I want to print PostScripts via CUPS/HTTPS on Cloud Foundry. It's working when I'm using HTTP but fails for HTTPS with gorouter's log:
http: TLS handshake error from ...
My cipher_suites:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
I tried to set router.logging_level to debug (default is info) but it changes nothing...
Is there any chance to get more information? What is the most detailed log level for gorouter?
I solved my problem. In my case mutual TLS was enabled on gorouter:
By default, Gorouter requests but does not require client certificates in TLS handshakes.
https://docs.cloudfoundry.org/adminguide/securing-traffic.html#gorouter_mutual_auth
Add a registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
EventLogging REG_DWORD = 3
https://blogs.technet.microsoft.com/kevinjustin/2017/11/08/schannel-event-logging/
Now you should find event log entries saying that the server asks for a client certificate but it can't be found.
curl
Look at the bold lines:
curl -I -v -H "Connection: close" https://your-app.cloud
- About to connect() to your-app.cloud port 443 (#0)
- Connected to your-app.cloud port 443 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
- NSS: client certificate not found (nickname not specified)
- SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
openssl
Look at the bold lines:
openssl s_client -connect your-app.cloud:443 -state
- CONNECTED(00000003)
- SSL_connect:before/connect initialization
- SSL_connect:SSLv2/v3 write client hello A
- SSL_connect:SSLv3 read server hello A
- ...
- verify return:1
- SSL_connect:SSLv3 read server certificate A
- SSL_connect:SSLv3 read server key exchange A
- SSL_connect:SSLv3 read server certificate request A
- SSL_connect:SSLv3 read server done A
- SSL_connect:SSLv3 write client certificate A
- SSL_connect:SSLv3 write client key exchange A
- SSL_connect:SSLv3 write change cipher spec A
- SSL_connect:SSLv3 write finished A
- SSL_connect:SSLv3 flush data
- SSL_connect:SSLv3 read server session ticket A
- SSL_connect:SSLv3 read finished A
Change Gorouter properties using the CF deployment manifest:
- name: router
  jobs:   # the jobs: key is assumed here; the original snippet omitted it
  - name: gorouter
    release: routing
    properties:
      router:
        forwarded_client_cert: always_forward
        client_cert_validation: none
Now you can check if mTLS is enabled again.
Note that these settings didn't work for routing release version 0.164.0, but with 0.178.0 it works as expected.
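As an added example (not code from the question or the answer above), a small Go probe that runs a TLS 1.2 handshake against an in-process crypto/tls server and reports whether the server sent a CertificateRequest, which is what the curl line "client certificate not found" and the openssl line "read server certificate request A" reveal. Gorouter is written in Go, and tls.RequestClientCert mirrors its default "requests but does not require" behaviour while tls.NoClientCert mirrors client_cert_validation: none; the self-signed certificate and the net.Pipe connection are fixtures assumed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA server certificate for the in-process probe.
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// ClientCertRequested runs one TLS 1.2 handshake over an in-memory pipe against a server
// using the given ClientAuthType and reports whether the server sent a CertificateRequest.
// crypto/tls invokes GetClientCertificate only after receiving that message, so it is the detector.
func ClientCertRequested(mode tls.ClientAuthType) (bool, error) {
	srvConn, cliConn := net.Pipe()
	srvErr := make(chan error, 1)
	go func() { // server side, e.g. gorouter in its default "request but don't require" mode
		srvErr <- tls.Server(srvConn, &tls.Config{
			Certificates: []tls.Certificate{selfSignedCert()}, ClientAuth: mode}).Handshake()
		srvConn.Close()
	}()
	requested := false
	c := tls.Client(cliConn, &tls.Config{
		InsecureSkipVerify: true,             // probe only: the server's identity is not under test
		MaxVersion:         tls.VersionTLS12, // keeps the handshake fully synchronous over net.Pipe
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			requested = true
			return &tls.Certificate{}, nil // send no certificate, like a client that has none
		},
	})
	err := c.Handshake()
	cliConn.Close()
	return requested, errors.Join(err, <-srvErr) // nil only when both sides succeeded
}
```

In request mode the handshake still succeeds without a client certificate; in require mode the same empty reply is what produces the "TLS handshake error" seen in the gorouter log.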