I'm trying to debug an SSL HAProxy issue (we're not terminating at the proxy).
It appears to dislike the SSL connection (client to VIP, and VIP to real
server). I'm trying to figure out if this is a configuration issue (which
doesn't seem likely; we have privately signed certs that are working), a real
server issue, an HAProxy issue, or, hell, find the issue, period.
Client connections terminate rather quickly (curl tests show 'empty reply').
HAProxy health checks seem to send the HELLO, but there's a RST reply; it shows as
SOCKERR in the admin stats page. Curl gives the same reply (listed below)
whether I use --tlsv1 or not (I found some threads on the mailing list suggesting
to try this).
Installed:
* HAProxy 1.4.15-1
* OpenSSL 1.0.1-4
Client is using a GoDaddy SSL certificate; direct client to real server
connectivity works as expected.
Anything else that could help you help me?
--- BEGIN TESTS
$ curl --ssl --ciphers ALL -v 216.121.28.78:443
* Rebuilt URL to: 216.121.28.78:443/
* Hostname was NOT found in DNS cache
* Trying 216.121.28.78...
* Connected to 216.121.28.78 (216.121.28.78) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: 216.121.28.78:443
> Accept: */*
>
* Empty reply from server
* Connection #0 to host 216.121.28.78 left intact
curl: (52) Empty reply from server
$ openssl s_client -connect 216.121.28.78:443
CONNECTED(00000003)
139688202438312:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
$ openssl s_client -tls1 -connect 216.121.28.78:443
CONNECTED(00000003)
140553076700840:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1416334720
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
New TCP connection #1: 192.168.3.2(34536) <-> 216.121.28.78(443)
1 1 0.0010 (0.0010) C>SV3.1(182) Handshake
ClientHello
Version 3.3
random[32]=
0f 22 2a 65 60 30 f0 dd 5b 7e 8a cc 47 aa ca e9
a0 c0 b5 2a 78 3a 67 ba 7e 4a 98 fb 63 da f9 bc
cipher suites
Unknown value 0xc02b
Unknown value 0xc02f
Unknown value 0x9e
Unknown value 0xc00a
Unknown value 0xc009
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc007
Unknown value 0xc011
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Unknown value 0x9c
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
compression methods
NULL
1 0.0014 (0.0003) S>C TCP FIN
1 0.0016 (0.0002) C>S TCP FIN
New TCP connection #2: 192.168.3.2(34537) <-> 216.121.28.78(443)
2 1 0.0009 (0.0009) C>SV3.1(154) Handshake
ClientHello
Version 3.2
random[32]=
2a d5 f7 90 0b 48 0d d2 b3 bf 75 4c 38 4f 75 f5
ed a8 6e ca cd a4 64 bd dd 07 d0 44 b1 6d 00 a2
cipher suites
Unknown value 0x5600
Unknown value 0xc00a
Unknown value 0xc009
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc007
Unknown value 0xc011
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
compression methods
NULL
2 0.0013 (0.0003) S>C TCP FIN
2 0.0014 (0.0001) C>S TCP FIN
New TCP connection #3: 192.168.3.2(34538) <-> 216.121.28.78(443)
3 1 0.0009 (0.0009) C>SV3.1(154) Handshake
ClientHello
Version 3.1
random[32]=
a5 97 ab 65 85 39 7d d9 b5 51 ad ac 77 90 d0 67
fe 41 3c 7b 3c 47 a0 8f e6 0a cd 11 a5 f2 da 90
cipher suites
Unknown value 0x5600
Unknown value 0xc00a
Unknown value 0xc009
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc007
Unknown value 0xc011
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
compression methods
NULL
3 0.0015 (0.0005) S>C TCP FIN
3 0.0016 (0.0000) C>S TCP FIN
New TCP connection #4: 192.168.3.2(34539) <-> 216.121.28.78(443)
4 1 0.0009 (0.0009) C>SV3.0(63) Handshake
ClientHello
Version 3.0
random[32]=
08 a5 6f fa df 5d 28 d2 f8 2c 2d 00 5f 70 1d 03
ce 0e 0c d7 50 ae 76 5b 94 b7 df 1f 8b 96 32 4a
cipher suites
Unknown value 0xff
Unknown value 0x5600
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
compression methods
NULL
4 0.0012 (0.0003) S>C TCP FIN
4 0.0013 (0.0000) C>S TCP FIN
New TCP connection #7: 192.168.3.2(34540) <-> 216.121.28.78(443)
New TCP connection #8: 192.168.3.2(34541) <-> 216.121.28.78(443)
7 0.0014 (0.0014) S>C TCP FIN
8 0.0013 (0.0013) S>C TCP FIN
7 0.0039 (0.0025) C>S TCP FIN
8 0.0038 (0.0024) C>S TCP FIN
New TCP connection #9: 192.168.3.2(34542) <-> 216.121.28.78(443)
9 0.0015 (0.0015) S>C TCP FIN
9 0.0075 (0.0059) C>S TCP FIN
--- END TESTS
Configuration:
listen proxyREDACTED-REDACTED-REDACTED 216.121.28.78:443
    # REDACTED
    # REDACTED
    # REDACTED
    # Primary VIP
    balance roundrobin
    source 216.121.28.78
    mode tcp
    timeout check 5000
    option ssl-hello-chk
    server REDACTED-REDACTED-REDACTED 216.121.17.252:443 check weight 100 inter 10000
    server REDACTED-REDACTED-REDACTED 216.121.17.232:443 check weight 100 inter 10000
- Brian Menges
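As an added example (not part of the original post or of HAProxy), a small Python parser that decodes a ClientHello record like the ones ssldump printed above and names the cipher suites ssldump listed as "Unknown value", which makes it easier to see exactly what the client and the health check are offering when a peer closes the connection without answering. The sample hello is constructed here from the suite list of connection #1, with a fixed random and no extensions; the name table is hand-typed from the IANA registry.

```python
import struct

# Cipher-suite IDs -> IANA names, hand-typed for this example from the IANA TLS
# registry; covers every suite in the hellos above, including the "Unknown value" ones.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256", 0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 0x5600: "TLS_FALLBACK_SCSV",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", 0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def parse_client_hello(record):
    """Decode a TLS/SSLv3 record carrying a ClientHello up to the compression list."""
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 0x16 or not body or body[0] != 0x01:
        raise ValueError("not a Handshake record carrying a ClientHello")
    if int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("handshake length does not match record payload")
    p = 4
    ver = (body[p], body[p + 1]); p += 2 + 32          # client_version, skip random[32]
    p += 1 + body[p]                                   # skip session id
    cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    ids = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len; comps = list(body[p + 1:p + 1 + body[p]])   # extensions after this are ignored
    names = [SUITE_NAMES.get(i, "UNKNOWN_0x%04X" % i) for i in ids]
    return {"record_version": (rmaj, rmin), "hello_version": ver,
            "cipher_suites": names, "fallback_scsv": 0x5600 in ids,
            "weak_offered": [n for n in names if "RC4" in n or "3DES" in n],
            "compression": comps}

def build_client_hello(hello_version, suites, record_version=(3, 1)):
    # Constructed sample: fixed (non-random) random, empty session id, NULL compression, no extensions.
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(hello_version) + bytes(range(32)) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(hs)) + hs

# Suite list from connection #1 above (Version 3.3 hello inside a V3.1 record).
CONN1_SUITES = [0xC02B, 0xC02F, 0x009E, 0xC00A, 0xC009, 0xC013, 0xC014, 0xC007, 0xC011,
                0x0033, 0x0032, 0x0039, 0x009C, 0x002F, 0x0035, 0x000A, 0x0005, 0x0004]
SAMPLE = build_client_hello((3, 3), CONN1_SUITES)
```

Feeding it the raw record bytes from a capture (rather than the constructed SAMPLE) shows the same fields ssldump prints, with every suite named.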