3

I am trying to set up Apache Trafficserver as a reverse proxy. (Debian Stretch, ATS 7.0.0 (also tried 7.1.2 from backports), openssl 1.1.0f)

Everything went fine so far, until I came across configuring TLS. I added port 443 for SSL in records.config, set the cert-paths, created a local test-certificate, which I defined as default in ssl_multicert.config, and also tried to fiddle with cipher_list.

But no matter which cipher_list I use (commented out with a #, default value from package, just one cipher, NULL for all ciphers), the trafficserver does not give a single cipher in the handshake response. Firefox gives a "no cipher overlap" as a consequence, sslscan gives the following output:

user@host:~$ sslscan https://testats.mycompany.com
Version: 1.11.5
OpenSSL 1.0.2l  25 May 2017

OpenSSL version does not support SSLv2
SSLv2 ciphers will not be detected

OpenSSL version does not support SSLv3
SSLv3 ciphers will not be detected
Testing SSL server testats.mycompany.com on port 443

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
user@host:~$

A test with sslscan against the origin webserver, which ATS should remap to, is working fine.

Any ideas?

chrikru

0 Answers