Displaying #traffic-server/2015-11-06.log:

Fri Nov 6 00:03:12 2015  _klk_:Joined the channel
Fri Nov 6 00:19:46 2015  shinrich1:Joined the channel
Fri Nov 6 01:08:59 2015  oag:Joined the channel
Fri Nov 6 01:09:32 2015  _klk_:Joined the channel
Fri Nov 6 01:29:06 2015  _klk_:Joined the channel
Fri Nov 6 02:58:49 2015  muralisr:Joined the channel
Fri Nov 6 03:01:19 2015  _klk_:Joined the channel
Fri Nov 6 04:21:37 2015  es:Joined the channel
Fri Nov 6 04:49:30 2015  HVT:Joined the channel
Fri Nov 6 09:26:31 2015  Lethalman:Joined the channel
Fri Nov 6 10:07:58 2015  mturk:Joined the channel
Fri Nov 6 13:54:58 2015  bahumbug:Joined the channel
Fri Nov 6 14:23:03 2015  Rotonen:Left the channel
Fri Nov 6 14:28:40 2015  davet_:Joined the channel
Fri Nov 6 14:29:47 2015  shinrich1:Joined the channel
Fri Nov 6 14:32:20 2015  esproul:Joined the channel
Fri Nov 6 14:55:03 2015  whyameye:Joined the channel
Fri Nov 6 14:55:48 2015  whyameye:I'm trying to get ssl termination working with traffic server following these directions: https://docs.trafficserver.apache.org/en/stable/admin/security-options.en.html#using-ssl-termination SSL isn't working at all though. Not sure what to check
Fri Nov 6 14:59:36 2015  shinrich1:openssl s_client in verbose mode can give some good indication at what level the handshake is failing.
Fri Nov 6 15:00:04 2015  shinrich1:You could also enable the "ssl" debug tag and look through traffic.out to get some idea of where things are failing.
Fri Nov 6 15:00:24 2015  shinrich1:Does straight http work in your configuration?
Fri Nov 6 15:01:02 2015  whyameye:straight http does work
Fri Nov 6 15:01:52 2015  shinrich1:Any error messages in diags.log? If certs fail to load, I think something will show up there.
Fri Nov 6 15:01:55 2015  whyameye:how do I set openssl s_client in verbose mode?
Fri Nov 6 15:02:26 2015  whyameye:no errors in diags.log
Fri Nov 6 15:03:01 2015  whyameye:in error log I see status 400 (Invalid HTTP Request) for '/'
Fri Nov 6 15:03:16 2015  shinrich1:"openssl s_client -connect myhost.com:443 -debug"
Fri Nov 6 15:03:19 2015  whyameye:and status 404 (Not Found) for 'http://(garbage here)
Fri Nov 6 15:03:36 2015  shinrich1:Should let you test the handshake to myhost.com with some extra messages.
Fri Nov 6 15:05:21 2015  whyameye:it's reporting SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795
Fri Nov 6 15:05:28 2015  whyameye:then it says "no peer certificate available"
Fri Nov 6 15:05:42 2015  felicity:whyameye: traffic_line -m proxy.config.http.server_ports ?
Fri Nov 6 15:07:09 2015  whyameye:I have this line in records.config: CONFIG proxy.config.http.server_ports STRING 80 443
Fri Nov 6 15:07:26 2015  shinrich1:Add ":ssl" to your 443
Fri Nov 6 15:07:38 2015  shinrich1:CONFIG proxy.config.http.server_ports STRING 80 443:ssl
Fri Nov 6 15:07:55 2015  shinrich1:We need to update that article.
Fri Nov 6 15:08:25 2015  whyameye:I don't understand the traffic_line -m line. -m doesn't seem to be a valid flag
Fri Nov 6 15:09:03 2015  dcarlin:whyameye: what version of ats are you using?
Fri Nov 6 15:09:29 2015  whyameye:dcarlin: how do I figure that out? Sorry this is all very new to me
Fri Nov 6 15:09:47 2015  dcarlin:How did you install ats?
