Posted to users@trafficserver.apache.org by Ketan Mehta <Ke...@rankinteractive.com> on 2013/04/08 13:18:23 UTC

RE: Trafficserver and HTTPS (SSL Termination)

Hi,

Finally, I got it working. The problem was with the server certificate; I replaced it and it started working.

Thanks,
Ketan

-----Original Message-----
From: James Peach [mailto:jpeach@apache.org] 
Sent: 25 March 2013 17:44
To: users@trafficserver.apache.org
Subject: Re: Trafficserver and HTTPS (SSL Termination)

On Mar 25, 2013, at 10:37 AM, Ketan Mehta <Ke...@rankinteractive.com> wrote:

> Hi All,
>  
> I'm not sure why SSL handshake freezes after Client hello. I did some changes in SSL Termination section.
>  
> [root@cacheserver trafficserver]# curl -3kvI https://www.web1.com
> * About to connect() to www.web1.com port 443
> *   Trying 172.16.89.32... connected
> * Connected to www.web1.com (172.16.89.32) port 443
> * successfully set certificate verify locations:
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * SSLv3, TLS handshake, Client hello (1):

On the Traffic Server side, enable the 'ssl' diagnostic tag; that might show something interesting. Also, you don't show it, but I assume that you are using ssl_multicert.config to specify which certificates should be served?

https://cwiki.apache.org/confluence/display/TS/Upgrading+to+3.2

>  
> ##############################################################################
> #
> # SSL Termination
> #
> ##############################################################################
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.cert.filename STRING www-web1.crt
> CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.server.cert_chain.filename STRING NULL
> CONFIG proxy.config.ssl.server.private_key.filename STRING www-web1.key
> CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.CA.cert.path STRING NULL
>    ################################
>    # client related configuration #
>    ################################
> CONFIG proxy.config.ssl.client.verify.server INT 0
> CONFIG proxy.config.ssl.client.cert.filename STRING NULL
> CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.client.private_key.filename STRING NULL
> CONFIG proxy.config.ssl.client.private_key.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.client.CA.cert.path STRING etc/trafficserver
> 
> ##############################################################################
> #
> # Remap.config
> #
> ##############################################################################
> map https://www.web1.com:443            http://webserver:4000
> reverse_map http://webserver:4000  https://www.web1.com
>  
> Thanks,
> Ketan
> From: Ketan Mehta [mailto:Ketan.Mehta@rankinteractive.com]
> Sent: 22 March 2013 17:33
> To: users@trafficserver.apache.org
> Subject: RE: Trafficserver and HTTPS (SSL Termination)
>  
> Thanks J
>  
> From: ansh.prat@gmail.com [mailto:ansh.prat@gmail.com] On Behalf Of Anshu Prateek
> Sent: 22 March 2013 17:20
> To: users@trafficserver.apache.org
> Subject: RE: Trafficserver and HTTPS (SSL Termination)
>  
> Hi Ketan,
> I'll try to get you the perms I used.
> 
> Regards
> Anshu Prateek
> 
> On Mar 22, 2013 7:29 PM, "Ketan Mehta" <Ke...@rankinteractive.com> wrote:
> Hi Anshu,
>  
> The permissions are the same for cert/key on both servers.
>  
> @marswrk,
>  
> I changed the certificate to PEM format with no password and restarted Trafficserver and the webserver, but it is still not working. I'm not using ssl_multicert.config.
>  
> [root@webserver ~]# netstat -tanp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
> tcp        0      0 0.0.0.0:4000                0.0.0.0:*                   LISTEN      26418/httpd
> tcp        0      0 0.0.0.0:4001                0.0.0.0:*                   LISTEN      26418/httpd
> tcp        0      0 0.0.0.0:5000                0.0.0.0:*                   LISTEN      26418/httpd
> tcp        0      0 0.0.0.0:5001                0.0.0.0:*                   LISTEN      26418/httpd
>  
> [root@cacheserver trafficserver]# netstat -tanp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
> tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      22332/traffic_manag
> tcp        0      0 0.0.0.0:8083                0.0.0.0:*                   LISTEN      22332/traffic_manag
> tcp        0      0 127.0.0.1:8084              0.0.0.0:*                   LISTEN      22341/traffic_serve
> tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      22332/traffic_manag
>  
> From: marswrk@gmail.com [mailto:marswrk@gmail.com]
> Sent: 22 March 2013 02:32
> To: users@trafficserver.apache.org
> Subject: Re: Trafficserver and HTTPS (SSL Termination)
>  
> I had a problem with my https too. I fixed it by making sure the certificate file was in PEM format. I also removed the password that was used to protect the cert.
> Did you restart trafficserver? My first config did not take effect and the port was not actually listening yet.
> 
> And since it was a work network also needed to get the firewall permissions updated.
> 
> I joined recently; did I miss the ssl_multicert.config post?
> Were there any relevant error messages in the log files?
> Sent on the Sprint(r) Now Network from my BlackBerry(r)
> From: Anshu Prateek <an...@gmail.com>
> Sender: ansh.prat@gmail.com
> Date: Thu, 21 Mar 2013 23:08:18 +0530
> To: <us...@trafficserver.apache.org>
> ReplyTo: users@trafficserver.apache.org
> Subject: Re: Trafficserver and HTTPS (SSL Termination)
>  
> I had seen this issue a while back; the file permissions of the SSL cert files/keys were the main culprit. The file permissions for the certs/keys should be the same as they are under the http server (read permission for all on the key was one of the problems).
> 
> regards
> Anshu Prateek
>  
> 
> On Thu, Mar 21, 2013 at 8:46 PM, Ketan Mehta <Ke...@rankinteractive.com> wrote:
> Hi All,
>  
> I'm trying to build a cache solution using Apache Traffic Server (ATS). I'm trying to build a test environment with 2 servers. I have installed ATS-3.2 on one of the servers (Cacheserver) and the Apache web server on the other (Webserver).
>  
> On Webserver, I have configured two websites, www.web1.com and www.web2.com. It is configured to listen on ports 4000, 40001 for HTTP requests and 5000, 5001 for HTTPS requests. I'm using self-signed certificates for those websites.
>  
> On Cacheserver, I have configured Traffic Server to listen on port 80 and 443 for HTTP and HTTPS requests.  
>  
> Both websites work fine when I point the web browser to Webserver (HTTP & HTTPS requests), but when I point it to Cacheserver, HTTP requests work but HTTPS requests end up with an error.
>  
> [root@cacheserver ~]# curl -k -v https://www.web1.com
> * About to connect() to www.web1.com port 443
> *   Trying 172.16.89.32... connected
> * Connected to www.web1.com (172.16.89.32) port 443
> * successfully set certificate verify locations:
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none            
> * SSLv2, Client hello (1):
> error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> * Closing connection #0
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
>  
> All the certificates and keys are located under etc/trafficserver/ssl on Cacheserver. I've copied webserver-cert.crt and webserver-key.key from the Webserver.
>  
> [root@cacheserver ~]# ls -l /opt/ats/etc/trafficserver/ssl
> -rw-r--r-- 1 root root 6334 Mar 21 14:48 cachesvr-bundle.crt
> -rw-r--r-- 1 root root 6146 Mar 21 14:43 originsvr-bundle.crt
> -rw-r--r-- 1 root root  887 Mar 21 14:46 www.web1.com.key
> -rw-r--r-- 1 root root  887 Mar 21 14:46 www.web2.com.key
>  
> Below is the configuration of the remap.config and records.config files.
>  
> #### Record.config ##########
> CONFIG proxy.config.ssl.number.threads INT 0
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 1
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.server.cipher_suite STRING RC4+RSA:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:!eNULL:!aNULL:!EXP:!LOW:!ADH:!EDH
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
> CONFIG proxy.config.ssl.compression INT 0
> CONFIG proxy.config.ssl.client.certification_level INT 1
> CONFIG proxy.config.ssl.server.cert_chain.filename STRING cachesvr-bundle.crt
> CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.CA.cert.path STRING etc/trafficserver
>    ################################
>    # client related configuration #
>    ################################
> CONFIG proxy.config.ssl.client.verify.server INT 0
> CONFIG proxy.config.ssl.client.cert.filename STRING originsvr-bundle.crt
> CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver/ssl
> CONFIG proxy.config.ssl.client.private_key.filename STRING NULL
> CONFIG proxy.config.ssl.client.private_key.path STRING etc/trafficserver
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.client.CA.cert.path STRING etc/trafficserver
>  
> #### remap.config #####
> map http://www.web1.com                      http://webserver:4000
> reverse_map http://webserver:4000     http://www.web1.com
> map http://www.web2.com                      http://webserver:4001
> reverse_map http://webserver:4001     http://www.web2.com
> map https://www.web1.com                    https://webserver:5000
> reverse_map http://webserver:5000     https://www.web1.com
> map https://www.web2.com                    https://webserver:5001
> reverse_map https://webserver:5001   https://www.web2.com
>  
> What I'm trying to achieve is
>  
> Client --Http--> Cache server --Http--> Origin server (http://www.web1.com and http://www.web2.com)
> Client --Https--> Cache server --Https--> Origin server (http://www.web1.com and http://www.web2.com)
>  
> But it doesn't work with https. What am I doing wrong here?
>  
> Let me know if anything is not clear.
>  
> Thanks,
> Ketan
> 
> 
> Save Paper - do you really need to print this email? 
> 
> Confidentiality
> The contents of this e-mail is intended for the named addressee only.
> It contains information which may be confidential and which may also be legally privileged.
> Unless you are the named addressee (or authorised to receive for the addressee) you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. 
> 
> Viruses
> Although we have taken steps to ensure that this email and attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free. 
> 
> Opinions
> Unless expressly stated, opinions in this message are those of the individual sender and not of The Rank Group Plc. The Rank Group Plc accepts no liability or responsibility for any onward transmission or use of e-mails and attachment having left The Rank Group Plc domain. 
> 
> The Rank Group Plc - Company Registration No. 03140769; Rank Leisure Holdings Limited - Company Registration No. 01841255; Rank Group Gaming Division Limited - Company Registration No. 03213743; Grosvenor Casinos Limited - Company Registration No. 00877080; Mecca Bingo Limited - Company Registration No. 01854120; Rank Leisure Limited - Company Registration No. 03417930; Rank Limited - Company Registration No. 03211794, all of which are registered in England and Wales and have their registered office at: Statesman House, Stafferton Way, Maidenhead, SL6 1AY, England.
> This email message has been delivered safely by Mimecast.
> For more information please visit http://www.mimecast.com
>  

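As an added example (not code from this thread or from Apache Traffic Server), the checker below parses the records.config SSL lines quoted above and reports the points the replies asked about: a leaf certificate and private key actually named (a cert_chain file alone is not enough, as in the first config), client-certificate requests switched on by certification_level, an unverified origin, and a key file that is not PEM, is passphrase-protected or is world-readable. It assumes the ATS documentation's meaning of certification_level and client.verify.server; the findings and their wording are the example's own.

```python
"""Lint the SSL-termination records of an ATS 3.x records.config (added example,
not code from the thread or from Apache Traffic Server). certification_level (0 none,
1 request, 2 require) and client.verify.server are read as the ATS docs define them."""
import os
import re

RECORD = re.compile(r"^CONFIG\s+(\S+)\s+(INT|STRING|FLOAT)\s+(.*?)\s*$")

# Excerpt of the thread's first records.config, with the mail-wrapped lines rejoined:
FIRST_CONFIG = """\
CONFIG proxy.config.ssl.client.certification_level INT 1
CONFIG proxy.config.ssl.server.cert_chain.filename STRING  cachesvr-bundle.crt
CONFIG proxy.config.ssl.client.verify.server INT 0
"""

def parse_records(text):
    """Map record name -> value; a STRING value of NULL becomes None (unset)."""
    recs = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            name, _type, value = m.groups()
            recs[name] = None if value == "NULL" else value
    return recs

def lint_ssl(recs, using_multicert=False):
    """Return (severity, message) findings for the server-side SSL records."""
    out = []
    cert = recs.get("proxy.config.ssl.server.cert.filename")
    key = recs.get("proxy.config.ssl.server.private_key.filename")
    chain = recs.get("proxy.config.ssl.server.cert_chain.filename")
    if not using_multicert:  # with ssl_multicert.config the certs are named there
        if not cert:
            out.append(("error", "no server.cert.filename and no ssl_multicert.config"))
        if not key:
            out.append(("error", "no server.private_key.filename"))
        if chain and not cert:
            out.append(("error", "cert_chain.filename does not replace the leaf cert"))
    if recs.get("proxy.config.ssl.client.certification_level") not in (None, "0"):
        out.append(("warn", "certification_level != 0: clients are asked for a cert"))
    if recs.get("proxy.config.ssl.client.verify.server") == "0":
        out.append(("warn", "client.verify.server=0: origin cert is not verified"))
    return out

def check_key_bytes(head, mode, name="key"):
    """Checks the replies asked for: PEM encoded, no passphrase, not world-readable."""
    issues = []
    if not head.startswith(b"-----BEGIN"):
        issues.append(f"{name}: not PEM; ATS loads certificates and keys as PEM")
    if b"ENCRYPTED" in head:  # 'Proc-Type: 4,ENCRYPTED' or 'BEGIN ENCRYPTED PRIVATE KEY'
        issues.append(f"{name}: passphrase-protected key; remove the passphrase")
    if mode & 0o004:
        issues.append(f"{name}: world-readable private key; restrict it to the ATS user")
    return issues

def check_key_file(path):  # the first 4 KiB holds every header the checks look at
    if not os.path.isfile(path):
        return [f"{path}: missing"]
    with open(path, "rb") as f:
        return check_key_bytes(f.read(4096), os.stat(path).st_mode, path)
```

Run lint_ssl(parse_records(open("records.config").read())) and check_key_file(...) against the key named in private_key.filename; the second, working config from the thread produces only the origin-verification warning.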