Posted to users@trafficserver.apache.org by vishu_54 <vi...@viptela.com> on 2018/09/05 00:10:18 UTC

Re: Certificate mimicking/spoofing in ATS

Hi Alan,
Thank you for the hint about the certifier plugin. However, I have some issues
configuring it. I suspect I am missing something in the configuration needed for
it to work fully.
HTTP works fine with the following config. HTTPS fails with a crash. I have
attached the log file and stack trace details.

plugin.config:
/usr/local/libexec/trafficserver/certifier.so --sign-cert etc/trafficserver/certs/my-selfsigned.crt --sign-key /etc/trafficserver/private/my-selfsigned.key

records.config:
Changed the following lines from the default config:

CONFIG proxy.config.http.server_ports STRING 3129 3130:ssl
CONFIG proxy.config.reverse_proxy.enabled INT 0
CONFIG proxy.config.url_remap.remap_required INT 0

CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/certs
CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver/private

CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*|ssl.*

ssl_multicert.config:
dest_ip=*       ssl_cert_name=my-selfsigned.crt ssl_key_name=my-selfsigned.key

diags.log:

[Sep  4 14:51:37.140] Server {0x2aaaaaafa300} STATUS: opened
/usr/local/var/log/trafficserver/diags.log
[Sep  4 14:51:37.140] Server {0x2aaaaaafa300} NOTE: updated diags config
[Sep  4 14:51:37.142] Server {0x2aaaaaafa300} NOTE: cache clustering
disabled
[Sep  4 14:51:37.147] Server {0x2aaaaaafa300} NOTE: ip_allow.config updated,
reloading
[Sep  4 14:51:37.151] Server {0x2aaaaaafa300} NOTE: cache clustering
disabled
[Sep  4 14:51:37.152] Server {0x2aaaaaafa300} NOTE: logging initialized[3],
logging_mode = 3
[Sep  4 14:51:37.152] Server {0x2aaaaaafa300} NOTE: loading plugin
'/usr/local/libexec/trafficserver/certifier.so'
[Sep  4 14:51:37.154] Server {0x2aaaaaafa300} NOTE: loading SSL certificate
configuration from /usr/local/etc/trafficserver/ssl_multicert.config
[Sep  4 14:51:37.154] Server {0x2aaaaaafa300} NOTE: ssl_multicert.config
done reloading!
[Sep  4 14:51:37.161] Server {0x2aaaaaafa300} NOTE: traffic server running
[Sep  4 14:51:37.215] Server {0x2aaab239a700} NOTE: cache enabled


My client request:
curl -vvv https://vip.test-proxy.com/ --insecure
* Hostname was NOT found in DNS cache
*   Trying 10.239.141.25...
* Connected to vip.test-proxy.com (10.239.141.25) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to vip.test-proxy.com:443
* Closing connection 0
lookup:        0.004
connect:       0.005
appconnect:    0.000
pretransfer:   0.000
redirect:      0.000
starttransfer: 0.000
total:         0.093
remote_ip:       10.239.141.25
curl: (35) Unknown SSL protocol error in connection to
vip.test-proxy.com:443

traffic.zip
<http://apache-traffic-server.24303.n7.nabble.com/file/t382/traffic.zip>  



--
Sent from: http://apache-traffic-server.24303.n7.nabble.com/
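The post gives no diagnosis, so here is an added example, written for this page and not taken from the original message or from the Apache Traffic Server project: a POSIX shell preflight script for a certifier-style TLS interception setup. It checks the things a practitioner would verify before looking at a crash: that the certificate handed to --sign-cert is actually CA-capable (basicConstraints CA:TRUE), that --sign-key is the private key for that certificate, and that the plugin.config paths are absolute (the posted line gives --sign-cert a relative etc/trafficserver/... path but --sign-key an absolute one; whether that matters for the crash is not established by the post, so the path check is only a hint). It also wraps an openssl s_client probe that shows whether the proxy sends a certificate at all, which is more informative than curl's generic error 35. The requirement that the signing certificate be a CA, and the host, port and file names, are assumptions of this example.

```shell
#!/bin/sh
# Preflight checks for an ATS certifier (TLS interception) deployment.
# Added example, not from the original post or the Traffic Server project.
# Assumptions (not stated by the post): the --sign-cert certificate must be
# CA-capable and paired with --sign-key; relative plugin.config paths resolve
# against the traffic_server working directory and are therefore fragile.

# Return 0 if the PEM certificate $1 carries basicConstraints CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# Return 0 if the public key inside certificate $1 equals the public key
# derived from private key $2 (both compared as PEM SubjectPublicKeyInfo).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if $1 starts with a slash.
path_is_absolute() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Inspect the --sign-cert/--sign-key arguments of a certifier plugin.config
# line ($1).  Prints one WARN per problem; the return value is the count, so
# 0 means the line looks sane.  Paths are assumed to contain no spaces.
check_certifier_line() {
    problems=0
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            --sign-cert|--sign-key)
                opt=$1; val=${2:-}
                if ! path_is_absolute "$val"; then
                    echo "WARN: $opt path is relative: $val"
                    problems=$((problems + 1))
                elif [ ! -r "$val" ]; then
                    echo "WARN: $opt file not readable: $val"
                    problems=$((problems + 1))
                fi
                shift
                ;;
        esac
        [ $# -gt 0 ] && shift
    done
    return $problems
}

# Handshake with the proxy the way curl does (SNI set) and show what comes
# back: the presented subject/issuer, the verify result, or the TLS error.
# Network-only; the offline checks above do not call it.
probe_tls() {   # host port
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>&1 \
        | grep -E 'subject=|issuer=|Verify return code|error'
}

# Usage: sh preflight.sh /path/to/ca.crt /path/to/ca.key [host port]
if [ $# -ge 2 ]; then
    cert_is_ca "$1" && echo "ok: $1 is CA:TRUE" || echo "FAIL: $1 is not a CA certificate"
    key_matches_cert "$1" "$2" && echo "ok: key matches cert" || echo "FAIL: $2 does not match $1"
    [ $# -ge 4 ] && probe_tls "$3" "$4"
fi
```

Run it against the signing pair from the posted plugin.config; if the certificate is a plain self-signed leaf rather than a CA, browsers and curl (without --insecure) will reject every certificate the plugin mints even once the crash is gone.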