Posted to users@trafficserver.apache.org by Reindl Harald <h....@thelounge.net> on 2013/08/07 01:54:17 UTC
ssl termination does not work
Hi
anybody have an idea what's wrong here?
see errors from "traffic.out" below
trafficserver-3.2.5-3.fc19.20130803.rh.x86_64
finally i want to play around with having apache only on 127.0.0.1
without mod_ssl and trafficserver doing the ssl-termination, in
the first step ip-based like httpd and if possible finally with
SNI for more than one vhost, but i do not get the basics working
Firefox:
An error occurred during a connection to rhsoft.testserver.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
________________________________________________
CONFIG proxy.config.ssl.enabled INT 1
CONFIG proxy.config.ssl.server_port INT 443
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.compression INT 0
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNUL
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.cert.filename STRING testserver.rhsoft.net.pem
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl
CONFIG proxy.config.ssl.server.private_key.filename STRING testserver.rhsoft.net.pem
CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl
________________________________________________
[Aug 7 01:49:01.962] Server {0x2aaab5e01700} ERROR: SSL ERROR: SSL_ServerHandShake.
[Aug 7 01:49:01.962] Server {0x2aaab5e01700} ERROR: SSL::13:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
[Aug 7 01:49:01.963] Server {0x2aaab5e01700} ERROR: SSL ERROR: SSL_ServerHandShake.
[Aug 7 01:49:01.963] Server {0x2aaab5e01700} ERROR: SSL::13:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
[Aug 7 01:49:01.985] Server {0x2aaab5f02700} ERROR: SSL ERROR: SSL_ServerHandShake.
[Aug 7 01:49:01.985] Server {0x2aaab5f02700} ERROR: SSL::14:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
[Aug 7 01:49:01.985] Server {0x2aaab5f02700} ERROR: SSL ERROR: SSL_ServerHandShake.
[Aug 7 01:49:01.985] Server {0x2aaab5f02700} ERROR: SSL::14:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
[Aug 7 01:49:03.487] Server {0x2aaab7100700} ERROR: SSL ERROR: SSL_ServerHandShake.
[Aug 7 01:49:03.488] Server {0x2aaab7100700} ERROR: SSL::15:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
[Aug 7 01:49:03.490] Server {0x2aaab7100700} ERROR: SSL ERROR: SSL_ServerHandShake.
[Aug 7 01:49:03.490] Server {0x2aaab7100700} ERROR: SSL::15:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
[Aug 7 01:49:03.491] Server {0x2aaab7201700} ERROR: SSL ERROR: SSL_ServerHandShake.
[Aug 7 01:49:03.491] Server {0x2aaab7201700} ERROR: SSL::16:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
[Aug 7 01:49:03.491] Server {0x2aaab7201700} ERROR: SSL ERROR: SSL_ServerHandShake.
[Aug 7 01:49:03.491] Server {0x2aaab7201700} ERROR: SSL::16:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
Re: ssl termination does not work
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
The configuration
CONFIG proxy.config.http.server_ports ssl:443
will work in all versions of 3.2, and in 3.4.
> since there exists no stable version greater than 3.2.5
> it would be unwise to configure things with 3.4 settings
> for possible later use in production
Re: ssl termination does not work
Posted by Reindl Harald <h....@thelounge.net>.
On 07.08.2013 19:00, Alan M. Carroll wrote:
> Wednesday, August 7, 2013, 10:37:05 AM, you wrote:
>
>> On Aug 6, 2013, at 4:54 PM, Reindl Harald <h....@thelounge.net> wrote:
>
>>> CONFIG proxy.config.ssl.server_port INT 443
>
> This should work for 3.2.5, but it's gone in 3.4 so it's probably best to change to
>
>> CONFIG proxy.config.http.server_ports ssl:443
>
> which will work in 3.4
since there exists no stable version greater than 3.2.5
it would be unwise to configure things with 3.4 settings
for possible later use in production
however, i will try to play around with this stuff tomorrow if i
find a free time window - for today i am tired and done :-)
Re: ssl termination does not work
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Wednesday, August 7, 2013, 10:37:05 AM, you wrote:
> On Aug 6, 2013, at 4:54 PM, Reindl Harald <h....@thelounge.net> wrote:
>> CONFIG proxy.config.ssl.server_port INT 443
This should work for 3.2.5, but it's gone in 3.4 so it's probably best to change to
> CONFIG proxy.config.http.server_ports ssl:443
which will work in 3.4.
Re: ssl termination does not work
Posted by James Peach <jp...@apache.org>.
On Aug 6, 2013, at 4:54 PM, Reindl Harald <h....@thelounge.net> wrote:
> Hi
>
> anybody have an idea what's wrong here?
> see errors from "traffic.out" below
> trafficserver-3.2.5-3.fc19.20130803.rh.x86_64
>
> finally i want to play around with having apache only on 127.0.0.1
> without mod_ssl and trafficserver doing the ssl-termination, in
> the first step ip-based like httpd and if possible finally with
> SNI for more than one vhost, but i do not get the basics working
>
> Firefox:
> An error occurred during a connection to rhsoft.testserver.
> Cannot communicate securely with peer: no common encryption algorithm(s).
