At least on Debian, you need to hack around the includes a bit if you compile with USE_PCRE=1 and have the libssl-dev package installed.

Because both the PCRE headers and the system-provided openssl headers are located in /usr/include and USE_PCRE adds an include for that directory, the openssl headers there are earlier in the search path than the ones defined by ADD_LIB.

I have incorporated that "hack" which "hijacks" the PCRE_DIR argument to load the openssl library into my Chef cookbook to compile HAProxy (and optionally OpenSSL) from source at

https://github.com/meineerde-cookbooks/haproxy/blob/master/recipes/source.rb#L125-L144

Maybe the Makefile can be adapted to allow an easier override of the OpenSSL path but I'm not completely sure how. Maybe I can have a look later.

--Holger


Connelly, Zachary (CGI Federal) wrote:
Emeric,

I'm not sure about that either actually. We definitely only have 0.9.8~
versions on the box and I explicitly reference the 0.9.8y library when I
compile the executable:

TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1
ADDLIB=-L/usr/local/openssl-0.9.8y/lib LDFLAGS+=-ldl

Zack

-----Original Message-----
From: Emeric Brun [mailto:[email protected]]
Sent: Friday, April 26, 2013 6:04 AM
To: Connelly, Zachary (CGI Federal)
Cc: Lukas Tribus; Baptiste; [email protected]
Subject: Re: Follow-up on thread 'SSL handshake failure' from 2/5/2013

Hi, I don't understand:

You said you are using openssl version 0.9.8y, but haproxy -vv shows OpenSSL 1.0.0a.

Emeric

On 04/25/2013 04:45 PM, Connelly, Zachary (CGI Federal) wrote:

 Lukas (et al),

 Here’s what I have so far:

 1. use latest snapshot from [1] – *I’ll work on this today*

 2. provide the output of haproxy -vv – *Output below*

 Sharing sig_handlers with pipe
 Sharing pendconn with pipe
 HA-Proxy version 1.5-dev18 2013/04/03
 Copyright 2000-2013 Willy Tarreau <[email protected]>

 Build options :
   TARGET = linux26
   CPU = generic
   CC = gcc
   CFLAGS = -g -O0
   OPTIONS = USE_OPENSSL=1 USE_PCRE=1

 Default settings :
   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

 Encrypted password support via crypt(3): yes
 Built without zlib support (USE_ZLIB not set)
 Compression algorithms supported : identity
 Built with OpenSSL version : OpenSSL 1.0.0a 1 Jun 2010
 OpenSSL library supports TLS extensions : yes
 OpenSSL library supports SNI : yes
 OpenSSL library supports prefer-server-ciphers : yes

 Available polling systems :
   epoll : pref=300, test result OK
   poll : pref=200, test result OK
   select : pref=150, test result OK
 Total: 3 (3 usable), will use epoll.

 3. can you tell us OS, kernel and openssl version? *Linux 5.5, 2.6.18-164.11.1.el5, openssl version 0.9.8y*

 4. compile haproxy with debug and without compiler optimizations: make DEBUG=-DDEBUG_FULL CFLAGS="-g -O0" TARGET=[...] *Done*

 5. catch a backtrace of the crash with gdb (see [2] if you need details) – *Will work on this once #1 is complete from above*

 Thanks for the assistance so far,

 Zack



 *From:* Lukas Tribus [mailto:[email protected]]
 *Sent:* Wednesday, April 24, 2013 12:36 PM
 *To:* Connelly, Zachary (CGI Federal); Baptiste
 *Cc:* [email protected]
 *Subject:* RE: Follow-up on thread 'SSL handshake failure' from 2/5/2013



 Hi!

> Please also note that the second SOAP call made that fails the
> handshake also causes the HAProxy server to crash.

 Could you:
 - use latest snapshot from [1]
 - provide the output of haproxy -vv
 - can you tell us OS, kernel and openssl version?
 - compile haproxy with debug and without compiler optimizations:
   make DEBUG=-DDEBUG_FULL CFLAGS="-g -O0" TARGET=[...]
 - catch a backtrace of the crash with gdb (see [2] if you need details)

 Regards,
 Lukas

 [1] http://haproxy.1wt.eu/download/1.5/src/snapshot/
 [2] http://www.mail-archive.com/[email protected]/msg09472.html
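
The include-order problem described at the top of this thread, and the 0.9.8y versus 1.0.0a mismatch it produces, can be checked mechanically. The script below is an added example, not part of the thread or of HAProxy: the function names are hypothetical, the sample data is constructed from the output quoted above, and `/usr/local/openssl-0.9.8y/include` is an assumed header location.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample data is constructed.

# Print the version from the "Built with OpenSSL version" line of
# `haproxy -vv` output read on stdin.
built_openssl_version() {
    sed -n 's/^ *Built with OpenSSL version *: *OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# Walk include directories in compiler search order and print the version
# declared by the first openssl/opensslv.h found: that header wins, whatever
# library -L later points the linker at. The FIPS variant line is skipped.
first_header_version() {
    for dir in "$@"; do
        hdr="$dir/openssl/opensslv.h"
        if [ -f "$hdr" ]; then
            sed -n -e '/-fips/d' \
                -e 's/.*OPENSSL_VERSION_TEXT[^"]*"OpenSSL \([^ ]*\).*/\1/p' "$hdr" | head -n 1
            return 0
        fi
    done
    return 1   # no directory in the list provides the header
}

# Succeed only if the binary reports the intended version.
# $1 = expected version, stdin = `haproxy -vv` output.
check_build() {
    got=$(built_openssl_version)
    [ "$got" = "$1" ] && return 0
    echo "mismatch: expected OpenSSL $1, built with ${got:-unknown}" >&2
    return 1
}

# Constructed sample: lines copied from the -vv output quoted in the thread.
SAMPLE_VV='HA-Proxy version 1.5-dev18 2013/04/03
  OPTIONS = USE_OPENSSL=1 USE_PCRE=1
Built with OpenSSL version : OpenSSL 1.0.0a 1 Jun 2010'

# The thread's situation: 0.9.8y was intended, the binary says otherwise.
printf '%s\n' "$SAMPLE_VV" | check_build 0.9.8y || true

# Search order with /usr/include first, as USE_PCRE=1 arranges it on Debian.
# The second path is an assumed location for the custom build's headers.
first_header_version /usr/include /usr/local/openssl-0.9.8y/include || true
```

In a build script, pipe the real `haproxy -vv` output into `check_build` and fail the build on a non-zero status, so a binary compiled against an unintended OpenSSL never gets deployed.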



