Do you have a dest_ip=* default line in your ssl_multicert.config file? Your query doesn't have the SNI set, so you need a default. Use the -servername option for s_client if you want to set the SNI.
On Fri, Nov 2, 2018 at 3:50 PM Dk Jack <dnj0...@gmail.com> wrote:

> Hi Alan,
> Thanks for responding. I've pasted the output from openssl s_client. I
> don't understand the error it's giving because I can see in the ATS loading
> my certificate in the debug logs. I've prefixed the important lines in the
> debug log with '=>'.
>
> Dk.
>
> ----------------------------------------------------------
>
> openssl s_client -host 10.3.27.19 -port 7453
> CONNECTED(00000003)
> 140260354160280:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1541190685
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
>
> ATS Config:
>
> ----------------------------------------------------------------------------------
> CONFIG proxy.config.http.server_ports STRING 8080 7453:ssl
> ...
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 1
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.server.cipher_suite STRING AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> CONFIG proxy.config.ssl.compression INT 0
>
> ----------------------------------------------------------------------------------
>
> root@5a09849699ac:/opt/trafficserver/bin# ./traffic_server -T ssl
> traffic_server: using root directory '/opt/trafficserver'
> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLSessionCache.cc:42 (SSLSessionCache)> (ssl.session_cache) Created new ssl session cache 0x19de710 with 256 buckets each with size max size 400
> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304 (SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e4a50: using session cache options, enabled=2, size=102400, num_buckets=256, skip_on_contention=0, timeout=0, auto_clear=1
> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326 (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS implementation
> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340 (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532 (SSLInitServerContext)> (ssl) Using 'emadisonisland.crt' in hash for session id context
> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1281 (SSLCheckServerCertNow)> (ssl) server certificate emadisonisland.crt passed accessibility and date checks
> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808 (ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
> => [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819 (ssl_store_ssl_context)> (ssl) importing SNI names from emadisonisland.crt
> => [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1633 (ssl_index_certificate)> (ssl) mapping 'www.emadisonisland.com' to certificate emadisonisland.crt
> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380 (insert)> (ssl) indexed 'www.emadisonisland.com' with SSL_CTX 0x19e4a50 [0]
> [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304 (SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e9be0: using session cache options, enabled=2, size=102400, num_buckets=256, skip_on_contention=0, timeout=0, auto_clear=1
> [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326 (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS implementation
> [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340 (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
> [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532 (SSLInitServerContext)> (ssl) Using '(null)' in hash for session id context
> [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380 (insert)> (ssl) indexed '*' with SSL_CTX 0x19e9be0 [1]
> [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808 (ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
> [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819 (ssl_store_ssl_context)> (ssl) importing SNI names from (null)
> [Nov 2 20:31:22.999] Server {0x7fad4b72e740} DEBUG: <SSLNetProcessor.cc:100 (start)> (ssl) Disabling ET_SSL threads (config is set to -1), using thread group ET_NET=0
> [Nov 2 20:31:23.007] Server {0x7fad4b72e740} DEBUG: <SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising protocol http/1.0
> [Nov 2 20:31:23.007] Server {0x7fad4b72e740} DEBUG: <SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising protocol http/1.1
> [Nov 2 20:31:23.007] Server {0x7fad4b72e740} DEBUG: <SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising protocol http/1.0
> [Nov 2 20:31:25.986] Server {0x7fad44366700} DEBUG: <SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl) [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7fad4002b800
> => [Nov 2 20:31:25.986] Server {0x7fad44366700} DEBUG: <SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil) for [10.3.28.146:39712] -> [172.19.0.2:7453], default context 0x19e9be0
> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where: 16 ret: 1
> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where: 8193 ret: 1
> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:284 (set_context_cert)> (ssl) set_context_cert ssl=0x7facf4021100 server=(null) handshake_complete=0
> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:336 (set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x19e9be0 for requested name '(null)'
> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks sslHandshakeHookState=0
> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where: 16392 ret: 552
> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where: 8194 ret: -1
> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where: 8194 ret: -1
> => [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:2126 (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1, ERR_get_error=336109761 (error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher)
> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
> => [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL::140382150485760:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_SSL (1), errno=0
> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl) SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
> ^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)
>
>
> On Fri, Nov 2, 2018 at 12:24 PM Alan Carroll
> <solidwallofc...@oath.com.invalid> wrote:
>
> > I'd start with "openssl s_client" to get more debug information, followed
> > possibly by a packet capture to be sure the user agent is connecting with
> > TLS to a TLS enabled proxy port.
> >
> > On Fri, Nov 2, 2018 at 1:41 PM Dk Jack <dnj0...@gmail.com> wrote:
> >
> > > Hi,
> > > I enabled SSL on my ATS and my ssl requests are failing with handshake
> > > error. From the logs I can tell that it loaded my cert/key correctly. When
> > > I started traffic server in debug mode (./traffic_server -T ssl), I am
> > > seeing the following error
> > >
> > > SSL routines:ssl3_get_client_hello:no shared cipher
> > >
> > > My TLS config is shown below. My cert is a self-signed cert. My ATS
> > > version is 6.2.1. I'd appreciate any pointers on how to resolve this.
> > > Thanks.
> > >
> > > Dk.
> > >
> > > CONFIG proxy.config.ssl.SSLv2 INT 0
> > > CONFIG proxy.config.ssl.SSLv3 INT 1
> > > CONFIG proxy.config.ssl.TLSv1 INT 1
> > > CONFIG proxy.config.ssl.TLSv1_1 INT 1
> > > CONFIG proxy.config.ssl.TLSv1_2 INT 1
> > > CONFIG proxy.config.ssl.server.cipher_suite STRING AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> > > CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> > > CONFIG proxy.config.ssl.compression INT 0
> > >
> > > Debug logs:
> > > [Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG: <SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl) [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7f8820072800
> > > [Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG: <SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil) for [10.3.28.146:39678] -> [172.19.0.2:7453], default context 0x2d82bc0
> > > [Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where: 16 ret: 1
> > > [Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where: 8193 ret: 1
> > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLNetVConnection.cc:1402 (select_next_protocol)> (ssl) selected ALPN protocol http/1.1
> > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:284 (set_context_cert)> (ssl) set_context_cert ssl=0x7f87d4021100 server=(null) handshake_complete=0
> > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:336 (set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x2d82bc0 for requested name '(null)'
> > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks sslHandshakeHookState=0
> > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where: 16392 ret: 552
> > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where: 8194 ret: -1
> > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671 (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where: 8194 ret: -1
> > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:2126 (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1, ERR_get_error=336109761 (error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher)
> > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
> > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL::140222668416768:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
> > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_SSL (1), errno=0
> > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl) SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
> > > ^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)
> > >
> >
> >
> > --
> > *Beware the fisherman who's casting out his line in to a dried up
> > riverbed.*
> > *Oh don't try to tell him 'cause he won't believe. Throw some bread to the
> > ducks instead.*
> > *It's easier that way. *- Genesis : Duke : VI 25-28
> >
>
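To make the diagnosis in this thread concrete, here is a small Python model of how the certificate context is chosen from ssl_multicert.config for an incoming ClientHello, with and without SNI. It is an added example for this thread, not code from the thread or from the Apache Traffic Server project. It assumes the config is lines of space-separated key=value pairs using the dest_ip, ssl_cert_name and ssl_key_name keys, and it substitutes a constructed CERT_NAMES table for the hostnames ATS would import from each certificate's CN and subjectAltName. The two config strings are constructed: one matches what the debug log above implies (a named certificate but no dest_ip=* entry, so the '*' context has no certificate), the other adds the default entry Alan asks about.

```python
"""Model of Apache Traffic Server certificate-context selection.

Added example, not code from the thread or from the ATS project.
Assumptions: ssl_multicert.config lines are space-separated key=value
pairs (dest_ip=, ssl_cert_name=, ssl_key_name=); the hostnames carried by
each certificate come from the constructed CERT_NAMES table instead of
being read out of a certificate file.
"""
import shlex
from typing import Dict, List, Optional

# Constructed stand-in for the names ATS imports from each certificate.
CERT_NAMES = {
    "emadisonisland.crt": ["www.emadisonisland.com"],
    "wild.crt": ["*.example.org"],
    "default.crt": ["default.example.invalid"],
}

# Constructed config matching the thread's log: no dest_ip=* line.
CONFIG_NO_DEFAULT = """\
# names are imported from the certificate itself
ssl_cert_name=emadisonisland.crt ssl_key_name=emadisonisland.key
"""

# Constructed corrected config with an explicit default entry.
CONFIG_WITH_DEFAULT = """\
ssl_cert_name=emadisonisland.crt ssl_key_name=emadisonisland.key
ssl_cert_name=wild.crt ssl_key_name=wild.key
dest_ip=* ssl_cert_name=default.crt ssl_key_name=default.key
"""


def parse_multicert(text: str) -> List[Dict[str, str]]:
    """Return one dict of key=value pairs per non-blank, non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        entry: Dict[str, str] = {}
        for token in shlex.split(line):
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"malformed token {token!r} in {raw!r}")
            entry[key] = value
        if "ssl_cert_name" not in entry:
            raise ValueError(f"entry without ssl_cert_name: {raw!r}")
        entries.append(entry)
    return entries


def build_index(entries: List[Dict[str, str]]) -> Dict[str, str]:
    """Map lookup keys (hostnames, or '*' for the default) to cert files,
    mirroring the "indexed '<name>' with SSL_CTX" lines in the debug log."""
    index: Dict[str, str] = {}
    for entry in entries:
        cert = entry["ssl_cert_name"]
        if entry.get("dest_ip") == "*":
            index["*"] = cert          # the default context
            continue
        for name in CERT_NAMES.get(cert, []):
            index.setdefault(name, cert)
    return index


def _wildcard_match(pattern: str, host: str) -> bool:
    """'*.example.org' matches exactly one extra leading label."""
    return (pattern.startswith("*.")
            and host.endswith(pattern[1:])
            and host.count(".") == pattern.count("."))


def select_cert(index: Dict[str, str], sni: Optional[str]) -> Optional[str]:
    """Pick the certificate for a ClientHello.

    With SNI: exact name, then single-label wildcard, then the default.
    Without SNI (the s_client run in the thread sent none): default only.
    None means the server has nothing to present, which with an RSA-only
    cipher list surfaces as 'no shared cipher' in the server log.
    """
    if sni:
        if sni in index:
            return index[sni]
        for pattern, cert in index.items():
            if _wildcard_match(pattern, sni):
                return cert
    return index.get("*")


def check_default(text: str) -> List[str]:
    """Config lint: report when no dest_ip=* entry provides a default."""
    index = build_index(parse_multicert(text))
    if "*" not in index:
        return ["no dest_ip=* entry: connections without SNI, or with an "
                "unlisted name, get no certificate"]
    return []


if __name__ == "__main__":
    for label, cfg in (("no default", CONFIG_NO_DEFAULT),
                       ("with default", CONFIG_WITH_DEFAULT)):
        idx = build_index(parse_multicert(cfg))
        print(label, "-> no SNI:", select_cert(idx, None),
              "| lint:", check_default(cfg) or "ok")
```

Running it with the first config reproduces the situation in the log: a ClientHello without SNI resolves to no certificate, while `www.emadisonisland.com` resolves fine, which is why `openssl s_client` with `-servername www.emadisonisland.com` would be expected to complete the handshake where the plain `-host`/`-port` run does not. The second config gives every lookup a certificate to fall back on.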