On 18/11/2014 23:16, Brian Menges wrote:
Oops, thought I did that:
# openssl s_client -connect 216.121.17.252:443
From where did you execute the command ? From the haproxy server ?
Can you verify that haproxy doesn't see your servers as DOWN ?
CONNECTED(00000003)
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU =
http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority,
serialNumber = 07969287
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=Texas/L=Dallas/O=ARTIZONE INC./CN=*.artizone.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
Certification Authority/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification
Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=Texas/L=Dallas/O=ARTIZONE INC./CN=*.artizone.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 3247 bytes and written 570 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID:
3E310000B5ECB76581C58C94477A6DA925EB0245BF3EAA9103CA81179289FCAB
Session-ID-ctx:
Master-Key:
60BCC13E943926E284767D695B3B61F47837D1E034DAF28D7AAB4CC557FB73E56AE52FEBFC4D6C717F5DE29550E59F05
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1416348829
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
GET /
... <html> ...
Works both with and without the '-tlsv1' flag.
- Brian Menges
DevOps Architect @ GoGrid, LLC.
-----Original Message-----
From: Lukas Tribus [mailto:[email protected]]
Sent: Tuesday, November 18, 2014 1:51 PM
To: Brian Menges; [email protected]
Subject: RE: debugging ssl passthrough+haproxy
Getting the same sort of reply:
# openssl s_client -connect 216.121.28.78:443
No, I meant to connect to the origin server, not haproxy itself, but from the
proxy VM:
openssl s_client -connect 216.121.17.252:443
Regards,
Lukas
--
Cyril Bonté
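The thread turns on reading an `openssl s_client` transcript correctly: Lukas wants the origin server tested from the proxy VM, Cyril wants to know whether haproxy has marked the backends DOWN, and Brian's output shows verify error 20, which only means s_client had no CA bundle to find the issuer in, not that the backend's TLS is broken. The script below is an added example, not code from the thread or from the haproxy project. It parses a constructed transcript modelled on Brian's (abridged) and flags what a defender would check before blaming the backend: whether a connection was made at all, the verify return code, protocol and cipher, key size, compression, secure renegotiation, and whether the sent chain actually links. The sample text, field names and thresholds are assumptions for the example.

```python
"""Parse an `openssl s_client` transcript and report what needs attention.

Added example, not from the thread. SAMPLE_OUTPUT is constructed (abridged
and modelled on the transcript in the thread); parse_s_client() works on the
real output of `openssl s_client -connect host:443 </dev/null 2>&1` as well.
"""
import re

SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = US, ST = Arizona, O = "GoDaddy.com, Inc.", CN = Go Daddy Secure Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Texas/L=Dallas/O=ARTIZONE INC./CN=*.artizone.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certification Authority
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
---
"""

# Simple "key: value" fields of the SSL-Session block and the summary lines.
_FIELDS = {
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)"),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(\S+)"),
    "key_bits": re.compile(r"^Server public key is (\d+) bit"),
    "compression": re.compile(r"^Compression:\s*(\S+)"),
}
_VERIFY = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)")
_SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:/C=US/..."
_ISSUER = re.compile(r"^\s*i:(.*)$")          # "   i:/C=US/..."
_RENEG = re.compile(r"^Secure Renegotiation (IS|IS NOT) supported")

# Protocol order used to decide whether the negotiated version is too old.
_PROTO_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_s_client(text):
    """Return a dict with the handshake facts pulled out of an s_client transcript."""
    report = {"connected": False, "chain": [], "verify_code": None,
              "verify_msg": None, "secure_renegotiation": None}
    pending_subject = None
    for line in text.splitlines():
        if line.startswith("CONNECTED("):
            report["connected"] = True
            continue
        for key, pat in _FIELDS.items():
            m = pat.match(line)
            if m:
                report[key] = int(m.group(1)) if key == "key_bits" else m.group(1)
        m = _VERIFY.match(line)
        if m:
            report["verify_code"], report["verify_msg"] = int(m.group(1)), m.group(2)
        m = _RENEG.match(line)
        if m:
            report["secure_renegotiation"] = (m.group(1) == "IS")
        m = _SUBJECT.match(line)
        if m:
            pending_subject = m.group(1).strip()   # issuer follows on the next line
            continue
        m = _ISSUER.match(line)
        if m and pending_subject is not None:
            report["chain"].append((pending_subject, m.group(1).strip()))
            pending_subject = None
    return report


def chain_is_linked(chain):
    """True when each certificate's issuer is the subject of the next one sent."""
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


def assess(report, min_protocol="TLSv1.2", min_key_bits=2048):
    """Turn the parsed report into a list of findings (empty list = nothing to do)."""
    findings = []
    if not report["connected"]:
        findings.append("no connection made: check the backend is listening and that "
                        "haproxy has not marked it DOWN")
        return findings
    code = report["verify_code"]
    if code == 20:
        findings.append("verify code 20: issuer not in the local trust store; rerun with "
                        "-CAfile/-CApath before treating the chain as untrusted")
    elif code not in (None, 0):
        findings.append(f"verify code {code}: {report['verify_msg']}")
    proto = report.get("protocol")
    if proto in _PROTO_ORDER and _PROTO_ORDER.index(proto) < _PROTO_ORDER.index(min_protocol):
        findings.append(f"negotiated {proto}, below the {min_protocol} floor")
    if report.get("key_bits") is not None and report["key_bits"] < min_key_bits:
        findings.append(f"server key is {report['key_bits']} bits, below {min_key_bits}")
    if report.get("compression") not in (None, "NONE"):
        findings.append("TLS compression enabled; disable it (CRIME)")
    if report["secure_renegotiation"] is False:
        findings.append("secure renegotiation not supported by the server")
    if not report["chain"]:
        findings.append("no certificate chain parsed from the transcript")
    elif not chain_is_linked(report["chain"]):
        findings.append("sent chain does not link: an intermediate is missing or out of order")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_s_client(SAMPLE_OUTPUT)) or ["no findings"]:
        print(finding)
```

Run against the constructed sample it reports only the trust-store finding, which is the point of the thread's exchange: the handshake itself (TLSv1.2, ECDHE-RSA-AES256-SHA384, a 2048-bit key, a chain that links leaf to intermediate) looks healthy, so the next thing to check is haproxy's own view of the backend rather than the certificate.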