Fri Nov 6 15:10:02 2015  dcarlin:try traffic_line -V
Fri Nov 6 15:10:27 2015  whyameye:Apache Traffic Server - traffic_line - 3.2.4 - (build # 32920 on Apr 29 2013 at 20:40:15)
Fri Nov 6 15:10:36 2015  dcarlin:ooh
Fri Nov 6 15:10:48 2015  whyameye:I'm not sure I have installed ats. I didn't see to do that anywhere?
Fri Nov 6 15:10:59 2015  dcarlin:3.2.4 is really old
Fri Nov 6 15:11:08 2015  amc:I don't know if the :ssl even works in 3.2.4.
Fri Nov 6 15:11:10 2015  dcarlin:SSL was enabled in a different manner back then
Fri Nov 6 15:11:23 2015  whyameye:this is the one in the repo for ubuntu 14.04
Fri Nov 6 15:11:51 2015  dcarlin:I would build it from source
Fri Nov 6 15:11:56 2015  felicity:the current version is 6.0, so it looks like Ubuntu isn't maintaining their package
Fri Nov 6 15:12:34 2015  danielxu:Joined the channel
Fri Nov 6 15:12:38 2015  whyameye:just to back up a minute, the only reason I want to use traffic server is I have the challenge of limiting my fragment packets to 4K for SSL. It looks like using traffic server as a reverse proxy might be the easiest way to do this.
Fri Nov 6 15:14:21 2015  Humbedooh:felicity: that seems to be the case for many projects :\
Fri Nov 6 15:17:48 2015  dcarlin:whyameye: you mean this setting? https://trafficserver.readthedocs.org/en/latest/admin-guide/files/records.config.en.html?highlight=record%20size#proxy-config-ssl-max-record-size
Fri Nov 6 15:17:53 2015  dcarlin:to set tls record size?
Fri Nov 6 15:17:57 2015  whyameye:yes
Fri Nov 6 15:18:01 2015  dcarlin:it's not in 3.2.4 :)
Fri Nov 6 15:18:16 2015  dcarlin:I think it was in 5.2+
Fri Nov 6 15:18:40 2015  whyameye:ok I'm trying to update traffic server now. Thanks to everybody for helping me. I was pretty lost
Fri Nov 6 15:19:59 2015  dcarlin:sure n/p
Fri Nov 6 15:20:27 2015  igalic:wheee. i made a commit.
Fri Nov 6 15:32:09 2015  Humbedooh:gasp!
Fri Nov 6 15:43:07 2015  whyameye:hooray. I have 6.0 now. :-)
Fri Nov 6 15:44:21 2015  whyameye:gotta run for now. To be continued. Thanks for the help. I'll be back for more. ;-)
Fri Nov 6 16:17:19 2015  shinrich1:Pull requests!
Fri Nov 6 16:17:30 2015  shinrich1:For ssl_sesssion_reuse_plugin building https://git.corp.yahoo.com/Edge/ATSPlugins/pull/130
Fri Nov 6 16:17:44 2015  dcarlin:shinrich1: wrong irc
Fri Nov 6 16:17:52 2015  sudheerv:lol
Fri Nov 6 16:17:55 2015  shinrich1:Sorry!
Fri Nov 6 16:18:01 2015  shinrich1:Nevermind… :-)
Fri Nov 6 16:18:09 2015  dcarlin:sometimes I join #tm-ops on freenode and wonder where the party at
Fri Nov 6 16:18:24 2015  sudheerv:haha, i do that too
Fri Nov 6 16:18:51 2015  sudheerv:using adium makes it more likely to make that mistake
Fri Nov 6 16:19:30 2015  shinrich1:Off by one click...
