Date: Sat, 22 Mar 2014 14:33:38 -0500 From: Thomas Johnson <tommyj27@gmail.com> To: freebsd-net@freebsd.org Subject: relayd ssl failure Message-ID: <CAMwYC7aFbn=zhqTNui4k7bCEMC4ZSopa7xtmo36m0PGQ0jkj8g@mail.gmail.com>
Hello,

I've been trying to sort out an issue with relayd, and I'm just not having any luck. I am setting up a new load-balancer using net/relayd (5.4.20131122_2) on 10.0-RELEASE. My configuration is pretty simple: a pair of web servers <web>, sitting behind the relayd host. I have an httpd instance running on the relayd host as a backup "sorry" server.

The following configuration snippet from relayd.conf is literally a copy-paste job from the working http (no ssl) check; essentially just s/http/https/:

    redirect wwws {
        listen on $web_addr port https interface em0 tag RELAYD
        forward to <web> check https "/" code 302
        forward to <sorry> check https "/favicon.ico" code 200
        timeout 100
    }

With this configuration, my check always fails with the following error:

    hce_notify_done: 1.2.3.4 (ssl connect failed) host 1.2.3.4, check http code use ssl (5ms), state down -> down, availability 0.00%

Looking at tcpdump, I see the beginning of an SSL handshake, then the connection is terminated by relayd. I have verified that the web servers are working correctly. Unfortunately, relayd doesn't seem to offer debugging to explain WHY the check is failing.

I don't know how relevant it is, but I also have a relayd instance running on a 9.1-RELEASE host (same version of relayd). The topology and relayd config are virtually identical; the web servers are identical images. This instance has its own quirks (one problem at a time), but the https check is working.

Comparing traffic dumps, I see that relayd sends a different (shorter) list of available ciphers in the ssl client hello, and a different cipher is selected by the apache instance in each case:

    on 9.1:  TLS_RSA_WITH_RC4_128_SHA (0x0005)
    on 10.0: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)

In the latter case, the dump shows the server sending its certificate, and the relayd client disconnecting immediately thereafter. It looks like a problem with the certificate, except the certificate is valid, and the same as the 9.1 setup.
Any thoughts would be much appreciated. Tom
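The following script is an added example, not part of the original mail or of relayd itself. It reproduces what a relayd "check https <path> code <n>" does, by hand, with openssl s_client, so the handshake can be observed outside relayd and pinned to one cipher suite: RC4-SHA and ECDHE-RSA-RC4-SHA are the OpenSSL names for the two suites seen in the dumps above (TLS_RSA_WITH_RC4_128_SHA and TLS_ECDHE_RSA_WITH_RC4_128_SHA). It also parses relayd's hce_notify_done log line into host, reason and state transition, which is the only failure detail relayd's log gives. The host, port and path arguments are placeholders to be supplied by the operator; the sample response and log line in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original mail, not relayd code): manual
# equivalent of relayd's "check https <path> code <n>" health check.

# Extract the HTTP status code from the first line of a raw HTTP response.
# Prints "302", "200", ... or nothing if the first line is not a status line.
http_status_of() {
    printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '$1 ~ /^HTTP\// { print $2 }'
}

# Parse a relayd hce_notify_done line into "host|reason|old_state|new_state".
# Constructed sample input:
#   hce_notify_done: 1.2.3.4 (ssl connect failed) host 1.2.3.4, check http code use ssl (5ms), state down -> down, availability 0.00%
# gives:
#   1.2.3.4|ssl connect failed|down|down
parse_hce_line() {
    printf '%s\n' "$1" \
      | sed -n 's/^hce_notify_done: \([^ ]*\) (\([^)]*\)).*state \([a-z]*\) -> \([a-z]*\).*/\1|\2|\3|\4/p'
}

# Manual probe mirroring "forward to <table> check https PATH code WANT".
#   $1 host  $2 port  $3 path  $4 expected status  $5 optional OpenSSL cipher name
# -cipher restricts the ClientHello to one suite, so the negotiated suite can
# be compared with what tcpdump showed; -quiet drops the certificate dump.
# Note: modern OpenSSL builds usually have RC4 suites compiled out, so a probe
# with RC4-SHA or ECDHE-RSA-RC4-SHA may fail for that reason alone.
probe_https_check() {
    host=$1; port=$2; path=$3; want=$4; cipher=${5:-}
    resp=$(printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$path" "$host" \
        | openssl s_client -connect "$host:$port" ${cipher:+-cipher "$cipher"} -quiet 2>/dev/null)
    got=$(http_status_of "$resp")
    if [ "$got" = "$want" ]; then
        echo "up:   $host:$port $path -> $got"
        return 0
    fi
    echo "down: $host:$port $path -> '${got:-no response}' (wanted $want)"
    return 1
}

# Usage (placeholders for the operator's backend and cipher):
#   probe_https_check 1.2.3.4 443 / 302 ECDHE-RSA-RC4-SHA
#   probe_https_check 1.2.3.4 443 / 302 RC4-SHA
#   grep hce_notify_done /var/log/messages | while read -r l; do parse_hce_line "$l"; done
```

Running the two probes side by side tells you whether the backend completes the handshake and answers with the expected code under each suite; a probe that gets a response where relayd's check does not narrows the fault to the client side of the handshake rather than the backend or certificate.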