The post_handshake_auth is not wired into ATS yet. Please file an issue and/or put up a PR.
Susan

On Fri, Dec 11, 2020 at 12:54 AM <[email protected]> wrote:
> Yes, of course I have.
>
> CONFIG proxy.config.ssl.client.cert.path STRING /etc/ssl/certs/
> CONFIG proxy.config.ssl.client.cert.filename STRING xxx.pem
>
> CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/ssl/certs/
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING xxx_CA.pem
>
> Question is if ATS is able to send verify_client_post_handshake as an extension
> in the TLS Client Hello.
> Conversely, if ATS does not send the "post_handshake_auth" extension, then
> according to RFC 8446 <https://tools.ietf.org/html/rfc8446>:
>
> The "post_handshake_auth" extension is used to indicate that a client
> is willing to perform post-handshake authentication (Section 4.6.2
> <https://tools.ietf.org/html/rfc8446#section-4.6.2>).
> Servers MUST NOT send a post-handshake CertificateRequest to clients
> which do not offer this extension. Servers MUST NOT send this extension.
>
>
> On Thu, Dec 10, 2020 at 5:48 PM Susan Hinrichs <[email protected]> wrote:
>
>> Sounds like the origin is requesting a client certificate which ATS is
>> not providing.
>>
>> Do you have your ATS configured to specify a client certificate if the
>> origin requests one? This can be configured by the records.config setting
>> proxy.config.ssl.client.cert.filename (and related). These settings can also
>> be overridden on a per-remap basis by using conf_remap.so.
>>
>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?#proxy-config-ssl-client-cert-filename
>>
>> On Thu, Dec 10, 2020 at 7:17 AM <[email protected]> wrote:
>>
>>> Hi,
>>> I found an explanation of how Wireshark presents TLSv1.3 and it seems my
>>> configuration is OK and TLSv1.3 is used.
>>>
>>> However I have another problem with the origin server.
>>> It sends me back "403 Forbidden" because of:
>>>
>>> SSL Library Error: error:14268117:SSL
>>> routines:SSL_verify_client_post_handshake:extension not received
>>>
>>> As I understand, ATS does not send the "verify_client_post_handshake"
>>> extension in the Client Hello.
>>>
>>> Is it possible to configure this somehow?
>>>
>>> Thanks
>>> Peter
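The question in this thread is whether the proxy's ClientHello carries the post_handshake_auth extension (type 49 in RFC 8446 section 4.2). As an added example that is not code from ATS or from anyone in the thread, here is a small offline parser that answers that for a captured TLS record; the `build_client_hello` helper only constructs a minimal test input and is not a real capture.

```python
import struct

POST_HANDSHAKE_AUTH = 49  # extension type number from RFC 8446, section 4.2


def parse_client_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: data} for the extensions in one TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                      # legacy_version + random
    sid_len = hello[pos]; pos += 1 + sid_len          # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    comp_len = hello[pos]; pos += 1 + comp_len        # legacy_compression_methods
    exts = {}
    if pos == len(hello):
        return exts                                   # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        exts[etype] = hello[pos:pos + elen]; pos += elen
    return exts


def offers_post_handshake_auth(record: bytes) -> bool:
    """True if the client offered post_handshake_auth, i.e. the origin may send a post-handshake CertificateRequest."""
    return POST_HANDSHAKE_AUTH in parse_client_hello_extensions(record)


def build_client_hello(extensions) -> bytes:
    """Constructed minimal ClientHello (test input only) carrying the given (type, data) extensions."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (b"\x03\x03" + b"\x00" * 32                  # legacy_version, all-zero random (test only)
             + b"\x00"                                   # empty legacy_session_id
             + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                               # compression methods: null only
             + struct.pack("!H", len(ext_body)) + ext_body)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello  # handshake type ClientHello + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feed `offers_post_handshake_auth` the raw bytes of the first record the proxy sends to the origin (for example from a pcap) to see whether the OpenSSL error on the origin side is explained by a missing extension 49.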
