i'm not sure if this ever even made it to the list, but the problem was
that my ssl virtualhost line was _default_:5083, so apache didn't know
that dest ports of 443 were ssl-wrapped. changing the virtualhost to
_default_:443 solves this. note that "listen 5083" should still be in
there, however. my bad. silly mistake.
anyway, for the curious / in case anyone has similar problems...
-tcl.
On Tue, 21 Nov 2000, tc lewis wrote:
>
> i'm having some issues with https and i'm not sure why.
>
> i have lvs directing port 443 traffic for my VIP to my 2 real servers
> using direct routing:
>
> TCP 64.211.224.165:443 lc persistent 360
> -> 192.168.1.101:443 Route 1 0 0
> -> 192.168.1.102:443 Route 1 0 0
>
> on the real servers i'm using horms' ipchains redirect method to accept
> traffic for that ip, and also to redirect it to a non-privileged port:
>
> REDIRECT tcp ------ 0.0.0.0/0 64.211.224.165 * ->
> 443 => 5083
>
> the real servers' gateways are set to the router in front of the lvs
> machine. i use this same setup for port 80 traffic and it works as
> expected. but something's wrong with this 443 https traffic.
>
> the packets appear to be arriving to the real server, and the real server
> even processes them, but something is going awry in the process:
>
> from CIP:
> [tcl@jam tcl]$ openssl s_client -connect 64.211.224.165:443
> CONNECTED(00000003)
> 9395:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:458:
>
> apache even shows a strange request, but i didn't make one yet:
> ==> ./logs/access_log <==
> 64.211.151.249 - - [21/Nov/2000:18:59:07 -0800] "z" 200 11644
> ^^
> ^^
> some funky character(s) in there.
>
>
> doing it from the real server to the unprivileged port works fine,
> however:
>
> [mybiz@sfo /mybiz]$ ./bin/openssl s_client -connect localhost:5083
> CONNECTED(00000003)
> depth=0 /C=US/ST=California/L=Sunnyvale/O=mybiz Technologies,
> Inc./CN=www.mybiz.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=California/L=Sunnyvale/O=mybiz Technologies,
> Inc./CN=www.mybiz.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=California/L=Sunnyvale/O=mybiz Technologies,
> Inc./CN=www.mybiz.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Sunnyvale/O=mybiz Technologies,
> Inc./CN=www.mybiz.com
> i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
> cc/OU=Certification Services Division/CN=Thawte Server
> CA/Email=server-certs@xxxxxxxxxx
> ---
> [snip snip snip]
>
>
> i tried adding:
> REDIRECT tcp ------ 0.0.0.0/0 0.0.0.0 * ->
> 443 => 5083
>
> to test from localhost, but that doesn't fly:
>
> [mybiz@sfo /mybiz]$ ./bin/openssl s_client -connect localhost:443
> connect: Connection refused
> connect:errno=111
> [mybiz@sfo /mybiz]$ ./bin/openssl s_client -connect sfo:443
> connect: Connection refused
> connect:errno=111
>
>
> from the CIP, netscape says
> "
> A network error occurred while Netscape was receiving data.
> (Network Error: I/O error)
>
> Try connecting again.
> "
>
>
> i'm wondering if anyone has ideas on what i might be missing. does ssl
> have issues with a port redirect (i can't see why)? could i be missing
> something in my apache/mod_ssl config? hmm.
>
> thanks.
>
> -tcl.
>
>
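Added example, not part of the thread above and not tcl's code: a small probe that does what `openssl s_client` did in the report, but says what actually came back instead of just "unknown protocol". The symptom in the quoted message (SSL23_GET_SERVER_HELLO:unknown protocol on the client, and an access_log entry with a garbage request string and a 200 on the server) is what you see when a TLS ClientHello is answered by a listener speaking plain HTTP. The script builds a minimal TLS 1.0 ClientHello, sends it over a raw TCP socket and classifies the first bytes of the reply as a TLS record, a plaintext HTTP response, or something else. So that it runs offline, it also starts two constructed loopback servers standing in for the two behaviours (one answers with an HTTP response, one with a TLS alert record); the ports are ephemeral and the reply bytes are made up for the demo. Point `probe()` at VIP:443 and at localhost:5083 on a real server to compare the two paths the thread describes.

```python
"""Probe a port with a TLS ClientHello and report what the peer speaks back.

Added example for the LVS/mod_ssl thread above; not code from the thread.
Distinguishes a peer that answers with a TLS record (handshake or alert)
from one that answers with plaintext HTTP, which is what a vhost without
SSLEngine on does when a ClientHello lands on it."""
import socket
import struct
import threading


def build_client_hello() -> bytes:
    """Minimal TLS 1.0 ClientHello: record layer + handshake, one cipher suite.

    Enough for any TLS stack to answer with a ServerHello or an alert record,
    and enough to make a plain-HTTP listener choke on a non-HTTP request."""
    client_random = bytes(32)                      # constructed: all-zero random is fine for a probe
    body = (
        b"\x03\x01"                                # client_version = TLS 1.0
        + client_random
        + b"\x00"                                  # session_id length 0
        + b"\x00\x02" + b"\x00\x2f"                # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"                              # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 24-bit length
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    # Record header: type 0x16 (handshake), version 3.1, 16-bit length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a peer sent after receiving our ClientHello."""
    if not data:
        return "closed"                            # peer hung up without answering
    if len(data) >= 2 and data[0] in (0x16, 0x15) and data[1] == 0x03:
        return "tls"                               # handshake (0x16) or alert (0x15) record
    if data.startswith(b"HTTP/"):
        return "http-plaintext"                    # an HTTP parser ate the ClientHello
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send a ClientHello, classify the reply. Returns a short label."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(16)
        except socket.timeout:
            return "timeout"
    return classify_reply(data)


# --- constructed loopback servers so the demo runs offline -------------------

def _serve_once(sock: socket.socket, reply: bytes) -> None:
    conn, _ = sock.accept()
    with conn, sock:
        conn.recv(4096)                            # read (and ignore) the ClientHello
        conn.sendall(reply)


def start_fake_server(reply: bytes) -> int:
    """Listen on an ephemeral 127.0.0.1 port; answer one connection with `reply`."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    threading.Thread(target=_serve_once, args=(sock, reply), daemon=True).start()
    return sock.getsockname()[1]


# Constructed replies standing in for the two behaviours seen in the thread:
# a listener that treats the ClientHello as an HTTP request and serves a page ...
PLAIN_HTTP_REPLY = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>default page</html>"
# ... and a real TLS endpoint that at least answers with a TLS record
# (here a fatal handshake_failure alert, record type 0x15, version 3.1).
TLS_ALERT_REPLY = b"\x15\x03\x01\x00\x02\x02\x28"


def demo() -> tuple:
    """Probe both constructed servers; returns (plaintext_result, tls_result)."""
    http_port = start_fake_server(PLAIN_HTTP_REPLY)
    tls_port = start_fake_server(TLS_ALERT_REPLY)
    return probe("127.0.0.1", http_port), probe("127.0.0.1", tls_port)


if __name__ == "__main__":
    print(demo())
```

A "tls" result against the VIP means the redirect and the vhost are lined up and any remaining error is a certificate or cipher problem; "http-plaintext" means the request reached a vhost that is not running SSL, which is exactly the `_default_:5083` versus `_default_:443` mismatch fixed in the reply above.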