ssl debugging

Elliott A. Johnson elliott at iparadigms.com
Tue Apr 1 05:02:08 UTC 2008


I'm having a few issues centering around ssl.

The setup involves a perlbal 1.70 instance running as a reverse_proxy to two dynamic webservers and also running as a static web_server with ssl enabled (IO-Socket-SSL 1.13 / perl 5.8.8 / openssl 0.9.8g).  I've attached my config.

Firstly I was wondering if there is a way to increase the debugging information perlbal produces?

Secondly I have a cert that unfortunately requires a cert chain.  I cat'ed the intermediate cert and the actual cert into a new file and gave that path in my 'ssl_cert_file' service parameters.  It's a wildcard cert, so I'm using the same cert for all perlbal services.

I restarted perlbal and tested, but I get the following when testing with openssl:

 elliott at rad ~ $ openssl s_client -host testing.host.com -port 443
 CONNECTED(00000003)
 write:errno=104

Trying to open it in firefox results in "The connection was interrupted.  The connection to testing.host.com was interrupted while the page was loading."

Is this the correct way to load a chained cert?  If I remove the intermediate cert from the file I can actually load the page (but with an invalid cert warning).

Thirdly, even with the intermediate cert removed I can't seem to serve https static web content from the ssl enabled web_server service.  Http traffic loads up fine, but the https side of things just doesn't work.  When I try to wget a static image I get the following loop:

  elliott at rad ~ $ wget https://static.host.com/static/icons/common/custom/asterick.gif --no-check-certificate
  --21:36:53--  https://static.host.com/static/icons/common/custom/asterick.gif
           => `asterick.gif.2'
  Resolving static.host.com... 69.69.69.70
  Connecting to static.host.com|69.69.69.70|:443... connected.
  WARNING: Certificate verification error for static.host.com: unable to get local issuer certificate
  HTTP request sent, awaiting response... 200 OK
  Length: 49 [image/gif]

   0% [                                                                                                                                                           ] 0             --.--K/s             

  21:36:53 (0.00 B/s) - Read error at byte 0/49 (Success). Retrying.

  --21:36:54--  https://static.host.com/static/icons/common/custom/asterick.gif
    (try: 2) => `asterick.gif.2'
  Connecting to static.host.com|69.69.69.70|:443... connected.
  WARNING: Certificate verification error for static.host.com: unable to get local issuer certificate
  HTTP request sent, awaiting response... 200 OK
  Length: 49 [image/gif]
  asterick.gif.2 has sprung into existence.
  Retrying.

  ...

HTTP GETs of the same content are retrieved fine:

  elliott at rad ~ $ wget http://static.host.com/static/icons/common/custom/asterick.gif
  --21:56:11--  http://static.host.com/static/icons/common/custom/asterick.gif
           => `asterick.gif.3'
  Resolving static.ithenticate.com... 69.69.69.70
  Connecting to static.ithenticate.com|69.69.69.70|:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 49 [image/gif]

  100%[===========================================================================================================================================================>] 49            --.--K/s             

  21:56:11 (5.36 MB/s) - `asterick.gif.3' saved [49/49]

When visiting a https dynamic page I get the dynamic content ok, but when the static content attempts to load I get several of the following error messages in firefox "testing.host.com has sent an incorrect or unexpected message.  Error Code: -12263." and one of these "Error establishing an encrypted connection to testing.host.com.  Error Code: -12217.".  Using the openssl s_client I can connect, but much like the wget queries I don't get any content back and the connection closes :(

I've been banging my head on these for the last few days.  Any words of advice on ssl or debugging perlbal would be a great help.

Thanks,

elliott
-------------- next part --------------
A non-text attachment was scrubbed...
Name: perlbal.conf
Type: application/octet-stream
Size: 1825 bytes
Desc: not available
Url : http://lists.danga.com/pipermail/perlbal/attachments/20080331/678c84f1/perlbal.obj 
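The post concatenates the intermediate certificate and the server certificate into one file for 'ssl_cert_file'. The order of the blocks in such a file matters: OpenSSL's chain-file loader (SSL_CTX_use_certificate_chain_file, which is what IO::Socket::SSL's SSL_cert_file maps to) takes the first certificate in the file as the server's own certificate and pairs it with the private key, so a file that starts with the intermediate will not match the key. The script below is an added example, not code from the original post or from perlbal: it builds a throwaway CA -> intermediate -> wildcard leaf PKI with openssl(1) in a temp directory (all names, "Test CA", "Test Intermediate", "*.host.com", are made up), writes the chain file in both orders, and checks each the way a practitioner would before restarting the server: does the first certificate carry the key's public key, and does the leaf verify through the intermediate to the root.

```shell
#!/bin/sh
# Added example (not from the original post or from perlbal): sanity-check a
# concatenated certificate chain file before handing it to a TLS server.
# The loader expects the server's own (leaf) certificate FIRST, then the
# intermediates, and pairs the private key with that first certificate.
# The PKI built here is a throwaway one with made-up names.

# Build root CA -> intermediate -> wildcard leaf, plus both chain orderings, in $1.
make_test_pki() {
    dir=$1
    # Self-signed root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Intermediate: needs CA:TRUE or `openssl verify` rejects it as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/int.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/int.ext" -out "$dir/int.pem" 2>/dev/null
    # Wildcard leaf signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.host.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
    # Right order: leaf then intermediate.  Wrong order: intermediate then leaf.
    cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/chain_right.pem"
    cat "$dir/int.pem" "$dir/leaf.pem" > "$dir/chain_wrong.pem"
}

# Success iff the FIRST certificate in chain file $1 carries the public key of
# private key $2.  `openssl x509` only reads the first PEM block, which is
# exactly the certificate the server will present as its own.
first_cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Success iff leaf $1 verifies through intermediate $2 to trusted root $3.
leaf_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Print the subject of every certificate in chain file $1, in file order.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null | grep '^subject='
}

work=$(mktemp -d)
make_test_pki "$work"
for f in chain_right.pem chain_wrong.pem; do
    echo "== $f (certificates in file order):"
    list_chain "$work/$f"
    if first_cert_matches_key "$work/$f" "$work/leaf.key"; then
        echo "   first cert matches leaf.key: OK to load as ssl_cert_file"
    else
        echo "   first cert does NOT match leaf.key: the server cannot load this file"
    fi
done
leaf_verifies "$work/leaf.pem" "$work/int.pem" "$work/ca.pem" \
    && echo "leaf -> intermediate -> root verifies"
rm -rf "$work"
```

Run it against a real deployment by pointing first_cert_matches_key at the production chain file and key; if it fails, swap the order of the blocks so the server certificate comes first. The verify step is the other half of the check: it confirms the intermediate you appended actually issued the leaf and chains to a root the client trusts, which is what the wget "unable to get local issuer certificate" warning above is about once the file loads at all.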