Hi,
I am trying to set up TS with a self-signed certificate as a forwarding proxy which
should terminate all SSL connections to origin servers and then, if necessary,
act as an SSL client to the origin server.
I created the cert with openssl and also imported it in Firefox.
When I try with openssl as client I get the following output:
CONNECTED(00000003)
depth=0 CN = ssst.fritz.box
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = ssst.fritz.box
verify return:1
---
Certificate chain
0 s:/CN=ssst.fritz.box
i:/CN=ssst.fritz.box
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=ssst.fritz.box
issuer=/CN=ssst.fritz.box
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2236 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7BB8424C6E8024BD53629BA955FD8F6D7EBFBE9D93F1F04D7714DF807AF37396
Session-ID-ctx:
Master-Key:
2BEC5E965363094EEAF067E098EE817654AC8653040A4A0321F140642C395DC43E72FB3C9FED44E9F65397ECC0D10B60
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 0f 05 62 e6 0d 6b 7e d0-c4 12 a8 72 1a 4d 13 e7 ..b..k~....r.M..
0010 - 77 6c 20 32 42 96 d3 49-4e cc 29 ca a9 e8 95 ef wl 2B..IN.).....
0020 - 13 69 6f 31 63 74 f4 1f-c6 62 54 11 5a a9 ff 62 .io1ct...bT.Z..b
0030 - 5c b1 d3 9f 3e 9f 16 e5-0b 25 c8 e4 de 6c 00 fd \...>....%...l..
0040 - 79 c4 07 c3 4b b8 8d cd-de c7 dc a9 b6 c7 ce 06 y...K...........
0050 - a3 1f 39 3d b2 9b ab 39-2d da 4d f5 bc b8 96 aa ..9=...9-.M.....
0060 - 52 d0 67 34 84 5b b9 c0-1c 0d d3 4d 6a 97 33 ac R.g4.[.....Mj.3.
0070 - aa 9f 73 ef 0a c4 41 87-0c 43 98 48 4c f6 e7 5a ..s...A..C.HL..Z
0080 - 77 ff 3c 8e 8b 61 3b 8f-59 cc fa fb 13 73 68 14 w.<..a;.Y....sh.
0090 - f7 89 fa b2 6f 9d fb e6-d5 12 5e a2 11 bd a8 04 ....o.....^.....
00a0 - 61 4a ad 11 e5 49 7b 17-a7 a5 a5 a8 a2 61 a4 d1 aJ...I{......a..
00b0 - b6 6d ba 7c 0a 9f 9e 96-bf e7 94 34 33 d1 71 96 .m.|.......43.q.
Start Time: 1550971360
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
But when I try to open any website in Firefox I get the error "Secure Connection
Failed".
At the same time TS writes the following debug output:
[Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:997
(sslStartHandShake)> (ssl) IP context is (nil) for [192.168.1.47:61867] ->
[192.168.1.58:8080], default context 0x1042710
[Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:1105
(sslServerHandShakeEvent)> (ssl) Initialize preaccept curHook from NULL
[Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:1139
(sslServerHandShakeEvent)> (ssl) Go on with the handshake state=2
[Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:1146
(sslServerHandShakeEvent)> (ssl) 0x7fc9b001f460 first read
[Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:445
(read_raw_data)> (ssl) 0x7fc9b001f460 read r=213 total=4096 bio=213
[Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLUtils.cc:1510
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7fc9f802ee80 where: 16 ret:
1 State: before/accept initialization
[Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLUtils.cc:1510
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7fc9f802ee80 where: 8193
ret: 1 State: before/accept initialization
[Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLUtils.cc:1510
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7fc9f802ee80 where: 8194
ret: -1 State: SSLv2/v3 read client hello A
[Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLUtils.cc:2352 (SSLAccept)>
(ssl.error.accept) SSL accept returned -1, ssl_error=1, ERR_get_error=336027803
(error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request)
[Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:1213
(sslServerHandShakeEvent)> (ssl-diag) SSL::140505604474624:error:1407609B:SSL
routines:SSL23_GET_CLIENT_HELLO:https proxy request:s23_srvr.c:397: peer
address is 192.168.1.47
[Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:1213
(sslServerHandShakeEvent)> (ssl-diag) SSL handshake error: SSL_ERROR_SSL (1),
errno=0
[Feb 24 02:25:03.773] {0x7fca02a4c700} DEBUG: <SSLNetVConnection.cc:1339
(sslServerHandShakeEvent)> (ssl-diag)
SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
[Feb 24 02:25:03.775] {0x7fca026a9700} DEBUG: <SSLNextProtocolAccept.cc:127
(mainEvent)> (ssl) [SSLNextProtocolAccept:mainEvent] event 202 netvc
0x7fc9b001f460
The cipher config in records.config is the default config:
CONFIG proxy.config.ssl.server.cipher_suite STRING
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
In ssl_multicert.config I have only this line:
dest_ip=* ssl_cert_name=cert.pem ssl_key_name=key.pem
Would be great if anyone could point me in the right direction on how to solve or
analyse this further.
PS: I first tried it not with a self-signed cert but with a cert from an mkcert
CA (https://github.com/FiloSottile/mkcert), but I get a segfault immediately
after startup with the PEMs from mkcert:
[alexander.rabenstein@SSST ats]$ ./bin/traffic_server start
Traffic Server 8.0.2 Feb 18 2019 13:06:18 SSST.fritz.box
traffic_server: using root directory '/opt/ats'
[Feb 24 02:28:27.003] {0x7fcf22f1f880} DEBUG: <DNS.cc:1778 (ink_dns_init)>
(dns) ink_dns_init: called with init_called = 0
[Feb 24 02:28:27.013] {0x7fcf22f1f880} DEBUG: <DNS.cc:284 (dns_init)> (dns)
localhost=SSST.fritz.box
[Feb 24 02:28:27.013] {0x7fcf22f1f880} DEBUG: <DNS.cc:285 (dns_init)> (dns)
Round-robin nameservers = 1
[Feb 24 02:28:27.014] {0x7fcf1c820700} DEBUG: <DNS.cc:539 (startEvent)> (dns)
DNSHandler::startEvent: on thread 0
[Feb 24 02:28:27.014] {0x7fcf1c820700} DEBUG: <DNS.cc:484 (open_con)> (dns)
open_con: opening connection 192.168.1.1:53
[Feb 24 02:28:27.014] {0x7fcf1c820700} DEBUG: <DNSConnection.cc:159 (connect)>
(dns) random port = 0.0.0.0:34498
[Feb 24 02:28:27.014] {0x7fcf1c820700} DEBUG: <DNS.cc:512 (open_con)> (dns)
opening connection 192.168.1.1:53 SUCCEEDED for 0
[Feb 24 02:28:27.014] {0x7fcf1c820700} DEBUG: <DNS.cc:562 (startEvent)>
(dns_pas) opened connection to 192.168.1.1:53, n_con = 1
[Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:933
(SSLInitializeLibrary)> (ssl) FIPS_mode: 0
[Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLConfig.cc:433 (freeCTXmap)>
(ssl) freeing CTX Map
[Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLSessionCache.cc:40
(SSLSessionCache)> (ssl.session_cache) Created new ssl session cache 0x267e200
with 256 buckets each with size max size 400
[Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:2145
(SSLParseCertificateConfiguration)> (ssl) currently parsing dest_ip
[Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:1598
(SSLInitServerContext)> (ssl.session_cache) ssl context=0x2684710: using
session cache options, enabled=2, size=102400, num_buckets=256,
skip_on_contention=0, timeout=0, auto_clear=1
[Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:1620
(SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS
implementation
[Feb 24 02:28:27.018] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:1634
(SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
[Feb 24 02:28:27.023] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:1806
(SSLInitServerContext)> (ssl) Using 'ssst.fritz.box.pem' in hash for session id
context
[Feb 24 02:28:27.023] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:1891
(SSLInitServerContext)> (ssl) SSL OCSP Stapling is disabled
[Feb 24 02:28:27.023] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:1425
(SSLCheckServerCertNow)> (ssl) server certificate ssst.fritz.box.pem passed
accessibility and date checks
[Feb 24 02:28:27.023] {0x7fcf22f1f880} DEBUG: <SSLCertLookup.cc:181
(ticket_block_create)> (ssl) Create 1 ticket key blocks
[Feb 24 02:28:27.024] {0x7fcf22f1f880} DEBUG: <SSLCertLookup.cc:429 (insert)>
(ssl) indexed '*' with SSL_CTX 0x2684710 [0]
[Feb 24 02:28:27.024] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:2002
(ssl_store_ssl_context)> (ssl) SSL OCSP Stapling is disabled
[Feb 24 02:28:27.024] {0x7fcf22f1f880} DEBUG: <SSLUtils.cc:2013
(ssl_store_ssl_context)> (ssl) importing SNI names from ssst.fritz.box.pem
[Feb 24 02:28:27.025] {0x2ba0907dab00} NOTE: crashlog started, target=38026,
debug=false syslog=true, uid=1000 euid=1000
[Feb 24 02:28:27.025] {0x2ba0907dab00} WARNING: failed to intialize management
API: [5] Error establishing socket connection.
[Feb 24 02:28:27.025] {0x2ba0907dab00} NOTE: logging to 0x1087a40
[Feb 24 02:28:27.025] {0x2ba0907dab00} ERROR: wrote crash log to
/opt/ats/var/log/trafficserver/crash-2019-02-24-022827.log
traffic_server: received signal 11 (Segmentation fault)
traffic_server - STACK TRACE:
./bin/traffic_server(_Z19crash_logger_invokeiP9siginfo_tPv+0x8e)[0x49971e]
/lib64/libpthread.so.0(+0xf5d0)[0x7fcf211335d0]
/lib64/libc.so.6(+0x13e01a)[0x7fcf2047201a]
./bin/traffic_server[0x6f8c3c]
./bin/traffic_server(_Z32SSLParseCertificateConfigurationPK15SSLConfigParamsP13SSLCertLookup+0xaaa)[0x6f9e7a]
./bin/traffic_server(_ZN20SSLCertificateConfig11reconfigureEv+0x5a)[0x6cfaca]
./bin/traffic_server(_ZN20SSLCertificateConfig7startupEv+0xfe)[0x6cfdbe]
./bin/traffic_server(_ZN15SSLNetProcessor5startEim+0x26)[0x6d8896]
./bin/traffic_server(main+0x1921)[0x48b0c1]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fcf203563d5]
./bin/traffic_server[0x49472a]
Segmentation fault (core dumped)
Would be nice to know if somebody can reproduce this.
Kind regards
Alexander Rabenstein
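An added example to help read the "https proxy request" line in the debug output above; it is not code from the post or from Traffic Server. OpenSSL's legacy SSL23 server code (s23_srvr.c) inspects the first bytes a client sends before committing to a TLS handshake, and raises SSL_R_HTTPS_PROXY_REQUEST ("https proxy request") when those bytes are a plaintext "CONNECT" rather than a ClientHello. The script below implements that same first-bytes classification, plus a small ClientHello parser that pulls out the offered version, cipher suites and SNI, so the two kinds of client traffic can be told apart on a captured or peeked-at connection. The CONNECT request and the ClientHello bytes are constructed inline (the host name ssst.fritz.box is taken from the post; the request text and cipher list are assumptions), and `peek_and_classify` is a hypothetical helper for looking at a live accepted socket without consuming its data.

```python
import socket
import struct

# Plaintext prefixes that OpenSSL's s23 server code checks for before it tries to
# parse a ClientHello. A browser that has been told "use host:port as an HTTP proxy"
# sends CONNECT in the clear when the user opens an https:// URL; OpenSSL reports
# that as SSL_R_HTTPS_PROXY_REQUEST ("https proxy request").
HTTP_PREFIXES = (
    (b"CONNECT ", "https proxy request (plaintext CONNECT)"),
    (b"GET ", "http request (plaintext GET)"),
    (b"POST ", "http request (plaintext POST)"),
    (b"HEAD ", "http request (plaintext HEAD)"),
)


def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes of a connection the way a TLS server would see them."""
    for prefix, label in HTTP_PREFIXES:
        if data.startswith(prefix):
            return label
    # TLS record: content type 0x16 (handshake), major version 3, then a
    # handshake message of type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls client hello"
    # SSLv2-style record (high bit set on the length) carrying CLIENT-HELLO (0x01).
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-compatible client hello"
    return "unknown"


def _need(buf: bytes, pos: int, n: int) -> None:
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")


def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record holding a ClientHello; return version, ciphers and SNI."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not start with a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    _need(hello, 0, 35)
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                  # client_version + random
    pos += 1 + hello[pos]                         # legacy session id
    _need(hello, pos, 2)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    _need(hello, pos, cs_len)
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    _need(hello, pos, 1)
    pos += 1 + hello[pos]                         # compression methods
    sni = None
    if pos + 2 <= len(hello):                     # extensions are optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:   # server_name, host_name
                nlen = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + nlen].decode("ascii", "replace")
    return {"client_version": client_version, "ciphers": ciphers, "sni": sni}


def build_client_hello(sni: str, ciphers=(0xC02C, 0xC030)) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (sample input)."""
    name = sni.encode("ascii")
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    hello = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", 2 * len(ciphers))
             + b"".join(struct.pack("!H", c) for c in ciphers)
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def peek_and_classify(sock: socket.socket, nbytes: int = 16) -> str:
    """Hypothetical helper: look at an accepted socket without consuming its bytes."""
    return classify_first_bytes(sock.recv(nbytes, socket.MSG_PEEK))


if __name__ == "__main__":
    # Constructed samples: a browser's CONNECT to an HTTP proxy, and what
    # `openssl s_client -connect ssst.fritz.box:8080` would send instead.
    browser = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
    s_client = build_client_hello("ssst.fritz.box")
    for sample in (browser, s_client):
        print(classify_first_bytes(sample))
    print(parse_client_hello(s_client))
```

Run against a live listener, `peek_and_classify` can be called on the socket returned by `accept()` before handing it to a TLS library; on a capture, feed the first TCP payload to `classify_first_bytes`. A "plaintext CONNECT" result on a port the server treats as TLS means the client and the listener disagree about whether that port speaks TLS at all, which is a different problem from any certificate or cipher-suite mismatch.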