net/relayd - ssl issues with freebsd 7.0-CURRENT

uday umoorjani.msv at gmail.com
Sun Dec 21 14:07:38 UTC 2008


Hi Guys,

I think I pinpointed a bug in ports/net/relayd for FreeBSD
7.0-CURRENT. I'm posting to this list to find out whether it can really be
considered a bug and whether it's worth submitting one or not, and if
there is a workaround for this.

The issue concerns relayd with ssl. I've followed the man page to the
letter in configuring this and I still come up with the same error
message. I'm trying to load balance and proxy ssl connections to non-ssl
servers, something like this:

HTTPS CLIENT <==> RELAYD SSL REVERSE PROXY :443 <---> NON-SSL WEB SERVER :80

A fairly simple setup that I tested with "pound", another reverse
proxy with ssl capabilities, which worked like a charm.

With relayd, I've generated a certificate with GoDaddy, I have the
certificates in the directories the man page mentions, the private key
/etc/ssl/private/192.168.172.77.key and the certificate in
/etc/ssl/192.168.172.77.key where the ip is the frontal relay ip
configured in relayd.conf.

I've configured pf with the following 2 directives with nothing else
in the file just like what the man page suggests:

rdr-anchor "relayd/*"
anchor "relayd/*"

I've configured relayd with the following directives:

relayd_addr="192.168.172.77"
relayd_port="443"
web_port="80"
table <web_hosts> { 192.168.190.53  }
interval 10
timeout 200
prefork 5

http protocol "httpfilter" {
  return error
  header append "$REMOTE_ADDR" to "X-Forwarded-For"
  header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
  header change "Keep-Alive" to "$TIMEOUT"
  header change "Connection" to "close"
  response header change "Server" to "Server1"
  ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
}

relay httpproxy {
  listen on $relayd_addr port $relayd_port ssl
  protocol "httpfilter"
  forward to <web_hosts> port $web_port mode loadbalance check icmp
}

Now when I remove the ssl directive from the protocol spec
"httpfilter" and from the "listen" directive within the "relay"
section, it forwards to my webserver just like a charm. But when I use
the configuration as specified above I get this error when I try to
connect to "https://192.168.172.77":

SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL
routines:SSL_GET_NEW_SESSION:ssl session id callback failed
relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL
accept error

Now when I researched this error it referred to being an error with
the random number generation, so I double checked the rights on
/dev/random and /dev/urandom and both were ok (/dev/urandom being a
symlink to /dev/random). I even su'd as the _relayd user and tested if I
could generate random numbers, and I could:

[_relayd at myserver /etc/ssl]$ od -D -A n /dev/random | head -2
             2530374051      2874409472      1650458018      3736200264
             1776311775       448067355      3385764049       245858356

So I tried another solution, "pound", and it worked just like a pro. At
least I know that the ssl mechanisms work without any issues with my
GoDaddy certificate. So is this a bug? Should I submit it?
Has anyone encountered this before?

Uday

P.S.

Here is the full log snippet from relayd -d -vv:

init_filter: filter init done
init_tables: created 0 tables
relay_privinit: adding relay httpproxy
protocol 0: name httpfilter
       flags: 0x20004
       type: tcp
               request change "Connection" to "close"
               request change "Keep-Alive" to "$TIMEOUT"
               request append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
               request append "$REMOTE_ADDR" to "X-Forwarded-For"
               response change "Server" to "Server1"
relay_init: max open files 11095
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading private key
adding 1 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_init: max open files 11095
relay_init: max open files 11095
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading private key
adding 1 hosts from table web_hosts:80
relay_ssl_ctx_create: loading private key
adding 1 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_launch: running relay httpproxy
relay_init: max open files 11095
relay_init: max open files 11095
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading private key
relay_ssl_ctx_create: loading private key
adding 1 hosts from table web_hosts:80
adding 1 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_launch: running relay httpproxy
hce_notify_done: 192.168.190.53 (recv_icmp: done)
host 192.168.190.53, check icmp (0ms), state unknown -> up, availability 100.00%
pfe_dispatch_imsg: state 1 for host 1 192.168.190.53
SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL
routines:SSL_GET_NEW_SESSION:ssl session id callback failed
relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL
accept error
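An added example, not part of the post or of relayd itself: a small parser that pairs each "SSL accept error" session line in relayd -d -vv output with the OpenSSL error relayd logged just before it, so the failing client, session id and OpenSSL routine end up in one record. The sample input is constructed from the log excerpt above with the mail-client line wrapping undone.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the relayd -d -vv lines from the post, one record per line.
SAMPLE_LOG = """\
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading private key
host 192.168.190.53, check icmp (0ms), state unknown -> up, availability 100.00%
SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL accept error
"""

# "SSL library error: <relay>: <function>: error:<code>:SSL routines:<routine>:<reason>"
LIB_ERR = re.compile(
    r"SSL library error: (?P<relay>\S+): (?P<func>\w+): "
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<routine>\w+):(?P<reason>.+)$"
)
# "relay <relay>, session <id> (<n> active), <x>, <client> -> <dst>, <message> error"
SESSION_ERR = re.compile(
    r"relay (?P<relay>\S+), session (?P<sid>\d+) \((?P<active>\d+) active\), "
    r"\d+, (?P<client>[0-9a-fA-F.:]+) -> (?P<dst>[^,]*), (?P<msg>.+ error)$"
)


def parse_ssl_failures(log: str) -> List[Dict[str, str]]:
    """Return one record per failed session, carrying the preceding OpenSSL error if any."""
    failures: List[Dict[str, str]] = []
    pending: Optional[Dict[str, str]] = None  # last library error not yet attached
    for line in log.splitlines():
        m = LIB_ERR.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = SESSION_ERR.match(line)
        if m:
            rec = m.groupdict()
            # Only attach the library error if it came from the same relay.
            if pending and pending["relay"] == rec["relay"]:
                rec["openssl_code"] = pending["code"]
                rec["openssl_routine"] = pending["routine"]
                rec["openssl_reason"] = pending["reason"]
            pending = None
            failures.append(rec)
    return failures


if __name__ == "__main__":
    for rec in parse_ssl_failures(SAMPLE_LOG):
        print(rec)
```

When every failure carries the same routine and reason regardless of client, the fault is on the relay side (configuration or library), not a single misbehaving client.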