----- Original Message -----
> From: "Conor McCarthy" <[email protected]>
> To: [email protected]
> Sent: Tuesday, 23 July, 2013 4:45:04 PM
> Subject: Re: [Pound Mailing List] SSL Read Error
>
> [...]
> > The output of an ab -v 2 gives rise to an "interesting" message...
> >
> > Compression: 1 (zlib compression)
> > Start Time: 1374581735
> > Timeout : 300 (sec)
> > Verify return code: 19 (self signed certificate in certificate chain)
> > SSL read failed - closing connection
> > Benchmarking 192.168.156.138 (be patient)...INFO: POST header ==
> >
> >
> > Buuuuut...
> > It's not a self-signed...
> > Unless you count the fact that one of the certs in the Chain - is signed by
> > the authority that made the chain.....
>
> That's it exactly. There are probably no certs in the default root store, and
> I'm not sure ab is bothered in any case. I see code 19 with a working ab,
> (it's an OpenSSL error code), and it just carries on.
>
> >
> > I am going to test this using another, non EV certificate - and see what
> > happens - and report back.
> >
> > Cheers for the help so-far.
>
> I would expect an error code for the read error. No matter.
OK - so not an issue, will ignore that for the moment then.
> It's not common that SSL compression is enabled, it also has security issues
> (CRIME). This is distinct to HTTP compression.
>
> First, check that there's nothing fundamental wrong, try:
> openssl s_client -connect 1.2.3.4:443
>
> where 1.2.3.4 is the server IP, port 443.
root@sound:/etc/pound# openssl s_client -connect 192.168.156.138:443 >> wibble
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
read:errno=0
From the file.
root@sound:/etc/pound# head wibble
CONNECTED(00000003)
---
Certificate chain
0 s:/serialNumber= <Obfuscated Certificate Data from actual EV Certificate>
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
Extended Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
Extended Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External
CA Root
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External
CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External
CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
Certificate bits...
Certificate bits...
-----END CERTIFICATE-----
subject=/serialNumber= <Obfuscated Certificate Data from actual EV Certificate>
---
No client certificate CA names sent
---
SSL handshake has read 6655 bytes and written 519 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: 122F3F44EDDC4F01786C92CF0C0F4020AEEC1286C937320B5CC67307084FA5E5
Session-ID-ctx:
Master-Key: <LONG STRING>
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Compression: 1 (zlib compression)
Start Time: 1374756531
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
>
> tshark (wireshark) is the next step, extract the server RSA key to a
> separate
> unencrypted file, and try something like:
>
> tshark -ta -VO ssl -n -o "ssl.keys_list:1.2.3.4,443,http,server.key"
> -f "host 1.2.3.4"
OK - that didn't work at all. :-(
Was using 1.2.7 from Ubuntu 10.04
Use 1.8.2 from Debian Wheezy, gives me lots of data...
What would be "something up" with the cipher set ?
Transmission Control Protocol, Src Port: 33853 (33853), Dst Port: 443 (443),
Seq: 1, Ack: 1, Len: 320
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 315
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 311
Version: TLS 1.2 (0x0303)
Random
gmt_unix_time: Jul 25, 2013 14:06:41.000000000 BST
random_bytes:
52bfeaad24e80a58fe807dc188f67a63a6156bebed69afdf...
Session ID Length: 0
Cipher Suites Length: 158 Cipher Suites (79 suites)
<LIST OF SUITES>
Compression Methods Length: 2
Compression Methods (2 methods)
Compression Method: DEFLATE (1)
Compression Method: null (0)
Extensions Length: 111
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
EC point format: uncompressed (0)
EC point format: ansiX962_compressed_prime (1)
EC point format: ansiX962_compressed_char2 (2)
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 52
Elliptic Curves Length: 50
Elliptic curves (25 curves)
Elliptic curve: sect571r1 (0x000e)
Elliptic curve: sect571k1 (0x000d)
Elliptic curve: secp521r1 (0x0019)
Elliptic curve: sect409k1 (0x000b)
Elliptic curve: sect409r1 (0x000c)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: sect283k1 (0x0009)
Elliptic curve: sect283r1 (0x000a)
Elliptic curve: secp256k1 (0x0016)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: sect239k1 (0x0008)
Elliptic curve: sect233k1 (0x0006)
Elliptic curve: sect233r1 (0x0007)
Elliptic curve: secp224k1 (0x0014)
Elliptic curve: secp224r1 (0x0015)
Elliptic curve: sect193r1 (0x0004)
Elliptic curve: sect193r2 (0x0005)
Elliptic curve: secp192k1 (0x0012)
Elliptic curve: secp192r1 (0x0013)
Elliptic curve: sect163k1 (0x0001)
Elliptic curve: sect163r1 (0x0002)
Elliptic curve: sect163r2 (0x0003)
Elliptic curve: secp160k1 (0x000f)
Elliptic curve: secp160r1 (0x0010)
Elliptic curve: secp160r2 (0x0011)
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 34
Data (34 bytes)
Extension: Heartbeat
Type: Heartbeat (0x000f)
Length: 1
Mode: Peer allowed to send requests (1)
Response back.
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 58
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 54
Version: TLS 1.2 (0x0303)
Random
gmt_unix_time: Jul 25, 2013 14:06:41.000000000 BST
random_bytes:
05663b6aa3da23cd1a816f2c9a28ce04c8f0a8f638c5ce90...
Session ID Length: 0
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Compression Method: DEFLATE (1)
Extensions Length: 14
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
Extension: Heartbeat
Type: Heartbeat (0x000f)
Length: 1
Mode: Peer allowed to send requests (1)
[2 Reassembled TCP Segments (6342 bytes): #6(4033), #8(2309)]
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 5540
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 5536
Certificates Length: 5533
Certificates (5533 bytes)
Certificate Length: 1880
Certificate ..
<FULL CERT DETAILS - OBFUSCATED>
<INCLUDING CHAIN CA ETC ETC...>
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 783
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 779
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
SNI - I haven't got more than 1 required in the ListenHTTPS directive, so
shouldn't be thinking about SNI.
So, sorry, but still a little lost.. and I can't see anything that is obviously
wrong.
Cheers
KR
> (optionally add "-o ssl.debug_file:ssldebug.txt" ). Amend the "-f"
> capture filter
> according to requirements and whether you're on the client or the server.
> You'll want to redirect or tee the output to a file.
>
> In the output check the "Client Hello" cipher list, and see if there's
> something
> up with the cipher set, the chosen cipher, protocol version, or a problem
> with
> SNI or secure renegotiation support (TLS extensions).
>
> C.
>
> > ----- Original Message -----
> > From: "Conor McCarthy" <[email protected]>
> > To: [email protected]
> > Sent: Friday, July 19, 2013 10:57:13 AM
> > Subject: Re: [Pound Mailing List] SSL Read Error
> >
> > On 18 July 2013 13:25, Kieran Reynolds <[email protected]>
> > wrote:
> >> Hello..
> >>
> >> I have the following configuration:
> >>
> >>
> >> Internet -> Pound -> Varnish -> Apache(Drupal).
> >>
> >> My intention is to use Varnish to cache, and loadbalance across a number of
> >> webheads for requests that cannot be cached.
> >>
> >> The reason for putting Pound on the outside edge, is to be the SSL
> >> terminator.
> >>
> >> The problem I have run into, using either Pound 2.5.1 or 2.6.2 (From stock
> >> Debian repositories) is that whilst I can get the configuration to work,
> >> and importantly, speed up page access (cached pages) on port 80, and have
> >> tested this using apachebench, ab, the configuration of 443/SSL isn't
> >> going quite so well.
> >>
> >> I have set this up as follows
> >>
> >> Pound (listen externalip:443) -> HTTP -> Varnish (127.0.0.1:8880) -> HTTP
> >> -> Apache (127.0.0.20:80)
> >>
> >> When I run ab against the external interface, with the FQDN of the site, I
> >> get SSL Read Error, Connection Closed, but I can't figure out why.
> > [...]
> >
> > Have you tried running ab with "-v 2"? That will dump out additional
> > SSL info, which might help you track it down.
> >
> > Also, make sure you are running a contemporary version of ab, support
> > for SSL in old versions was a little suspect.
> >
> > Regards,
> > Conor.
> >
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
>
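As an added example (not part of the original thread): a minimal parser for the ServerHello record shown in the tshark output, reporting whether TLS-level compression was negotiated, which is the condition the CRIME remark refers to. The sample bytes are constructed from the field values in the capture; the random field is a zero placeholder because the capture truncates it, and the function and key names are this example's own.

```python
import struct

# TLS compression method IDs: 0 is null, 1 is DEFLATE (RFC 3749).
COMPRESSION_NAMES = {0: "null", 1: "DEFLATE"}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return what was negotiated."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 22 or len(body) != rec_len or rec_len < 4:
        raise ValueError("not a complete handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if body[0] != 2 or len(hello) != hs_len:
        raise ValueError("not a complete ServerHello")
    # Fixed prefix: version (2 bytes) + random (32 bytes) + session ID length (1 byte).
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 35 + hello[34]  # skip the variable-length session ID
    if len(hello) < pos + 3:
        raise ValueError("truncated ServerHello")
    cipher, compression = struct.unpack("!HB", hello[pos:pos + 3])
    return {
        "version": version,
        "cipher": cipher,
        "compression": COMPRESSION_NAMES.get(compression, f"unknown ({compression})"),
        "tls_compression_enabled": compression != 0,
    }

# Constructed sample: field values follow the Server Hello in the capture above.
SAMPLE_SERVER_HELLO = bytes.fromhex(
    "160303003a"    # record: handshake (22), TLS 1.2, length 58
    "02000036"      # handshake: Server Hello (2), length 54
    "0303"          # version: TLS 1.2
    + "00" * 32     # random: zero placeholder (truncated in the capture)
    + "00"          # session ID length 0
    "009f"          # TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    "01"            # compression method: DEFLATE
    "000e"          # extensions length 14
    "ff01000100" "00230000" "000f000101"  # renegotiation_info, SessionTicket, Heartbeat
)

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE_SERVER_HELLO))
```
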