Posted to dev@trafficcontrol.apache.org by "Eric Friedrich (efriedri)" <ef...@cisco.com> on 2018/04/30 18:49:08 UTC

TLS Client Authentication in Traffic Control

Someone else may find this useful, so I thought I would share. (Apologies for the earlier cross-post)


Configuring TLS Client Authentication in Traffic Control (Experimental Testing Procedure)
=========
Note: Trafficserver does not currently allow per-Delivery Service (per-remap) configuration of client authentication. The below instructions will enable client authentication for all HTTPS services on a given profile/cache.

1) In TrafficOps, configure the Edge cache “Profile” to turn on client authentication. Set the following parameters:
  - name: CONFIG proxy.config.ssl.client.certification_level
  - file: records.config
  - value: INT 2
Screenshot: https://cisco.box.com/s/lxtlfbfrbpnaa17cnp4dddj2p0wwzril

  - name: CONFIG proxy.config.ssl.CA.cert.filename
  - file: records.config
  - value: STRING etc/trafficserver/ssl/ca.crt
Screenshot: https://cisco.box.com/s/hq7vubwd9z0k1g8705eaagbvdg0aokjc
See below for instructions on generating the Certificate Authority (CA), Certificate and private key.


  You can add the CA file via TrafficOps, but it's a painful process. Please see the screenshot. If you wish to skip this step, you can scp the file directly to the cache (/opt/trafficserver/etc/trafficserver/ssl/client_ca.crt)
  Screenshot: https://cisco.box.com/s/849imlapxj1e30zi6y63a8fwd31swv21
  (Now that I know what a take and bake is, I think I was better off before. Configuring a whole SSL Cert in here is pretty painful, but thanks to Jeff for the help on this step)


2) Queue and run ORT on caches to get updated settings

3) Verify by making a curl request
    $ curl -k --cert ~/client_auth/client.crt --key ~/client_auth/client.key -v  https://edge-cache-1.cdn.cisco.com/test.m3u8

On success, you will receive the content.

On failure, you will see something like:
[cloud-user trafficserver]$ curl -k -v  https://edge-cache-1.cdn.cisco.com/test.m3u8
* About to connect() to localhost port 443 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* NSS error -12227 (SSL_ERROR_HANDSHAKE_FAILURE_ALERT)
* SSL peer was unable to negotiate an acceptable set of security parameters.
* Closing connection 0
curl: (35) NSS: client certificate not found (nickname not specified)


Generating a Certificate Authority and Client Certificate (optional)
=========
1) Create the Certificate Authority Key
    $ openssl genrsa -out client_ca.key 2048

2) Generate the Certificate Authority Cert
    $ openssl req -new -x509 -key ./client_ca.key -out client_ca.crt

3) Generate the Client Key and Certificate Signing Request
    $ openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr

4) Use the Certificate Authority to sign the client certificate signing request
    $ openssl x509 -req -in ./client.csr -CA ./client_ca.crt -CAkey ./client_ca.key -CAcreateserial -out client.crt

5) The client_ca.crt file is copied to the Trafficserver. The client (curl) is given client.crt and client.key.
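Added example (not Eric's or the Traffic Control project's code): a script that builds the same throwaway client CA and client certificate the post describes, then performs the check the cache performs with certification_level 2, namely that a presented client certificate chains to the configured CA file. It assumes openssl is on the PATH; subjects, -days values and the temp directory are constructed for a non-interactive run and are not from the post.

```shell
#!/bin/sh
# Build the client PKI from the post and verify certs against the CA file.
set -eu

# Create: CA key, self-signed CA cert, client key + CSR, CA-signed client cert.
# The -subj/-days arguments are assumptions so the commands run unattended.
make_client_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/client_ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/client_ca.key" -out "$dir/client_ca.crt" \
        -subj "/CN=Example Client CA" -days 365 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.csr" -subj "/CN=example-client" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/client_ca.crt" \
        -CAkey "$dir/client_ca.key" -CAcreateserial -days 365 \
        -out "$dir/client.crt" 2>/dev/null
}

# Same decision the cache makes with proxy.config.ssl.CA.cert.filename set:
# succeed (exit 0) only if the client cert verifies against that CA file.
verify_client_cert() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Show subject and issuer so an operator can see which CA signed a cert.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Stand-alone demo: one CA that should be accepted, a second unrelated CA
# whose client cert must be rejected by the first CA file.
demo_dir=$(mktemp -d)
make_client_pki "$demo_dir/trusted"
make_client_pki "$demo_dir/other"
describe_cert "$demo_dir/trusted/client.crt"
if verify_client_cert "$demo_dir/trusted/client_ca.crt" "$demo_dir/trusted/client.crt"; then
    echo "trusted client.crt: accepted"
fi
if ! verify_client_cert "$demo_dir/trusted/client_ca.crt" "$demo_dir/other/client.crt"; then
    echo "other client.crt: rejected (not signed by client_ca.crt)"
fi
rm -rf "$demo_dir"
```

The same two outcomes are what the curl runs in step 3 show from the client side: a cert signed by client_ca.crt gets the content, anything else fails the handshake.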

Re: TLS Client Authentication in Traffic Control

Posted by Steve Malenfant <sm...@gmail.com>.
Eric,

Maybe I'm wrong here, but in the new API to generate config files, you can
have a single line separated with __RETURN__ instead of having to provision
a bunch of line entries.

Steve
