Ldirectord Redhat EL3 SSL checking problem

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Ldirectord Redhat EL3 SSL checking problem
From: Philip Hayward <Philip.Hayward@xxxxxxxxxxxxxx>
Date: Wed, 27 Oct 2004 17:27:59 +0100
Hi,

I had a pair of ultramonkey loadbalancers running Redhat 8. I rebuilt the
secondary with Redhat EL3 Update 3, installed the UM packages and
ldirectord 1.92 and copied over the old ldirectord config. The EL3 server is
now failing to make the SSL tests that the RH8 box is still doing.

The webservers (Redhat9 Apache/2.0.40 and IIS4) being SSL polled by EL3 are
logging successful requests:
[27/Oct/2004:15:33:34 +0100] <EL3 ultramonkey IP> TLSv1 DHE-RSA-AES256-SHA
"GET /hello.html HTTP/1.0" 5

The only difference I can see between the ultramonkey servers' behaviour
is that the RH8 server is defaulting to a different cipher:
EDH-RSA-DES-CBC3-SHA. However, I know that EL3's cipher (DHE-RSA-AES256-SHA)
is working correctly because OpenSSL's s_client uses it successfully against
the same server.

I've had fun with Redhat and SSL before, but I'm really not sure what's
going wrong here. I suspect the penultimate error log line below holds the
key, though I haven't been able to fathom it.

Below is ldirectord's relevant config and a debug log. Any ideas or pointers
gratefully received.

Thanks,

Phil



virtual=213.86.49.195:53443
        real=213.86.49.162:53443 masq
        service=https
        checktype=negotiate
        scheduler=wlc
        request="hello.html"
        receive="HELOO"
        persistent=300
        protocol=tcp


DEBUG2: Checking negotiate: real
server=negotiate:https:tcp:213.86.49.162:53443:::\/hello\.html:HELOO
virtual=tcp:213.86.49.195:53443)
DEBUG2: Checking https url="https://213.86.49.162:53443/hello.html";
virtualhost="213.86.49.162"
DEBUG2: Testing: 213.86.49.162, 53443, /hello.html
Opening connection to 213.86.49.162:53443 (213.86.49.162) at
blib/lib/Net/SSLeay.pm (autosplit into
blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 1463.
Creating SSL 0 context...
Creating SSL connection (context was '170208264')...
Setting fd (ctx 170208264, con 170210688)...
Entering SSL negotiation phase...
Cipher list: DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA,
AES256-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DES-CBC3-SHA,
DES-CBC3-MD5, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, AES128-SHA,
RC2-CBC-MD5, DHE-DSS-RC4-SHA, EXP-KRB5-RC4-MD5, EXP-KRB5-RC4-SHA,
KRB5-RC4-MD5, KRB5-RC4-SHA, RC4-SHA, RC4-MD5, RC4-MD5, KRB5-DES-CBC3-MD5,
KRB5-DES-CBC3-SHA, RC4-64-MD5, EXP1024-DHE-DSS-DES-CBC-SHA,
EXP1024-DES-CBC-SHA, EXP1024-RC2-CBC-MD5, KRB5-DES-CBC-MD5,
KRB5-DES-CBC-SHA, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, DES-CBC-SHA,
DES-CBC-MD5, EXP1024-DHE-DSS-RC4-SHA, EXP1024-RC4-SHA, EXP1024-RC4-MD5,
EXP-KRB5-RC2-CBC-MD5, EXP-KRB5-DES-CBC-MD5, EXP-KRB5-RC2-CBC-SHA,
EXP-KRB5-DES-CBC-SHA, EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA,
EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5,
EXP-RC4-MD5\n at blib/lib/Net/SSLeay.pm (autosplit into
blib/lib/auto/Net/SSLeay/sslcat.al) line 1779.
SSLeay connect returned 1
Cipher `DHE-RSA-AES256-SHA'
Subject Name: /C=GB/ST=London/L=London/O=Digital Rum
Limited/OU=Imaging/CN=dg.digitalrum.com
Issuer  Name: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
Authority
sslcat 19231: sending 62 bytes...
  write_all VM at entry=vm_unknown
  written so far 62:62 bytes (VM=vm_unknown)
waiting for reply...
  got 245:0 bytes (VM=vm_unknown).
  got 5:245 bytes (VM=vm_unknown).
  got 0:250 bytes (VM=vm_unknown).
Got 250 bytes.
DEBUG2: Result: HTTP/1.1 200 OK
DEBUG2: Status: 16777215
DEBUG2: Disabled server=213.86.49.162



Below is the end of an openssl s_client handshake:

SSL handshake has read 1416 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
2F06745BD482C6F766A69A442C0255FC63FE8EB42ECF9D0E4130AE7CEDFA7FD9
    Session-ID-ctx:
    Master-Key:
7DAED7B09F20638E93EE7DFE9A48D659D2752892FE3F8C7E6C9E63FEEF54E192FD712A5C518C
BCAEE762DF35C287C3E8
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1098893480
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
GET /hello.html HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 27 Oct 2004 16:19:08 GMT
Server: Apache
Last-Modified: Thu, 15 Jul 2004 16:02:55 GMT
ETag: "c-5-d5ecc9c0"
Accept-Ranges: bytes
Content-Length: 5
Connection: close
Content-Type: text/html; charset=ISO-8859-1

HELOOread:errno=0
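Added example, not from the post or from ldirectord itself: a small Python checker that applies the two conditions the negotiate check above expresses (a 2xx status line and the configured receive string in the body), with the sample response constructed from the s_client output in the post. The `check_https` function and its argument names are assumptions; the host, port, path and receive string are the values from the config.

```python
import re
import socket
import ssl

# Constructed sample: the response the s_client session above shows the
# real server returning for GET /hello.html (5-byte body "HELOO").
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 27 Oct 2004 16:19:08 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Length: 5\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=ISO-8859-1\r\n"
    b"\r\n"
    b"HELOO"
)

def evaluate_response(raw, receive):
    """Return (ok, reason): ok only if the status is 2xx and the receive
    string appears in the body. The reason lets a checker log *why* a
    real server was marked down instead of a bare status code."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete response (no end of headers)"
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not m:
        return False, f"malformed status line: {status_line!r}"
    code = int(m.group(1))
    if not 200 <= code < 300:
        return False, f"unexpected status {code}"
    if receive.encode("latin-1") not in body:
        return False, f"receive string {receive!r} not in body {body!r}"
    return True, f"status {code}, receive string present"

def check_https(host, port, path="/hello.html", receive="HELOO", timeout=5.0):
    """Run the check over TLS (hypothetical helper). Certificate verification
    stays on; a backend whose chain cannot be verified (cf. the s_client
    'Verify return code: 21' line above) needs its CA added via
    ctx.load_verify_locations(), not verification switched off."""
    ctx = ssl.create_default_context()
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("latin-1")
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return evaluate_response(b"".join(chunks), receive)
```

Run `check_https("213.86.49.162", 53443)` from the director to get the same pass/fail decision with a human-readable reason beside it.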