Discussion:
SSL for trafficserver
$ubbu
2017-06-30 12:19:04 UTC
Permalink
Hi,

We are using Apache Traffic Server for caching HTTP sites for quite a
long time; recently we had to cache HTTPS sites.

I took reference of
https://docs.trafficserver.apache.org/en/latest/admin-guide/security/index.en.html

But I was unable to work it out.

I have a few questions:

1. My origin server has a CA-signed wildcard certificate, so what kind of
certificate should I install on Traffic Server (e.g. self-signed or
CA-signed), and what are the steps to install the certificate?

2. What format of certificate works (.pem, .crt or .pfx)?

3. I have one more link:
http://www.quobell.nl/blog/apache-traffic-server-ats-as-reverse-proxy-for-outsystems/

I tried it with both self-signed and CA-signed certificates, but I
encountered the following error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Please help me in this process.

Thanks in advance!
--
*Regards*

*Subrahmanya Prasad P*
Reindl Harald
2017-06-30 12:30:36 UTC
Permalink
"my origin server has CA signed wild card certificate, so what kind of
certificate should I install on traffic server (ex:self signed or ca
signed) and what are the steps to install certificate?"

that is a very strange question

a) if you don't want warnings on the clients, self-signed
is not an option

b) when you already have CA-signed ones just put them on the proxy

c) you don't need any certificate at all on the backend - that's what
TLS offloading is all about

"what format of the certificate works (.pem or crt or pfx)" - as for
anything else in the open-source world - PEM - just cat the private key,
intermediate certificates and the certificate into a file and use it as
it's done for httpd, postfix, dovecot and what not....

with the config below you just put your certificates into
"/etc/trafficserver/ssl/" and list the certs in "ssl_multicert.config"

[***@proxy:~]$ cat /etc/trafficserver/ssl_multicert.config
# optional 'ssl_ca_name=ca_name.crt' when intermediate-certs are not in the pem-file
ssl_cert_name=thelounge.net.pem

[***@proxy:~]$ cat /etc/trafficserver/remap.config | grep www.thelounge.net
map http://www.thelounge.net http://www.thelounge.net
map https://www.thelounge.net http://www.thelounge.net

[***@proxy:~]$ cat /etc/trafficserver/records.config | grep ssl
CONFIG proxy.config.http.server_ports STRING 80 443:ssl
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:!LOW:!MEDIUM
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.server.dhparams_file STRING /etc/trafficserver/ssl/dhparams.pem
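An added example (not code from the thread or from the ATS project) for the "cat the key, the intermediates and the certificate into one PEM file" step above. OpenSSL's chain loader takes the first certificate in the file as the server certificate, so the working order is: private key, server (leaf) certificate, then the intermediates; ATS reads the key from the same file when ssl_multicert.config has no ssl_key_name. The script builds a throwaway PKI (root, intermediate, RSA wildcard leaf for the made-up name *.example.test, all under a temp directory) so it runs offline, assembles a correct bundle and a misordered one, and checks each the way the TLS library will at startup: leaf first, key matching the leaf, chain verifying up to the root. The chain layout and all file names are assumptions of the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ATS project.
# Builds the single PEM file that ssl_multicert.config's ssl_cert_name
# points at, then checks it the way the TLS library will at startup.
# The test PKI (root -> intermediate -> wildcard leaf), the name
# "*.example.test" and all file names under $WORK are constructed here.
set -eu
WORK="${WORK:-$(mktemp -d)}"

make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.test,DNS:example.test\n' >"$WORK/leaf.ext"
    # RSA keys, because the cipher_suite list in the thread has only *-RSA-* suites.
    for n in root inter leaf; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$n.key" 2>/dev/null
    done
    openssl req -new -key "$WORK/root.key" -subj "/CN=Test Root" -out "$WORK/root.csr"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -key "$WORK/inter.key" -subj "/CN=Test Intermediate" -out "$WORK/inter.csr"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
    openssl req -new -key "$WORK/leaf.key" -subj "/CN=*.example.test" -out "$WORK/leaf.csr"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Correct bundle: key, then the server certificate, then the intermediate(s).
build_bundle() { cat "$WORK/leaf.key" "$WORK/leaf.pem" "$WORK/inter.pem" >"$WORK/bundle.pem"; }
# Same files with the intermediate before the leaf: the failure mode to catch.
build_misordered_bundle() { cat "$WORK/leaf.key" "$WORK/inter.pem" "$WORK/leaf.pem" >"$WORK/bad.pem"; }

# Prints "ok" when the bundle would load and serve *.example.test;
# otherwise prints the reason and returns 1.
check_bundle() {
    b="$1"
    # 1. the first certificate in the file is what gets presented as the server cert
    subj=$(openssl x509 -in "$b" -noout -subject)
    case "$subj" in
        *'*.example.test'*) ;;
        *) echo "first certificate is not the server cert: $subj"; return 1 ;;
    esac
    # 2. the private key in the file must belong to that certificate
    k=$(openssl pkey -in "$b" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$b" -noout -pubkey)
    [ "$k" = "$c" ] || { echo "private key does not match the certificate"; return 1; }
    # 3. the leaf must chain to the root using only the intermediates in the bundle
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$b" "$b" >/dev/null 2>&1 \
        || { echo "chain does not verify"; return 1; }
    echo ok
}

# Key algorithm of the first certificate. A cipher list with only *-RSA-*
# suites cannot serve an ECDSA certificate, and Chrome reports exactly that
# as ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

make_test_pki
build_bundle
build_misordered_bundle
check_bundle "$WORK/bundle.pem"            # ok
check_bundle "$WORK/bad.pem" || true       # first certificate is not the server cert: ...
cert_key_algorithm "$WORK/bundle.pem"      # rsaEncryption
```

Run it as-is for the self-test, or point check_bundle at a real bundle (with -CAfile set to the CA you expect). Once the proxy is up, the equivalent live check is `openssl s_client -connect proxy:443 -servername www.example.test -showcerts`, which shows the chain the proxy actually sends; a bundle that fails the checks above is the usual reason the port answers with no usable certificate and the browser reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH.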
$ubbu
2017-07-02 12:49:40 UTC
Permalink
It worked

thanks for the help :)
--
*Regards*

*Subrahmanya Prasad P*
sheng
2017-10-12 02:21:15 UTC
Permalink
Hi $ubbu,

It is great to know that your case is working.

Any idea how to put the public cert of the origin server into the traffic
server certificate store?

I am using self-signed certificates for both the origin and traffic servers
and would like to enable two-way authentication between the traffic server
and the origin server. I can get access into the origin with the client.key and
client.cert via curl, but get an SSL connection error via traffic server.

Can you share the records.config and ssl_multicert.config for me to take a
look?

Thank you,

Sheng



--
Sent from: http://apache-traffic-server.24303.n7.nabble.com/

Miles Libbey
2017-06-30 19:08:26 UTC
Permalink
Post by $ubbu
Hi,
We are using apache traffic server for caching http sites for a quite
long time,recently we had to cache https sites .
I took reference of
https://docs.trafficserver.apache.org/en/latest/admin-guide/security/index.en.html
But unable to work it out.
I have a few questions
1.my origin server has CA signed wild card certificate , so what kind of
certificate should I install on traffic server (ex:self signed or ca signed)
and what are the steps to install certificate?
ATS would be acting as a client when talking to your origin server.
So, it would use the machine's CA certificate store (like
https://curl.haxx.se/docs/caextract.html) to verify that your origin's
certificate is valid.
Post by $ubbu
2.what format of the certificate works (.pem or crt or pfx) ?
if this is for
Post by $ubbu
3.I have one more link
http://www.quobell.nl/blog/apache-traffic-server-ats-as-reverse-proxy-for-outsystems/
Which I tried with both self signed and ca signed certificates but I
encountered the following error ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I suppose you are talking about ATS talking to your origin server
here? If so, guess you'd have to add the public key of the origin's
self-signed cert into the CA certificate store.
Post by $ubbu
Please help me in this process.
Thanks in Advance !!!
--
Regards
Subrahmanya Prasad P
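An added example (not code from the thread or from the ATS project) for the two points above: Sheng's two-way authentication between proxy and origin, and Miles's remark that ATS is the TLS client on that leg and verifies the origin against a CA store. It reproduces the proxy-to-origin handshake with openssl alone: a stand-in origin serves a self-signed certificate and refuses connections that do not present a client certificate, and the client side must (a) trust the origin's own self-signed certificate as its CA file and (b) present client.crt/client.key. Both failure modes from the thread are exercised: the origin certificate missing from the CA file, and no client certificate. The host names origin.example.test and proxy.example.test, the loopback port and the self-signed test certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ATS project.
# Reproduces the proxy -> origin leg with openssl: the origin presents a
# self-signed certificate and requires a client certificate; the client
# must trust origin.crt as its CA file and present client.crt/client.key.
# Host names, the port and the self-signed test certs are constructed here.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-14433}"
ORIGIN_PID=""

make_selfsigned() { # make_selfsigned <name> <dns-name>  ->  $WORK/<name>.key and .crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Stand-in origin on loopback: -Verify makes a client certificate mandatory,
# and the client's self-signed cert is the CA it is checked against.
start_origin() {
    openssl s_server -accept "127.0.0.1:$PORT" -www \
        -cert "$WORK/origin.crt" -key "$WORK/origin.key" \
        -Verify 1 -CAfile "$WORK/client.crt" >/dev/null 2>&1 &
    ORIGIN_PID=$!
    i=0
    until printf '' | openssl s_client -connect "127.0.0.1:$PORT" 2>&1 | grep -q '^CONNECTED'; do
        i=$((i + 1)); [ "$i" -lt 25 ] || { echo "origin did not start" >&2; return 1; }
        sleep 0.2
    done
}
stop_origin() { [ -n "$ORIGIN_PID" ] && kill "$ORIGIN_PID" 2>/dev/null || true; }

# The handshake the proxy performs: verify the origin (hostname included)
# against <cafile>, present <cert>/<key> when given, then fetch one page.
# Prints "ok" only if the origin answered, i.e. both sides verified.
mutual_tls_check() { # mutual_tls_check <cafile> <client-cert|""> <client-key|"">
    auth=""
    [ -n "$2" ] && auth="-cert $2 -key $3"   # mktemp paths contain no spaces
    out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -quiet -connect "127.0.0.1:$PORT" \
        -servername origin.example.test -verify_hostname origin.example.test \
        -CAfile "$1" -verify_return_error $auth 2>&1 || true)
    case "$out" in
        *"HTTP/1.0 200"*) echo ok ;;
        *) echo "handshake failed: $(printf '%s\n' "$out" | tail -n 1)"; return 1 ;;
    esac
}

make_selfsigned origin origin.example.test
make_selfsigned client proxy.example.test
start_origin
trap stop_origin EXIT
mutual_tls_check "$WORK/origin.crt" "$WORK/client.crt" "$WORK/client.key"   # ok
mutual_tls_check "$WORK/client.crt" "$WORK/client.crt" "$WORK/client.key" || true  # origin cert not in CA file
mutual_tls_check "$WORK/origin.crt" "" "" || true                              # no client cert: origin refuses
```

The three inputs the check needs (the CA file holding the origin's certificate, the client certificate and its key) are the same three that the proxy must be given; in ATS 7.x records.config they are proxy.config.ssl.client.CA.cert.filename (with proxy.config.ssl.client.verify.server set to 1), proxy.config.ssl.client.cert.filename and proxy.config.ssl.client.private_key.filename, plus the matching .path entries for the directory. If the check passes with the origin's files but the proxy still fails, the proxy is not reading the same files.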