Bug 129859 - net/relayd - ssl random number generation
Summary: net/relayd - ssl random number generation
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Martin Matuska
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-22 16:10 UTC by uday m.
Modified: 2010-06-09 22:01 UTC

See Also:


Attachments

Description uday m. 2008-12-22 16:10:04 UTC
The issue concerns relayd with ssl. I've followed the man by the
letter in configuring this and I still come up with the same error
message. I'm trying to loadbalance and proxy ssl connections to non
ssl servers something like this :

HTTPS CLIENT <==> RELAYD SSL REVERSE PROXY :443 <---> NON-SSL WEB SERVER :80

A fairly simple setup that I tested with "pound", another reverse
proxy with ssl capabilities, that worked like charm.

With relayd, I've generated a certificate with GoDaddy, I have the
certificates in the directories the man page mentions, the private key
/etc/ssl/private/192.168.172.77.key and the certificate in
/etc/ssl/192.168.172.77.key where the ip is the frontal relay ip
configured in relayd.conf.

The problem occurs when trying to initiate the SSL handshake: relayd has a hard time generating the random number and receives a weird error:

SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL accept error

I tried the exact same configuration (copy/paste) on an OpenBSD box and the SSL handshake works just fine.

Fix: 

I really don't know.
How-To-Repeat: I've configured pf with the following 2 directives with nothing else
in the file just like what the man page suggests:

rdr-anchor "relayd/*"
anchor "relayd/*"

I've configured relayd with the following directives :

relayd_addr="192.168.172.77"
relayd_port="443"
web_port="80"
table <web_hosts> { 192.168.190.53  }
interval 10
timeout 200
prefork 5

http protocol "httpfilter" {
 return error
 header append "$REMOTE_ADDR" to "X-Forwarded-For"
 header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
 header change "Keep-Alive" to "$TIMEOUT"
 header change "Connection" to "close"
 response header change "Server" to "Server1"
 ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
}

relay httpproxy {
 listen on $relayd_addr port $relayd_port ssl
 protocol "httpfilter"
 forward to <web_hosts> port $web_port mode loadbalance check icmp
}

Now when I remove the ssl directive from the protocol specs
"httpfilter" and from the "listen" directive within the "relay"
section I forward to my webserver just like a charm. But when I use
the configuration as specified above I get this error when I try to
connect to "https://192.168.172.77":

SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL
routines:SSL_GET_NEW_SESSION:ssl session id callback failed
relay httpproxy, session 1 (1 active), 0, 192.168.180.253 -> :80, SSL
accept error

Now when I researched this error it referred to being an error with
the random number generation, so I double checked the rights on
/dev/random and /dev/urandom and both were ok (/dev/urandom being a
symlink to /dev/random). I even su'd to the _relayd user and tested if I
could generate random numbers, and I could:

[_relayd@myserver /etc/ssl]$ od -D -A n /dev/random | head -2
            2530374051      2874409472      1650458018      3736200264
            1776311775       448067355      3385764049       245858356
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-12-22 16:10:16 UTC
Responsible Changed
From-To: freebsd-ports-bugs->kuriyama

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Jason 2010-03-18 18:56:49 UTC
We are receiving this exact same error when trying to use the relayd
software.

Is there any effort in this being updated to the latest openbsd relayd
source code in the FreeBSD ports tree?

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/relayd/

The latest update was 3 weeks ago.

Thanks!
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2010-06-03 02:40:07 UTC
Responsible Changed
From-To: kuriyama->mm

Over to new maintainer.
Comment 4 Martin Matuska freebsd_committer freebsd_triage 2010-06-03 07:34:07 UTC
Does this error still occur with latest relayd version 4.6.20090813 ?
Comment 5 dfilter service freebsd_committer freebsd_triage 2010-06-09 21:58:37 UTC
mm          2010-06-09 20:58:26 UTC

  FreeBSD ports repository

  Modified files:
    net/relayd           Makefile distinfo 
    net/relayd/files     patch-freebsd-relayd 
  Removed files:
    net/relayd/files     relayd.conf.sample 
  Log:
  - Fix SSL session id callback error (seed random before chroot) [1]
  - Use IP_BINDANY if supported
  - Update distfile
  
  PR:             ports/129859 [1]
  Reported by:    umoorjani.msv@gmail.com [1]
  
  Revision  Changes    Path
  1.10      +6 -4      ports/net/relayd/Makefile
  1.3       +3 -3      ports/net/relayd/distinfo
  1.3       +79 -39    ports/net/relayd/files/patch-freebsd-relayd
  1.2       +0 -106    ports/net/relayd/files/relayd.conf.sample (dead)
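The log line "seed random before chroot" is the whole story behind the error in the report, and it is worth seeing why the reporter's own check (permissions on the host's /dev/random) could never have caught it. OpenSSL's default session-ID generator, the "ssl session id callback" named in error 140B512D, draws its bytes from the library PRNG, and on FreeBSD libcrypto seeds that PRNG lazily by opening /dev/urandom on first use. relayd forks its relay processes and chroots them into an empty directory before the first SSL_accept(), so inside the jail there is no /dev/urandom to open, the PRNG stays unseeded, RAND_bytes fails, and the session-ID callback reports failure. Checking the device nodes from a shell outside the jail therefore looks fine while the daemon's view is empty. The reason the same configuration worked on OpenBSD is that OpenBSD's libcrypto gets its entropy from arc4random rather than from a device node; that is background, not something the page states. The program below is an added example (not relayd's or the port's code) that simulates both orderings without needing root, and performs the real seed-then-chroot-then-drop sequence when run as root with a jail directory as its argument. The jail path, SEED_LEN, and all helper names are this example's own assumptions.

```c
/*
 * Added example (not relayd's or the FreeBSD port's code): gather the RNG
 * seed before chroot(2), and show why seeding afterwards fails in an empty
 * jail. Helper names, SEED_LEN and the default jail path are assumptions.
 */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SEED_LEN 32

/* Read exactly n bytes from a random device into buf. Returns the byte
 * count, or -1 with errno set if the device cannot be opened or read.
 * Short reads are retried; EINTR is ignored. */
ssize_t read_seed(const char *dev, unsigned char *buf, size_t n)
{
    int fd = open(dev, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
        if (r == 0)
            break;                    /* EOF: should not happen on urandom */
        got += (size_t)r;
    }
    close(fd);
    return (ssize_t)got;
}

/* Path that "/dev/urandom" resolves to once the process has chroot(2)ed
 * into root. Returns 1 if a character device exists there, else 0. */
int urandom_visible_in(const char *root, char *out, size_t outlen)
{
    struct stat st;
    if (snprintf(out, outlen, "%s/dev/urandom", root) >= (int)outlen)
        return 0;
    return stat(out, &st) == 0 && S_ISCHR(st.st_mode);
}

/* Simulate the two orderings without chroot(2) itself (no root needed).
 *   seed_before == 1: read the seed first, then jail (the fix).
 *   seed_before == 0: jail first, then open what /dev/urandom means
 *                     inside root, which an empty jail does not have.
 * Returns the number of seed bytes obtained, or -1. */
ssize_t seed_and_jail(const char *root, int seed_before,
                      unsigned char *seed, size_t n)
{
    char inside[4096];

    if (seed_before)
        return read_seed("/dev/urandom", seed, n);

    if (!urandom_visible_in(root, inside, sizeof inside)) {
        errno = ENOENT;
        return -1;
    }
    return read_seed(inside, seed, n);
}

/* Seed bytes obtained for one ordering against a jail directory. */
ssize_t seed_bytes_for(const char *root, int seed_before)
{
    unsigned char seed[SEED_LEN];
    return seed_and_jail(root, seed_before, seed, sizeof seed);
}

/* The real sequence in the safe order: entropy, then chroot, then uid/gid.
 * Needs root. With OpenSSL the seed would be passed to RAND_seed() here. */
static int drop_into(const char *root, uid_t uid, gid_t gid)
{
    unsigned char seed[SEED_LEN];

    if (read_seed("/dev/urandom", seed, sizeof seed) != (ssize_t)sizeof seed)
        return -1;                            /* 1. seed while reachable */
    if (chroot(root) != 0 || chdir("/") != 0)
        return -1;                            /* 2. confine */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;                            /* 3. drop privileges */
    memset(seed, 0, sizeof seed);             /* seed consumed by the RNG */
    return 0;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/empty";  /* assumed */
    char inside[4096];

    if (seed_bytes_for(jail, 0) < 0)
        printf("seed after chroot(%s): fails (%s)\n", jail, strerror(errno));
    printf("seed before chroot: %zd bytes\n", seed_bytes_for(jail, 1));
    printf("%s/dev/urandom present: %s\n", jail,
           urandom_visible_in(jail, inside, sizeof inside) ? "yes" : "no");

    if (geteuid() == 0 && argc > 1)
        return drop_into(jail, 65534, 65534) == 0 ? 0 : 1;
    return 0;
}
```

Run unprivileged it only reports the two orderings; run as root with a jail path it performs the chroot and uid/gid drop in the order the fix establishes. The same pre-flight check (does root/dev/urandom exist, and was the seed read before chroot) is what to look for when any chrooted TLS daemon logs a session-ID or PRNG-not-seeded error while the host's device nodes look healthy.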
Comment 6 Martin Matuska freebsd_committer freebsd_triage 2010-06-09 22:01:12 UTC
State Changed
From-To: open->closed

Fixed. Thanks!