
We are facing an issue on the client-side TLS. As you can see below, the handshake is done properly, but then there is no more data sent from the SG client, so the connection is closed.

To test, I am using this link https://caplonsgprd-x.integration.ibmcloud.com:xxxx/PATH/ to initiate the request, which reaches the client configured for TLS, and then I see the below in the logs:

[Wed Sep 30 14:22:13 2015] [debug] ssl_engine_kernel.c(1907): OpenSSL: Handshake: done
[Wed Sep 30 14:22:13 2015] [info] Connection: Client IP: xx.xx.xx.xx, Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Wed Sep 30 14:22:13 2015] [debug] mod_monitoring.c(213): monitor: Update counters for event 'tls:handshake:done'
[Wed Sep 30 14:22:13 2015] [debug] MonitoringCounter.c(375): monitor: MonitoringCounter_updateCounter (null) TLS_HandshakeSucceed 1
[Wed Sep 30 14:22:13 2015] [debug] mod_monitoring.c(213): monitor: Update counters for event 'tls:handshake:exit'

[Wed Sep 30 14:22:13 2015] [debug] ssl_engine_io.c(1952): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f5eb00011e0 [mem: 7f5ef0751de3]  -> Here we expected the client to send the applicative data which is the HTTPS request with the PATH.
[Wed Sep 30 14:22:13 2015] [info] [client xx.xx.xx.xx] (70014)End of file found: SSL input filter read failed.
Alex da Silva
Prateesh
  • Can you turn TRACE on in the client and see any additional data? (e.g. cli> l TRACE ) – doktoroblivion Oct 01 '15 at 13:58
  • Could you also provide the info on how you've configured your destination? Did you set the destination to be HTTPS or HTTP, enable client TLS (TLS options under the advanced section of the UI), and upload the cert for the destination if it is self signed? The logs on the client with TRACE enabled should help to diagnose the issue, as Erick pointed out. – Alex Yurkowski Oct 01 '15 at 14:15
  • The SG client TRACE showed us a SELF_SIGNED_CERT_IN_CHAIN error. The destination is set with HTTPS, then I clicked on enable client TLS and uploaded the server certificate of the on-premise server (.pem file). I also tried with the full certificate chain in the pem file (which includes the server certificate, the intermediate CA certificate and the root CA certificate) but still get the same error. – Prateesh Oct 01 '15 at 17:46
  • FYI, we are running v1.3.0 of SG client – Prateesh Oct 01 '15 at 18:08

1 Answer

I've gone through the flow in Bluemix US of creating a TCP destination to mongodb with client side TLS enabled with a self signed cert.

If the cert is uploaded, it looks like the client needs to be restarted to pick up the cert and use it. Once the client is restarted, the cert should be recognized and I was able to connect to my SSL enabled mongodb.
Edit: Secure Gateway does not currently support multiple client TLS CA files to be uploaded, so the client will fail to connect if the chain consists of more than one CA cert.

Alex Yurkowski
  • Thanks for the tip. I will try that. Please can you confirm if the certificate to be uploaded is only the server certificate or the full chain? – Prateesh Oct 01 '15 at 21:13
  • Could you share a sample PEM file? Does it include the full chain or only the server certificate? Please note that the certificate we are using is signed by our internal intermediate CA. – Prateesh Oct 02 '15 at 12:01
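An added example, not code from the question, the answer, or IBM's Secure Gateway client: a small Python inspector for a PEM bundle like the one the asker uploaded, covering both the SELF_SIGNED_CERT_IN_CHAIN trace in the question's comments and the answer's edit about a single CA certificate. It assumes the file lists the server certificate first, followed by the CA certificates (the asker's order: server, intermediate, root), and it applies the rule from the answer's edit that the client handles only one CA certificate, so a chain with an intermediate plus a root is flagged before it is uploaded. The DER check only validates the outer SEQUENCE header of each block, and the sample PEM blocks are constructed stand-ins (minimal DER sequences, not real certificates) so the script runs offline.

```python
"""Inspect a PEM bundle before uploading it as a Secure Gateway client TLS CA file.

Added example, not from the question or from IBM's Secure Gateway code. Assumptions:
- blocks appear leaf-first (server cert, then intermediate, then root), as in the
  asker's description, so every block after the first is treated as a CA cert;
- the client can use only one CA cert (the answer's edit), so two or more CA
  blocks are reported as a problem.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        # Strip line breaks inside the base64 body; reject stray characters.
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders


def der_outer_length(der):
    """Parse the outer SEQUENCE header and return its declared content length.

    Raises ValueError when the bytes are not one well-formed SEQUENCE, which
    catches a block that was truncated or corrupted while being copied.
    """
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    if header + length != len(der):
        raise ValueError("DER declares %d bytes, block has %d" % (header + length, len(der)))
    return length


def inspect_bundle(text):
    """Describe each block and list problems that would stop the client using the file."""
    entries = []
    for i, der in enumerate(split_pem_bundle(text)):
        der_outer_length(der)             # raises on a damaged block
        entries.append({
            "index": i,
            "role": "server" if i == 0 else "ca",   # assumption: leaf-first ordering
            "sha256": hashlib.sha256(der).hexdigest(),
        })
    ca_count = sum(1 for e in entries if e["role"] == "ca")
    problems = []
    if not entries:
        problems.append("no CERTIFICATE blocks found")
    if ca_count > 1:
        problems.append("chain contains %d CA certificates; the client supports only one" % ca_count)
    return {"certs": entries, "ca_count": ca_count, "problems": problems}


def _pem(der):
    """Wrap DER bytes in PEM armor (helper for the constructed samples below)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-ins: each is a minimal valid DER SEQUENCE, not a real X.509 cert.
SERVER_ONLY_PEM = _pem(b"\x30\x03\x02\x01\x01")
FULL_CHAIN_PEM = (SERVER_ONLY_PEM
                  + _pem(b"\x30\x03\x02\x01\x02")    # stands in for the intermediate CA
                  + _pem(b"\x30\x03\x02\x01\x03"))   # stands in for the root CA

if __name__ == "__main__":
    for name, bundle in (("server only", SERVER_ONLY_PEM), ("full chain", FULL_CHAIN_PEM)):
        report = inspect_bundle(bundle)
        print(name, "->", len(report["certs"]), "blocks,", report["ca_count"], "CA certs")
        for problem in report["problems"]:
            print("  problem:", problem)
```

Run it against the real bundle with `inspect_bundle(open("chain.pem").read())`; a file that lists the server certificate, the intermediate and the root reports two CA certificates and is flagged, which matches the failure the asker saw with the full chain.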