ssl debugging
hachi
hachi at kuiki.net
Tue Apr 1 17:19:29 UTC 2008
You can set PERLBAL_DEBUG in your environment before starting up perlbal
to an integer where higher numbers are more verbose. I believe the
highest debug value that exists right now is 4.
Elliott A. Johnson wrote:
> I'm having a few issues centering around ssl.
>
> The setup involves a perlbal 1.70 instance running as a reverse_proxy to two dynamic webservers and also running as a static web_server with ssl enabled (IO-Socket-SSL 1.13 / perl 5.8.8 / openssl 0.9.8g). I've attached my config.
>
> Firstly I was wondering if there is a way to increase the debugging information perlbal produces?
>
> Secondly I have a cert that unfortunately requires a cert chain. I cat'ed the intermediate cert and the actual cert into a new file and gave that path in my 'ssl_cert_file' service parameters. It's a wildcard cert, so I'm using the same cert for all perlbal services.
>
> I restarted perlbal and tested, but I get the following when testing with openssl:
>
> elliott at rad ~ $ openssl s_client -host testing.host.com -port 443
> CONNECTED(00000003)
> write:errno=104
>
> Trying to open it in firefox results in "The connection was interrupted. The connection to testing.host.com was interrupted while the page was loading."
>
> Is this the correct way to load a chained cert? If I remove the intermediate cert from the file I can actually load the page (but with an invalid cert warning).
>
> Thirdly even with the intermediate cert removed I can't seem to serve https static web content from the ssl enabled web_server service. Http traffic loads up fine, but the https side of things just doesn't work. When I try to wget a static image I get the following loop:
>
> elliott at rad ~ $ wget https://static.host.com/static/icons/common/custom/asterick.gif --no-check-certificate
> --21:36:53-- https://static.host.com/static/icons/common/custom/asterick.gif
> => `asterick.gif.2'
> Resolving static.host.com... 69.69.69.70
> Connecting to static.host.com|69.69.69.70|:443... connected.
> WARNING: Certificate verification error for static.host.com: unable to get local issuer certificate
> HTTP request sent, awaiting response... 200 OK
> Length: 49 [image/gif]
>
> 0% [ ] 0 --.--K/s
>
> 21:36:53 (0.00 B/s) - Read error at byte 0/49 (Success). Retrying.
>
> --21:36:54-- https://static.host.com/static/icons/common/custom/asterick.gif
> (try: 2) => `asterick.gif.2'
> Connecting to static.host.com|69.69.69.70|:443... connected.
> WARNING: Certificate verification error for static.host.com: unable to get local issuer certificate
> HTTP request sent, awaiting response... 200 OK
> Length: 49 [image/gif]
> asterick.gif.2 has sprung into existence.
> Retrying.
>
> ...
>
> http GETs of the same content are retrieved fine:
>
> elliott at rad ~ $ wget http://static.host.com/static/icons/common/custom/asterick.gif
> --21:56:11-- http://static.host.com/static/icons/common/custom/asterick.gif
> => `asterick.gif.3'
> Resolving static.ithenticate.com... 69.69.69.70
> Connecting to static.ithenticate.com|69.69.69.70|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 49 [image/gif]
>
> 100%[===========================================================================================================================================================>] 49 --.--K/s
>
> 21:56:11 (5.36 MB/s) - `asterick.gif.3' saved [49/49]
>
> When visiting a https dynamic page I get the dynamic content ok, but when the static content attempts to load I get several of the following error messages in firefox "testing.host.com has sent an incorrect or unexpected message. Error Code: -12263." and one of these "Error establishing an encrypted connection to testing.host.com. Error Code: -12217.". Using the openssl s_client I can connect, but much like the wget queries I don't get any content back and the connection closes :(
>
> I've been banging my head on these for the last few days. Any words of advice on ssl or debugging perlbal would be a great help.
>
> Thanks,
>
> elliott
>
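
Added example (not part of the original thread and not Perlbal code): a shell check of the order of certificates in a concatenated PEM file like the one given to ssl_cert_file above. TLS sends the server's own certificate first, followed by the certificate that issued it; the thread does not establish whether ordering caused the failure reported here. The function names, file names and generated certificates are constructed for illustration.

```shell
# chain_order FILE: list each certificate in a concatenated PEM file and check
# that certificate N was issued by certificate N+1 (leaf first, issuers after).
# Returns 0 if the order is consistent, 1 if it is not, 2 if no certificate is found.
chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, keeping file order.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d "/" n ".pem") }
        /-----END CERTIFICATE-----/ { on = 0 }
    ' "$bundle"
    [ -f "$tmp/1.pem" ] || { echo "no certificates in $bundle" >&2; rm -rf "$tmp"; return 2; }

    i=1 rc=0 prev_issuer=
    while [ -f "$tmp/$i.pem" ]; do
        subject=$(openssl x509 -in "$tmp/$i.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        echo "[$i] subject: $subject"
        echo "    issuer:  $issuer"
        # From the second certificate on, it must be the issuer of the previous one.
        if [ "$i" -gt 1 ] && [ "$prev_issuer" != "$subject" ]; then
            echo "    out of order: certificate $((i - 1)) was not issued by certificate $i"
            rc=1
        fi
        prev_issuer=$issuer
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# make_sample_bundles DIR: build a constructed throwaway issuer and wildcard
# leaf, then write DIR/good.pem (leaf first) and DIR/bad.pem (issuer first).
make_sample_bundles() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Intermediate" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.host.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/leaf.pem" "$d/ca.pem" > "$d/good.pem" &&
    cat "$d/ca.pem" "$d/leaf.pem" > "$d/bad.pem"
}
```

The check compares issuer and subject names only; it does not verify signatures, so a passing result still needs openssl verify against the real trust store.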