Discussion:
ssl handshake failure
Dk Jack
2018-11-02 18:41:30 UTC
Hi,
I enabled SSL on my ATS and my SSL requests are failing with a handshake
error. From the logs I can tell that it loaded my cert/key correctly. When I
started traffic server in debug mode (./traffic_server -T ssl), I am seeing
the following error

SSL routines:ssl3_get_client_hello:no shared cipher

My TLS config is shown below. My cert is a self-signed cert. My ATS
version is 6.2.1. I'd appreciate any pointers on how to resolve this.
Thanks.

Dk.

CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.server.cipher_suite STRING AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.compression INT 0


Debug logs:
[Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG:
<SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl)
[SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7f8820072800
[Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil)
for [10.3.28.146:39678] -> [172.19.0.2:7453], default context 0x2d82bc0
[Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where: 16
ret: 1
[Nov 2 18:16:07.664] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
8193 ret: 1
[Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:1402 (select_next_protocol)> (ssl) selected ALPN
protocol http/1.1
[Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:284
(set_context_cert)> (ssl) set_context_cert ssl=0x7f87d4021100 server=(null)
handshake_complete=0
[Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:336
(set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x2d82bc0 for
requested name '(null)'
[Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks
sslHandshakeHookState=0
[Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
16392 ret: 552
[Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
8194 ret: -1
[Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7f87d4021100 where:
8194 ret: -1
[Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG: <SSLUtils.cc:2126
(SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
ERR_get_error=336109761 (error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher)
[Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
[Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl)
SSL::140222668416768:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
[Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL handshake
error: SSL_ERROR_SSL (1), errno=0
[Nov 2 18:16:07.665] Server {0x7f8822572700} DEBUG:
<SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl)
SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)
Alan Carroll
2018-11-02 19:24:17 UTC
I'd start with "openssl s_client" to get more debug information, followed
possibly by a packet capture to be sure the user agent is connecting with
TLS to a TLS enabled proxy port.
--
*Beware the fisherman who's casting out his line in to a dried up riverbed.*
*Oh don't try to tell him 'cause he won't believe. Throw some bread to the
ducks instead.*
*It's easier that way. *- Genesis : Duke : VI 25-28
Dk Jack
2018-11-02 20:50:03 UTC
Hi Alan,
Thanks for responding. I've pasted the output from openssl s_client. I
don't understand the error it's giving, because I can see ATS loading
my certificate in the debug logs. I've prefixed the important lines in the
debug log with '=>'.

Dk.

----------------------------------------------------------
openssl s_client -host 10.3.27.19 -port 7453
CONNECTED(00000003)
140260354160280:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1541190685
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

ATS Config:
----------------------------------------------------------------------------------
CONFIG proxy.config.http.server_ports STRING 8080 7453:ssl
...
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.server.cipher_suite STRING AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.compression INT 0
----------------------------------------------------------------------------------

***@5a09849699ac:/opt/trafficserver/bin# ./traffic_server -T ssl
traffic_server: using root directory '/opt/trafficserver'
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLSessionCache.cc:42
(SSLSessionCache)> (ssl.session_cache) Created new ssl session cache
0x19de710 with 256 buckets each with size max size 400
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304
(SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e4a50: using
session cache options, enabled=2, size=102400, num_buckets=256,
skip_on_contention=0, timeout=0, auto_clear=1
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326
(SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with
ATS implementation
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340
(SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532
(SSLInitServerContext)> (ssl) Using 'emadisonisland.crt' in hash for
session id context
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1281
(SSLCheckServerCertNow)> (ssl) server certificate emadisonisland.crt passed
accessibility and date checks
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808
(ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
=> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819
(ssl_store_ssl_context)> (ssl) importing SNI names from emadisonisland.crt
=> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1633
(ssl_index_certificate)> (ssl) mapping 'www.emadisonisland.com' to
certificate emadisonisland.crt
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380
(insert)> (ssl) indexed 'www.emadisonisland.com' with SSL_CTX 0x19e4a50 [0]
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304
(SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e9be0: using
session cache options, enabled=2, size=102400, num_buckets=256,
skip_on_contention=0, timeout=0, auto_clear=1
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326
(SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with
ATS implementation
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340
(SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532
(SSLInitServerContext)> (ssl) Using '(null)' in hash for session id context
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380
(insert)> (ssl) indexed '*' with SSL_CTX 0x19e9be0 [1]
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808
(ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819
(ssl_store_ssl_context)> (ssl) importing SNI names from (null)
[Nov 2 20:31:22.999] Server {0x7fad4b72e740} DEBUG:
<SSLNetProcessor.cc:100 (start)> (ssl) Disabling ET_SSL threads (config is
set to -1), using thread group ET_NET=0
[Nov 2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
<SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
protocol http/1.0
[Nov 2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
<SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
protocol http/1.1
[Nov 2 20:31:23.007] Server {0x7fad4b72e740} DEBUG:
<SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising
protocol http/1.0
[Nov 2 20:31:25.986] Server {0x7fad44366700} DEBUG:
<SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl)
[SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7fad4002b800
=> [Nov 2 20:31:25.986] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil)
for [10.3.28.146:39712] -> [172.19.0.2:7453], default context 0x19e9be0
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where: 16
ret: 1
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
8193 ret: 1
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:284
(set_context_cert)> (ssl) set_context_cert ssl=0x7facf4021100 server=(null)
handshake_complete=0
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:336
(set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x19e9be0 for
requested name '(null)'
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks
sslHandshakeHookState=0
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
16392 ret: 552
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
8194 ret: -1
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671
(ssl_callback_info)> (ssl) ssl_callback_info ssl: 0x7facf4021100 where:
8194 ret: -1
=> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:2126
(SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1,
ERR_get_error=336109761 (error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher)
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
=> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl)
SSL::140382150485760:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL handshake
error: SSL_ERROR_SSL (1), errno=0
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG:
<SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl)
SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)


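A way to triage a paste like the one above mechanically, as an added example that is not part of the thread or of ATS: it decodes the OpenSSL error integer from the SSLAccept debug line, maps each SSL_CTX created at startup to the certificate file it was built from, and then reports which context served the failing handshake and whether the client sent SNI. The LOG and CONFIG lists are constructed from the output in this post (trimmed and unwrapped onto one line each); the regexes assume the ATS 6.x debug format shown here and the error-code layout of the OpenSSL 1.0.x/1.1.x series that ATS 6.2.1 links against.

```python
"""Triage an Apache Traffic Server `traffic_server -T ssl` debug log and the
records.config TLS toggles for a 'no shared cipher' handshake failure.

Added example, not ATS code.  LOG and CONFIG are constructed from the thread
(trimmed, unwrapped onto one line each); the regexes are an assumption for
ATS versions other than 6.x."""
import re

# OpenSSL 1.0.x/1.1.x pack an error as 8-bit library | 12-bit function |
# 12-bit reason.  OpenSSL 3.x dropped the function field, so do not feed
# codes from a 3.x build to this decoder.
LIBS = {20: "SSL"}
FUNCS = {138: "SSL_F_SSL3_GET_CLIENT_HELLO"}
REASONS = {193: "SSL_R_NO_SHARED_CIPHER"}


def decode_openssl_error(code):
    """336109761 == 0x1408A0C1 -> ('SSL', SSL3_GET_CLIENT_HELLO, NO_SHARED_CIPHER)."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    return (LIBS.get(lib, str(lib)), FUNCS.get(func, str(func)),
            REASONS.get(reason, str(reason)))


LOG = [  # constructed from the thread's -T ssl output
    "[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532 (SSLInitServerContext)> (ssl) Using 'emadisonisland.crt' in hash for session id context",
    "[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380 (insert)> (ssl) indexed 'www.emadisonisland.com' with SSL_CTX 0x19e4a50 [0]",
    "[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532 (SSLInitServerContext)> (ssl) Using '(null)' in hash for session id context",
    "[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLCertLookup.cc:380 (insert)> (ssl) indexed '*' with SSL_CTX 0x19e9be0 [1]",
    "[Nov 2 20:31:25.986] Server {0x7fad44366700} DEBUG: <SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil) for [10.3.28.146:39712] -> [172.19.0.2:7453], default context 0x19e9be0",
    "[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:336 (set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x19e9be0 for requested name '(null)'",
    "[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:2126 (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1, ERR_get_error=336109761 (error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher)",
]

RE_CERT = re.compile(r"Using '([^']*)' in hash for session id context")
RE_INDEX = re.compile(r"indexed '([^']+)' with SSL_CTX (0x[0-9a-f]+)")
RE_START = re.compile(r"for \[([^\]]+)\] -> \[([^\]]+)\], default context (0x[0-9a-f]+)")
RE_NAME = re.compile(r"using SSL context (0x[0-9a-f]+) for requested name '([^']*)'")
RE_ERR = re.compile(r"ERR_get_error=(\d+)")


def triage(lines):
    """Tie the failing handshake to the SSL_CTX that served it and to the
    certificate (or lack of one) that context was built from."""
    r = {"contexts": {}, "peer": None, "default_ctx": None, "ctx_used": None,
         "sni": None, "error": None, "verdict": []}
    last_cert = None  # the 'Using ... in hash' line precedes the 'indexed' line
    for line in lines:
        if m := RE_CERT.search(line):
            last_cert = m.group(1)
        elif m := RE_INDEX.search(line):
            r["contexts"][m.group(2)] = {"name": m.group(1), "cert": last_cert}
        elif m := RE_START.search(line):
            r["peer"], r["default_ctx"] = m.group(1), m.group(3)
        elif m := RE_NAME.search(line):
            r["ctx_used"] = m.group(1)
            r["sni"] = None if m.group(2) == "(null)" else m.group(2)
        elif m := RE_ERR.search(line):
            r["error"] = decode_openssl_error(int(m.group(1)))
    if r["error"] and r["error"][2] == "SSL_R_NO_SHARED_CIPHER":
        if r["sni"] is None:
            r["verdict"].append("client sent no SNI, so ATS used the default ('*') "
                                "context %s" % r["ctx_used"])
        if r["contexts"].get(r["ctx_used"], {}).get("cert") == "(null)":
            r["verdict"].append("context %s was built without a certificate, so no "
                                "certificate-based cipher suite can be offered and OpenSSL "
                                "reports 'no shared cipher' whatever the cipher lists are; "
                                "add a dest_ip=* line to ssl_multicert.config" % r["ctx_used"])
    return r


CONFIG = [  # constructed from the thread's records.config excerpt
    "CONFIG proxy.config.ssl.SSLv2 INT 0",
    "CONFIG proxy.config.ssl.SSLv3 INT 1",
    "CONFIG proxy.config.ssl.TLSv1 INT 1",
    "CONFIG proxy.config.ssl.TLSv1_1 INT 1",
    "CONFIG proxy.config.ssl.TLSv1_2 INT 1",
    "CONFIG proxy.config.ssl.server.honor_cipher_order INT 1",
]
RE_CFG = re.compile(r"^CONFIG (proxy\.config\.ssl\.\S+) INT (\d+)$")


def check_config(cfg_lines):
    """Protocol toggles a reviewer would send back; unrelated to the failure
    but visible in the same paste."""
    findings = []
    for line in cfg_lines:
        m = RE_CFG.match(line.strip())
        if not m or m.group(2) != "1":
            continue
        key = m.group(1).rsplit(".", 1)[1]
        if key in ("SSLv2", "SSLv3"):
            findings.append(f"{key} enabled: obsolete and broken (POODLE for SSLv3); set proxy.config.ssl.{key} to 0")
        elif key in ("TLSv1", "TLSv1_1"):
            findings.append(f"{key} enabled: deprecated; disable unless legacy clients still need it")
    return findings


if __name__ == "__main__":
    result = triage(LOG)
    print("error:", result["error"])
    for v in result["verdict"]:
        print("verdict:", v)
    for f in check_config(CONFIG):
        print("config:", f)
```

Run as-is it prints the verdict for this paste: the client sent no SNI, the default '*' context served it, and that context was indexed from '(null)', that is without a certificate, which is why OpenSSL cannot complete any cipher suite even though the client and server cipher lists overlap. The config check is the side point a reviewer would raise on the same excerpt: SSLv3 is switched on.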
Susan Hinrichs
2018-11-02 21:04:41 UTC
Do you have a dest_ip=* default line in your ssl_multicert.config file?

Your query doesn't have the SNI set, so you need a default. Use the
-servername option for s_client if you want to set the SNI.
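To see why a certificate-less default context produces exactly this error, here is an added example (not ATS code and not from the thread) that drives a TLS handshake entirely in memory with Python's ssl module. A server context with no certificate loaded stands in for ATS's '*' context when ssl_multicert.config has no dest_ip=* entry; loading a throwaway self-signed certificate, generated with the openssl CLI into a temp directory (assumption: openssl is on PATH), is the equivalent of adding that line. The client connects without SNI, like the s_client run above, and skips verification because the certificate is self-signed.

```python
"""Reproduce OpenSSL's 'no shared cipher' from a server context without a
certificate, then show the same client succeeding once one is loaded.

Added example, not ATS code.  make_self_signed() assumes the openssl CLI is
on PATH; reproduce_with_default_cert() returns None when it is not."""
import os
import shutil
import ssl
import subprocess
import tempfile


def tls_handshake(server_ctx, client_ctx, server_name=None):
    """Pump a client<->server handshake through MemoryBIOs (no sockets).
    Returns (True, cipher_name) or (False, openssl_reason_string)."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False,
                                 server_hostname=server_name)  # None == no SNI
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    for _ in range(10):  # a full handshake needs only a few round trips
        done = 0
        for side, out_bio, peer_in in ((client, c_out, s_in), (server, s_out, c_in)):
            try:
                side.do_handshake()
                done += 1
            except ssl.SSLWantReadError:
                pass  # needs the peer's next flight
            except ssl.SSLError as e:
                return False, e.reason
            pending = out_bio.read()
            if pending:
                peer_in.write(pending)
        if done == 2:
            return True, client.cipher()[0]
    return False, "handshake did not complete"


def server_context(certfile=None, keyfile=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # TLS 1.2 matches the thread's OpenSSL 1.0.x era and keeps the failure at
    # cipher selection, where OpenSSL reports NO_SHARED_CIPHER.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def client_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed cert, as in the thread
    return ctx


def make_self_signed(directory, cn="www.emadisonisland.com"):
    """Throwaway RSA cert/key via the openssl CLI (a real deployment cert
    also needs a subjectAltName; the client here does not verify)."""
    crt = os.path.join(directory, "default.crt")
    key = os.path.join(directory, "default.key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", f"/CN={cn}", "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return crt, key


def reproduce_no_default_cert():
    """ATS '*' context with no dest_ip=* line: no certificate at all."""
    return tls_handshake(server_context(), client_context(), server_name=None)


def reproduce_with_default_cert():
    """Same client, server now holds a default certificate; None if no openssl CLI."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        crt, key = make_self_signed(d)
        return tls_handshake(server_context(crt, key), client_context(), server_name=None)


if __name__ == "__main__":
    print("no default cert:", reproduce_no_default_cert())
    print("default cert   :", reproduce_with_default_cert())
```

The first call fails with reason NO_SHARED_CIPHER even though the client offered every default cipher suite: without a certificate the server has nothing to authenticate with, so no RSA or ECDSA suite is usable and OpenSSL reports the result as a cipher mismatch rather than a missing certificate. A TLS 1.3 server without a certificate fails at a later step with a different reason string, which is why the server is pinned to TLS 1.2 here. On the ATS side the equivalent of the second call is the line Susan asks about, for example `dest_ip=* ssl_cert_name=default.crt ssl_key_name=default.key` in ssl_multicert.config; to exercise the name-keyed certificate instead, pass `-servername www.emadisonisland.com` to s_client.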
Dk Jack
2018-11-02 21:08:09 UTC
That was it! Thank you!
Post by Susan Hinrichs
Do you have a dest_ip=* default line in your ssl_multicert.config file?
Your query doesn't have the SNI set, so you need a default. Use the
-servername option for s_client if you want to set the SNI.
Post by Dk Jack
Hi Alan,
Thanks for responding. I've pasted the output from openssl s_client. I
don't understand the error it's giving because I can see in the ATS
loading
Post by Dk Jack
my certificate in the debug logs. I've prefixed the important lines in
the
Post by Dk Jack
debug log with '=>'.
Dk.
----------------------------------------------------------
openssl s_client -host 10.3.27.19 -port 7453
CONNECTED(00000003)
140260354160280:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.2
Cipher : 0000
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1541190685
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
----------------------------------------------------------------------------------
Post by Dk Jack
CONFIG proxy.config.http.server_ports STRING 8080 7453:ssl
...
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.server.cipher_suite STRING
AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-
SHA:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!MD5:!SSLV2:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-
Post by Dk Jack
CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.compression INT 0
----------------------------------------------------------------------------------
Post by Dk Jack
traffic_server: using root directory '/opt/trafficserver'
<SSLSessionCache.cc:42 (SSLSessionCache)> (ssl.session_cache) Created new ssl session cache 0x19de710 with 256 buckets each with size max size 400
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304 (SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e4a50: using session cache options, enabled=2, size=102400, num_buckets=256, skip_on_contention=0, timeout=0, auto_clear=1
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326 (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS implementation
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340 (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532 (SSLInitServerContext)> (ssl) Using 'emadisonisland.crt' in hash for session id context
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1281 (SSLCheckServerCertNow)> (ssl) server certificate emadisonisland.crt passed accessibility and date checks
[Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808 (ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
=> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819 (ssl_store_ssl_context)> (ssl) importing SNI names from emadisonisland.crt
=> [Nov 2 20:31:22.997] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1633 (ssl_index_certificate)> (ssl) mapping 'www.emadisonisland.com' to certificate emadisonisland.crt
<SSLCertLookup.cc:380 (insert)> (ssl) indexed 'www.emadisonisland.com' with SSL_CTX 0x19e4a50 [0]
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1304 (SSLInitServerContext)> (ssl.session_cache) ssl context=0x19e9be0: using session cache options, enabled=2, size=102400, num_buckets=256, skip_on_contention=0, timeout=0, auto_clear=1
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1326 (SSLInitServerContext)> (ssl.session_cache) enabling SSL session cache with ATS implementation
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1340 (SSLInitServerContext)> (ssl) enabling SSL_MODE_RELEASE_BUFFERS
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1532 (SSLInitServerContext)> (ssl) Using '(null)' in hash for session id context
<SSLCertLookup.cc:380 (insert)> (ssl) indexed '*' with SSL_CTX 0x19e9be0 [1]
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1808 (ssl_store_ssl_context)> (ssl) ssl ocsp stapling is disabled
[Nov 2 20:31:22.998] Server {0x7fad4b72e740} DEBUG: <SSLUtils.cc:1819 (ssl_store_ssl_context)> (ssl) importing SNI names from (null)
<SSLNetProcessor.cc:100 (start)> (ssl) Disabling ET_SSL threads (config is set to -1), using thread group ET_NET=0
<SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising protocol http/1.0
<SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising protocol http/1.1
<SSLNextProtocolSet.cc:65 (create_npn_advertisement)> (ssl) advertising protocol http/1.0
<SSLNextProtocolAccept.cc:129 (mainEvent)> (ssl) [SSLNextProtocolAccept:mainEvent] event 202 netvc 0x7fad4002b800
<SSLNetVConnection.cc:981 (sslStartHandShake)> (ssl) IP context is (nil) for [10.3.28.146:39712] -> [172.19.0.2:7453], default context 0x19e9be0
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671 16 ret: 1
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671 8193 ret: 1
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:284 (set_context_cert)> (ssl) set_context_cert ssl=0x7facf4021100 server=(null) handshake_complete=0
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:336 (set_context_cert)> (ssl) ssl_cert_callback using SSL context 0x19e9be0 for requested name '(null)'
<SSLNetVConnection.cc:1462 (callHooks)> (ssl) callHooks sslHandshakeHookState=0
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671 16392 ret: 552
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671 8194 ret: -1
[Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:1671 8194 ret: -1
=> [Nov 2 20:31:25.987] Server {0x7fad44366700} DEBUG: <SSLUtils.cc:2126 (SSLAccept)> (ssl.error.accept) SSL accept returned -1, ssl_error=1, ERR_get_error=336109761 (error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher)
<SSLNetVConnection.cc:1105 (sslServerHandShakeEvent)> (ssl) trace=FALSE
<SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL::140382150485760:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417: peer address is 10.3.28.146
<SSLNetVConnection.cc:1109 (sslServerHandShakeEvent)> (ssl) SSL handshake error: SSL_ERROR_SSL (1), errno=0
<SSLNetVConnection.cc:1237 (sslServerHandShakeEvent)> (ssl) SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0
^Ctraffic_server: Interrupt (Signal sent by the kernel 0 0)
On Fri, Nov 2, 2018 at 12:24 PM Alan Carroll
I'd start with "openssl s_client" to get more debug information, followed possibly by a packet capture to be sure the user agent is connecting with TLS to a TLS enabled proxy port.
Post by Dk Jack
Hi,
I enabled SSL on my ATS and my ssl requests are failing with handshake error.
...
--
*Beware the fisherman who's casting out his line in to a dried up riverbed.*
*Oh don't try to tell him 'cause he won't believe. Throw some bread to the ducks instead.*
*It's easier that way.* - Genesis : Duke : VI 25-28
Pushkar Pradhan
2018-11-02 18:53:59 UTC
Permalink
Is your client sending a TLSv1.2 handshake? Maybe it's a lower version or
non TLS.
Post by Dk Jack
Hi,
I enabled SSL on my ATS and my ssl requests are failing with handshake error.
...
--
pushkar
Dk Jack
2018-11-05 02:31:36 UTC
Permalink
Thanks Pushkar. I had a config error in my multi cert config file. I was missing ‘dest_ip=*’
Dk.
Post by Pushkar Pradhan
Is your client sending a TLSv1.2 handshake? Maybe it's a lower version or
non TLS.
Post by Dk Jack
Hi,
I enabled SSL on my ATS and my ssl requests are failing with handshake error.
...
--
pushkar
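Added example, not code from this thread or from Apache Traffic Server: the server-side failure above, reproduced in memory with Python's stdlib ssl module. The ATS debug log shows the connection landing on the default '*' context, the one whose SNI names were imported from '(null)', so the server had no certificate to authenticate with. In that state OpenSSL reports "no shared cipher" even when the cipher lists of both sides overlap, because every suite the client offered needs an RSA key the server does not have. The block builds a TLS 1.2 server context with no certificate, drives a handshake against a client over MemoryBIO pairs (no sockets), then repeats it with a throwaway self-signed certificate. Assumptions that are mine, not the thread's: Python 3.7+ on OpenSSL 1.1.1 or 3.x, an openssl binary on PATH for the fixed case, the hostname example.test, and a cipher list that is the thread's trimmed to tokens a current OpenSSL still recognizes (3DES and the legacy exclusions dropped).

```python
"""
Reproduce the ATS "no shared cipher" failure in memory: a TLS 1.2 server
context with no certificate loaded versus the same context with a key pair.
Added example, not code from the thread or from Apache Traffic Server.
"""
import os
import shutil
import ssl
import subprocess
import tempfile

# The thread's cipher list, trimmed to tokens a current OpenSSL still knows
# (3DES and the legacy exclusions dropped). Assumption for this demo.
CIPHERS = "AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!MD5:!RC4"
HOSTNAME = "example.test"  # assumed name; matches the SAN minted below


def server_context(cert_key=None):
    """Server context pinned to TLS 1.2 (what ATS 6.2.1 negotiated in the log).
    cert_key=None mirrors the ATS default '*' context with no certificate;
    (cert, key) mirrors the state after the dest_ip=* fix."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHERS)
    if cert_key is not None:
        ctx.load_cert_chain(certfile=cert_key[0], keyfile=cert_key[1])
    return ctx


def client_context(cafile=None):
    """Client offering the same ciphers; trusts only the supplied CA file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.set_ciphers(CIPHERS)
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def shared_cipher_names(a, b):
    """Cipher names both contexts enable: proves the lists really overlap."""
    names_b = {c["name"] for c in b.get_ciphers()}
    return [c["name"] for c in a.get_ciphers() if c["name"] in names_b]


def _pump(src, dst):
    """Move pending TLS records from one side's outgoing BIO to the peer's incoming BIO."""
    data = src.read()
    if data:
        dst.write(data)


def handshake(server_ctx, client_ctx, hostname=HOSTNAME):
    """Drive a full handshake between two contexts over MemoryBIOs, no sockets.
    Returns a dict: ok, failed_side ('client'/'server'/None), reason (the
    OpenSSL reason string, e.g. 'NO_SHARED_CIPHER'), cipher (negotiated name)."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False, server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    done = {"client": False, "server": False}
    sides = (("client", client, c_out, s_in), ("server", server, s_out, c_in))
    for _ in range(8):  # a TLS 1.2 handshake converges in three flights
        for name, obj, out_bio, in_bio in sides:
            if not done[name]:
                try:
                    obj.do_handshake()
                    done[name] = True
                except ssl.SSLWantReadError:
                    pass  # waiting for the peer's next flight
                except ssl.SSLError as exc:
                    return {"ok": False, "failed_side": name, "reason": exc.reason, "cipher": None}
            _pump(out_bio, in_bio)
        if done["client"] and done["server"]:
            return {"ok": True, "failed_side": None, "reason": None, "cipher": server.cipher()[0]}
    return {"ok": False, "failed_side": None, "reason": "did not converge", "cipher": None}


def mint_self_signed(hostname=HOSTNAME):
    """Throwaway RSA-2048 key and self-signed cert via the openssl CLI.
    Returns (cert_path, key_path), or None when openssl is unavailable."""
    if shutil.which("openssl") is None:
        return None
    d = tempfile.mkdtemp(prefix="nosharedcipher-")
    cert, key = os.path.join(d, "cert.pem"), os.path.join(d, "key.pem")
    r = subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={hostname}", "-addext", f"subjectAltName=DNS:{hostname}",
         "-keyout", key, "-out", cert],
        capture_output=True)
    return (cert, key) if r.returncode == 0 else None


if __name__ == "__main__":
    print("ciphers both sides enable:", shared_cipher_names(server_context(), client_context()))
    print("no certificate  :", handshake(server_context(), client_context()))
    ck = mint_self_signed()
    if ck is None:
        print("openssl CLI not found; skipping the fixed case")
    else:
        print("with certificate:", handshake(server_context(ck), client_context(ck[0])))
```

The no-certificate run fails on the server side with reason NO_SHARED_CIPHER before any ServerHello or certificate is written, and the server answers with a handshake_failure alert; that is the pairing the thread shows from both ends (s_client reporting a failure in SSL23_GET_SERVER_HELLO with "no peer certificate available", traffic_server logging ssl3_get_client_hello:no shared cipher). The same contexts with a key pair loaded complete on one of the listed AES suites. The diagnostic takeaway is the one Dk Jack arrived at: when the cipher lists overlap and the server still says "no shared cipher", look at which SSL_CTX the connection actually selected and whether that context owns a certificate, which in ATS terms means the default context defined by a dest_ip=* line in ssl_multicert.config.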