On Fri, March 25, 2016 7:15 am, Lampshade wrote:
> When it works fine, but without certificate verification:
>
> $ cat /etc/relayd.conf
> tcp protocol proto_wp {
> # tls ca file "/etc/ssl/cert.pem"
> tls tlsv1.1
> pass
> }
>
> relay connect_to_mail_wp {
> protocol proto_wp
> listen on 127.0.0.1 port 5555
> forward with tls to imap.wp.pl port 993
> }
> # relayd -d -vvv -f /etc/relayd.conf
> startup
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> relay_privinit: adding relay connect_to_mail_wp
> protocol 1: name proto_wp
> flags: used, relay flags: tls client
> tls flags: tlsv1.1, tlsv1.2, cipher-server-preference,
> client-renegotiation
> type: tcp
> pass request
> ca_engine_init: using RSA privsep engine
> socket_rlimit: max open files 1024
> ca_engine_init: using RSA privsep engine
> ca_engine_init: using RSA privsep engine
> ca_engine_init: using RSA privsep engine
> relay_launch: running relay connect_to_mail_wp
> relay_launch: running relay connect_to_mail_wp
> relay_launch: running relay connect_to_mail_wp
> relay connect_to_mail_wp, tls session 1 connected (1 active)
> relay connect_to_mail_wp, session 1 (1 active), 0, 127.0.0.1 ->
> 212.77.101.140:993, done
>
> ***
>
> When it fails:
>
> $ cat /etc/relayd.conf
> tcp protocol proto_wp {
> tls ca file "/etc/ssl/cert.pem"
> tls tlsv1.1
> pass
> }
>
> relay connect_to_mail_wp {
> protocol proto_wp
> listen on 127.0.0.1 port 5555
> forward with tls to imap.wp.pl port 993
> }
> # relayd -d -vvv -f /etc/relayd.conf
> startup
> socket_rlimit: max open files 1024
> relay_load_certfiles: using ca /etc/ssl/cert.pem
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> relay_privinit: adding relay connect_to_mail_wp
> protocol 1: name proto_wp
> flags: used, relay flags: tls client
> tls flags: tlsv1.1, tlsv1.2, cipher-server-preference,
> client-renegotiation
> type: tcp
> pass request
> ca_engine_init: using RSA privsep engine
> ca_engine_init: using RSA privsep engine
> ca_engine_init: using RSA privsep engine
> ca_engine_init: using RSA privsep engine
>
I can confirm that 'ca file' doesn't seem to be working correctly. I have
a TLS server and client relay for web traffic. Without 'ca file' defined,
I can connect and get relayed through to the backend service. With 'ca
file' defined, I can't even complete a connection to relayd. The initial
TCP connection happens then it hangs there. Confirmed via s_client and
tcpdump.
I'll need to replicate this at home to be able to get more info.
Tim.
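An added example (not from this thread) that scripts the check Tim describes: connect TCP, then see whether the TLS handshake completes, stalls, or fails verification. `start_silent_listener` is a constructed stand-in for a relay that accepts the TCP connection and never answers; pointing `probe_tls_listener` at the relayd listener, or straight at the backend with `cafile="/etc/ssl/cert.pem"` to see whether the CA bundle actually validates it, is an assumed usage.

```python
import socket
import ssl
import threading


def start_silent_listener(host="127.0.0.1"):
    """Constructed stand-in for a relay that completes TCP but never answers the
    TLS ClientHello; returns its port. Exists only so the probe can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    held = []

    def accept_loop():
        while True:
            try:
                held.append(srv.accept()[0])  # hold it open, send nothing
            except OSError:
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def probe_tls_listener(host, port, timeout=3.0, cafile=None):
    """Classify how far a TLS client gets: 'tcp-refused', 'tcp-ok-tls-stalled',
    'tls-verify-failed', 'tls-handshake-error' or 'tls-ok'. With cafile=None
    verification is off (progress only); pass a CA bundle to also test chaining."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp-refused"
    try:
        # wrap_socket runs the handshake; the timeout set above bounds it
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.getpeercert()
            return "tls-ok"
    except socket.timeout:
        return "tcp-ok-tls-stalled"
    except ssl.SSLCertVerificationError:
        return "tls-verify-failed"
    except ssl.SSLError:
        return "tls-handshake-error"
    finally:
        raw.close()
```

A result of `tls-verify-failed` against the backend with the CA bundle points at the bundle or the server chain rather than relayd; `tcp-ok-tls-stalled` against the relayd listener matches the hang in the reports above.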