Sorry, error in my report. The RH8 servers are running ldirectord1.90 and
1.90 runs correctly on EL3. I guess the problem lies in the changes in 1.91.
If I can help in debugging please mail me.
Thanks,
Phil
-----Original Message-----
From: Philip Hayward [mailto:Philip.Hayward@xxxxxxxxxxxxxx]
Sent: 27 October 2004 17:28
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Ldirectord Redhat EL3 SSL checking problem
Hi,
I had a pair of ultramonkey loadbalancers running Redhat 8. I rebuilt the
secondary with Redhat EL3 Update 3, installed the UM packages and
ldirectord1.92 and copied over the old ldirectord config. The EL3 server is
now failing to make the SSL tests that the RH8 box is still doing.
The webservers (Redhat9 Apache/2.0.40 and IIS4) being SSL polled by EL3 are
logging successful requests: [27/Oct/2004:15:33:34 +0100] <EL3 ultramonkey
IP> TLSv1 DHE-RSA-AES256-SHA "GET /hello.html HTTP/1.0" 5
The only difference I can see between the ultramonkey servers performance
that is that the RH8 server is defaulting to a different cipher:
EDH-RSA-DES-CBC3-SHA. However, I know that EL3's cipher (DHE-RSA-AES256-SHA)
is working correctly because OpenSSL's s_client uses it successfully against
the same server.
I've had fun with Redhat and SSL before, but I'm really not sure what's
going wrong here. I suspect the penultimate error log line below holds the
key, though I havn't been able to fathom it.
Below is ldirectord's relevant config and a debug log. Any ideas or pointers
gratefully received.
Thanks,
Phil
virtual=213.86.49.195:53443
real=213.86.49.162:53443 masq
service=https
checktype=negotiate
scheduler=wlc
request="hello.html"
receive="HELOO"
persistent=300
protocol=tcp
DEBUG2: Checking negotiate: real
server=negotiate:https:tcp:213.86.49.162:53443:::\/hello\.html:HELOO
virtual=tcp:213.86.49.195:53443)
DEBUG2: Checking https url="https://213.86.49.162:53443/hello.html"
virtualhost="213.86.49.162"
DEBUG2: Testing: 213.86.49.162, 53443, /hello.html
Opening connection to 213.86.49.162:53443 (213.86.49.162) at
blib/lib/Net/SSLeay.pm (autosplit into
blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 1463. Creating SSL 0
context... Creating SSL connection (context was '170208264')... Setting fd
(ctx 170208264, con 170210688)... Entering SSL negotiation phase... Cipher
list: DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA,
AES256-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DES-CBC3-SHA,
DES-CBC3-MD5, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, AES128-SHA,
RC2-CBC-MD5, DHE-DSS-RC4-SHA, EXP-KRB5-RC4-MD5, EXP-KRB5-RC4-SHA,
KRB5-RC4-MD5, KRB5-RC4-SHA, RC4-SHA, RC4-MD5, RC4-MD5, KRB5-DES-CBC3-MD5,
KRB5-DES-CBC3-SHA, RC4-64-MD5, EXP1024-DHE-DSS-DES-CBC-SHA,
EXP1024-DES-CBC-SHA, EXP1024-RC2-CBC-MD5, KRB5-DES-CBC-MD5,
KRB5-DES-CBC-SHA, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, DES-CBC-SHA,
DES-CBC-MD5, EXP1024-DHE-DSS-RC4-SHA, EXP1024-RC4-SHA, EXP1024-RC4-MD5,
EXP-KRB5-RC2-CBC-MD5, EXP-KRB5-DES-CBC-MD5, EXP-KRB5-RC2-CBC-SHA,
EXP-KRB5-DES-CBC-SHA, EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA,
EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5,
EXP-RC4-MD5\n at blib/lib/Net/SSLeay.pm (autosplit into
blib/lib/auto/Net/SSLeay/sslcat.al) line 1779.
SSLeay connect returned 1
Cipher `DHE-RSA-AES256-SHA'
Subject Name: /C=GB/ST=London/L=London/O=Digital Rum
Limited/OU=Imaging/CN=dg.digitalrum.com
Issuer Name: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
Authority sslcat 19231: sending 62 bytes...
write_all VM at entry=vm_unknown
written so far 62:62 bytes (VM=vm_unknown)
waiting for reply...
got 245:0 bytes (VM=vm_unknown).
got 5:245 bytes (VM=vm_unknown).
got 0:250 bytes (VM=vm_unknown).
Got 250 bytes.
DEBUG2: Result: HTTP/1.1 200 OK
DEBUG2: Status: 16777215
DEBUG2: Disabled server=213.86.49.162
Below is the end of the of an openssl s_client handshake:
SSL handshake has read 1416 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
2F06745BD482C6F766A69A442C0255FC63FE8EB42ECF9D0E4130AE7CEDFA7FD9
Session-ID-ctx:
Master-Key:
7DAED7B09F20638E93EE7DFE9A48D659D2752892FE3F8C7E6C9E63FEEF54E192FD712A5C518C
BCAEE762DF35C287C3E8
Key-Arg : None
Krb5 Principal: None
Start Time: 1098893480
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
GET /hello.html HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 27 Oct 2004 16:19:08 GMT
Server: Apache
Last-Modified: Thu, 15 Jul 2004 16:02:55 GMT
ETag: "c-5-d5ecc9c0"
Accept-Ranges: bytes
Content-Length: 5
Connection: close
Content-Type: text/html; charset=ISO-8859-1
HELOOread:errno=0 _______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx Send
requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
|