RE: SSL handshake


RE: SSL handshake

Megan Wilhite

So I ran both of those openssl commands and they match up.

So I think I will try upgrading to 4.0.2. Is there any upgrade path from 3.2.0 to 4.0.2?

From: Igor Galić [mailto:[hidden email]]
Sent: Wednesday, October 23, 2013 12:33 PM
To: [hidden email]
Subject: Re: SSL handshake

 

Hi Megan,

first, and foremost: "My ATS version is 3.2.0", our current latest stable is 4.0.2, and we highly recommend upgrading to that version (we also appreciate reports about why you won't or cannot upgrade).

The reason curl is giving you these errors is because SSL isn't actually configured properly because:

"""ERROR: SSL ERROR: Cannot use server private key file: /usr/local/etc/trafficserver/domain2.key"""

These errors have been completely reworked in 4.x (I had to switch to the 3.2.x code to even find it), but generally it means we were unable to load the certificate, as you're not getting a permission error, and as the path exists the only explanation left is that the certificate and the key don't match up.

You can verify that with:

openssl x509 -in path-to-certificate -noout -modulus

vs

openssl rsa -in path-to-key -noout -modulus

One final remark: """dest_ip=ipaddressofdomain2:443 ssl_cert_name=domain2.cer ssl_key_name=domain2.key""", 443 is default, you can leave that out.

That's all from me,

so long,

i


I am trying to use SSL for both Client/Traffic Server and Traffic Server/Origin Server connections. Every time I try connecting with curl -vvv -k https://domain1.com or a web browser I get the message Success with a 502 error.

In the logs it states I get the following errors: ERROR: SSL::2:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:

Also when I restart ATS I get the following error in the logs:

ERROR: SSL ERROR: Cannot use server private key file: /usr/local/etc/trafficserver/domain2.key

I am certain I am using the right certificate and key for domain 2 and domain 1. And I am sure they are both validated. In fact I set up SSL on domain2 and tested from the ATS server with curl -vvv -k https://domain2.com and it works. I am using the same certificate and key from this server.

Did I set up something incorrectly?

 

Here are my remap.config file settings:

map http://domain1.com:80 http://domain2.com:80
map https://domain1.com:443 https://domain2.com:443

My ssl_multicert.config

dest_ip=ipaddressofdomain2:443 ssl_cert_name=domain2.cer ssl_key_name=domain2.key
dest_ip=ipaddressofdomain1:443 ssl_cert_name=domain1.cer ssl_key_name=domain1.key

My records.config

CONFIG proxy.config.ssl.enabled INT 1
CONFIG proxy.config.ssl.number.threads INT 0
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
CONFIG proxy.config.ssl.compression INT 1
CONFIG proxy.config.ssl.server_ports STRING ssl:443
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.cert_chain.filename STRING NULL
# CONFIG proxy.config.ssl.server.cert.filename
CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver
CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver
# CONFIG proxy.config.ssl.server.private_key.filename
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.CA.cert.path STRING etc/trafficserver
CONFIG proxy.config.ssl.client.verify.server INT 1
# CONFIG proxy.config.ssl.client.cert.filename STRING
CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver
# CONFIG proxy.config.ssl.client.private_key.filename STRING
CONFIG proxy.config.ssl.client.private_key.path STRING /usr/local/etc/trafficserver
CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.client.CA.cert.path STRING etc/trafficserver

Each of the certificates and keys has 644 permissions for the same user running traffic_manager/traffic_server.

My ATS version is 3.2.0

Any help with why I am getting these errors would be greatly appreciated.

Thanks,

Megan


--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: [hidden email]
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
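The certificate/key check Igor describes, as an added example that is not from the thread: a POSIX shell script that runs the same modulus comparison and also a public-key comparison that works for non-RSA keys (openssl rsa -modulus cannot read an EC key). The fixture file names domain2.cer, domain2.key and other.key are constructed by the script itself and are not the poster's files.

```shell
#!/bin/sh
# Added example (not from the thread): does a private key belong to a cert?
# rsa_modulus_match is the two-command check from the reply above (RSA only).
# pubkey_match generalizes it to any key type by hashing the DER public key.
set -eu

# SHA-256 of the DER-encoded public key embedded in a certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a private key.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# pubkey_match CERT KEY: succeeds only if the key matches the certificate.
pubkey_match() {
    c=$(cert_pubkey_digest "$1") || return 1
    k=$(key_pubkey_digest "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# rsa_modulus_match CERT KEY: the thread's "Modulus=" comparison, RSA only.
rsa_modulus_match() {
    c=$(openssl x509 -in "$1" -noout -modulus) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed fixtures for a self-test (names mimic the thread, files are
# freshly generated): a self-signed cert with its key, plus an unrelated key.
make_fixtures() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=domain2.example \
        -keyout "$d/domain2.key" -out "$d/domain2.cer" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" >/dev/null 2>&1
    echo "$d"
}

# Usage: sh certkey.sh /path/to/domain2.cer /path/to/domain2.key
if [ "$#" -eq 2 ]; then
    pubkey_match "$1" "$2" && echo "MATCH: $1 / $2" || { echo "MISMATCH: $1 / $2"; exit 1; }
fi
```

A non-zero exit from pubkey_match on the pair named in ssl_multicert.config is exactly the condition behind the "Cannot use server private key file" error discussed above.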


Re: SSL handshake

Igor Galić-2

Well! With 4.1.1 now real soon to be out, you could directly upgrade to that.


So long,

i



--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: [hidden email]
URL: http://brainsware.org/
GPG: 8716 7A9F 989B ABD5 100F  4008 F266 55D6 2998 1641