That was it! Thank you!
On Fri, Nov 2, 2018 at 2:05 PM Susan Hinrichs <shinr...@oath.com.invalid>
wrote:
> Do you have a dest_ip=* default line in your ssl_multicert.config file?
>
> Your query doesn't have the SNI set, so you need a default. Use the
> -servername option for s_client if you want to set the SNI.
>
> On Fri, Nov 2, 2018 at 3:50 PM Dk Jack <dnj0...@gmail.com> wrote:
>
> > Hi Alan,
> > Thanks for responding. I've pasted the output from openssl s_client. I
> > don't understand the error it's giving because I can see in the ATS
> loading
> > my certificate in the debug logs. I've prefixed the important lines in
> the
> > debug log with '=>'.
> >
> > Dk.
> >
> > ----------------------------------------------------------
> > > openssl s_client -host 10.3.27.19 -port 7453
> > CONNECTED(00000003)
> > 140260354160280:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> > alert handshake failure:s23_clnt.c:769:
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 7 bytes and written 305 bytes
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> > Protocol : TLSv1.2
> > Cipher : 0000
> > Session-ID:
> > Session-ID-ctx:
> > Master-Key:
> > Key-Arg : None
> > PSK identity: None
> > PSK identity hint: None
> > SRP username: None
> > Start Time: 1541190685
> > Timeout : 300 (sec)
> > Verify return code: 0 (ok)
> > ---
> >
> > ATS Config:
> >
> >
> ----------------------------------------------------------------------------------
> > CONFIG proxy.config.http.server_ports STRING 8080 7453:ssl
> > ...
> > CONFIG proxy.config.ssl.SSLv2 INT 0
> > CONFIG proxy.config.ssl.SSLv3 INT 1
> > CONFIG proxy.config.ssl.TLSv1 INT 1
> > CONFIG proxy.config.ssl.TLSv1_1 INT 1
> > CONFIG proxy.config.ssl.TLSv1_2 INT 1
> > CONFIG proxy.config.ssl.server.cipher_suite STRING
> > AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-
> >
> >
> SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-
> > CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> > CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> > CONFIG proxy.config.ssl.compression INT 0
> >
> >
> ----------------------------------------------------------------------------------
> >
> > root@5a09849699ac:/opt/trafficserver/bin# ./traffic_server -T ssl
> > traffic_server: using root directory '/opt/trafficserver'
> > [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG:
> <SSLSessionCache.cc:42
> > (SSLSessionCache)> (ssl.session_cache) Created new ssl session cache
> > 0x19de710 with 256 buckets each with size max size 400
> > [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304
> > (SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e4a50: using
> > session cache options, enabled=2, size=102400, num_buckets=256,
> > skip_on_contention=0, timeout=0, auto_clear=1
> > [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326
> > (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache
> with
> > ATS implementation
> > [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340
> > (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
> > [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532
> > (SSLInitServerContext)> (ssl) Using 'emadisonisland.crt' in hash for
> > session id context
> > [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1281
> > (SSLCheckServerCertNow)> (ssl) server certificate emadisonisland.crt
> passed
> > accessibility and date checks
> > [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808
> > (ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
> > => [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819
> > (ssl_store_ssl_context)> (ssl) importing SNI names from
> emadisonisland.crt
> > => [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1633
> > (ssl_index_certificate)> (ssl) mapping 'www.emadisonisland.com' to
> > certificate emadisonisland.crt
> > [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG:
> <SSLCertLookup.cc:380
> > (insert)> (ssl) indexed 'www.emadisonisland.com' with SSL_CTX 0x19e4a50
> > [0]
> > [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304
> > (SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e9be0: using
> > session cache options, enabled=2, size=102400, num_buckets=256,
> > skip_on_contention=0, timeout=0, auto_clear=1
> > [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326
> > (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache
> with
> > ATS implementation
> > [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340
> > (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
> > [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532
> > (SSLInitServerContext)> (ssl) Using '(null)' in hash for session id
> context
> > [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG:
> <SSLCertLookup.cc:380
> > (insert)> (ssl) indexed '*' with SSL_CTX 0x19e9be0 [1]
> > [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808
> > (ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
> > [Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819
> > (ssl_store_ssl_context)> (ssl) importing SNI names from (null)
> > [Nov 2 20:31:22.999] Server {0x7fad4b72e740} DEBUG:
> > <SSLNetProcessor.cc:100 (start)> (ssl) Disabling ET_SSL threads (config
> is
> > set to -1), using thread group ET_NET=0
> > [Nov 2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
> > <SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
> > protocol http/1.0
> > [Nov 2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
> > <SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
> > protocol http/1.1
> > [Nov 2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
> > <SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
> > protocol http/1.0
> > [Nov 2 20:31:25.986] Server {0x7fad44366700} DEBUG:
> > <SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl)
> > [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7fad4002b800
> > => [Nov 2 20:31:25.986] Server {0x7fad44366700} DEBUG:
> > <SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil)
> > for [10.3.28.146:39712] -> [172.19.0.2:7453], default context 0x19e9be0
> > [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> 16
> > ret: 1
> > [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> > 8193 ret: 1
> > [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:284
> > (set_context_cert)> (ssl) set_context_cert ssl=0x7facf4021100
> server=(null)
> > handshake_complete=0
> > [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:336
> > (set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x19e9be0
> for
> > requested name '(null)'
> > [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> > <SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks
> > sslHandshakeHookState=0
> > [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> > 16392 ret: 552
> > [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> > 8194 ret: -1
> > [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
> > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
> > 8194 ret: -1
> > => [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:2126
> > (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
> > ERR_get_error=336109761 (error:1408A0C1:SSL
> > routines:ssl3_get_client_hello:no shared cipher)
> > [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> > <SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
> > => [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> > <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl)
> > SSL::140382150485760:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
> > shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
> > [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> > <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL handshake
> > error: SSL_ERROR_SSL (1), errno=0
> > [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
> > <SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl)
> > SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
> > ^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)
> >
> >
> > On Fri, Nov 2, 2018 at 12:24 PM Alan Carroll
> > <solidwallofc...@oath.com.invalid> wrote:
> >
> > > I'd start with "openssl s_client" to get more debug information,
> followed
> > > possibly by a packet capture to be sure the user agent is connecting
> with
> > > TLS to a TLS enabled proxy port.
