Re: [Linux-ha-dev] Fwd: ldirectord fails to test HTTPS real servers.

Fri, 13 Dec 2013 04:39:03 -0800 

On Tue, Dec 03, 2013 at 12:57:24PM +0100, Timur I. Bakeyev wrote:
> Hi guys!
> 
> I've posted bug report regarding ldirectord, can you please review it and
> commit, if possible?
> 
> https://github.com/ClusterLabs/resource-agents/issues/361
> 
> Ldirectord is using LWP for it's negotiate checks for the HTTP/HTTPS sites.
> Since LWP 6.0 by default it verifies the correspondence of the SSL
> certificate and the server hostname. In 99.9% of the cases this is the VIP
> hostname and RIP are identified by their internal hostnames or, most common
> - by their IP addresses.
> 
> That breaks hostname verification and hence - marks HTTPS backends as
> invalid and kicks them off the pool. This problem did hit me in the
> production when we've upgraded from Debian squeeze to Debian wheezy, which
> brought newer version of LWP.
> 
> http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm
> 
> Luckily, the fix to the problem is easy:
> 
> --- ldirectord.orig     2013-12-03 11:59:11.114983525 +0100
> +++ ldirectord  2013-12-03 11:59:34.703026282 +0100
> @@ -2834,7 +2834,7 @@
>         &ld_debug(2, "check_http: url=\"$$r{url}\" "
>                 . "virtualhost=\"$virtualhost\"");
> 
> -       my $ua = new LWP::UserAgent();
> +       my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0 });
> 
>         my $h = undef;
>         if ($$v{service} eq "http_proxy") {
> 
> I haven't verified that with older version of LWP, but I believe it should
> just ignore unknown parameters to the constructor.

It does ignore, but warn, which will cause all sorts of complaints, I guess.

The more recent LWP::UserAgent states:

    "verify_hostname" => $bool
       When TRUE LWP will for secure protocol schemes ensure it connects
       to servers that have a valid certificate matching the expected
       hostname.  If FALSE no checks are made and you can't be sure that
       you communicate with the expected peer.  The no checks behaviour
       was the default for libwww-perl-5.837 and earlier releases.

       This option is initialized from the PERL_LWP_SSL_VERIFY_HOSTNAME
       environment variable.  If this environment variable isn't set;
       then "verify_hostname" defaults to 1.

So maybe exporting PERL_LWP_SSL_VERIFY_HOSTNAME=0 somewhere
is the more elegant solution?

        Lars

_______________________________________________________
Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/

Reply via email to