Also I would try something like tcpdump while connecting to a new machine
with https.

On Thu, 26 Mar 2015 23:55 Theodore Wynnychenko <[email protected]> wrote:

> Quoting Kevin Chadwick <[email protected]>:
>
> > On Thu, 26 Mar 2015 08:30:23 +0100
> > mxb wrote:
> >
> >> >
> >> > Thank you for the suggestion.  I was not aware of "pound."
> >>
> >> I'd rather go for relayd. Which is out of the box. No need to install
> >> "yet another port and make sure it is up2date".
> >
> > httpd is based on relayd code which would reduce the scope of the test
> > (a cluestick).
> >
> >>> When I try "https://10.0.128.67/index.html" - I get a nice message
> >>> from firefox asking me to accept a problem certificate (this was
> >>> expected,
> >>> the certificate is the "correct" one), and when I do accept the
> >>> certificate, I get the index page.
> >
> >>> So, I am not sure what is wrong, but it appears httpd is not responding
> >>> to https requests, even with the "listen on tls" line in the
> >>> configuration file.
> >
> >>> Is there anything for me to look at/consider in trying to correct this?
> >
> > I don't understand what you are saying by '"correct" one' but to me this
> > suggests you have issues even with pound and perhaps I would try
> > another browser or firefox on another client and try another
> > certificate perhaps from another CA or install a newer snapshot or
> > re-install a release before wondering if there is an issue with httpd
> > or libressl whilst monitoring the list to see if anyone else has an
> > issue?
> >
> > Thankfully re-install on OpenBSD is super quick but you do have to
> > follow www.openbsd.org/current.html for snapshots and I think
> > www.openbsd.org/plus.html for release upgrades (4.5 -> 4.6 etc.)
> >
> >
>
> Hello:
> I am sorry, I have been unable to try some of the suggestions today as
> of yet.  I am a bit busy at work, and probably won't be able to look
> at this until tomorrow.
> However, I wanted to clarify my comment.
> When I said "correct" one in regards to the certificate working with
> https and pound, my comment was intended only to imply that any
> "issues" were purposefully induced ones.
>
> As I said, the new machine with the httpd issue is going to replace
> another machine.  To make my life easy going forward, I installed a
> certificate for the machine as it will be in the future, not as it is
> now.
> So, when firefox connects with https to the machine, it is connecting
> to 10.0.128.67, but gets a certificate back saying 10.0.128.100; and
> warns me of the inconsistency.  This is a completely expected issue,
> and I do verify that the "10.0.128.100" certificate is being presented
> from the "10.0.128.67" machine.
>
> There was NO other problem using pound.  With pound, as well as a
> https connection to the "old" machine with the "new" certificate, the
> browser opens the https connection with no problems.  Also, as I noted
> yesterday, the browser's hanging behavior stops the second after I kill
> the httpd process.
>
> I have also tried to connect with IE from a windows machine, and get
> the same results (http is ok, https hangs).
>
> I missed the "-d -v" flags for httpd (I feel a bit stupid, it's right
> there in the man page), and was going to fire up httpd and see what
> happens when the secure connection is initiated.  Hopefully, tomorrow.
>
> Thanks
> Ted
