Ldirectord Redhat EL3 SSL checking problem

Philip Hayward Philip.Hayward at digitalrum.com
Wed Oct 27 17:37:36 BST 2004


Sorry, error in my report. The RH8 servers are running ldirectord1.90 and
1.90 runs correctly on EL3. I guess the problem lies in the changes in 1.91.
If I can help in debugging please mail me.

Thanks,

Phil 

-----Original Message-----
From: Philip Hayward [mailto:Philip.Hayward at digitalrum.com] 
Sent: 27 October 2004 17:28
To: lvs-users at linuxvirtualserver.org
Subject: Ldirectord Redhat EL3 SSL checking problem


Hi,

I had a pair of ultramonkey loadbalancers running Redhat 8. I rebuilt the
secondary with Redhat EL3 Update 3, installed the UM packages and
ldirectord1.92 and copied over the old ldirectord config. The EL3 server is
now failing to make the SSL tests that the RH8 box is still doing.

The webservers (Redhat9 Apache/2.0.40 and IIS4) being SSL polled by EL3 are
logging successful requests: [27/Oct/2004:15:33:34 +0100] <EL3 ultramonkey
IP> TLSv1 DHE-RSA-AES256-SHA "GET /hello.html HTTP/1.0" 5

The only difference I can see in the ultramonkey servers' behaviour is that
the RH8 server is defaulting to a different cipher:
EDH-RSA-DES-CBC3-SHA. However, I know that EL3's cipher (DHE-RSA-AES256-SHA)
is working correctly because OpenSSL's s_client uses it successfully against
the same server.

I've had fun with Redhat and SSL before, but I'm really not sure what's
going wrong here. I suspect the penultimate error log line below holds the
key, though I haven't been able to fathom it.

Below is ldirectord's relevant config and a debug log. Any ideas or pointers
gratefully received.

Thanks,

Phil



virtual=213.86.49.195:53443
        real=213.86.49.162:53443 masq
        service=https
        checktype=negotiate
        scheduler=wlc
        request="hello.html"
        receive="HELOO"
        persistent=300
        protocol=tcp


DEBUG2: Checking negotiate: real
server=negotiate:https:tcp:213.86.49.162:53443:::\/hello\.html:HELOO
virtual=tcp:213.86.49.195:53443)
DEBUG2: Checking https url="https://213.86.49.162:53443/hello.html"
virtualhost="213.86.49.162"
DEBUG2: Testing: 213.86.49.162, 53443, /hello.html
Opening connection to 213.86.49.162:53443 (213.86.49.162) at
blib/lib/Net/SSLeay.pm (autosplit into
blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 1463. Creating SSL 0
context... Creating SSL connection (context was '170208264')... Setting fd
(ctx 170208264, con 170210688)... Entering SSL negotiation phase... Cipher
list: DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA,
AES256-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DES-CBC3-SHA,
DES-CBC3-MD5, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, AES128-SHA,
RC2-CBC-MD5, DHE-DSS-RC4-SHA, EXP-KRB5-RC4-MD5, EXP-KRB5-RC4-SHA,
KRB5-RC4-MD5, KRB5-RC4-SHA, RC4-SHA, RC4-MD5, RC4-MD5, KRB5-DES-CBC3-MD5,
KRB5-DES-CBC3-SHA, RC4-64-MD5, EXP1024-DHE-DSS-DES-CBC-SHA,
EXP1024-DES-CBC-SHA, EXP1024-RC2-CBC-MD5, KRB5-DES-CBC-MD5,
KRB5-DES-CBC-SHA, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, DES-CBC-SHA,
DES-CBC-MD5, EXP1024-DHE-DSS-RC4-SHA, EXP1024-RC4-SHA, EXP1024-RC4-MD5,
EXP-KRB5-RC2-CBC-MD5, EXP-KRB5-DES-CBC-MD5, EXP-KRB5-RC2-CBC-SHA,
EXP-KRB5-DES-CBC-SHA, EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA,
EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5,
EXP-RC4-MD5\n at blib/lib/Net/SSLeay.pm (autosplit into
blib/lib/auto/Net/SSLeay/sslcat.al) line 1779.
SSLeay connect returned 1
Cipher `DHE-RSA-AES256-SHA'
Subject Name: /C=GB/ST=London/L=London/O=Digital Rum
Limited/OU=Imaging/CN=dg.digitalrum.com
Issuer  Name: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
Authority sslcat 19231: sending 62 bytes...
  write_all VM at entry=vm_unknown
  written so far 62:62 bytes (VM=vm_unknown)
waiting for reply...
  got 245:0 bytes (VM=vm_unknown).
  got 5:245 bytes (VM=vm_unknown).
  got 0:250 bytes (VM=vm_unknown).
Got 250 bytes.
DEBUG2: Result: HTTP/1.1 200 OK
DEBUG2: Status: 16777215
DEBUG2: Disabled server=213.86.49.162



Below is the end of an openssl s_client handshake:

SSL handshake has read 1416 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
2F06745BD482C6F766A69A442C0255FC63FE8EB42ECF9D0E4130AE7CEDFA7FD9
    Session-ID-ctx:
    Master-Key:
7DAED7B09F20638E93EE7DFE9A48D659D2752892FE3F8C7E6C9E63FEEF54E192FD712A5C518C
BCAEE762DF35C287C3E8
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1098893480
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
GET /hello.html HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 27 Oct 2004 16:19:08 GMT
Server: Apache
Last-Modified: Thu, 15 Jul 2004 16:02:55 GMT
ETag: "c-5-d5ecc9c0"
Accept-Ranges: bytes
Content-Length: 5
Connection: close
Content-Type: text/html; charset=ISO-8859-1

HELOOread:errno=0
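As an added illustration (not part of this thread or of ldirectord's own code), the negotiate check the config above describes can be replayed against the captured response: request hello.html, expect HELOO in the body, and treat anything but a 2xx status as a failure. The response below is reconstructed from the s_client capture (the Date differs from the one ldirectord saw but has the same length, giving the 245 header bytes plus 5 body bytes the debug log reports); the reading of 16777215 as 0xFFFFFF, a 32-bit -1 after an unsigned right shift by 8, is arithmetic, and the guess that ldirectord 1.91 shifted an unset result that way is my assumption.

```python
import re

# Constructed from the s_client capture in the post: 245 header bytes and a
# 5-byte body, matching "got 245:0 ... got 5:245 ... Got 250 bytes" above.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 27 Oct 2004 16:19:08 GMT\r\n"
    b"Server: Apache\r\n"
    b"Last-Modified: Thu, 15 Jul 2004 16:02:55 GMT\r\n"
    b'ETag: "c-5-d5ecc9c0"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 5\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=ISO-8859-1\r\n"
    b"\r\n"
    b"HELOO"
)

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3}) ")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body).
    Returns status -1 when no well-formed status line is present."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return -1, {}, b""
    lines = head.split(b"\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        return -1, {}, body
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def negotiate_check(raw, receive):
    """ldirectord-style negotiate test on a captured response: the status
    must be 2xx AND the configured receive= string must appear in the body."""
    status, _, body = parse_response(raw)
    return 200 <= status < 300 and receive.encode() in body


def explain_status(value):
    """Classify a status value seen in a DEBUG2: Status: line."""
    if 100 <= value <= 599:
        return "valid HTTP status"
    if value == (0xFFFFFFFF >> 8):  # 16777215: an unsigned 32-bit -1 >> 8
        return "0xFFFFFF: a 32-bit -1 right-shifted by 8, not an HTTP status"
    return "not an HTTP status"
```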