Apologies for using the wrong email list. It's Monday and autocomplete got the better of me.
—Eric

> On Apr 30, 2018, at 9:51 AM, Eric Friedrich (efriedri) <efrie...@cisco.com> wrote:
>
> Someone else may find this useful, so I thought I would share.
>
>
> Configuring TLS Client Authentication in Traffic Control (Experimental Testing Procedure)
> =========
> Note: Trafficserver does not currently allow per-Delivery Service (per-remap) configuration of client authentication. The below instructions will enable client authentication for all HTTPS services on a given profile/cache.
>
> 1) In TrafficOps, configure the Edge cache "Profile" to turn on client authentication. Set the following parameters:
>   - name: CONFIG proxy.config.ssl.client.certification_level
>   - file: records.config
>   - value: INT 2
>   Screenshot: https://cisco.box.com/s/lxtlfbfrbpnaa17cnp4dddj2p0wwzril
>
>   - name: CONFIG proxy.config.ssl.CA.cert.filename
>   - file: records.config
>   - value: STRING etc/trafficserver/ssl/ca.crt
>   Screenshot: https://cisco.box.com/s/hq7vubwd9z0k1g8705eaagbvdg0aokjc
>   See below for instructions on generating the Certificate Authority (CA), Certificate and private key.
>
>   You can add the CA file via TrafficOps, but it's a painful process. Please see the screenshot. If you wish to skip this step, you can scp the file directly to the cache (/opt/trafficserver/etc/trafficserver/ssl/client_ca.crt)
>   Screenshot: https://cisco.box.com/s/849imlapxj1e30zi6y63a8fwd31swv21
>   (Now that I know what a take and bake is, I think I was better off before. Configuring a whole SSL Cert in here is pretty painful, but thanks to Jeff for the help on this step)
>
>
> 2) Queue and run ORT on caches to get updated settings
>
> 3) Verify by making a curl request
>   $ curl -k --cert ~/client_auth/client.crt --key ~/client_auth/client.key -v https://edge-cache-1.cdn.cisco.com/test.m3u8
>
>   On success, you will receive the content.
>
>   On failure, you will see something like:
>   [cloud-user trafficserver]$ curl -k -v https://edge-cache-1.cdn.cisco.com/test.m3u8
>   * About to connect() to localhost port 443 (#0)
>   *   Trying ::1...
>   * Connected to localhost (::1) port 443 (#0)
>   * Initializing NSS with certpath: sql:/etc/pki/nssdb
>   * skipping SSL peer certificate verification
>   * NSS: client certificate not found (nickname not specified)
>   * NSS error -12227 (SSL_ERROR_HANDSHAKE_FAILURE_ALERT)
>   * SSL peer was unable to negotiate an acceptable set of security parameters.
>   * Closing connection 0
>   curl: (35) NSS: client certificate not found (nickname not specified)
>
>
> Generating a Certificate Authority and Client Certificate (optional)
> =========
> 1) Create the Certificate Authority Key
>   $ openssl genrsa -out client_ca.key 2048
>
> 2) Generate the Certificate Authority Cert
>   $ openssl req -new -x509 -key ./client_ca.key -out client_ca.crt
>
> 3) Generate the Client Key and Certificate Signing Request
>   $ openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr
>
> 4) Use the Certificate Authority to sign the client certificate signing request
>   $ openssl x509 -req -in ./client.csr -CA ./client_ca.crt -CAkey ./client_ca.key -CAcreateserial -out client.crt
>
> 5) The client_ca.crt file is copied to the Trafficserver. The client (curl) is given client.crt and client.key
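As an added example (not part of the original mail; CA/client names and the $WORK directory are assumptions): the openssl CA and client-cert steps from the quoted procedure as a script, followed by an `openssl verify` check that shows which presented certificates chain to the CA the cache is given, which is the decision certification_level=2 makes at the TLS handshake, so you can confirm the pair before touching the Profile.

```shell
#!/bin/sh
# Added example, not from the original mail: rebuild the CA and client cert
# with the same openssl commands as the procedure, then check the result the
# way the cache will (does the client cert chain to the configured CA?).
# Names and $WORK are assumptions; the cache's real CA path in the mail is
# /opt/trafficserver/etc/trafficserver/ssl/client_ca.crt.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: CA key and self-signed CA cert (genrsa + req -x509)
make_ca() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/$1.key" -subj "/CN=$1" -days 365 \
        -out "$WORK/$1.crt" 2>/dev/null
}

# make_client NAME CA: client key + CSR, then sign the CSR with CA
make_client() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
        -CAkey "$WORK/$2.key" -CAcreateserial -days 365 \
        -out "$WORK/$1.crt" 2>/dev/null
}

# verify_client CERT CA: "accepted" if CERT chains to CA, else "rejected";
# this is the check certification_level=2 applies to a presented cert.
verify_client() {
    if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

# records.config lines that the two Profile parameters in the mail become
records_config_lines() {
    echo 'CONFIG proxy.config.ssl.client.certification_level INT 2'
    echo 'CONFIG proxy.config.ssl.CA.cert.filename STRING etc/trafficserver/ssl/ca.crt'
}

make_ca client_ca              # the CA handed to the cache
make_ca other_ca               # a second CA the cache is not given
make_client client client_ca   # the cert curl will present
make_client rogue other_ca     # a cert issued by the untrusted CA
echo "client signed by client_ca: $(verify_client client client_ca)"  # accepted
echo "rogue signed by other_ca:   $(verify_client rogue client_ca)"   # rejected
records_config_lines
```

A cert that prints "rejected" here will produce the handshake-failure alert shown in the quoted curl output once the cache has the new records.config.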