Date: Mon, 22 Dec 2008 16:05:53 GMT
From: "uday m." <umoorjani.msv@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/129859: net/relayd - ssl random number generation
Message-ID: <200812221605.mBMG5rEK004646@www.freebsd.org>
Resent-Message-ID: <200812221610.mBMGA4ih090763@freefall.freebsd.org>
>Number:         129859
>Category:       ports
>Synopsis:       net/relayd - ssl random number generation
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 22 16:10:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     uday m.
>Release:        FreeBSD 7.0-RELEASE
>Organization:
i represent myself
>Environment:
FreeBSD ******.med******.net 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
The issue concerns relayd with ssl. I've followed the man page to the letter in configuring this and I still come up with the same error message.

I'm trying to load balance and proxy ssl connections to non-ssl servers, something like this:

    HTTPS CLIENT <==> RELAYD SSL REVERSE PROXY :443 <---> NON-SSL WEB SERVER :80

A fairly simple setup that I tested with "pound", another reverse proxy with ssl capabilities, that worked like a charm.

With relayd, I've generated a certificate with GoDaddy. I have the certificates in the directories the man page mentions, the private key in /etc/ssl/private/192.168.172.77.key and the certificate in /etc/ssl/192.168.172.77.key, where the ip is the frontal relay ip configured in relayd.conf.

The problem occurs when trying to initiate the SSL handshake: relayd has a hard time generating the random number and receives a weird error:

    SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
    relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL accept error

I tried the exact same configuration (copy/paste) on an OpenBSD box and the SSL handshake works just fine.
>How-To-Repeat:
I've configured pf with the following 2 directives, with nothing else in the file, just like what the man page suggests:

    rdr-anchor "relayd/*"
    anchor "relayd/*"

I've configured relayd with the following directives:

    relayd_addr="192.168.172.77"
    relayd_port="443"
    web_port="80"

    table <web_hosts> { 192.168.190.53 }

    interval 10
    timeout 200
    prefork 5

    http protocol "httpfilter" {
            return error
            header append "$REMOTE_ADDR" to "X-Forwarded-For"
            header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
            header change "Keep-Alive" to "$TIMEOUT"
            header change "Connection" to "close"
            response header change "Server" to "Server1"
            ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
    }

    relay httpproxy {
            listen on $relayd_addr port $relayd_port ssl
            protocol "httpfilter"
            forward to <web_hosts> port $web_port mode loadbalance check icmp
    }

Now when I remove the ssl directive from the protocol specs "httpfilter" and from the "listen" directive within the "relay" section, I forward to my webserver just like a charm. But when I use the configuration as specified above I get this error when I try to connect to "https://192.168.172.77":

    SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
    relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL accept error

Now when I researched this error it referred to being an error with the random number generation, so I double checked the rights on /dev/random and /dev/urandom and both were ok (/dev/urandom being a symlink to /dev/random). I even su'd as the _relayd user and tested if I could generate random numbers, and I could:

    [_relayd@myserver /etc/ssl]$ od -D -A n /dev/random | head -2
        2530374051 2874409472 1650458018 3736200264
        1776311775  448067355 3385764049  245858356

>Fix:
I really don't know.
>Release-Note:
>Audit-Trail:
>Unformatted:
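Before suspecting the random number source, the first thing worth checking on a relayd ssl listener is that the key and certificate files are found under the exact names relayd derives from the listen address, are protected, and actually belong together. The script below is an added example written for this page; it is not part of the PR, of the relayd port, or of relayd itself. It assumes the file naming documented in relayd.conf(5) of that era (private key in <ssldir>/private/<address>.key, certificate in <ssldir>/<address>.crt); the <ssldir> argument (normally /etc/ssl) and the function name relayd_ssl_check are this example's own choices so the check can also be run against a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the PR or of relayd: pre-flight check of the
# certificate/key pair relayd(8) loads for an ssl listener address.
# Assumed naming (relayd.conf(5)):
#   private key  -> <ssldir>/private/<address>.key
#   certificate  -> <ssldir>/<address>.crt
# <ssldir> is a parameter (normally /etc/ssl). Returns 0 when every check
# passes; each failure is reported on stderr.

relayd_ssl_check() {
    ssldir=$1
    addr=$2
    key="$ssldir/private/$addr.key"
    crt="$ssldir/$addr.crt"
    rc=0

    # 1. Both files must exist under the names relayd derives from the
    #    listen address; a certificate saved as .key is simply not found.
    if [ ! -f "$key" ]; then
        echo "missing private key: $key" >&2
        rc=1
    fi
    if [ ! -f "$crt" ]; then
        echo "missing certificate: $crt" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] || return "$rc"

    # 2. The private key should be readable by its owner only. Characters
    #    5-10 of `ls -l` output are the group and other permission bits on
    #    both BSD and GNU ls.
    grp_oth=$(ls -ld "$key" | cut -c5-10)
    if [ "$grp_oth" != "------" ]; then
        echo "private key $key is group/world accessible ($grp_oth)" >&2
        rc=1
    fi

    # 3. With openssl(1) available, confirm the key and certificate belong
    #    together by comparing their RSA moduli; skipped if openssl is absent.
    if command -v openssl >/dev/null 2>&1; then
        kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null || true)
        cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null || true)
        if [ -z "$kmod" ] || [ -z "$cmod" ]; then
            echo "could not parse $key or $crt with openssl" >&2
            rc=1
        elif [ "$kmod" != "$cmod" ]; then
            echo "private key $key does not match certificate $crt" >&2
            rc=1
        fi
    fi
    return "$rc"
}

# Usage, run as the user relayd loads the files as, with the listener
# address from relayd.conf:
#   relayd_ssl_check /etc/ssl 192.168.172.77 && echo "ssl files ok"
```

The modulus comparison is the step that catches a key/certificate mismatch that file presence and permissions cannot; when openssl is not installed the function still validates naming and permissions and says nothing about the pair.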