ssl debugging

hachi hachi at kuiki.net
Tue Apr 1 17:19:29 UTC 2008


You can set PERLBAL_DEBUG in your environment before starting up perlbal 
to an integer where higher numbers are more verbose. I believe the 
highest debug value that exists right now is 4.

Elliott A. Johnson wrote:
> I'm having a few issues centering around ssl.
>
> The setup involves a perlbal 1.70 instance running as a reverse_proxy to two dynamic webservers and also running as a static web_server with ssl enabled (IO-Socket-SSL 1.13 / perl 5.8.8 / openssl 0.9.8g).  I've attached my config.
>
> Firstly I was wondering if there is a way to increase the debugging information perlbal produces?
>
> Secondly I have a cert that unfortunately requires a cert chain.  I cat'ed the intermediate cert and the actual cert into a new file and gave that path in my 'ssl_cert_file' service parameters.  It's a wildcard cert, so I'm using the same cert for all perlbal services.
>
> I restarted perlbal and tested, but I get the following when testing with openssl:
>
>  elliott at rad ~ $ openssl s_client -host testing.host.com -port 443
>  CONNECTED(00000003)
>  write:errno=104
>
> Trying to open it in firefox results in "The connection was interrupted.  The connection to testing.host.com was interrupted while the page was loading."
>
> Is this the correct way to load a chained cert?  If I remove the intermediate cert from the file I can actually load the page (but with an invalid cert warning).
>
> Thirdly even with the intermediate cert removed I can't seem to serve https static web content from the ssl enabled web_server service.  Http traffic loads up fine, but the https side of things just doesn't work.  When I try to wget a static image I get the following loop:
>
>   elliott at rad ~ $ wget https://static.host.com/static/icons/common/custom/asterick.gif --no-check-certificate
>   --21:36:53--  https://static.host.com/static/icons/common/custom/asterick.gif
>            => `asterick.gif.2'
>   Resolving static.host.com... 69.69.69.70
>   Connecting to static.host.com|69.69.69.70|:443... connected.
>   WARNING: Certificate verification error for static.host.com: unable to get local issuer certificate
>   HTTP request sent, awaiting response... 200 OK
>   Length: 49 [image/gif]
>
>    0% [                                                                                                                                                           ] 0             --.--K/s             
>
>   21:36:53 (0.00 B/s) - Read error at byte 0/49 (Success). Retrying.
>
>   --21:36:54--  https://static.host.com/static/icons/common/custom/asterick.gif
>     (try: 2) => `asterick.gif.2'
>   Connecting to static.host.com|69.69.69.70|:443... connected.
>   WARNING: Certificate verification error for static.host.com: unable to get local issuer certificate
>   HTTP request sent, awaiting response... 200 OK
>   Length: 49 [image/gif]
>   asterick.gif.2 has sprung into existence.
>   Retrying.
>
>   ...
>
> http GETs of the same content are retrieved fine:
>
>   elliott at rad ~ $ wget http://static.host.com/static/icons/common/custom/asterick.gif
>   --21:56:11--  http://static.host.com/static/icons/common/custom/asterick.gif
>            => `asterick.gif.3'
>   Resolving static.ithenticate.com... 69.69.69.70
>   Connecting to static.ithenticate.com|69.69.69.70|:80... connected.
>   HTTP request sent, awaiting response... 200 OK
>   Length: 49 [image/gif]
>
>   100%[===========================================================================================================================================================>] 49            --.--K/s             
>
>   21:56:11 (5.36 MB/s) - `asterick.gif.3' saved [49/49]
>
> When visiting a https dynamic page I get the dynamic content ok, but when the static content attempts to load I get several of the following error messages in firefox "testing.host.com has sent an incorrect or unexpected message.  Error Code: -12263." and one of these "Error establishing an encrypted connection to testing.host.com.  Error Code: -12217.".  Using the openssl s_client I can connect, but much like the wget queries I don't get any content back and the connection closes :(
>
> I've been banging my head on these for the last few days.  Any words of advice on ssl or debugging perlbal would be a great help.
>
> Thanks,
>
> elliott
>   