Fri Nov 6 16:27:12 2015  gancho:Joined the channel
Fri Nov 6 16:45:33 2015  blattj:Joined the channel
Fri Nov 6 16:57:58 2015  es:Joined the channel
Fri Nov 6 17:02:33 2015  Becoming_:Joined the channel
Fri Nov 6 17:03:57 2015  es1:Joined the channel
Fri Nov 6 17:11:51 2015  sbeards:hey all does anyone have a working config which sends client certs to the origin?
Fri Nov 6 17:11:59 2015  sbeards:I see zero bytes being sent in the certificate section
Fri Nov 6 17:20:38 2015  sbeards:hears crickets
Fri Nov 6 17:25:50 2015  Lethalman:Joined the channel
Fri Nov 6 17:32:05 2015  blattj:Joined the channel
Fri Nov 6 17:53:11 2015  bahumbug:Joined the channel
Fri Nov 6 18:00:37 2015  blattj:Joined the channel
Fri Nov 6 18:07:40 2015  blattj:Joined the channel
Fri Nov 6 18:09:24 2015  es:Joined the channel
Fri Nov 6 18:54:13 2015  jrushford:Joined the channel
Fri Nov 6 18:55:41 2015  jrushford:amc - saw your email and am looking into that compile failure.
Fri Nov 6 18:57:12 2015  amc:It's a trivial fix - just add a virtual destructor.
Fri Nov 6 18:57:22 2015  amc:But it's the kind of thing that causes mysterious problems later.
Fri Nov 6 18:57:31 2015  amc:Other than that your patch compiled.
Fri Nov 6 18:57:50 2015  amc:I'm looking at the code because I have to work on TS-3999, which is in the same area.
Fri Nov 6 18:58:31 2015  jrushford:ok
Fri Nov 6 19:04:17 2015  amc:If you have any comments on the functionality of TS-3999, it would be good to know.
Fri Nov 6 19:05:11 2015  jrushford:okay, i'll take a look at TS-3999 too
Fri Nov 6 19:05:18 2015  jrushford:thanks amc
Fri Nov 6 19:11:35 2015  _klk_:Joined the channel
Fri Nov 6 19:28:57 2015  jrushford:amc - my multi-site origin changes make all hosts in the parent.config list origins when the parent_is_proxy=false. A specific url could be remapped to use a list of origins in parent.config. Not sure if that satisfies the request in TS-3999
Fri Nov 6 19:48:40 2015  jrushford:amc - i added the virtual destructor.
Fri Nov 6 19:48:51 2015  jrushford:thanks for the heads up
Fri Nov 6 20:02:02 2015  whyameye:Joined the channel
Fri Nov 6 20:02:56 2015  _klk_:Joined the channel
Fri Nov 6 20:09:46 2015  whyameye:I seem to be stuck at an earlier stage with 6.0. It appears trafficserver isn't running even with a /etc/init.d/trafficserver restart. I don't see any error in the logs
Fri Nov 6 20:10:28 2015  whyameye:nm found an error in syslog.
Fri Nov 6 20:24:31 2015  whyameye:trying to get SSL working I'm getting this error "no peer certificate available"
Fri Nov 6 20:32:45 2015  shinrich1:Where do you get that message? What do you have in your ssl_multicert.config file?
Fri Nov 6 20:34:02 2015  whyameye:found this in diags log: fopen:No such file or directory:bss_file.c:169:fopen('/usr/"/etc/apache2/ssl/"/apache.pem','r')
Fri Nov 6 20:34:27 2015  whyameye:I don't know why the /usr is there. It should just be /etc/apache2/ssl
Fri Nov 6 20:35:43 2015  dcarlin:What is proxy.config.ssl.client.cert.path in records.config
Fri Nov 6 20:35:51 2015  dcarlin:and what does ssl_multicert.config look like
Fri Nov 6 20:38:24 2015  whyameye:I had quotes around the path name for the cert path. Oops. I have another error now but I'll see if I can figure it out first
Fri Nov 6 20:39:05 2015  amc:jrushford - No, that wouldn't work. The goal of TS-3999 is to have a pod of machines that are each other's parents without looping.
