> To limit verbosity I just captured one full request where it succeeded
> and then another when it didn't
>
> # this is the one that worked as expected
> pastebinit dump.1.tls.bin
> http://paste.ubuntu.com/11811750/
>
> # this is the one that went to default anyway
> pastebinit dump.2.tls.bin
> http://paste.ubuntu.com/11811751/
>
> Both were produced by curl --insecure https://baz.example.com:64443
>
> I was expecting that the -k option would require just my server's key
> and that it would be able to decrypt data to plaintext, however, I see
> that it didn't decrypt, so perhaps I need to convert the keyfile to
> another format or bundle the certificate with the keys?
The handshake negotiated an ECDHE cipher suite, so it's not possible to decrypt it with "just" the private key. No need to decrypt though, I just wanted to see the actual SNI value of the client hello on the wire (or loopback, in this case). But it looks like ssldump doesn't show the SNI value at all, so this doesn't help.

Can you provide a tcpdump capture of the frontend traffic ("tcpdump -ps0 -i lo -w 64443-traffic.cap tcp port 64443")?

Also, did you fix the backend IPs in the configuration? Although the particular scenario is supposed to work (because the frontend destination IP is actually 127.0.0.1), I would rather not leave that variable in place while troubleshooting this.

Regards,
Lukas
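Since the SNI sits in the unencrypted ClientHello, it can be read straight out of the first TLS record without any key. The following is an added example (not code from the thread or from HAProxy) that parses the server_name extension from a ClientHello record; `build_client_hello` only constructs a sample record for the demonstration, and the resulting bytes are a constructed input, not the captures discussed above.

```python
def _len_prefix(payload: bytes, width: int) -> bytes:
    """Prepend a big-endian length of `width` bytes (TLS vector encoding)."""
    return len(payload).to_bytes(width, "big") + payload

def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying a server_name extension.
    Sample input for this example only; not a capture from the thread."""
    name = sni.encode("ascii")
    # ServerNameList: one entry of name_type host_name(0) + 2-byte length + name
    sni_list = _len_prefix(b"\x00" + _len_prefix(name, 2), 2)
    ext = b"\x00\x00" + _len_prefix(sni_list, 2)          # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                        # client_version + random
            + b"\x00"                                      # empty session_id
            + b"\x00\x02\xc0\x2f"                          # one cipher suite (an ECDHE suite)
            + b"\x01\x00"                                  # compression: null only
            + _len_prefix(ext, 2))                         # extensions vector
    handshake = b"\x01" + _len_prefix(body, 3)             # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _len_prefix(handshake, 2)     # record type handshake(22)

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if the record is
    not a ClientHello or carries no server_name extension."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                    # not a handshake record
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if not hs or hs[0] != 0x01:
            return None                                    # not a ClientHello
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                       # skip version + random
        pos += 1 + body[pos]                               # skip session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # skip cipher_suites
        pos += 1 + body[pos]                               # skip compression_methods
        if pos + 2 > len(body):
            return None                                    # no extensions block
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:  # host_name entry
                nlen = int.from_bytes(edata[3:5], "big")
                return edata[5:5 + nlen].decode("ascii")
            pos += 4 + elen
    except (IndexError, UnicodeDecodeError):
        return None                                        # truncated or malformed input
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("baz.example.com")))  # baz.example.com
```

To apply it to a real capture, feed the first TCP payload bytes of each client connection on the frontend port to `extract_sni`; a `None` result on a connection that still reached the default backend points at a ClientHello without SNI rather than at a matching problem.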