Date: Sun, 21 Dec 2008 09:35:31 -0400
From: uday <umoorjani.msv@gmail.com>
To: freebsd-ports-bugs@freebsd.org
Subject: net/relayd - ssl issues with freebsd 7.0-CURRENT
Message-ID: <5a7c743f0812210535h56d60741jfcc5e6c0ee881eee@mail.gmail.com>
Hi Guys,

I think I pinpointed a bug in ports/net/relayd for FreeBSD 7.0-CURRENT. I'm posting to this list to know if it can really be considered a bug, whether it's worth submitting one or not, and if there is a workaround for this.

The issue concerns relayd with ssl. I've followed the man page to the letter in configuring this and I still come up with the same error message. I'm trying to loadbalance and proxy ssl connections to non-ssl servers, something like this:

    HTTPS CLIENT <==> RELAYD SSL REVERSE PROXY :443 <---> NON-SSL WEB SERVER :80

A fairly simple setup that I tested with "pound", another reverse proxy with ssl capabilities, and that worked like a charm.

With relayd, I've generated a certificate with GoDaddy. I have the certificates in the directories the man page mentions, the private key in /etc/ssl/private/192.168.172.77.key and the certificate in /etc/ssl/192.168.172.77.key, where the ip is the frontal relay ip configured in relayd.conf.

I've configured pf with the following 2 directives, with nothing else in the file, just like the man page suggests:

    rdr-anchor "relayd/*"
    anchor "relayd/*"

I've configured relayd with the following directives:

    relayd_addr="192.168.172.77"
    relayd_port="443"
    web_port="80"

    table <web_hosts> { 192.168.190.53 }

    interval 10
    timeout 200
    prefork 5

    http protocol "httpfilter" {
        return error
        header append "$REMOTE_ADDR" to "X-Forwarded-For"
        header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
        header change "Keep-Alive" to "$TIMEOUT"
        header change "Connection" to "close"
        response header change "Server" to "Server1"
        ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
    }

    relay httpproxy {
        listen on $relayd_addr port $relayd_port ssl
        protocol "httpfilter"
        forward to <web_hosts> port $web_port mode loadbalance check icmp
    }

Now when I remove the ssl directive from the protocol spec "httpfilter" and from the "listen" directive within the "relay" section, I forward to my webserver just like a charm.
But when I use the configuration as specified above I get this error when I try to connect to "https://192.168.172.77":

    SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
    relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL accept error

Now when I researched this error it referred to being an error with the random number generation, so I double-checked the rights on /dev/random and /dev/urandom and both were ok (/dev/urandom being a symlink to /dev/random). I even su'd to the _relayd user and tested if I could generate random numbers, and I could:

    [_relayd@myserver /etc/ssl]$ od -D -A n /dev/random | head -2
    2530374051 2874409472 1650458018 3736200264
    1776311775 448067355 3385764049 245858356

So I tried another solution, "pound", and it worked just like a pro. At least I know that the ssl mechanisms work without any issues with my GoDaddy certificate.

So is this a bug? Should I submit it? Has anyone encountered this before?
Uday

P.S. Here is the full log snippet from relayd -d -vv:

    init_filter: filter init done
    init_tables: created 0 tables
    relay_privinit: adding relay httpproxy
    protocol 0: name httpfilter
        flags: 0x20004
        type: tcp
        request change "Connection" to "close"
        request change "Keep-Alive" to "$TIMEOUT"
        request append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
        request append "$REMOTE_ADDR" to "X-Forwarded-For"
        response change "Server" to "Server1"
    relay_init: max open files 11095
    relay_ssl_ctx_create: loading certificate
    relay_ssl_ctx_create: loading private key
    adding 1 hosts from table web_hosts:80
    relay_launch: running relay httpproxy
    relay_init: max open files 11095
    relay_init: max open files 11095
    relay_ssl_ctx_create: loading certificate
    relay_ssl_ctx_create: loading certificate
    relay_ssl_ctx_create: loading private key
    adding 1 hosts from table web_hosts:80
    relay_ssl_ctx_create: loading private key
    adding 1 hosts from table web_hosts:80
    relay_launch: running relay httpproxy
    relay_launch: running relay httpproxy
    relay_init: max open files 11095
    relay_init: max open files 11095
    relay_ssl_ctx_create: loading certificate
    relay_ssl_ctx_create: loading certificate
    relay_ssl_ctx_create: loading private key
    relay_ssl_ctx_create: loading private key
    adding 1 hosts from table web_hosts:80
    adding 1 hosts from table web_hosts:80
    relay_launch: running relay httpproxy
    relay_launch: running relay httpproxy
    hce_notify_done: 192.168.190.53 (recv_icmp: done)
    host 192.168.190.53, check icmp (0ms), state unknown -> up, availability 100.00%
    pfe_dispatch_imsg: state 1 for host 1 192.168.190.53
    SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
    relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL accept error
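The mail above checks by hand the three things a TLS-terminating relay needs before it can accept a connection: the private key is in place with sane permissions, the certificate is present, and the random device can be read by the unprivileged relay user. The script below is an added example (not from the original mail, the relayd port, or the relayd project) that turns those manual checks into a repeatable pre-flight audit returning findings rather than printing them. The key and certificate paths in its usage block are assumptions taken from the mail (the certificate is assumed to be the .crt file next to the key); the random-device path is an assumption for the reader's own host.

```python
"""Pre-flight audit of the files a TLS-terminating relay needs at start-up.

Added example, not relayd's own code. Run it as the unprivileged user the
relay drops to (e.g. via su) so that readability is checked from that
user's point of view, which is what the poster verified by hand.
"""
import os
import stat


def audit_private_key(path):
    """Return a list of findings for a private key file (empty list means OK)."""
    findings = []
    if os.path.islink(path):
        # A key reached through a symlink is worth flagging: the link target
        # may live somewhere with looser permissions than the link itself.
        findings.append("symlink")
    try:
        st = os.stat(path)
    except OSError:
        return findings + ["missing"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-a-regular-file")
    perm = stat.S_IMODE(st.st_mode)
    if perm & stat.S_IRWXO:
        findings.append("world-accessible")
    if perm & stat.S_IRWXG:
        findings.append("group-accessible")
    if not os.access(path, os.R_OK):
        # True for the user running this audit, so run it as the relay user.
        findings.append("unreadable-by-current-user")
    return findings


def audit_certificate(path):
    """A certificate is public data; only presence, readability and format matter."""
    if not os.path.isfile(path):
        return ["missing"]
    if not os.access(path, os.R_OK):
        return ["unreadable-by-current-user"]
    with open(path, "rb") as fh:
        head = fh.read(64)
    if b"-----BEGIN" not in head:
        return ["not-pem"]
    return []


def audit_random_source(path="/dev/random", nbytes=16):
    """Return how many bytes could actually be read from the random source.

    nbytes on success, fewer if the device is short, 0 if it cannot be opened.
    This is the programmatic form of the poster's `od -A n /dev/random` test.
    """
    try:
        with open(path, "rb", buffering=0) as fh:
            return len(fh.read(nbytes))
    except OSError:
        return 0


def audit_relay_tls(key_path, cert_path, random_path="/dev/random"):
    """Combine the three checks into one report with an overall verdict."""
    report = {
        "key": audit_private_key(key_path),
        "cert": audit_certificate(cert_path),
        "random_bytes": audit_random_source(random_path),
    }
    report["ok"] = (not report["key"]
                    and not report["cert"]
                    and report["random_bytes"] > 0)
    return report


if __name__ == "__main__":
    # Paths assumed from the mail; adjust for your own host.
    print(audit_relay_tls("/etc/ssl/private/192.168.172.77.key",
                          "/etc/ssl/192.168.172.77.crt"))
```

The permission checks look only at the mode bits, so a key owned by root with mode 0600 passes even though the current user cannot read it; that case is reported separately as "unreadable-by-current-user", which is exactly the condition a relay that loads its key after dropping privileges would hit. A report with `ok` True but a relay still failing at accept time points away from file permissions and the random device, which is where the mail's error had been narrowed to.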