Posted to users@trafficserver.apache.org by $ubbu <su...@gmail.com> on 2017/07/02 12:49:40 UTC

Re: SSL for trafficserver

It worked

thanks for the help :)

On 30 June 2017 at 05:30, Reindl Harald <h....@thelounge.net> wrote:

> "my origin server has CA signed wild card certificate, so what kind of
> certificate should I install on traffic server (ex:self signed or ca
> signed) and what are the steps to install certificate?"
>
> that is a very strange question
>
> a) if you don't want warnings on the clients self-signed
>    is not an option
>
> b) when you already have CA signed ones just put them on the proxy
>
> c) you don't need any certificate at all on the backend - that's what
> TLS-offloading is all about
>
> "what format of the certificate works (.pem or crt or pfx)" - as for
> anything else in the open source world - PEM - just cat the private key,
> intermediate-certificates and the certificate in a file and use it as it's
> done for httpd, postfix, dovecot and what not....
>
> with the config below you just put your certificates into
> "/etc/trafficserver/ssl/" and list the certs in "ssl_multicert.config"
>
> [root@proxy:~]$ cat /etc/trafficserver/ssl_multicert.config
> # optional 'ssl_ca_name=ca_name.crt' when intermediate-certs are not in the pem-file
> ssl_cert_name=thelounge.net.pem
>
> [root@proxy:~]$ cat /etc/trafficserver/remap.config | grep www.thelounge.net
> map http://www.thelounge.net http://www.thelounge.net
> map https://www.thelounge.net http://www.thelounge.net
>
> [root@proxy:~]$ cat /etc/trafficserver/records.config | grep ssl
> CONFIG proxy.config.http.server_ports STRING 80 443:ssl
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.TLSv1 INT 1
> CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:!LOW:!MEDIUM
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> CONFIG proxy.config.ssl.server.dhparams_file STRING /etc/trafficserver/ssl/dhparams.pem
>
>
> Am 30.06.2017 um 14:19 schrieb $ubbu:
>
>> Hi,
>>
>>       We are using apache traffic server for caching http sites for a
>> quite long time, recently we had to cache https sites.
>>
>> I took reference of https://docs.trafficserver.apache.org/en/latest/admin-guide/security/index.en.html
>>
>> But unable to work it out.
>>
>> I have a few questions
>>
>> 1. my origin server has CA signed wild card certificate, so what kind of
>> certificate should I install on traffic server (ex: self signed or ca
>> signed) and what are the steps to install certificate?
>>
>> 2.what format of the certificate works (.pem or crt or pfx) ?
>>
>> 3. I have one more link http://www.quobell.nl/blog/apache-traffic-server-ats-as-reverse-proxy-for-outsystems/
>>
>> Which I tried with both self signed and ca signed certificates but I
>> encountered the following error ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>
>>     Please help me in this process.
>>
>> Thanks in Advance !!!
>>
>


-- 
*Regards*

*Subrahmanya Prasad P*
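The single PEM file that ssl_cert_name points at (private key plus certificates, as Reindl describes) is where most TLS-termination setups go wrong. The following POSIX shell script is an added example, not code from the thread or from the Traffic Server project: it assembles that file in the order OpenSSL's chain loader reads (leaf certificate before intermediates; the key block can come first) and confirms that the key actually belongs to the certificate before the file is dropped into /etc/trafficserver/ssl/. It assumes openssl is on PATH; every file name is a placeholder and the test material it generates is throwaway.

```shell
#!/bin/sh
# Added example: build and sanity-check the PEM bundle referenced from
# ssl_multicert.config (ssl_cert_name=...). Assumes openssl on PATH.
set -eu

# make_bundle OUT KEY LEAF [INTERMEDIATE...]
# Writes key, then the leaf certificate, then intermediates, which is the
# order OpenSSL's SSL_CTX_use_certificate_chain_file expects for the chain.
make_bundle() {
    out=$1; key=$2; leaf=$3; shift 3
    { cat "$key"; cat "$leaf"; for inter in "$@"; do cat "$inter"; done; } > "$out"
    chmod 600 "$out"   # the bundle carries the private key
}

# pubkey_fp FILE MODE -> SHA-256 of the public key read from the first private
# key (MODE=key) or first certificate (MODE=cert) in FILE. Fails (non-zero)
# when no such block parses, so a broken file never yields a "match".
pubkey_fp() {
    if [ "$2" = key ]; then
        pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    else
        pem=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    fi
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256
}

# check_bundle BUNDLE -> 0 only if the key and the leaf certificate in BUNDLE
# share a public key. A key that belongs to a different certificate is one
# reason a server refuses the handshake before any cipher is negotiated.
check_bundle() {
    k=$(pubkey_fp "$1" key) || return 1
    c=$(pubkey_fp "$1" cert) || return 1
    [ "$k" = "$c" ]
}

# make_test_material DIR: constructed, throwaway self-signed key/cert pairs
# ("good" and "other") for exercising the checks offline. Placeholder data,
# never for a real proxy.
make_test_material() {
    for n in good other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example" \
            -keyout "$1/$n.key" -out "$1/$n.crt" >/dev/null 2>&1
    done
}
```

Run `check_bundle /etc/trafficserver/ssl/yourname.pem` after every certificate renewal; a non-zero exit means the key and certificate do not belong together and Traffic Server should not be reloaded with that file.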

Re: SSL for trafficserver

Posted by sheng <li...@icloud.com>.
Hi $ubbu,

It is great to know that your case is working.

Any idea how to put the public cert of the origin server into the traffic
server certificate store?

I am using self-signed certificates for both the origin and traffic servers
and would like to enable two way authentication between the traffic server
and origin server. I can get access into the origin with the client.key and
client.cert via curl, but have ssl connection error via traffic server. 

Can you share the records.config and ssl_multicert.config for me to take a
look?

Thank you,

Sheng



--
Sent from: http://apache-traffic-server.24303.n7.nabble.com/