I restored our pound boxes from backup.

It's now working correctly with CentOS 6.3, kernel 2.6.32-279, openssl-1.0.0-20.el6_2.5.i686 and Pound 2.7b.

I was using CentOS 6.5, kernel-2.6.32-431 and openssl-1.0.1e-15.el6.i686, which did not work.

I didn't try downgrading to openssl-1.0.0-20.

I guess I'm going to stay on CentOS 6.3 for the time being.

Karl

On 12/5/2013, 4:21 PM, Scott McKeown wrote:
Hi Karl,

I only noticed yesterday that CentOS now has OpenSSL 1.0.1e (I think it was) in the repository, so you may be looking in the wrong place, as before it was on 0.9.8, I think.

It might be worth just double checking the versions.




On 5 December 2013 21:48, Karl Rossing wrote:

    I am running into the same issue below since upgrading from CentOS
    6.4 to 6.5.

    I was running Pound 2.7a. I also tried with Pound 2.7b and I'm
    still getting

     BIO_do_handshake with <SERVER IP>:443 failed: error:1412F152:SSL
    routines:SSL_PARSE_SERVERHELLO_TLSEXT:unsafe legacy renegotiation
    disabled

    The <Server IP> is a Windows box. I tried disabling the ciphers using
    https://www.nartac.com/Products/IISCrypto/Default.aspx
    and selected "Best Practices" which is pretty much the screenshot
    on the page.

    I might have to restore CentOS 6.4 but I would prefer not to.

    Any suggestions would be appreciated.

    Karl


    On 10/8/2012, 11:00 AM, Thomas M Steenholdt wrote:

        On 10/08/2012 11:10 AM, Thomas M Steenholdt wrote:

            Hi there,

            I have a pound 2.6 installation with an HTTPS listener and
            several HTTPS BackEnds.

            The HTTPS BackEnds are mostly using self-signed
            certificates, which should be fine for our needs, but one
            of them is failing with the error:

            pound: BIO_do_handshake with <IP ADDRESS REMOVED>:443
            failed: error:1412F152:SSL
            routines:SSL_PARSE_SERVERHELLO_TLSEXT:unsafe legacy
            renegotiation disabled

            Although I'm not sure, I guess this is an error with the
            certificate on the BackEnd HTTPS server. But is there some
            way to get more information on the error or perhaps just
            make pound ignore the error altogether?

            Thanks in advance.

            /Thomas


        Turned out to be an unpatched Windows 2003 server. The problem
        was fixed for Windows in September of 2010:

        http://technet.microsoft.com/en-us/security/bulletin/MS10-049

        Applying this fix solved the problem.

        /Thomas









--
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org



