Getting the same sort of reply:
# openssl s_client -connect 216.121.28.78:443
CONNECTED(00000003)
140618544141992:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
# openssl s_client -tls1 -connect 216.121.28.78:443
CONNECTED(00000003)
139997417043624:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1416343766
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
This is a very stripped down VM, so there's no curl.
- Brian Menges
-----Original Message-----
From: Lukas Tribus [mailto:[email protected]]
Sent: Tuesday, November 18, 2014 12:21 PM
To: Brian Menges; [email protected]
Subject: RE: debugging ssl passthrough+haproxy
Hi Brian,
> I'm trying to debug some ssl haproxy issue (we're not terminating at
> the proxy).
>
> It appears to dislike the SSL connection (client to VIP, and VIP to
> real server). I'm trying to figure out if this is a configuration
> issue (which doesn't seem likely, we have private signed certs that
> are working), a real server issue, an haproxy issue, or hell find the
> issue period.
>
> Client connections terminate rather quickly (curl tests show 'empty
> reply'), HAProxy health checks seem to send the HELLO but there's a
> RST reply; shows as SOCKERR in the admin stats page. Curl gives the
> same reply (listed below) whether I use --tlsv1 or not (found some
> threads in the mail list suggesting to try this).
>
> Installed:
>
> * HAProxy 1.4.15-1
> * OpenSSL 1.0.1-4
>
> Client is using a GoDaddy SSL certificate; direct client to real
> server connectivity works as expected.
>
> Anything else that could help you help me?
Sounds like a server issue to me, somehow specific to the proxy box, yet still
a server issue or maybe some middlebox between the proxy and the server.
Try those curl and openssl s_client tests from the actual proxy box
(216.121.28.78?) directly towards the server (216.121.17.252?); let's see what
happens (when the source IP and the network path are the same as from HAProxy).
Regards,
Lukas
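The probe Lukas suggests (s_client from the proxy box towards the real server), together with the failure pattern in Brian's two s_client runs above, as an added example that is not part of this thread and not HAProxy or OpenSSL project code. It runs `openssl s_client` once per protocol version and reduces each transcript to a verdict taken from the two summary lines s_client always prints. Assumptions: openssl(1) is on PATH and accepts the protocol flags of the 1.0.1 line (`-tls1`, `-tls1_1`, `-tls1_2`); the target is given as IP:port in `PROBE_TARGET`; the optional `PROBE_SNI` name is for the case (an assumption, not something the thread states) where the real server selects its certificate by SNI and a by-IP connect is therefore not a fair test. The sample transcripts at the bottom are constructed from the summary lines in the thread so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl(1) is on PATH and
# accepts the protocol flags of the 1.0.1 line (-tls1, -tls1_1, -tls1_2).

# classify_sclient: read a full `openssl s_client` transcript on stdin and print
# one verdict token.  Only the two summary lines s_client always prints are used:
#   "SSL handshake has read N bytes and written M bytes"
#   "New, <proto>, Cipher is <cipher>"
# Verdicts:
#   ok               a cipher was negotiated
#   no-server-reply  read 0 bytes: the peer closed or reset without sending a
#                    single byte, so no ServerHello and no certificate were seen
#   server-rejected  the peer sent something (usually an alert) but no cipher
#   unknown          no summary line, e.g. the TCP connect itself failed
classify_sclient() {
    transcript=$(cat)
    summary=$(printf '%s\n' "$transcript" | grep '^SSL handshake has read' | head -n 1)
    cipher=$(printf '%s\n' "$transcript" | sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    if [ -z "$summary" ]; then
        printf 'unknown\n'
        return 0
    fi
    read_n=$(printf '%s\n' "$summary" | sed 's/^SSL handshake has read \([0-9]*\) bytes.*/\1/')
    if [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
        printf 'ok\n'
    elif [ "$read_n" = "0" ]; then
        printf 'no-server-reply\n'
    else
        printf 'server-rejected\n'
    fi
}

# probe HOST:PORT [SNI_NAME]: one s_client run per protocol flag, one line each:
# "<flag> read=N written=M <verdict>".  Pass an SNI name (assumption: the real
# server may pick its certificate by name) when connecting by bare IP is suspect.
probe() {
    target=$1
    sni=${2:-}
    for flag in "" -tls1 -tls1_1 -tls1_2; do
        if [ -n "$sni" ]; then
            out=$(openssl s_client $flag -servername "$sni" -connect "$target" </dev/null 2>&1) || true
        else
            out=$(openssl s_client $flag -connect "$target" </dev/null 2>&1) || true
        fi
        verdict=$(printf '%s\n' "$out" | classify_sclient)
        bytes=$(printf '%s\n' "$out" | sed -n 's/^SSL handshake has read \([0-9]*\) bytes and written \([0-9]*\) bytes.*/read=\1 written=\2/p' | head -n 1)
        printf '%-8s %-24s %s\n' "${flag:-default}" "${bytes:-read=? written=?}" "$verdict"
    done
}

# Constructed sample transcripts (summary lines only) so this runs offline.
# SAMPLE_NO_REPLY mirrors the failing run in the thread: 320 bytes of ClientHello
# sent, nothing read back.  SAMPLE_ALERT and SAMPLE_OK are made-up shapes of a
# server that answers with an alert and one that completes the handshake.
SAMPLE_NO_REPLY='no peer certificate available
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)'
SAMPLE_ALERT='SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)'
SAMPLE_OK='SSL handshake has read 3170 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA'

# Usage: PROBE_TARGET=216.121.17.252:443 [PROBE_SNI=www.example.com] sh probe.sh
if [ -n "${PROBE_TARGET:-}" ]; then
    probe "$PROBE_TARGET" "${PROBE_SNI:-}"
fi
```

Both of Brian's runs classify as no-server-reply: the ClientHello went out (or, in the `-tls1` run, could not even be written) and not one byte came back, which matches the RST the HAProxy health checks see. A certificate or cipher mismatch normally looks different, with a few bytes read and an alert, so a zero-byte reply points below TLS (whatever is listening on that port, or a filter or middlebox on the path from the proxy's source IP), which is why running the probe from the proxy box itself matters. Note also that the `Verify return code: 0 (ok)` in the `-tls1` output says nothing: no certificate was received, so nothing was verified.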