relayd ssl failure
Thomas Johnson
tommyj27 at gmail.com
Sat Mar 22 19:33:40 UTC 2014
Hello,
I've been trying to sort out an issue with relayd, and I'm just not having
any luck. I am setting up a new load-balancer using net/relayd
(5.4.20131122_2) on 10.0-RELEASE. My configuration is pretty simple: a pair
of web servers <web>, sitting behind the relayd host. I have a httpd
instance running on the relayd host as a backup "sorry" server.
The following configuration snippet from relayd.conf is literally a
copy-paste job from the working http (no ssl) check; essentially just
s/http/https/
redirect wwws {
listen on $web_addr port https interface em0
tag RELAYD
forward to <web> check https "/" code 302
forward to <sorry> check https "/favicon.ico" code 200 timeout 100
}
With this configuration, my check always fails with the following error:
hce_notify_done: 1.2.3.4 (ssl connect failed)
host 1.2.3.4, check http code use ssl (5ms), state down -> down,
availability 0.00%
Looking at tcpdump, I see the beginning of an SSL handshake, then the
connection is terminated by relayd. I have verified that the web servers
are working correctly. Unfortunately, relayd doesn't seem to offer
debugging to explain WHY the check is failing.
I don't know how relevant it is, but I also have a relayd instance running
on a 9.1-RELEASE host (same version of relayd). The topology and relayd
config is virtually identical; the web servers are identical images. This
instance has its own quirks (one problem at a time), but the https check
is working. Comparing traffic dumps, I see that relayd sends a different
(shorter) list of available ciphers in the ssl client hello, and a
different cipher is selected by the apache instance in each case:
on 9.1: TLS_RSA_WITH_RC4_128_SHA (0x0005)
on 10.0: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
In the latter case, the dump shows the server sending its certificate, and
the relayd client disconnecting immediately thereafter. It looks like a
problem with the certificate, except the certificate is valid, and the same
as the 9.1 setup.
Any thoughts would be much appreciated.
Tom
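To narrow down a failure like the one described above, here is an added example (not from the post, and not relayd's own code) that reproduces the 'check https "/" code 302' probe step by step in Python and reports whether it fails at the TCP connect, at the TLS handshake (keeping OpenSSL's reason string, which relayd's "ssl connect failed" hides) or at the HTTP status comparison. It assumes the health check does not validate the backend certificate; the ciphers argument (OpenSSL names such as RC4-SHA versus ECDHE-RSA-RC4-SHA, which current OpenSSL builds may no longer offer) is for imitating a particular client hello, and start_plaintext_listener is a constructed fixture for demonstration.

```python
import socket
import ssl
import threading

def parse_status_code(raw):
    """HTTP status code from a raw response, or None if the status line is malformed."""
    parts = raw.split(b"\n", 1)[0].rstrip(b"\r").split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])

def check_https(host, port, path="/", expected_code=302, ciphers=None, timeout=5.0):
    """Probe like relayd's 'check https "<path>" code <N>'; returns a dict whose
    'stage' ('tcp', 'tls' or 'http') says how far the probe got and 'ok' the verdict."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Assumption: the health check does not validate the backend certificate.
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    if ciphers:  # OpenSSL cipher string, to imitate a particular client hello
        ctx.set_ciphers(ciphers)
    try:
        raw_sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return {"stage": "tcp", "ok": False, "error": str(e)}
    try:
        tls = ctx.wrap_socket(raw_sock, server_hostname=host)  # the TLS handshake runs here
    except OSError as e:
        # This is where relayd reports only 'ssl connect failed'; keep OpenSSL's reason.
        return {"stage": "tls", "ok": False, "error": getattr(e, "reason", None) or str(e)}
    with tls:
        result = {"stage": "http", "cipher": tls.cipher(), "version": tls.version()}
        try:
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = tls.recv(4096)
        except OSError as e:
            return dict(result, ok=False, error=str(e))
    code = parse_status_code(raw)
    return dict(result, code=code, ok=code == expected_code)

def start_plaintext_listener():
    """Constructed fixture: accept one connection without TLS and drop it; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run it from the relayd host against the backend address and port used in the failing check; a result with stage "tls" and the OpenSSL reason is the detail relayd's log line omits.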