Just fyi - a similar issue from the mailing archives.
http://mail-archives.apache.org/mod_mbox/trafficserver-users/201503.mbox/%[email protected]%3E
From: Dave Thompson <[email protected]>
To: "[email protected]" <[email protected]>
Sent: Tuesday, May 5, 2015 6:55 AM
Subject: Re: Traffic server and ssl termination
Jiri,
This is a client initiated behavior issue. If you want your client to SSL
terminate at ATS, it needs to send an SSL client-hello rather than a CONNECT as
the first message. If you are using curl, a --proxy to an SSL site will do
a CONNECT rather than SSL terminate. If in doubt, a tcpdump/wireshark can be
used to confirm what the client is sending. Perhaps your test browser is
configured to proxy tunnel as well.
Dave
On Tuesday, May 5, 2015 6:02 AM, Jiří Podhorský <[email protected]>
wrote:
Hello,
I'm trying to configure traffic server with ssl termination
https://docs.trafficserver.apache.org/en/latest/admin/security-options.en.html
But ssl termination doesn't work with browsers, wget or curl, because the first
request is CONNECT, which is not expected on the ssl port and creates this log:
SSLv3, TLS handshake, Client hello (1):
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Closing connection #0
(the plain http CONNECT request is taken as the Client hello message of ssl).
I didn't find a way to redirect this message to a non-ssl port or deny
it.
I tried to find some configuration or patch, but I didn't find any
workarounds for this issue.
Can you help me?
Thanks.
Jiri
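
The check Dave suggests doing with tcpdump/wireshark, as an added example that is not part of the original thread: it classifies the first bytes a client sends to the TLS port as a TLS ClientHello or a plaintext CONNECT. The function names and sample byte strings are assumptions constructed for illustration.

```python
import struct

# Constructed samples (not captured traffic): first bytes a client might send.
SAMPLE_CONNECT = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                  b"Host: www.example.com:443\r\n\r\n")
# TLS record header (handshake, TLS 1.0 record version, length 46) followed by
# a handshake header (ClientHello, length 42). The body is zero padding; only
# the two headers are meaningful here.
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301002e" "0100002a" "0303") + b"\x00" * 40
SAMPLE_GET = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"PATCH")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-client-hello', 'http-connect', 'http-plain',
    'incomplete' or 'unknown' for the first bytes of a connection."""
    if len(data) < 6:
        return "incomplete"
    # TLS record header: content type (1), version (2), length (2).
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if rec_type == 0x16 and major == 0x03 and minor <= 0x04 and 0 < rec_len <= 16384:
        # First byte of the record body is the handshake type; 0x01 = ClientHello.
        return "tls-client-hello" if data[5] == 0x01 else "unknown"
    method = data.partition(b" ")[0]
    if method == b"CONNECT":
        return "http-connect"   # client is asking for a proxy tunnel
    if method in HTTP_METHODS:
        return "http-plain"     # cleartext HTTP sent to the TLS port
    return "unknown"


def connect_target(data: bytes):
    """Return the host:port a CONNECT request asks to tunnel to, else None."""
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] == b"CONNECT":
        return parts[1].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    for name, blob in (("connect", SAMPLE_CONNECT),
                       ("client hello", SAMPLE_CLIENT_HELLO),
                       ("get", SAMPLE_GET)):
        print(name, "->", classify_first_bytes(blob), connect_target(blob))
```

A result of http-connect on the TLS port means the client is configured to use the server as a forward proxy rather than terminating SSL there.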