> (Error code: ssl_error_no_cypher_overlap)
> ________________________________________________
>
> CONFIG proxy.config.ssl.enabled INT 1
> CONFIG proxy.config.ssl.server_port INT 443
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 1
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.compression INT 0
> CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNUL
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.cert.filename STRING testserver.rhsoft.net.pem
> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl
> CONFIG proxy.config.ssl.server.private_key.filename STRING testserver.rhsoft.net.pem
> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl
https://cwiki.apache.org/confluence/display/TS/Upgrading+to+v3.2
records.config should be:
CONFIG proxy.config.http.server_ports ssl:443
Then in ssl_multicert.config:
ssl_cert_name=testserver.rhsoft.net.pem
Sorry about the misleading admin documentation, I'll try to update it for the 3.4 release ...
> ________________________________________________
>
> [Aug 7 01:49:01.962] Server {0x2aaab5e01700} ERROR: SSL ERROR: SSL_ServerHandShake.
> [Aug 7 01:49:01.962] Server {0x2aaab5e01700} ERROR: SSL::13:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
> [Aug 7 01:49:01.963] Server {0x2aaab5e01700} ERROR: SSL ERROR: SSL_ServerHandShake.
> [Aug 7 01:49:01.963] Server {0x2aaab5e01700} ERROR: SSL::13:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
> [Aug 7 01:49:01.985] Server {0x2aaab5f02700} ERROR: SSL ERROR: SSL_ServerHandShake.
> [Aug 7 01:49:01.985] Server {0x2aaab5f02700} ERROR: SSL::14:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
> [Aug 7 01:49:01.985] Server {0x2aaab5f02700} ERROR: SSL ERROR: SSL_ServerHandShake.
> [Aug 7 01:49:01.985] Server {0x2aaab5f02700} ERROR: SSL::14:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
> [Aug 7 01:49:03.487] Server {0x2aaab7100700} ERROR: SSL ERROR: SSL_ServerHandShake.
> [Aug 7 01:49:03.488] Server {0x2aaab7100700} ERROR: SSL::15:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
> [Aug 7 01:49:03.490] Server {0x2aaab7100700} ERROR: SSL ERROR: SSL_ServerHandShake.
> [Aug 7 01:49:03.490] Server {0x2aaab7100700} ERROR: SSL::15:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
> [Aug 7 01:49:03.491] Server {0x2aaab7201700} ERROR: SSL ERROR: SSL_ServerHandShake.
> [Aug 7 01:49:03.491] Server {0x2aaab7201700} ERROR: SSL::16:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
> [Aug 7 01:49:03.491] Server {0x2aaab7201700} ERROR: SSL ERROR: SSL_ServerHandShake.
> [Aug 7 01:49:03.491] Server {0x2aaab7201700} ERROR: SSL::16:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
>
>
Re: ssl termination does not work
Posted by Reindl Harald <h....@thelounge.net>.
On 07.08.2013 05:45, Leif Hedstrom wrote:
> On Aug 7, 2013, at 1:54 AM, Reindl Harald <h....@thelounge.net> wrote:
>
>> anybody have an idea what's wrong here?
>> see errors from "traffic.out" below
>> trafficserver-3.2.5-3.fc19.20130803.rh.x86_64
>>
>> finally i want to play around with having apache only on 127.0.0.1
>> without mod_ssl and trafficserver doing the ssl-termination, in
>> the first step ip-based like httpd and if possible finally with
>> SNI for more than one vhost, but i do not get the basics working
>>
>> Firefox:
>> An error occurred during a connection to rhsoft.testserver.
>> Cannot communicate securely with peer: no common encryption algorithm(s).
>> (Error code: ssl_error_no_cypher_overlap)
>
> I've typically seen these types of errors if no certificates are loaded.
and that is why i posted the config snippet i used, because
i am trying this for the first time, the documentation is
poor (cipher params) and there are several bug reports
stating this behavior without SNI, but they should be
fixed in the recent version
on the other hand the docs do not state how to configure ATS
for SNI, nor how to configure *different* domains with
different certificates and different IPs, aka ip-based vhosts
what i am trying to figure out is what config would be needed
if we decide sooner or later to put ATS in front of SSL websites,
and if it is possible to give the ATS machine the ip-addresses
of the sites in question and let it connect unencrypted to
the origin server, which would stay with a single IP from that
moment
BTW: the certificate has the same permissions as any other ATS config
> Maybe check your logs
there is nothing except the whining of read-only /etc
Re: ssl termination does not work
Posted by Leif Hedstrom <zw...@apache.org>.
On Aug 7, 2013, at 1:54 AM, Reindl Harald <h....@thelounge.net> wrote:
> Hi
>
> anybody have an idea what's wrong here?
> see errors from "traffic.out" below
> trafficserver-3.2.5-3.fc19.20130803.rh.x86_64
>
> finally i want to play around with having apache only on 127.0.0.1
> without mod_ssl and trafficserver doing the ssl-termination, in
> the first step ip-based like httpd and if possible finally with
> SNI for more than one vhost, but i do not get the basics working
>
> Firefox:
> An error occurred during a connection to rhsoft.testserver.
> Cannot communicate securely with peer: no common encryption algorithm(s).
> (Error code: ssl_error_no_cypher_overlap)
I've typically seen these types of errors if no certificates are loaded. Maybe check your logs, and/or run it with a Diags tracer of "ssl" (without quotes) and see if it can give you any details.
-- Leif