*Thank you for the quick reply! My thoughts/questions are below...*

On Monday, 17 September 2012 14:10:18 UTC-6, roba wrote:

> On 09/17/2012 09:02 PM, Mark Hayden wrote:
>> What kind of magic is the client performing when it decides to use HTTPS
>> or HTTP?
>
> As far as I know, the client tries to use HTTPS and if that fails it
> falls back to HTTP. The fingerprint (if any) is saved in the known_hosts
> file and can cause some trouble when experimenting (see below).

*I did indeed figure out the fingerprint thing when switching between SSL and non-SSL, as well as switching certs away from Debian's "snakeoil" certs, and thought that may be what was causing issues. I now erase the Tryton client config entirely when I make changes of this sort on the server.*

>> Why does the magic fail when the proxy-pass server is in the
>> way?
>
> Nginx is not the problem. We are using the same architecture you describe.

*Well, I am relieved to hear someone has made it work! I do know nginx seems to be doing its job when I try poking at it with wget or a web browser. My thought is it is a certificate issue maybe? Wget fails unless I do --no-check-certificate and the browser warns me of an invalid certificate, since it is a self-signed cert.*

>> How can I force the Tryton client to NOT attempt insecure connections?
>
> As far as I know you can't.

*That might rub some people the wrong way... I know to look for the little golden padlock though, and as is apparent my server won't accept non-SSL...*

>> But has anyone seen this kind of problem? Is there a special
>> trick to make proxy-pass work with SSL the way it does without it?
>
> Just a guess: Have you tried removing the corresponding line in
> ~/.config/tryton/2.4/known_hosts? When the fingerprint there does not
> match the server's, it looks like you cannot connect and no meaningful
> error is reported.

*I have tried removing the line, removing the whole file and even the whole .config/tryton directory and still find no joy. But the fingerprint thing and the negotiation process the client does cause me to think about the self-signed certificate. Does the Tryton client check the certificate when negotiating SSL (I would think it does by default, though some googling suggests at least in the past it did not)? Perhaps SSL fails because I need to import a ca.crt to my client and trust it for SSL to be successful and not fall back to plain HTTP? From my investigation it is quite clear that with nginx in the middle (with encryption on--it works without) the client's connection never makes it to the Tryton server in any way--it stops at the nginx server with a 400 error, though it isn't clear what is happening to make SSL fail.*

*I will try to extract logs and configs later tonight. Thanks again for your response!*

> Regards,
> Robin Baumgartner
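The thread turns on a client-side known_hosts file: the first successful TLS connection pins the server's certificate fingerprint, and a later certificate change (snakeoil swapped for a self-signed cert, or a cert presented by nginx instead of the Tryton server) makes the stored pin disagree with what the server presents, at which point the client refuses to connect with no helpful error. The following is an added example of that trust-on-first-use logic; it is not Tryton's code, and the entry format (`host:port sha256-hex`, one per line), the SHA-256-over-DER hashing and the constructed certificate bytes are all assumptions made for the illustration.

```python
"""Trust-on-first-use (TOFU) fingerprint pinning in the style of a client-side
known_hosts file.  Added illustration, not Tryton's code: the entry format
("host:port sha256-hex", one per line) and hashing SHA-256 over the DER
certificate are assumptions."""

import hashlib
import tempfile
from pathlib import Path


class FingerprintMismatch(Exception):
    """Raised when the server presents a certificate that differs from the pinned one."""


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 digest of a DER-encoded certificate (assumed hash choice)."""
    return hashlib.sha256(cert_der).hexdigest()


def load_known_hosts(path: Path) -> dict:
    """Parse 'host:port fingerprint' lines; blank lines and '#' comments are ignored."""
    entries = {}
    if not path.exists():
        return entries
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, fp = line.split(None, 1)
        entries[key] = fp.strip()
    return entries


def save_known_hosts(path: Path, entries: dict) -> None:
    path.write_text("".join(f"{k} {v}\n" for k, v in entries.items()))


def forget_host(path: Path, host: str, port: int) -> bool:
    """Drop the pin for host:port, the manual fix suggested in the thread."""
    entries = load_known_hosts(path)
    removed = entries.pop(f"{host}:{port}", None) is not None
    save_known_hosts(path, entries)
    return removed


def check_and_pin(path: Path, host: str, port: int, cert_der: bytes) -> str:
    """Return 'pinned' on first contact, 'match' when the pin still holds,
    and raise FingerprintMismatch when the server's certificate has changed."""
    key = f"{host}:{port}"
    seen = fingerprint(cert_der)
    entries = load_known_hosts(path)
    pinned = entries.get(key)
    if pinned is None:
        entries[key] = seen
        save_known_hosts(path, entries)
        return "pinned"
    if pinned == seen:
        return "match"
    raise FingerprintMismatch(
        f"{key}: pinned {pinned[:16]}..., server presented {seen[:16]}..."
    )


def run_demo() -> list:
    """Replay the scenario from the thread with constructed certificate bytes:
    pin the old cert, reconnect, swap the cert (rejected), forget, re-pin."""
    snakeoil = b"constructed DER bytes: Debian snakeoil cert"      # constructed
    self_signed = b"constructed DER bytes: new self-signed cert"    # constructed
    log = []
    with tempfile.TemporaryDirectory() as d:
        kh = Path(d) / "known_hosts"
        log.append(check_and_pin(kh, "tryton.example", 8000, snakeoil))
        log.append(check_and_pin(kh, "tryton.example", 8000, snakeoil))
        try:
            check_and_pin(kh, "tryton.example", 8000, self_signed)
        except FingerprintMismatch:
            log.append("mismatch")
        forget_host(kh, "tryton.example", 8000)
        log.append(check_and_pin(kh, "tryton.example", 8000, self_signed))
    return log


if __name__ == "__main__":
    print(run_demo())
```

The mismatch branch is the silent-failure case the thread describes: a correct client must refuse the connection rather than fall back, and the only way forward is an explicit decision to drop the stale pin (`forget_host`) after confirming out of band that the new certificate is the expected one. Note that deleting the whole client config, as done above, has the same effect as removing the single line, so a failure that persists afterwards is not a fingerprint problem.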
