Discussion:
Certificate mimicking/spoofing in ATS
vishu_54
6 years ago
Hi all,
I am new to Apache Traffic Server. I am trying to configure ATS as a forward proxy and wanted to do SSL termination on both ends - client/traffic server and traffic server/origin server connections.

It is mentioned in the documentation that when SSL termination is enabled on both ends, "then Traffic Server re-encrypts the content and sends it to the client via HTTPS, where it is decrypted and displayed." How does ATS handle getting the reply back to the client? Does it mimic the server certificate and communicate with the client pretending to be the origin server with respect to the client?

Secondly, does Traffic Server allow mentioning a client certificate from a self-signed CA in records.config/ssl_multicert.config?
--
Sent from: http://apache-traffic-server.24303.n7.nabble.com/
Alan Carroll
6 years ago
Currently you would need to manually install certificates on the ATS box
that match the upstream destinations. This works well for reverse proxy but
is somewhat problematic in the forward case. There is an experimental
plugin, "plugins/experimental/certifier" in the ATS 9.0 release which
should be able to do this. It should compile and run on ATS 7.x or ATS 8.x.
You would still need to create your own root certificate and install that
on the user agents.
...
--
*Beware the fisherman who's casting out his line in to a dried up riverbed.*
*Oh don't try to tell him 'cause he won't believe. Throw some bread to the
ducks instead.*
*It's easier that way. *- Genesis : Duke : VI 25-28
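What Alan describes, as an added example that is not part of this thread or of ATS's own code: the proxy operator's private root CA, a leaf certificate minted for the requested upstream name (the step the certifier plugin automates), and the client-side chain check that accepts that leaf only where the root has been installed. It assumes openssl on PATH with its default config; the hostname vip.test-proxy.com is borrowed from the curl test further down the thread, and all files live in a temporary directory.

```bash
# Added example; not from the thread or the ATS project. Assumes openssl is on PATH
# and a default openssl.cnf is installed (needed by "openssl req").
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Proxy operator's private root CA: the certificate that has to be installed on
# every user agent that will be sent through the intercepting forward proxy.
make_root_ca() {            # $1 = file stem, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Per-upstream leaf certificate signed by that root: CN and SAN match the
# requested hostname. This is the step the certifier plugin automates.
mint_leaf() {               # $1 = upstream hostname
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" >"$WORK/$1.ext"
  openssl x509 -req -days 7 -in "$WORK/$1.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Client-side check: does the leaf chain to the given trust anchor and name
# the host it was presented for? Echoes "trusted" or "untrusted".
verify_leaf() {             # $1 = expected hostname, $2 = CA file the client trusts
  if openssl verify -CAfile "$2" -verify_hostname "$1" "$WORK/$1.crt" 2>/dev/null \
     | grep -q ': OK$'
  then echo trusted; else echo untrusted; fi
}

make_root_ca root  "Example Proxy Root CA"
make_root_ca other "Unrelated Root CA"    # a root the client never installed
mint_leaf vip.test-proxy.com              # hostname taken from the thread's curl test

# Same leaf, two trust stores: accepted only where the proxy's root is present.
echo "proxy root installed:     $(verify_leaf vip.test-proxy.com "$WORK/root.crt")"
echo "proxy root not installed: $(verify_leaf vip.test-proxy.com "$WORK/other.crt")"

# Even with the right root, a leaf minted for another name is rejected.
cp "$WORK/vip.test-proxy.com.crt" "$WORK/wrong.example.crt"
echo "hostname mismatch:        $(verify_leaf wrong.example "$WORK/root.crt")"
```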
vishu_54
6 years ago
Hi Alan,
Thank you for hinting on the certifier plugin. However, I have some issues
configuring it. I doubt if I am missing anything in configuration for it to
work fully.
HTTP works fine with the following config. HTTPS fails with a crash. I have
attached the log file and stack trace details.

/plugin.config/
/usr/local/libexec/trafficserver/certifier.so --sign-cert etc/trafficserver/certs/my-selfsigned.crt --sign-key /etc/trafficserver/private/my-selfsigned.key

/records.config/
changed the following lines from default config

CONFIG proxy.config.http.server_ports STRING 3129 3130:ssl
CONFIG proxy.config.reverse_proxy.enabled INT 0
CONFIG proxy.config.url_remap.remap_required INT 0

CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/certs
CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver/private

CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*|ssl.*

/ssl_multicert.config/
dest_ip=* ssl_cert_name=my-selfsigned.crt ssl_key_name=my-selfsigned.key

/diags.log/

[Sep 4 14:51:37.140] Server {0x2aaaaaafa300} STATUS: opened /usr/local/var/log/trafficserver/diags.log
[Sep 4 14:51:37.140] Server {0x2aaaaaafa300} NOTE: updated diags config
[Sep 4 14:51:37.142] Server {0x2aaaaaafa300} NOTE: cache clustering disabled
[Sep 4 14:51:37.147] Server {0x2aaaaaafa300} NOTE: ip_allow.config updated, reloading
[Sep 4 14:51:37.151] Server {0x2aaaaaafa300} NOTE: cache clustering disabled
[Sep 4 14:51:37.152] Server {0x2aaaaaafa300} NOTE: logging initialized[3], logging_mode = 3
*[Sep 4 14:51:37.152] Server {0x2aaaaaafa300} NOTE: loading plugin '/usr/local/libexec/trafficserver/certifier.so'*
[Sep 4 14:51:37.154] Server {0x2aaaaaafa300} NOTE: loading SSL certificate configuration from /usr/local/etc/trafficserver/ssl_multicert.config
[Sep 4 14:51:37.154] Server {0x2aaaaaafa300} NOTE: ssl_multicert.config done reloading!
[Sep 4 14:51:37.161] Server {0x2aaaaaafa300} NOTE: traffic server running
[Sep 4 14:51:37.215] Server {0x2aaab239a700} NOTE: cache enabled


My client request:
curl -vvv https://vip.test-proxy.com/ --insecure
* Hostname was NOT found in DNS cache
* Trying 10.239.141.25...
* Connected to vip.test-proxy.com (10.239.141.25) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to vip.test-proxy.com:443
* Closing connection 0
lookup: 0.004
connect: 0.005
appconnect: 0.000
pretransfer: 0.000
redirect: 0.000
starttransfer: 0.000
total: 0.093
remote_ip: 10.239.141.25
curl: (35) Unknown SSL protocol error in connection to vip.test-proxy.com:443

traffic.zip
<http://apache-traffic-server.24303.n7.nabble.com/file/t382/traffic.zip>