Posted to issues@trafficserver.apache.org by "Igor Galić (JIRA)" <ji...@apache.org> on 2010/08/13 02:26:16 UTC

[jira] Commented: (TS-405) SSL Termination not working

    [ https://issues.apache.org/jira/browse/TS-405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12898019#action_12898019 ] 

Igor Galić commented on TS-405:
-------------------------------

I'm currently using trunk. Before, with 2.1.1, I've been struggling with the same issue.
Aside from using trunk, it seems that the sane solution here is to put the server certificate and the server key in the same PEM file:

i.galic@pheme /etc/bw/trafficserver % uncomment records.config|grep ssl.server|grep -v NULL
CONFIG proxy.config.ssl.server_port INT 443
CONFIG proxy.config.ssl.server.cert.filename STRING multi.brainsware.org.bundle.pem
CONFIG proxy.config.ssl.server.cert.path STRING /etc/bw/certs
CONFIG proxy.config.ssl.server.private_key.path STRING /etc/bw/certs


This, evidently: https://roscm.esotericsystems.at/ works.

> SSL Termination not working
> ---------------------------
>
>                 Key: TS-405
>                 URL: https://issues.apache.org/jira/browse/TS-405
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.1.1
>         Environment: Red Hat Enterprise Linux AS release 4 (Nahant Update 6) - x86_64
>            Reporter: Anirban Roy
>             Fix For: 2.1.2
>
>
> Turned on SSL termination with Apache TS-2.1.1 (proxy.config.ssl.enabled) with other config options left as the default settings. The package is shipped with a certificate (server.pm) which is used for the SSL session. With this default setting, the SSL termination does not seem to work. See the error below -
> [anirbanr@llf531136 trafficserver]$ https_proxy=localhost:443 wget -d --no-check-certificate https://login/yahoo.com
> Setting --check-certificate (checkcertificate) to 0
> DEBUG output created by Wget 1.10.2 (Red Hat modified) on linux-gnu.
> --11:24:41--  https://login/yahoo.com
>            => `yahoo.com'
> Resolving localhost... 127.0.0.1
> Caching localhost => 127.0.0.1
> Connecting to localhost|127.0.0.1|:443... connected.
> Created socket 3.
> Releasing 0x0000000000552380 (new refcount 1).
> ---request begin---
> CONNECT login:443 HTTP/1.0
> User-Agent: Wget/1.10.2 (Red Hat modified)
> ---request end---
> Failed reading proxy response: Connection reset by peer
> Closed fd 3
> Retrying.
> ==========================================================================================
> syslog output
> ==========================================================================================
> [anirbanr@llf531136 ats-test]$ tail -f /var/log/messages | grep traffic
> Jul 27 11:02:22 llf531136 traffic_manager[20264]: {182924636832} ERROR:  (last system error 9: Bad file descriptor)
> Jul 27 11:24:18 llf531136 traffic_cop[25036]: --- Cop Starting [Version: Apache Traffic Server - traffic_cop - 2.1.1-unstable - (build # 62010 on Jul 20 2010 at 10:17:13)] ---
> Jul 27 11:24:18 llf531136 traffic_cop[25036]: traffic_manager not running, making sure traffic_server is dead
> Jul 27 11:24:18 llf531136 traffic_cop[25036]: spawning traffic_manager
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: NOTE: --- Manager Starting ---
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: NOTE: Manager Version: Apache Traffic Server - traffic_manager - 2.1.1-unstable - (build # 62010 on Jul 20 2010 at 10:17:39)
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE: updated diags config
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE: [Rollback::openFile] Open of cache.config failed: Permission denied
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE: [Rollback::Rollback] Config file is read-only : cache.config
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE: [ClusterCom::ClusterCom] Node running on OS: 'Linux' Release: '2.6.9-67.0.22.ELsmp'
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE: [LocalManager::listenForProxy] Listening on port: 8085
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE: [LocalManager::listenForProxy] Listening on port: 443
> Jul 27 11:24:18 llf531136 traffic_manager[25037]: {182924636832} NOTE: [TrafficManager] Setup complete
> Jul 27 11:24:19 llf531136 traffic_manager[25037]: {182924636832} NOTE: [LocalManager::startProxy] Launching ts process
> Jul 27 11:24:19 llf531136 traffic_manager[25037]: {182924636832} NOTE: [LocalManager::pollMgmtProcessServer] New process connecting fd '10'
> Jul 27 11:24:19 llf531136 traffic_manager[25037]: {182924636832} NOTE: [Alarms::signalAlarm] Server Process born
> Jul 27 11:24:20 llf531136 traffic_server[25049]: NOTE: --- Server Starting ---
> Jul 27 11:24:20 llf531136 traffic_server[25049]: NOTE: Server Version: Apache Traffic Server - traffic_server - 2.1.1-unstable - (build # 62010 on Jul 20 2010 at 10:17:53)
> Jul 27 11:24:20 llf531136 traffic_server[25049]: {182924636544} NOTE: updated diags config
> Jul 27 11:24:20 llf531136 traffic_server[25049]: {182924636544} NOTE: cache clustering disabled
> Jul 27 11:24:20 llf531136 traffic_server[25049]: {182924636544} NOTE: cache clustering disabled
> Jul 27 11:24:20 llf531136 traffic_server[25049]: {182924636544} NOTE: logging initialized[7], logging_mode = 3
> Jul 27 11:24:20 llf531136 traffic_server[25049]: {182924636544} NOTE: traffic server running
> Jul 27 11:24:32 llf531136 traffic_server[25049]: {1095842144} NOTE: cache enabled
> Jul 27 11:24:41 llf531136 traffic_server[25049]: {1140050272} ERROR: SSL ERROR: SSL_ServerHandShake.
> Jul 27 11:24:41 llf531136 traffic_server[25049]: {1140050272} ERROR: SSL::39:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:402:
> Jul 27 11:24:42 llf531136 traffic_server[25049]: {1137944928} ERROR: SSL ERROR: SSL_ServerHandShake.
> Jul 27 11:24:42 llf531136 traffic_server[25049]: {1137944928} ERROR: SSL::37:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:402:
> Jul 27 11:24:44 llf531136 traffic_server[25049]: {1142155616} ERROR: SSL ERROR: SSL_ServerHandShake.
> Jul 27 11:24:44 llf531136 traffic_server[25049]: {1142155616} ERROR: SSL::41:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:402:
> ==========================================================================================
> traffic.out output
> ==========================================================================================
> [E. Mgmt] log ==> [TrafficManager] using root directory '/export/crawlspace/packages/ats-2.1.1'
> [Jul 27 11:24:18.353] {182924636832} STATUS: opened /export/crawlspace/packages/ats-2.1.1/var/log/trafficserver/manager.log
> [TrafficServer] using root directory '/export/crawlspace/packages/ats-2.1.1'
> [Jul 27 11:24:20.506] {182924636544} STATUS: opened /export/crawlspace/packages/ats-2.1.1/var/log/trafficserver/diags.log
> [Jul 27 11:24:41.676] Server {1140050272} ERROR: SSL ERROR: SSL_ServerHandShake.
> [Jul 27 11:24:41.676] Server {1140050272} ERROR: SSL::39:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:402:
> [Jul 27 11:24:42.679] Server {1137944928} ERROR: SSL ERROR: SSL_ServerHandShake.
> [Jul 27 11:24:42.679] Server {1137944928} ERROR: SSL::37:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:402:
> [Jul 27 11:24:44.681] Server {1142155616} ERROR: SSL ERROR: SSL_ServerHandShake.
> [Jul 27 11:24:44.681] Server {1142155616} ERROR: SSL::41:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:402:

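A check for the combined certificate-and-key setup described in the comment above, added here as an example; it is not part of the original message or of Traffic Server. The helper names `rc_get` and `check_bundle` are hypothetical, and the rule that an unset or NULL `proxy.config.ssl.server.private_key.filename` means the key must sit in the certificate file is an assumption taken from the configuration shown.

```shell
#!/bin/sh
# Added example: confirm that the PEM file named in records.config holds both
# the server certificate and a private key, and is closed to group/other.

# Print the value of an active "CONFIG <name> <TYPE> <value>" line.
rc_get() {  # usage: rc_get <records.config> <variable>
    awk -v k="$2" '$1 == "CONFIG" && $2 == k { print $4; exit }' "$1"
}

# Return 0 if the configured file works as a combined cert+key bundle.
check_bundle() {  # usage: check_bundle <records.config>
    rc=$1
    dir=$(rc_get "$rc" proxy.config.ssl.server.cert.path)
    file=$(rc_get "$rc" proxy.config.ssl.server.cert.filename)
    key=$(rc_get "$rc" proxy.config.ssl.server.private_key.filename)
    pem="$dir/$file"
    status=0

    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: no certificate block in $pem"; status=1; }

    # Assumption: no separate key file configured (unset or NULL) means the
    # key has to be found inside the certificate file.
    if [ -z "$key" ] || [ "$key" = "NULL" ]; then
        grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" ||
            { echo "FAIL: no private key block in $pem"; status=1; }
    fi

    # A bundle that carries the key must be protected like a key file.
    if grep -q -e 'PRIVATE KEY-----' "$pem"; then
        perms=$(ls -lL "$pem" | cut -c5-10)   # group and other mode bits
        case $perms in
            ------) ;;
            *) echo "FAIL: $pem open to group/other ($perms)"; status=1 ;;
        esac
    fi

    [ "$status" -eq 0 ] && echo "OK: $pem"
    return "$status"
}

# Stand-alone use: sh check_bundle.sh /path/to/records.config
if [ $# -gt 0 ]; then check_bundle "$1"; fi
```

The script checks structure and permissions only; whether the key actually belongs to the certificate has to be verified separately.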