The issue concerns relayd with ssl. I've followed the man by the letter in configuring this and I still come up with the same error message. I'm trying to loadbalance and proxy ssl connections to non ssl servers, something like this:

HTTPS CLIENT <==> RELAYD SSL REVERSE PROXY :443 <---> NON-SSL WEB SERVER :80

A fairly simple setup that I tested with "pound", another reverse proxy with ssl capabilities, that worked like a charm. With relayd, I've generated a certificate with GoDaddy, I have the certificates in the directories the man page mentions, the private key /etc/ssl/private/192.168.172.77.key and the certificate in /etc/ssl/192.168.172.77.key where the ip is the frontal relay ip configured in relayd.conf. The problem occurs when trying to initiate the SSL handshake, relayd has a hard time generating the random number and receives a weird error:

SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL accept error

I tried the exact same configuration (copy/paste) on an OpenBSD box and the SSL handshake works just fine.

Fix: I really don't know.
How-To-Repeat: I've configured pf with the following 2 directives with nothing else in the file, just like what the man page suggests:

rdr-anchor "relayd/*"
anchor "relayd/*"

I've configured relayd with the following directives:

relayd_addr="192.168.172.77"
relayd_port="443"
web_port="80"

table <web_hosts> { 192.168.190.53 }

interval 10
timeout 200
prefork 5

http protocol "httpfilter" {
        return error
        header append "$REMOTE_ADDR" to "X-Forwarded-For"
        header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
        header change "Keep-Alive" to "$TIMEOUT"
        header change "Connection" to "close"
        response header change "Server" to "Server1"
        ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
}

relay httpproxy {
        listen on $relayd_addr port $relayd_port ssl
        protocol "httpfilter"
        forward to <web_hosts> port $web_port mode loadbalance check icmp
}

Now when I remove the ssl directive from the protocol specs "httpfilter" and from the "listen" directive within the "relay" section I forward to my webserver just like a charm. But when I use the configuration as specified above I get this error when I try to connect to "https://192.168.172.77":

SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL accept error

Now when I researched this error it referred to being an error with the random number generation, so I double checked the rights on /dev/random and /dev/urandom and both were ok (/dev/urandom being a symlink to /dev/random). I even sued as the _relayd user and tested if I could generate random numbers and I could:

[_relayd@myserver /etc/ssl]$ od -D -A n /dev/random | head -2
  2530374051 2874409472 1650458018 3736200264
  1776311775  448067355 3385764049  245858356
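The "error:140B512D:..." string in the log above is an OpenSSL error code followed by its textual expansion. As an added example (not code from the report or from relayd), this small Python decoder pulls the 32-bit code out of a log line and unpacks it the way OpenSSL 1.x's ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros do, so the numeric library, function and reason ids can be compared against OpenSSL's headers or against the output of openssl errstr. The sample log lines are the two from the report; nothing else is assumed.

```python
import re

# OpenSSL 1.x packs an error code as (lib << 24) | (func << 12) | reason;
# the three masks below are what ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON apply.
ERR_LIB_SSL = 20  # library id that OpenSSL prints as "SSL routines"

# Shape of the string as relayd logs it:
#   error:<8 hex digits>:<library name>:<function name>:<reason text>
ERROR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$"
)


def decode_openssl_error(line):
    """Return the unpacked fields of the OpenSSL error embedded in one log line,
    or None if the line carries no OpenSSL error string."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {
        "code": code,
        "lib_id": (code >> 24) & 0xFF,     # ERR_GET_LIB
        "func_id": (code >> 12) & 0xFFF,   # ERR_GET_FUNC
        "reason_id": code & 0xFFF,         # ERR_GET_REASON
        "lib": m.group("lib"),
        "func": m.group("func"),
        "reason": m.group("reason").strip(),
    }


def is_ssl_library_error(decoded):
    """True when the error was raised by OpenSSL's SSL library (lib id 20)."""
    return decoded is not None and decoded["lib_id"] == ERR_LIB_SSL


def scan_log(lines):
    """Decode every OpenSSL error string found in the given log lines."""
    return [d for d in (decode_openssl_error(l) for l in lines) if d is not None]


# Constructed sample input: the two relayd log lines quoted in the report.
SAMPLE_LOG = [
    "SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL routines:"
    "SSL_GET_NEW_SESSION:ssl session id callback failed",
    "relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL accept error",
]

if __name__ == "__main__":
    for d in scan_log(SAMPLE_LOG):
        print("code=%08X lib=%d (%s) func=%d (%s) reason=%d (%s)" % (
            d["code"], d["lib_id"], d["lib"], d["func_id"], d["func"],
            d["reason_id"], d["reason"]))
```

For the line in the report this yields library 20 (SSL routines), function 181 (SSL_GET_NEW_SESSION) and reason 301 (ssl session id callback failed); the same decomposition is what openssl errstr 140B512D prints. The reason is the useful part: the session-id callback is the first thing in the accept path that asks OpenSSL for random bytes, so a failure there points at the PRNG rather than at the certificate or key files.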
Responsible Changed From-To: freebsd-ports-bugs->kuriyama Over to maintainer (via the GNATS Auto Assign Tool)
We are receiving this exact same error when trying to use the relayd software. Is there any effort in this being updated to the latest openbsd relayd source code in the FreeBSD ports tree? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/relayd/ The latest update was 3 weeks ago. Thanks!
Responsible Changed From-To: kuriyama->mm Over to new maintainer.
Does this error still occur with the latest relayd version 4.6.20090813?
mm 2010-06-09 20:58:26 UTC

FreeBSD ports repository

Modified files:
  net/relayd           Makefile distinfo
  net/relayd/files     patch-freebsd-relayd
Removed files:
  net/relayd/files     relayd.conf.sample
Log:
  - Fix SSL session id callback error (seed random before chroot) [1]
  - Use IP_BINDANY if supported
  - Update distfile

  PR:           ports/129859 [1]
  Reported by:  umoorjani.msv@gmail.com [1]

Revision  Changes   Path
1.10      +6 -4     ports/net/relayd/Makefile
1.3       +3 -3     ports/net/relayd/distinfo
1.3       +79 -39   ports/net/relayd/files/patch-freebsd-relayd
1.2       +0 -106   ports/net/relayd/files/relayd.conf.sample (dead)

_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
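The fix in the commit log, "seed random before chroot", describes an ordering problem: once a daemon has chroot()ed into an empty directory, the random device is no longer visible, so a PRNG that is only seeded on first use fails at exactly the point the report shows (the session-id callback during the first SSL accept), even though /dev/random is perfectly readable from outside the jail, as the reporter's od test confirmed. The following Python example is added here and is not the port's patch or relayd's code; because a real os.chroot() needs root privilege, it resolves the device path under a constructed, empty temporary directory that stands in for /var/empty and compares the two orderings. The function and variable names are assumptions for illustration.

```python
import os
import tempfile

SEED_LEN = 32  # bytes taken from the kernel random device to seed a userland PRNG


def read_seed(root="/"):
    """Read SEED_LEN bytes from the random device as it is visible under `root`.

    `root` stands in for the directory a daemon has chroot()ed into (an
    assumption of this example; the real call would be os.chroot(), which needs
    root privilege). Returns None when the device cannot be opened, which is the
    condition behind the "ssl session id callback failed" error in the report.
    """
    dev = os.path.join(root, "dev", "urandom")
    try:
        with open(dev, "rb") as f:
            return f.read(SEED_LEN)
    except OSError:
        return None


def start_seed_after_chroot(jail):
    """Buggy ordering: enter the (empty) jail first, seed on first SSL accept."""
    # Inside the jail there is no /dev at all, so the open fails.
    return read_seed(jail)


def start_seed_before_chroot(jail):
    """Fixed ordering: seed while /dev is still visible, then enter the jail.

    The seed is already in process memory, so nothing after the chroot needs
    to touch the filesystem for randomness.
    """
    seed = read_seed("/")
    # chroot(jail) would happen here; `jail` is only passed through unused.
    return seed


def demo():
    """Run both orderings against a constructed empty directory (stand-in for
    /var/empty) and return (seed_after_chroot, seed_before_chroot)."""
    jail = tempfile.mkdtemp(prefix="relayd-jail-")
    try:
        return start_seed_after_chroot(jail), start_seed_before_chroot(jail)
    finally:
        os.rmdir(jail)


if __name__ == "__main__":
    after, before = demo()
    print("seed read after chroot :", after)
    print("seed read before chroot:", None if before is None else "%d bytes" % len(before))
```

The same ordering rule applies to any privilege-dropping daemon: open every file descriptor and read every secret or seed the process will ever need before the chroot() and setuid() calls, then verify the process really does run without further filesystem access. That also explains why the reporter's configuration worked on OpenBSD, where the OpenSSL PRNG is backed by the kernel directly rather than by the /dev/random device.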
State Changed From-To: open->closed Fixed. Thanks!