Posted to users@trafficserver.apache.org by Susan Hinrichs <sh...@verizonmedia.com> on 2020/12/10 16:47:57 UTC
Re: [E] Force trafficserver to TLSv1.3
Sounds like the origin is requesting a client certificate which ATS is not
providing.
Do you have your ATS configured to specify a client certificate if the
origin requests one? This can be configured by the records.config setting
proxy.config.ssl.client.cert.filename (and related). These settings can also
be overridden on a per-remap basis by using conf_remap.so.
https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?#proxy-config-ssl-client-cert-filename
On Thu, Dec 10, 2020 at 7:17 AM <mi...@gmail.com> wrote:
> Hi,
> I found an explanation of how Wireshark presents TLSv1.3 and it seems my
> configuration is OK and TLSv1.3 is used.
>
> However I have another problem with the origin server.
> It sends me back "403 Forbidden" because of:
>
> SSL Library Error: error:14268117:SSL
> routines:SSL_verify_client_post_handshake:extension not received
>
>
> As I understand it, ATS does not send the
> "verify_client_post_handshake" extension in the Client Hello.
>
> Is it possible to configure somehow?
>
>
> Thanks Peter
>
Re: [E] Force trafficserver to TLSv1.3
Posted by Susan Hinrichs <sh...@verizonmedia.com>.
The post_handshake_auth is not wired into ATS yet. Please file an issue
and/or put up a PR.
Susan
On Fri, Dec 11, 2020 at 12:54 AM <mi...@gmail.com> wrote:
> Yes, of course I have.
>
> CONFIG proxy.config.ssl.client.cert.path STRING /etc/ssl/certs/
> CONFIG proxy.config.ssl.client.cert.filename STRING xxx.pem
>
> CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/ssl/certs/
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING xxx_CA.pem
>
> Question is if ATS is able to send verify_client_post_handshake as an
> extension in the TLS Client Hello.
> Conversely, if ATS does not send the "post_handshake_auth" extension then,
> according to RFC 8446
> <https://tools.ietf.org/html/rfc8446>
> :
>
> The "post_handshake_auth" extension is used to indicate that a client
> is willing to perform post-handshake authentication (Section 4.6.2 <https://tools.ietf.org/html/rfc8446#section-4.6.2>).
> Servers MUST NOT send a post-handshake CertificateRequest to clients
> which do not offer this extension. Servers MUST NOT send this extension.
>
Re: [E] Force trafficserver to TLSv1.3
Posted by mi...@gmail.com.
Yes, of course I have.
CONFIG proxy.config.ssl.client.cert.path STRING /etc/ssl/certs/
CONFIG proxy.config.ssl.client.cert.filename STRING xxx.pem
CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/ssl/certs/
CONFIG proxy.config.ssl.client.CA.cert.filename STRING xxx_CA.pem
Question is if ATS is able to send verify_client_post_handshake as an
extension in the TLS Client Hello.
Conversely, if ATS does not send the "post_handshake_auth" extension then,
according to RFC 8446 <https://tools.ietf.org/html/rfc8446>:
The "post_handshake_auth" extension is used to indicate that a client
is willing to perform post-handshake authentication (Section 4.6.2
<https://tools.ietf.org/html/rfc8446#section-4.6.2>).
Servers MUST NOT send a post-handshake CertificateRequest to clients
which do not offer this extension. Servers MUST NOT send this extension.
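An added diagnostic example, not code from the thread or from ATS: a small Python parser that reads a raw TLS ClientHello record (for instance one exported from the Wireshark capture mentioned above) and reports whether the client offers the post_handshake_auth extension, ExtensionType 49 in RFC 8446, which is the extension the origin's SSL_verify_client_post_handshake check complains about. The two sample hellos are constructed inline, and the function names build_client_hello, parse_client_hello_extensions and offers_post_handshake_auth are assumptions of this example.

```python
import struct
POST_HANDSHAKE_AUTH = 49   # ExtensionType post_handshake_auth (RFC 8446, section 4.2)

def parse_client_hello_extensions(record: bytes) -> dict:
    """Map ext_type -> ext_data from a raw TLS record that carries a ClientHello."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                            # legacy_version + random
    pos += 1 + hello[pos]                                   # legacy_session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                                   # legacy_compression_methods
    if pos == len(hello):
        return {}                                           # pre-1.3 hello, no extensions
    (ext_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
    end = pos + ext_len
    if end != len(hello):
        raise ValueError("extensions length does not match ClientHello length")
    exts = {}
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        if pos + elen > end:
            raise ValueError("extension overruns extensions block")
        exts[etype] = hello[pos:pos + elen]; pos += elen
    return exts

def offers_post_handshake_auth(record: bytes) -> bool:
    """True when the ClientHello carries post_handshake_auth (RFC 8446: empty data)."""
    return parse_client_hello_extensions(record).get(POST_HANDSHAKE_AUTH) == b""

def build_client_hello(extensions: list) -> bytes:
    """Constructed ClientHello (zero random, one TLS 1.3 suite) for offline testing."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"                # legacy_version, random, no session id
             + b"\x00\x02\x13\x01" + b"\x01\x00"               # TLS_AES_128_GCM_SHA256, null compression
             + struct.pack("!H", len(ext_body)) + ext_body)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello       # Handshake: client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # TLSPlaintext: handshake(22)
# Constructed samples: supported_versions(43) offering TLS 1.3, without and with PHA.
WITHOUT_PHA = build_client_hello([(43, b"\x02\x03\x04")])
WITH_PHA = build_client_hello([(43, b"\x02\x03\x04"), (POST_HANDSHAKE_AUTH, b"")])
```

Feed it the bytes of the first handshake record from the proxy-to-origin capture: a hello for which offers_post_handshake_auth is False matches the "extension not received" failure on the origin side.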