Polling tentacle from Azure VM through Netscaler

How does the certificate exchange take place between the polling tentacle and the server? Is the certificate a part of SSL initiation, or is it exchanged later inside HTTP packets?

Hi Arne,

Thanks for getting in touch. I think this page on Tentacle communications describes the exchange fairly well.

For polling Tentacles, the Octopus Server acts as a TLS Server and presents its Server Certificate to verify its identity to the Tentacle, and the Tentacle provides its certificate as a Client Certificate to verify its identity with the Octopus Server.

To answer your question specifically, the Octopus Server certificate is used as part of the SSL initiation, and the Tentacle certificate is exchanged inside the HTTP packets as a client certificate.

Hope that helps!
Mike

From the Wireshark logs from the Octopus server (appended), it seems like the issue is that the Octopus server doesn't send information about the certificate when the client is a workstation in Azure, while it is presented fine when the machine is a polling tentacle operating on the local subnet. As the rest of the communication is running successfully on 10943 and 443, it doesn't immediately look like a firewall issue. Any common reasons for the Octopus server to not exchange certificates?

Problem found: it was set as an SSL session on Netscaler, not TCP, and the certificate was sent inside the HTTPS session. Managing it as a TCP session solved the communication problem.

Hi Arne,

Thanks for getting back to me with the results of your investigation, and I’m glad you got it working! Being unfamiliar with the Netscaler, does the SSL Session do SSL offloading at the appliance, and TCP simply passes the SSL connection through to the endpoint? If that’s the case, this behaviour makes sense since SSL must be terminated at the Octopus/Tentacle so they can be generally certain there is an intact TLS connection from end-to-end.

Also, is there any chance you could dig up the log files for either the Tentacle and/or Octopus Server so I can add any specific error messages to our knowledgebase on this topic?

Thanks for your help!
Mike
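
Added example (not part of the thread and not Octopus code): a check for the situation resolved above, comparing the certificate actually presented on the polling port with the pinned Octopus Server thumbprint to tell whether an appliance in the path is terminating TLS. It assumes the thumbprint is the SHA-1 hash of the DER certificate; the host name in the comment is hypothetical and the certificate bytes are constructed stand-ins.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER certificates, so the comparison runs offline.
SERVER_DER = b"constructed-octopus-server-certificate"
NETSCALER_DER = b"constructed-netscaler-vserver-certificate"


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER certificate, upper-case hex (assumed thumbprint format)."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize(tp: str) -> str:
    """Drop colons, spaces and invisible characters picked up when copying."""
    return "".join(c for c in tp.upper() if c in "0123456789ABCDEF")


def presented_cert(host: str, port: int = 10943, timeout: float = 5.0) -> bytes:
    """DER certificate presented by whatever completes the TLS handshake.

    Chain validation is off on purpose: the caller pins by thumbprint instead
    (assumption: the server certificate is not issued by a trusted CA).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def is_passthrough(expected_tp: str, der: bytes) -> bool:
    """True when the certificate seen on the wire is the pinned server one."""
    return thumbprint(der) == normalize(expected_tp)


if __name__ == "__main__":
    pinned = thumbprint(SERVER_DER)
    # Live use (hypothetical host): der = presented_cert("octopus.example.com")
    for label, der in (("TCP session", SERVER_DER), ("SSL session", NETSCALER_DER)):
        verdict = "passthrough" if is_passthrough(pinned, der) else "TLS terminated in path"
        print(f"{label}: presented {thumbprint(der)} -> {verdict}")
```

Run from the Azure side and from the local subnet with the same pinned thumbprint; a mismatch on only one path points at the device in between rather than at the server.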