Date:      Sat, 22 Mar 2014 14:33:38 -0500
From:      Thomas Johnson <tommyj27@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   relayd ssl failure
Message-ID:  <CAMwYC7aFbn=zhqTNui4k7bCEMC4ZSopa7xtmo36m0PGQ0jkj8g@mail.gmail.com>

Hello,

I've been trying to sort out an issue with relayd, and I'm just not having
any luck. I am setting up a new load-balancer using net/relayd
(5.4.20131122_2) on 10.0-RELEASE. My configuration is pretty simple: a pair
of web servers <web>, sitting behind the relayd host. I have an httpd
instance running on the relayd host as a backup "sorry" server.

The following configuration snippet from relayd.conf is literally a
copy-paste job from the working http (no ssl) check; essentially just
s/http/https/

redirect wwws {
        listen on $web_addr port https interface em0
        tag RELAYD
        forward to <web> check https "/" code 302
        forward to <sorry> check https "/favicon.ico" code 200 timeout 100
}

With this configuration, my check always fails with the following error:

hce_notify_done: 1.2.3.4 (ssl connect failed)
host 1.2.3.4, check http code use ssl (5ms), state down -> down,
availability 0.00%

Looking at tcpdump, I see the beginning of an SSL handshake, then the
connection is terminated by relayd. I have verified that the web servers
are working correctly. Unfortunately, relayd doesn't seem to offer
debugging to explain WHY the check is failing.

I don't know how relevant it is, but I also have a relayd instance running
on a 9.1-RELEASE host (same version of relayd). The topology and relayd
config are virtually identical; the web servers are identical images. This
instance has its own quirks (one problem at a time), but the https check
is working. Comparing traffic dumps, I see that relayd sends a different
(shorter) list of available ciphers in the ssl client hello, and a
different cipher is selected by the apache instance in each case:

on 9.1: TLS_RSA_WITH_RC4_128_SHA (0x0005)
on 10.0: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)

In the latter case, the dump shows the server sending its certificate, and
the relayd client disconnecting immediately thereafter. It looks like a
problem with the certificate, except the certificate is valid, and the same
as the 9.1 setup.

Any thoughts would be much appreciated.

Tom
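A minimal stand-in for relayd's `check https <path> code <n>` probe, written in Python and run from the relayd host against one backend; this is an added example, not relayd's own checker. It reports which stage failed (TCP connect, TLS handshake, or HTTP) and which cipher was negotiated, which is exactly what the `ssl connect failed` log line above leaves out. It assumes, as the post's check appears to, that the backend certificate is not verified; `ciphers` is an optional OpenSSL cipher string for narrowing the client hello when comparing two hosts.

```python
import socket
import ssl


def parse_status(response: bytes):
    """Return the HTTP status code from a raw response, or None if malformed."""
    line = response.split(b"\r\n", 1)[0]
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def https_check(host, port=443, path="/", expect=200, ciphers=None, timeout=5.0):
    """Mimic `check https <path> code <expect>` and record where it fails.

    Hypothetical helper: relayd's own checker is not used here. The stage
    advances tcp -> tls -> http as each step succeeds; `ok` is True only when
    the status code matches `expect`.
    """
    result = {"host": host, "stage": "setup", "ok": False,
              "cipher": None, "code": None, "error": None}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # assumption: health check does not verify the cert
    try:
        if ciphers:
            ctx.set_ciphers(ciphers)  # raises if no cipher is usable
        result["stage"] = "tcp"
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["stage"] = "tls"
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["cipher"] = tls.cipher()[0]
                result["stage"] = "http"
                tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
                buf = b""
                while b"\r\n" not in buf:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                result["code"] = parse_status(buf)
                result["ok"] = result["code"] == expect
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result
```

Running it once with the default cipher list and once with a list that excludes the ECDHE suites shows whether the disconnect follows the cipher choice or the certificate.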
