From owner-freebsd-net@FreeBSD.ORG Sat Mar 22 19:33:39 2014
Date: Sat, 22 Mar 2014 14:33:38 -0500
Subject: relayd ssl failure
From: Thomas Johnson
To: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD
Hello,

I've been trying to sort out an issue with relayd, and I'm just not having any luck. I am setting up a new load-balancer using net/relayd (5.4.20131122_2) on 10.0-RELEASE. My configuration is pretty simple; a pair of web servers, sitting behind the relayd host. I have a httpd instance running on the relayd host as a backup "sorry" server. The following configuration snippet from relayd.conf is literally a copy-paste job from the working http (no ssl) check; essentially just s/http/https/

    redirect wwws {
        listen on $web_addr port https interface em0
        tag RELAYD
        forward to check https "/" code 302
        forward to check https "/favicon.ico" code 200 timeout 100
    }

With this configuration, my check always fails with the following error:

    hce_notify_done: 1.2.3.4 (ssl connect failed)
    host 1.2.3.4, check http code use ssl (5ms), state down -> down, availability 0.00%

Looking at tcpdump, I see the beginning of an SSL handshake, then the connection is terminated by relayd. I have verified that the web servers are working correctly. Unfortunately, relayd doesn't seem to offer debugging to explain WHY the check is failing.

I don't know how relevant it is, but I also have a relayd instance running on a 9.1-RELEASE host (same version of relayd). The topology and relayd config is virtually identical; the web servers are identical images. This instance has its own quirks (one problem at a time), but the https check is working. Comparing traffic dumps, I see that relayd sends a different (shorter) list of available ciphers in the ssl client hello, and a different cipher is selected by the apache instance in each case:

    on 9.1:  TLS_RSA_WITH_RC4_128_SHA (0x0005)
    on 10.0: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)

In the latter case, the dump shows the server sending its certificate, and the relayd client disconnecting immediately thereafter. It looks like a problem with the certificate, except the certificate is valid, and the same as the 9.1 setup.
Any thoughts would be much appreciated.

Tom
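Added example, not from the mail or from relayd itself: a small Python probe that mimics relayd's `check https "<path>" code <N>` health check (TLS connect, GET the path, compare the status code) and, when the handshake fails, reports the OpenSSL reason string that relayd's "ssl connect failed" log line omits, along with the negotiated cipher on success. The target address 1.2.3.4 is the placeholder from the mail; port 443 and the two paths/codes are taken from the relayd.conf snippet above.

```python
import socket
import ssl

def parse_status_code(response):
    """Return the numeric status from a raw HTTP response, or None if malformed."""
    line, _, _ = response.partition(b"\r\n")
    parts = line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])

def check_https(host, port, path, expect_code, timeout=5.0, verify=True):
    """Mimic relayd's `check https "<path>" code <N>`: TLS connect, GET path,
    compare the status code. Returns (ok, detail); on a handshake failure the
    detail carries the OpenSSL reason string that relayd's log does not show."""
    ctx = ssl.create_default_context()
    if not verify:  # reproduce a checker that does not validate the server certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                detail = "cipher=%s proto=%s" % (tls.cipher()[0], tls.version())
                req = b"GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path.encode(), host.encode())
                tls.sendall(req)
                resp = b""
                while b"\r\n" not in resp:  # read until the status line is complete
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    resp += chunk
    except ssl.SSLError as e:  # must precede OSError: SSLError is a subclass of it
        return False, "ssl connect failed: %s" % (e.reason or e)
    except OSError as e:
        return False, "tcp connect failed: %s" % e
    code = parse_status_code(resp)
    return code == expect_code, "%s code=%s expected=%d" % (detail, code, expect_code)

if __name__ == "__main__":
    # Assumed target: the mail's placeholder address; the checks are the two from relayd.conf.
    for path, expected in (("/", 302), ("/favicon.ico", 200)):
        ok, detail = check_https("1.2.3.4", 443, path, expected)
        print("%s %s: %s" % ("up  " if ok else "down", path, detail))
```

Run it from the relayd host so the probe sees the same path and certificate the checker does; a verification failure shows up as the reason string (for example a hostname or chain error) rather than a bare "ssl connect failed".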