Re: ssl handshake failure

2018-11-04 Thread Dk Jack
Thanks Pushkar. I had a config error in my multi cert config file. I was missing ‘dest_ip=*’ Dk. > On Nov 2, 2018, at 11:53 AM, Pushkar Pradhan > wrote: > > Is your client sending a TLSv1.2 handshake? Maybe it's a lower version or > non TLS. > >> On Fri, Nov 2, 2018 at 11:41 AM Dk Jack wro

Re: ssl handshake failure

2018-11-04 Thread Pushkar Pradhan
Is your client sending a TLSv1.2 handshake? Maybe it's a lower version or non TLS. On Fri, Nov 2, 2018 at 11:41 AM Dk Jack wrote: > Hi, > I enabled SSL on my ATS and my ssl requests are failing with handshake > error. From the logs I can tell that it loaded my cert/key correct. When I > started

Re: ssl handshake failure

2018-11-02 Thread Dk Jack
That was it! Thank you! On Fri, Nov 2, 2018 at 2:05 PM Susan Hinrichs wrote: > Do you have a dest_ip=* default line in your ssl_multicert.config file? > > Your query doesn't have the SNI set, so you need a default. Use the > -servername option for s_client if you want to set the SNI. > > On Fr

Re: ssl handshake failure

2018-11-02 Thread Susan Hinrichs
Do you have a dest_ip=* default line in your ssl_multicert.config file? Your query doesn't have the SNI set, so you need a default. Use the -servername option for s_client if you want to set the SNI. On Fri, Nov 2, 2018 at 3:50 PM Dk Jack wrote: > Hi Alan, > Thanks for responding. I've pasted
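The selection rule Susan describes above (SNI first, otherwise the entry for the destination address, otherwise the `dest_ip=*` default) can be checked offline. The following Python is an added example, not code from the thread or from Apache Traffic Server: it parses an `ssl_multicert.config`, lints it for the missing default entry, and models which certificate a handshake would get with and without SNI. The real lookup inside ATS reads the names out of each certificate file; here the names each certificate covers (`CERT_NAMES`), the sample config and the addresses are constructed for the example.

```python
"""Added example; not code from the thread or from Apache Traffic Server.

Models how a certificate is chosen from ssl_multicert.config for an
incoming TLS handshake and lints the file for the dest_ip=* default that
the thread identifies as the missing piece.  The real lookup is inside ATS
and matches SNI against the names carried in each certificate file; here
the names a certificate covers are supplied by hand (an assumption).
"""
import shlex
from typing import Dict, List, Optional

Entry = Dict[str, str]

# Constructed sample file: one IP-bound certificate, one name-only
# certificate and no catch-all entry.
SAMPLE_CONFIG = """
# constructed sample, not a real deployment
dest_ip=192.0.2.10 ssl_cert_name=api.pem ssl_key_name=api.key
ssl_cert_name=www.pem ssl_key_name=www.key
"""

# Constructed stand-in for the CN/SAN names ATS reads out of each cert file.
CERT_NAMES: Dict[str, List[str]] = {
    "api.pem": ["api.example.com"],
    "www.pem": ["www.example.com", "*.example.com"],
}


def parse_multicert(text: str) -> List[Entry]:
    """Parse 'key=value key=value' lines; '#' starts a comment."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        attrs: Entry = {}
        for token in shlex.split(line):
            key, sep, value = token.partition("=")
            if not sep or not key:
                raise ValueError(f"line {lineno}: expected key=value, got {token!r}")
            attrs[key] = value
        if "ssl_cert_name" not in attrs:
            raise ValueError(f"line {lineno}: entry has no ssl_cert_name")
        entries.append(attrs)
    return entries


def has_default(entries: List[Entry]) -> bool:
    """True when some entry is the catch-all (dest_ip=*)."""
    return any(e.get("dest_ip") == "*" for e in entries)


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host


def select_cert(entries: List[Entry], dest_ip: str, sni: Optional[str] = None,
                cert_names: Dict[str, List[str]] = CERT_NAMES) -> Optional[str]:
    """Return the ssl_cert_name that would be served, or None.

    Order modelled here: a certificate covering the SNI name, then an entry
    bound to the connection's destination IP, then the dest_ip=* default.
    None is the thread's symptom: no SNI, no IP match, no default, so the
    handshake fails.
    """
    if sni:
        for e in entries:
            if any(name_matches(n, sni) for n in cert_names.get(e["ssl_cert_name"], [])):
                return e["ssl_cert_name"]
    for e in entries:
        if e.get("dest_ip") == dest_ip:
            return e["ssl_cert_name"]
    for e in entries:
        if e.get("dest_ip") == "*":
            return e["ssl_cert_name"]
    return None


if __name__ == "__main__":
    entries = parse_multicert(SAMPLE_CONFIG)
    # 'openssl s_client -connect 192.0.2.20:443' sends no SNI ...
    print("no SNI, no default:", select_cert(entries, "192.0.2.20"))
    # ... while '-servername www.example.com' does.
    print("with SNI:", select_cert(entries, "192.0.2.20", sni="www.example.com"))
    if not has_default(entries):
        print("lint: add 'dest_ip=* ssl_cert_name=... ssl_key_name=...'")
```

Run it against a real `ssl_multicert.config` by passing the file contents to `parse_multicert` and a hand-made name map; `has_default` returning False is the condition the thread hit, and `select_cert` with `sni=None` reproduces what a bare `openssl s_client -connect host:443` would get.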

Re: ssl handshake failure

2018-11-02 Thread Dk Jack
Hi Alan, Thanks for responding. I've pasted the output from openssl s_client. I don't understand the error it's giving because I can see in the ATS loading my certificate in the debug logs. I've prefixed the important lines in the debug log with '=>'. Dk. -

Re: ssl handshake failure

2018-11-02 Thread Alan Carroll
I'd start with "openssl s_client" to get more debug information, followed possibly by a packet capture to be sure the user agent is connecting with TLS to a TLS enabled proxy port. On Fri, Nov 2, 2018 at 1:41 PM Dk Jack wrote: > Hi, > I enabled SSL on my ATS and my ssl requests are failing with

Re: ssl session cache timeout

2018-10-10 Thread Dk Jack
Thanks Susan! On Wed, Oct 10, 2018 at 7:50 AM Susan Hinrichs wrote: > Digging through the ATS and the openssl code, the > proxy.config.ssl.session_cache.timeout always has effect regardless of > whether we are using the openssl cache (proxy.config.ssl.session_cache == > 1) or the Traffic Server ca

Re: ssl session cache timeout

2018-10-10 Thread Susan Hinrichs
Digging through the ATS and the openssl code, the proxy.config.ssl.session_cache.timeout always has effect regardless of whether we are using the openssl cache (proxy.config.ssl.session_cache == 1) or the Traffic Server cache (proxy.config.ssl.session_cache == 2). In either case SSL_CTX_set_timeout

Re: ssl conn and http

2017-11-07 Thread Dk Jack
All, I've created a PR to address issue #2380 (Missing ssl session close hook) and #2388 (Ability to add contextual data on (Net)VConnections). Would appreciate a review. The PR includes API documentation as well for #2388 and hence would appreciate a review for the documentation as well.

Re: ssl conn and http

2017-10-09 Thread Dk Jack
Never mind, I figured out the issue. Please ignore... thanks. On Mon, Oct 9, 2017 at 5:13 PM, Dk Jack wrote: > Alan, > I've been working on the issues we discussed. I have most of it working. > I've added two things: > > - Allow plugins to add user data to conn. > bool TSVConnSetUserData(TSVC

Re: ssl conn and http

2017-10-09 Thread Dk Jack
Alan, I've been working on the issues we discussed. I have most of it working. I've added two things: - Allow plugins to add user data to conn. bool TSVConnSetUserData(TSVConn connp, const char* name, void* data); void* TSVConnGetUserData(TSVConn connp, const char* name); Did not bother wit

Re: ssl conn and http

2017-09-27 Thread Alan Carroll
I don't think I'd do it for TLS_CLOSE, but VCONN_CLOSE would likely be worth it. There's an issue on that, linked from the issue I mentioned above. It's about the same thing - plugin wants to attach data during TLS handshake for later retrieval at the HTTP level that can be cleaned up if something

Re: ssl conn and http

2017-09-27 Thread Dk Jack
Yeah, I was thinking along similar lines... Do you think, it'd be a worth while effort to add a ssl-close event hook? On Wed, Sep 27, 2017 at 1:31 PM, Alan Carroll < solidwallofc...@oath.com.invalid> wrote: > I'd probably put a time stamp in and update it during the hook processing. > If you wai

Re: ssl conn and http

2017-09-27 Thread Alan Carroll
I'd probably put a time stamp in and update it during the hook processing. If you waited 5 minutes or so before clearing, that should be enough. If it's been 5 minutes since the last activity the connection should be dead, unless you're shipping big files. Or, alternatively, in READ_REQUEST_HDR_HO
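The plugin-maintained table with a last-activity stamp that Alan sketches above, as an added example that is not plugin code from the thread or from ATS: entries are keyed by a connection handle, every hook visit refreshes the stamp, and a periodic sweep drops entries idle longer than a threshold, which is the fallback for the case where no close hook ever fires. The 300 s default follows the message's suggestion and is an assumption about real traffic; the injectable clock and the integer connection ids are conveniences for the example.

```python
"""Added example; not plugin code from the thread.

A plugin-side table that keeps per-connection data keyed by a connection
handle, stamps the entry on every hook visit, and evicts entries that have
been idle longer than a threshold.  The sweep is the fallback discussed
above for the case where no close hook tells the plugin the connection is
gone.  The 300 s default follows the suggestion in the message and is an
assumption about real traffic; the injectable clock exists so the eviction
logic can be exercised without waiting.
"""
import time
from typing import Any, Callable, Dict, List, Optional


class VConnTable:
    """Per-connection key/value store with idle-time eviction."""

    def __init__(self, idle_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._idle = idle_seconds
        self._clock = clock
        # vconn id -> {"seen": last activity, "data": {name: value}}
        self._rows: Dict[int, Dict[str, Any]] = {}

    def _now(self, now: Optional[float]) -> float:
        return self._clock() if now is None else now

    def set(self, vconn_id: int, name: str, value: Any,
            now: Optional[float] = None) -> None:
        """Attach data during e.g. a TLS handshake hook; refreshes the stamp."""
        row = self._rows.setdefault(vconn_id, {"seen": 0.0, "data": {}})
        row["data"][name] = value
        row["seen"] = self._now(now)

    def get(self, vconn_id: int, name: str,
            now: Optional[float] = None) -> Optional[Any]:
        """Read data back in a later HTTP hook; a hit refreshes the stamp."""
        row = self._rows.get(vconn_id)
        if row is None:
            return None
        row["seen"] = self._now(now)
        return row["data"].get(name)

    def close(self, vconn_id: int) -> bool:
        """Explicit cleanup when a close hook is available; True if removed."""
        return self._rows.pop(vconn_id, None) is not None

    def sweep(self, now: Optional[float] = None) -> List[int]:
        """Drop every entry idle for at least idle_seconds; returns the ids."""
        t = self._now(now)
        stale = [vid for vid, row in self._rows.items()
                 if t - row["seen"] >= self._idle]
        for vid in stale:
            del self._rows[vid]
        return stale

    def __len__(self) -> int:
        return len(self._rows)


if __name__ == "__main__":
    table = VConnTable(idle_seconds=300)
    table.set(1, "client_cn", "alice", now=0)      # set in a TLS hook
    print(table.get(1, "client_cn", now=100))      # read in an HTTP hook
    print(table.sweep(now=500))                    # [1]: idle for 400 s
```

In a real plugin the sweep would run from a periodic continuation and the key would be whatever handle the TLS and HTTP hooks share; the eviction threshold should exceed the longest legitimate gap between hook visits on one connection (large transfers, as the message notes), or live data will be dropped.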

Re: ssl conn and http

2017-09-27 Thread Dk Jack
I did try to see if there was an openssl hook that gets invoked when the connection is closed. However, I couldn't find one. I guess it doesn't make sense to have one from openssl perspective since connection close is always initiated by the application. What I need is a i.e a callback from SS

Re: ssl conn and http

2017-09-27 Thread Alan Carroll
Unfortunately I don't know of a reliable way to do clean up, which is one reason I would think of a plugin maintained table which at least has the possibility of cleanup. This does point out a problem with the mentioned issue - if that is done there must be some reliable way to clean it up. I'm no

Re: ssl conn and http

2017-09-26 Thread Dk Jack
Hi Alan, Thanks for the response. After looking at the code a bit more, I figured I can do something like this: TSHttpHookAdd(TS_EVENT_VCONN_PRE_ACCEPT, pre_accept_cb); pre_accept_callback(TSCont /*contp*/, TSEvent /*event*/, void *edata) { TSVConn ssl_vc = reinterpret_cast<TSVConn>(edata); Connecti

Re: ssl conn and http

2017-09-26 Thread Alan Carroll
This is a known problem, see https://github.com/apache/trafficserver/issues/2388 . The point of that feature request is to be able to store data on the TSNetVConn (which you have in the SSL hook) and then retrieve it later in an HTTP hook (from which you can get to the same TSNetVConn). Currently I

Re: SSL decryption in forward proxy mode

2016-04-13 Thread Karthik Sivaraman
Thanks Susan. Karthik On 3/30/16, 6:44 AM, "Susan Hinrichs" wrote: >Yes, you can decrypt and proxy SSL traffic in forward mode. Typically >(always?) this is done in transparent mode. > >http://trafficserver.readthedocs.org/en/latest/admin-guide/configuration/transparent-forward-proxying.en.

Re: ssl

2016-04-13 Thread Dnj
Thanks Susan, I'll check that out. > On Apr 13, 2016, at 6:35 AM, Susan Hinrichs > wrote: > > I'm assuming you are referring to the handshake between ATS and the user > agent. You can set a call back before the server certificate is selected. > > TSHttpHookAdd(TS_SSL_CERT_HOOK, cb_cert); >

Re: ssl

2016-04-13 Thread Susan Hinrichs
I'm assuming you are referring to the handshake between ATS and the user agent. You can set a call back before the server certificate is selected. TSHttpHookAdd(TS_SSL_CERT_HOOK, cb_cert); There are several example plugins and the basic elements are documented in the API docs. Here is the or

Re: SSL decryption in forward proxy mode

2016-03-30 Thread Susan Hinrichs
Yes, you can decrypt and proxy SSL traffic in forward mode. Typically (always?) this is done in transparent mode. http://trafficserver.readthedocs.org/en/latest/admin-guide/configuration/transparent-forward-proxying.en.html You need to do the same termination of the SSL connection on the ATS bo

Re: SSL issues since last summit

2015-11-10 Thread Bryan Call
The main round of benchmarking for SSL was done in Q1 and Q2 of this year to determine what our hardware requirements would be for a hardware refresh. The benchmarking was done on modern hardware, for our standards, and with the latest Cavium card at the time. I can pull up my numbers at the Summ

Re: SSL issues since last summit

2015-11-10 Thread Susan Hinrichs
I have a slide to talk about alternative SSL implementations (boringssl, s2n, and libressl). I know that Bryan has done some analysis on the bottlenecks of the openssl implementation as we use it. At a minimum we can launch into a discussion based on his and others performance analysis experi

Re: SSL issues since last summit

2015-11-10 Thread Miles Libbey
I'd think it would be interesting to talk about SSL performance. As I (probably don't) understand it, OpenSSL's TLS significantly impairs several aspects of ATS's performance. Is there anything we can do about that? Would alternative TLS implementations (amazon's s2n; boringssl, anything else?)

Re: SSL issues since last summit

2015-11-10 Thread Susan Hinrichs
Thanks Steven, I added a slide to talk about your issues with scaling. Susan On 11/10/2015 11:34 AM, Steven R. Feltner wrote: Susan... I don't know if this is what you are looking for, but here is a list of SSL issues I have been working with: - Memory consumption reading lots of SSL certs.

RE: SSL issues since last summit

2015-11-10 Thread Steven R. Feltner
Susan... I don't know if this is what you are looking for, but here is a list of SSL issues I have been working with: - Memory consumption reading lots of SSL certs. I compiled a separate openssl-1.0.2d package compiled in /usr/lib64/trafficserver/openssl so it doesn’t mess with other package

Re: SSL issues since last summit

2015-11-09 Thread Bryan Call
I wouldn't call it a requirement for blacklisting ciphers and more of a suggestion because of the "MAY" usage. However, it is a good feature to have. Appendix A . TLS 1.2 Cipher Suite Black List An HTTP/2 implementation MAY treat the negotiation
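A practical way to act on the Appendix A list Bryan quotes is to audit the configured cipher string before enabling HTTP/2. The following Python is an added example, not ATS code: it applies the rule the appendix states (a TLS 1.2 suite is listed when it lacks an ephemeral key exchange or uses a null, stream or block cipher rather than an AEAD) to both IANA-style and OpenSSL-style suite names, and checks that the suite RFC 7540 requires every deployment to support is present. Treating anonymous DH as listed and TLS 1.3 suites as out of scope are choices made here; the sample cipher string is constructed.

```python
"""Added example; not ATS code.

Classifies a TLS 1.2 cipher suite against the HTTP/2 black-list rule quoted
above (RFC 7540, Appendix A): a suite is listed when it lacks an ephemeral
key exchange or uses a null, stream or block cipher rather than an AEAD.
Both IANA names (TLS_ECDHE_RSA_WITH_...) and OpenSSL-style names
(ECDHE-RSA-...) are accepted.  Treating anonymous DH as listed and TLS 1.3
suites as out of scope are choices made here, not statements from the thread.
"""
import re
from typing import Dict, Iterable, List, Set

# RFC 7540 section 9.2.2: a TLS 1.2 deployment must support this suite.
MANDATORY_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}      # EDH: OpenSSL's older DHE spelling
AEAD_TOKENS = {"GCM", "CCM", "CHACHA20"}
NOISE_TOKENS = {"TLS", "WITH"}
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


def _tokens(suite: str) -> List[str]:
    return [t for t in re.split(r"[-_]", suite.strip().upper()) if t]


def canonical(suite: str) -> str:
    """Format-independent key: 'ECDHE-RSA-AES128-GCM-SHA256' and
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' map to the same string."""
    return "".join(t for t in _tokens(suite) if t not in NOISE_TOKENS)


def is_tls13_suite(suite: str) -> bool:
    return suite.strip().upper().startswith(TLS13_PREFIXES)


def is_h2_blacklisted(suite: str) -> bool:
    """True if an HTTP/2 peer may reject the suite (RFC 7540 Appendix A)."""
    if is_tls13_suite(suite):
        return False                      # the rule is scoped to TLS 1.2 suites
    toks: Set[str] = set(_tokens(suite))
    ephemeral = bool(toks & EPHEMERAL_KX)  # DH_anon has no DHE token: listed
    aead = bool(toks & AEAD_TOKENS)        # null/stream/CBC suites lack these
    return not (ephemeral and aead)


def audit_cipher_list(suites: Iterable[str]) -> Dict[str, object]:
    """Check a configured list (e.g. proxy.config.ssl.server.cipher_suite)."""
    suites = list(suites)
    return {
        "blacklisted": [s for s in suites if is_h2_blacklisted(s)],
        "mandatory_present": canonical(MANDATORY_SUITE) in {canonical(s) for s in suites},
    }


if __name__ == "__main__":
    # Constructed cipher string in OpenSSL format, not a recommended setting.
    configured = "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES128-SHA"
    print(audit_cipher_list(configured.split(":")))
```

Feed it the colon-separated cipher string from the proxy's configuration; anything returned under `blacklisted` is a suite an HTTP/2 client is permitted to refuse, and `mandatory_present` being False means the one suite the RFC makes mandatory has been configured away.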

Re: SSL issues since last summit

2015-11-09 Thread Leif Hedstrom
> On Nov 9, 2015, at 11:46 AM, Susan Hinrichs > wrote: > > Hi All, > > I'm organizing a discussion of SSL issues in ATS since we last met. Please > let me know if you have been working on SSL issues that you feel should be > discussed. One thing that’s indirectly SSL related is more contro

Re: SSL Session Plugin API proposal

2015-06-12 Thread Susan Hinrichs
Updated the pull request. On 6/11/2015 1:57 PM, Susan Hinrichs wrote: Replies inline On 6/11/2015 12:28 PM, James Peach wrote: On Jun 11, 2015, at 8:09 AM, Susan Hinrichs wrote: James, thanks for the comments. I had some old references and as you noted did not discuss how memory is tracke

Re: SSL Session Plugin API proposal

2015-06-11 Thread Susan Hinrichs
Replies inline On 6/11/2015 12:28 PM, James Peach wrote: On Jun 11, 2015, at 8:09 AM, Susan Hinrichs wrote: James, thanks for the comments. I had some old references and as you noted did not discuss how memory is tracked through the API's. Thanks Susan. I actually find it pretty difficult

Re: SSL Session Plugin API proposal

2015-06-11 Thread James Peach
> On Jun 11, 2015, at 8:09 AM, Susan Hinrichs > wrote: > > James, thanks for the comments. I had some old references and as you noted > did not discuss how memory is tracked through the API's. Thanks Susan. I actually find it pretty difficult to review API changes from documentation. It wou

Re: SSL Session Plugin API proposal

2015-06-11 Thread Susan Hinrichs
James, thanks for the comments. I had some old references and as you noted did not discuss how memory is tracked through the API's. I've updated the document http://network-geographics.com/ats/docs/ssl-session-api.en.html On my branch, I have a very simple example plugin which exercises the

Re: SSL Session Plugin API proposal

2015-06-10 Thread James Peach
> On Jun 10, 2015, at 3:24 PM, Susan Hinrichs > wrote: > > I haven't heard anything about this. We did discuss it at the Austin Summit. > There was general agreement to the idea. I've updated the document to > reflect what I have implemented. I will create a pull request with the code >

Re: SSL Session Plugin API proposal

2015-06-10 Thread Susan Hinrichs
I haven't heard anything about this. We did discuss it at the Austin Summit. There was general agreement to the idea. I've updated the document to reflect what I have implemented. I will create a pull request with the code changes later this evening. The details of the API are at http://ne

Re: SSL hook ordering

2015-03-24 Thread Leif Hedstrom
> On Mar 23, 2015, at 4:15 PM, Susan Hinrichs > wrote: > > I don't have an issue with the re-arrangement. Such a re-arrangement will > require plugins to be recompiled. Is that something we try to avoid until > major releases? Certainly can't break it within a major release. And we sho

Re: SSL hook ordering

2015-03-23 Thread James Peach
> On Mar 23, 2015, at 12:48 PM, Brian Geffon wrote: > > Hi, > When looking at apidefs ( > https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;a=blob;f=lib/ts/apidefs.h.in;h=329adf27f9d0fc3fc677c21d5be38e39456dab73;hb=HEAD#l291) > the SSL hooks appear to be at the end of the hook list. Wh

Re: SSL hook ordering

2015-03-23 Thread Susan Hinrichs
I don't have an issue with the re-arrangement. Such a re-arrangement will require plugins to be recompiled. Is that something we try to avoid until major releases? Alternatively, we could insert additional pseudo enums like we currently have for last to mark ranges of hooks. On 3/23/2015

Re: SSL support extensions - design review request

2014-08-20 Thread James Peach
On Aug 19, 2014, at 12:46 PM, Susan Hinrichs wrote: > James, > > Thanks for the feedback. I think Alan already addressed most of the issues. > Here are my comments on the remaining items. > > >> >> Why do TSSslCertFindByName() and TSSslCertFindByAddress() take a TSSslVConn >> argument? >

Re: SSL support extensions - design review request

2014-08-20 Thread James Peach
On Aug 19, 2014, at 10:13 AM, Alan M. Carroll wrote: > James, > > I can answer a few of these. > >> Thanks for the docs, this looks very promising. When you are ready to submit >> patches, this will need API review >> . > >

Re: SSL support extensions - design review request

2014-08-20 Thread James Peach
On Aug 20, 2014, at 5:33 AM, Igor Galić wrote: > > > - Original Message - >> James, >> >> Thanks for the feedback. I think Alan already addressed most of the >> issues. Here are my comments on the remaining items. >> >> >>> >>> Why do TSSslCertFindByName() and TSSslCertFindByAddre

Re: SSL support extensions - design review request

2014-08-20 Thread Alan M. Carroll
Igor, >> I'm using the TSSslVConn to cache a pointer to the global cert table >> (loaded from ssl_multicert.config). Since in theory the >> ssl_multicert.config could be reloaded at any point, we acquire() a copy > does this mean we would now support reloading of the ssl config w/o restart? No.

Re: SSL support extensions - design review request

2014-08-20 Thread Igor Galić
- Original Message - > James, > > Thanks for the feedback. I think Alan already addressed most of the > issues. Here are my comments on the remaining items. > > > > > > Why do TSSslCertFindByName() and TSSslCertFindByAddress() take a TSSslVConn > > argument? > > I'm using the TSSslV

Re: SSL support extensions - design review request

2014-08-19 Thread Susan Hinrichs
Updated documents and code to add default hook op and remove the TSSslVConn argument from the FindBy functions. On 8/19/2014 2:46 PM, Susan Hinrichs wrote: James, Thanks for the feedback. I think Alan already addressed most of the issues. Here are my comments on the remaining items. Wh

Re: SSL support extensions - design review request

2014-08-19 Thread Susan Hinrichs
James, Thanks for the feedback. I think Alan already addressed most of the issues. Here are my comments on the remaining items. Why do TSSslCertFindByName() and TSSslCertFindByAddress() take a TSSslVConn argument? I'm using the TSSslVConn to cache a pointer to the global cert table (l

Re: SSL support extensions - design review request

2014-08-19 Thread Alan M. Carroll
James, I can answer a few of these. > Thanks for the docs, this looks very promising. When you are ready to submit > patches, this will need API review > . Actually, Susan forgot to mention that you can review the code at https

Re: SSL support extensions - design review request

2014-08-19 Thread James Peach
On Aug 19, 2014, at 7:50 AM, Susan Hinrichs wrote: > Good morning, all. > > I've been working on implementing the SSL plugin extensions described in > TS-3006. Documentation is at > http://network-geographics.com/ats/docs/ssl-api.en.html. The features have > been implemented, and I am in t

Re: SSL Termination in Forward proxy mode.

2013-12-11 Thread James Peach
On Dec 11, 2013, at 9:49 AM, Vikram wrote: > Thanks Alan. It does look like I have to jump through a few hoops to get this > working. > > I might actually go have a look at the code to see why this is not possible > out of the box with ATS. Seems like a useful feature to have. Squid does this

Re: SSL Termination in Forward proxy mode.

2013-12-11 Thread Vikram
Thanks Alan. It does look like I have to jump through a few hoops to get this working. I might actually go have a look at the code to see why this is not possible out of the box with ATS. Seems like a useful feature to have. Squid does this through SslBump I believe. I am new to the ATS code, s

Re: SSL Termination in Forward proxy mode.

2013-12-11 Thread Vikram
> >On Wednesday, December 11, 2013 10:32 AM, Alan M. Carroll > wrote: > > >Because that requires dynamically generating certificates which is a >non-trivial task. I have done some work to extend the SSL support to make this >easier in ATS but I haven't had time recently to write it up for t

Re: SSL Termination in Forward proxy mode.

2013-12-10 Thread Vikram
Hi Alan, Thanks for the info. Yeah, configuring ATS to remap URLs from HTTP to HTTPS could work. Is it possible to do this only on a particular port? So I would then have a port which does not remap, and a port which does, in essence simulating my use case. So is it possible to write a remap rule

RE: ssl with transparent proxy

2012-06-18 Thread Jacov Koren
Thank you. -Original Message- From: Leif Hedstrom [mailto:zw...@apache.org] Sent: Sunday, June 17, 2012 9:32 PM To: us...@trafficserver.apache.org Cc: Jacov Koren; dev@trafficserver.apache.org Subject: Re: ssl with transparent proxy On 6/17/12 7:15 AM, Jacov Koren wrote: > > I a

Re: ssl with transparent proxy

2012-06-17 Thread Leif Hedstrom
On 6/17/12 7:15 AM, Jacov Koren wrote: I am just trying to understand how ssl connection can take place when using transparent proxy. Do I need to intercept the traffic with iptables just like I did for port 80 ? Do I need to configure something else in records.config? It's pretty urgent