
[Sep 4 14:51:37.142] Server {0x2aaaaaafa300} NOTE: cache clustering disabled
[Sep 4 14:51:37.147] Server {0x2aaaaaafa300} NOTE: ip_allow.config updated, reloading
[Sep 4 14:51:37.151] Server {0x2aaaaaafa300} NOTE: cache clustering disabled
[Sep 4 14:51:37.152] Server {0x2aaaaaafa300} NOTE: logging initialized[3], logging_mode = 3
[Sep 4 14:51:37.152] Server {0x2aaaaaafa300} NOTE: loading plugin '/usr/local/libexec/trafficserver/certifier.so'
[Sep 4 14:51:37.154] Server {0x2aaaaaafa300} NOTE: loading SSL certificate configuration from /usr/local/etc/trafficserver/ssl_multicert.config
[Sep 4 14:51:37.154] Server {0x2aaaaaafa300} NOTE: ssl_multicert.config done reloading!
[Sep 4 14:51:37.161] Server {0x2aaaaaafa300} NOTE: traffic server running
[Sep 4 14:51:37.215] Server {0x2aaab239a700} NOTE: cache enabled
My client request:
curl -vvv https://vip.test-proxy.com/ --insecure
* Hostname was NOT found in DNS cache
* Trying 10.239.141.25...
* Connected to vip.test-proxy.com (10.239.141.25) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to vip.test-proxy.com:443
* Closing connection 0
lookup: 0.004
connect: 0.005
appconnect: 0.000
pretransfer: 0.000
redirect: 0.000
starttransfer: 0.000
total: 0.093
remote_ip: 10.239.141.25
curl: (35) Unknown SSL protocol error in connection to vip.test-proxy.com:443
traffic.zip
<http://apache-traffic-server.24303.n7.nabble.com/file/t382/traffic.zip>
--
Sent from: http://apache-traffic-server.24303.n7.nabble.com/