Fri Nov 6 20:39:18 2015  whyameye:the error I get now is from the browser: "Not Found on Accelerator"
Fri Nov 6 20:39:26 2015  amc:remap_required INT 0
Fri Nov 6 20:39:26 2015  dcarlin:at least ats started :)
Fri Nov 6 20:39:42 2015  amc:whyameye - By default ATS won't service a request if there is no remap rule for it.
Fri Nov 6 20:39:54 2015  amc:This prevents people from unknowingly installing open proxies.
Fri Nov 6 20:40:14 2015  amc:You can open it up by setting the remap_required value to 0.
Fri Nov 6 20:40:29 2015  whyameye:I have a map rule in remap.config. should it map https or http?
Fri Nov 6 20:40:31 2015  amc:Note, this will make it an open proxy and anyone who can access the proxy port can proxy through your box to anywhere else.
Fri Nov 6 20:40:48 2015  amc:Either is fine for ATS.
Fri Nov 6 20:40:50 2015  dcarlin:whyameye: you need one of each in remap.config
Fri Nov 6 20:40:55 2015  dcarlin:to use both
Fri Nov 6 20:41:10 2015  amc:But "Not found on accelerator" means ATS did not find a remap rule for the request.
Fri Nov 6 20:41:29 2015  whyameye:I have a map://myhost:80/ http://127.0.0.1:8080/" and that works for http
Fri Nov 6 20:41:50 2015  whyameye:so is there other "map http://myhost:443 http://127.0.0.1:8080/"?
Fri Nov 6 20:42:36 2015  whyameye:ah I think it had to be https://myhost:443/
Fri Nov 6 20:42:59 2015  whyameye:it seems to be working now! :-)
Fri Nov 6 20:43:22 2015  amc:Nice.
Fri Nov 6 20:43:43 2015  whyameye:does openssl s_client usually not return?
Fri Nov 6 20:45:29 2015  shinrich1:It just negotiates a SSL session, then waits for you to enter commands
Fri Nov 6 20:46:53 2015  whyameye:ok cool. I think everything is happy now. Do you know if there is a way that I can confirm that the ssl.max_record_size parameter in records.config worked?
Fri Nov 6 21:45:56 2015  jpeach:whyameye: you might need to take a packet trace to verify
Fri Nov 6 21:47:23 2015  whyameye:jpeach: is that a fairly straightforward thing to do?
Fri Nov 6 21:48:13 2015  jpeach:should be; use wireshark to capture packets on port 443, it will decode and you will see the SSL records
Fri Nov 6 21:48:28 2015  whyameye:ok. I'll give it a go. Thx
Fri Nov 6 21:50:22 2015  dcarlin:http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session
Fri Nov 6 21:50:35 2015  dcarlin:might help you navigate what you see in wireshark
Fri Nov 6 21:50:51 2015  dcarlin:specifically, see section 'Record Protocol format'
Fri Nov 6 21:51:09 2015  dcarlin:you're interested in what bytes 3/4 show for length
Fri Nov 6 21:52:01 2015  whyameye:thx. Very helpful
Fri Nov 6 21:52:59 2015  jpeach:hey dxu I wanna squash your pull request to this: http://apaste.info/Vk9
Fri Nov 6 21:54:20 2015  jrushford:Joined the channel
Fri Nov 6 22:09:00 2015  danielxu:jpeach: Sure, that looks good
Fri Nov 6 22:44:03 2015  niq:Joined the channel
Fri Nov 6 23:03:00 2015  blattj:Joined the channel
Fri Nov 6 23:03:45 2015  _klk_:Joined the channel
Fri Nov 6 23:06:35 2015  _klk_1:Joined the channel
Fri Nov 6 23:38:32 2015  kichan:yay…. reached 4000 for jira tickets!
Fri Nov 6 23:42:23 2015  sudheerv:nice :)
Fri Nov 6 23:42:30 2015  sudheerv:TS-4000
Fri Nov 6 23:59:12 2015  jpeach:congratulations dxu!