> > >
> > > On Fri, Nov 2, 2018 at 1:41 PM Dk Jack <dnj0...@gmail.com> wrote:
> > >
> > > > Hi,
> > > > I enabled SSL on my ATS and my ssl requests are failing with
> handshake
> > > > error. From the logs I can tell that it loaded my cert/key correct.
> > When
> > > I
> > > > started traffic server in debug mode (./traffic_server -T ssl), I am
> > > seeing
> > > > the following error
> > > >
> > > > SSL routines:ssl3_get_client_hello:no shared cipher
> > > >
> > > > My TLS config is shown below. My cert is a self signed signed cert.
> My
> > > ATS
> > > > version is 6.2.1. I'd appreciate any pointers on how to resolve this.
> > > > Thanks.
> > > >
> > > > Dk.
> > > >
> > > > CONFIG proxy.config.ssl.SSLv2 INT 0
> > > > CONFIG proxy.config.ssl.SSLv3 INT 1
> > > > CONFIG proxy.config.ssl.TLSv1 INT 1
> > > > CONFIG proxy.config.ssl.TLSv1_1 INT 1
> > > > CONFIG proxy.config.ssl.TLSv1_2 INT 1
> > > > CONFIG proxy.config.ssl.server.cipher_suite STRING
> > > >
> > > >
> > >
> >
> AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> > > > CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> > > > CONFIG proxy.config.ssl.compression INT 0
> > > >
> > > >
> > > > Debug logs:
> > > > [Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG:
> > > > <SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl)
> > > > [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7f8820072800
> > > > [Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is
> > (nil)
> > > > for [10.3.28.146:39678] -> [172.19.0.2:7453], default context
> > 0x2d82bc0
> > > > [Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG:
> <SSLUtils.cc:1671
> > > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100
> where:
> > > 16
> > > > ret: 1
> > > > [Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG:
> <SSLUtils.cc:1671
> > > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100
> where:
> > > > 8193 ret: 1
> > > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:1402 (select_next_protocol)> (ssl) selected
> ALPN
> > > > protocol http/1.1
> > > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:284
> > > > (set_context_cert)> (ssl) set_context_cert ssl=0x7f87d4021100
> > > server=(null)
> > > > handshake_complete=0
> > > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:336
> > > > (set_context_cert)> (ssl) ssl_cert_callback using SSL context
> 0x2d82bc0
> > > for
> > > > requested name '(null)'
> > > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks
> > > > sslHandshakeHookState=0
> > > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> <SSLUtils.cc:1671
> > > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100
> where:
> > > > 16392 ret: 552
> > > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> <SSLUtils.cc:1671
> > > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100
> where:
> > > > 8194 ret: -1
> > > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> <SSLUtils.cc:1671
> > > > (ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100
> where:
> > > > 8194 ret: -1
> > > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> <SSLUtils.cc:2126
> > > > (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
> > > > ERR_get_error=336109761 (error:1408A0C1:SSL
> > > > routines:ssl3_get_client_hello:no shared cipher)
> > > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl)
> trace=FALSE
> > > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl)
> > > > SSL::140222668416768:error:1408A0C1:SSL
> > routines:ssl3_get_client_hello:no
> > > > shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
> > > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL
> > handshake
> > > > error: SSL_ERROR_SSL (1), errno=0
> > > > [Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
> > > > <SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl)
> > > > SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
> > > > ^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)
> > > >
> > >
> > >
> > > --
> > > *Beware the fisherman who's casting out his line in to a dried up
> > > riverbed.*
> > > *Oh don't try to tell him 'cause he won't believe. Throw some bread to
> > the
> > > ducks instead.*
> > > *It's easier that way. *- Genesis : Duke : VI 25-28
> > >
> >
>
