Date:      Mon, 22 Dec 2008 16:05:53 GMT
From:      "uday m." <umoorjani.msv@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/129859: net/relayd - ssl random number generation
Message-ID:  <200812221605.mBMG5rEK004646@www.freebsd.org>
Resent-Message-ID: <200812221610.mBMGA4ih090763@freefall.freebsd.org>


>Number:         129859
>Category:       ports
>Synopsis:       net/relayd - ssl random number generation
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 22 16:10:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     uday m.
>Release:        FreeBSD 7.0-RELEASE
>Organization:
i represent myself
>Environment:
FreeBSD ******.med******.net 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
The issue concerns relayd with ssl. I've followed the man by the
letter in configuring this and I still come up with the same error
message. I'm trying to loadbalance and proxy ssl connections to non
ssl servers something like this :

HTTPS CLIENT <==> RELAYD SSL REVERSE PROXY :443 <---> NON-SSL WEB SERVER :80

A fairly simple setup that I tested with "pound", another reverse
proxy with ssl capabilities, that worked like a charm.

With relayd, I've generated a certificate with GoDaddy, I have the
certificates in the directories the man page mentions, the private key
/etc/ssl/private/192.168.172.77.key and the certificate in
/etc/ssl/192.168.172.77.key where the ip is the frontal relay ip
configured in relayd.conf.

The problem occurs when trying to initiate the SSL handshake: relayd has a hard time generating the random number and receives a weird error:

SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL accept error

I tried the exact same configuration (copy/paste) on an OpenBSD box and the SSL handshake works just fine.
>How-To-Repeat:
I've configured pf with the following 2 directives with nothing else
in the file just like what the man page suggests:

rdr-anchor "relayd/*"
anchor "relayd/*"

I've configured relayd with the following directives :

# macros: the frontal relay address/port and the backend port
relayd_addr="192.168.172.77"
relayd_port="443"
web_port="80"

# backend pool: the non-SSL web server(s) the relay forwards to
table <web_hosts> { 192.168.190.53  }

# global options: health-check interval, connection timeout, worker processes
interval 10
timeout 200
prefork 5

http protocol "httpfilter" {
 return error
 header append "$REMOTE_ADDR" to "X-Forwarded-For"
 header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
 header change "Keep-Alive" to "$TIMEOUT"
 header change "Connection" to "close"
 response header change "Server" to "Server1"
 # ssl options for the listener; the option list is closed with "}" like the protocol block
 ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
}

relay httpproxy {
 # terminate SSL on the relay address and forward plain HTTP to the pool
 listen on $relayd_addr port $relayd_port ssl
 protocol "httpfilter"
 forward to <web_hosts> port $web_port mode loadbalance check icmp
}

Now when I remove the ssl directive from the protocol specs
"httpfilter" and from the "listen" directive within the "relay"
section I forward to my webserver just like a charm. But when I use
the configuration as specified above I get this error when I try to
connect to "https://192.168.172.77":

SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL
routines:SSL_GET_NEW_SESSION:ssl session id callback failed
relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL
accept error

Now when I researched this error it referred to being an error with
the random number generation so I double checked the rights on
/dev/random and /dev/urandom and both were ok (/dev/urandom being a
symlink to /dev/random). I even su'd as the _relayd user and tested if I
could generate random numbers and I could:

[_relayd@myserver /etc/ssl]$ od -D -A n /dev/random | head -2
            2530374051      2874409472      1650458018      3736200264
            1776311775       448067355      3385764049       245858356

>Fix:
I really don't know.

>Release-Note:
>Audit-Trail:
>Unformatted:
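The "error:140B512D:..." string in the report is OpenSSL's packed error code, laid out as (library << 24) | (function << 12) | reason, which is how ERR_error_string() renders it. The following decoder is an added example written for this page, not code from the report or from relayd; it splits the code into its three fields so the library that raised it can be read off directly. The first sample line is the report's own error, trimmed to the OpenSSL part; the second is a constructed contrast line of the form OpenSSL emits when its PRNG is not seeded (library RAND, 0x24), so that the two failure classes can be told apart. The library numbers ERR_LIB_SSL = 20 and ERR_LIB_RAND = 36 are OpenSSL's own constants from err.h.

```python
"""Decode packed OpenSSL error codes of the form error:<hex>:<lib>:<func>:<reason text>."""
import re

# OpenSSL library identifiers from <openssl/err.h>
ERR_LIB_SSL = 20    # 0x14: "SSL routines"
ERR_LIB_RAND = 36   # 0x24: "random number generator"

# The report's error line, trimmed to the OpenSSL error string.
RELAYD_LINE = (
    "SSL library error: httpproxy: relay_ssl_accept: error:140B512D:"
    "SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed"
)

# Constructed sample (not from the report): what an unseeded-PRNG failure looks like.
PRNG_LINE = (
    "error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded"
)

# error:<8 hex digits>:<library name>:<function name>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:\n]*)")


def unpack_code(code):
    """Split a packed OpenSSL error code into library, function and reason numbers."""
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
    }


def parse_openssl_error(line):
    """Return the decoded fields of the first OpenSSL error string in `line`, or None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    fields = unpack_code(code)
    fields.update(
        code=code,
        lib_name=m.group(2),
        func_name=m.group(3),
        reason_text=m.group(4).strip(),
    )
    return fields


def originating_library(line):
    """Classify which OpenSSL library raised the error: 'ssl', 'rand' or 'other'."""
    fields = parse_openssl_error(line)
    if fields is None:
        return None
    if fields["lib"] == ERR_LIB_SSL:
        return "ssl"
    if fields["lib"] == ERR_LIB_RAND:
        return "rand"
    return "other"


if __name__ == "__main__":
    for sample in (RELAYD_LINE, PRNG_LINE):
        f = parse_openssl_error(sample)
        print("0x%08X lib=%d func=%d reason=%d (%s: %s: %s)" % (
            f["code"], f["lib"], f["func"], f["reason"],
            f["lib_name"], f["func_name"], f["reason_text"]))
        print("  raised by library:", originating_library(sample))
```

Running the decoder on the report's line gives library 20 (SSL routines), function 181 (SSL_GET_NEW_SESSION) and reason 301 (ssl session id callback failed); the constructed PRNG line decodes to library 36 (random number generator). The same split is available on any OpenSSL install as `openssl errstr 140B512D`.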



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200812221605.mBMG5rEK004646>