Hello, I have a very simple relayd config:

## Macros
#
relayd_addr="xx.xx.xx.xx"
relayd_port="81"
web_port="80"
table <web_hosts> { xx.xx.xx.xx }

## Global Options
#
# Interval in seconds at which the back-end hosts
# will be checked (default: 10 seconds)
interval 10

# Timeout for back-end servers to respond. Set to
# 200 for local servers and around 1000 for servers
# on other subnets. (default: 200 milliseconds)
timeout 1000

# Number of child processes to run. (default: 5)
prefork 5

# Log state notifications after completed host
# checks. State can be up, down or unknown.
log updates

http protocol "httpfilter" {

    ### TCP performance options
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }

    ### Return HTTP/HTML error pages
    return error

    ### allow logging of remote client ips to internal web servers
    header append "$REMOTE_ADDR" to "X-Forwarded-For"

    ### set Keep-Alive timeout to global timeout
    header change "Keep-Alive" to "$TIMEOUT"

    ### close connections upon receipt
    header change "Connection" to "close"

    ssl { sslv3, tlsv1, ciphers "HIGH:!ADH:!MD5", no sslv2 }
    ssl session cache disable
}

relay httpproxy {
    listen on $relayd_addr port $relayd_port ssl
    protocol "httpfilter"
    forward to <web_hosts> port $web_port mode loadbalance check icmp
}

Intermittently the client making requests to it gets this error. 90% of the time it works without errors.

(SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client:

Then also, sometimes my client gets this error (this is more rare):

(SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking to upstream, client:

I have started relayd -vv -n and I don't get any errors...
BUT sometimes for the last error mentioned I get this error in relayd:

SSL library error: httpproxy: relay_ssl_accept: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

I have tried querying from outside the relayd box directly with this command:

openssl s_client -connect ip.of.relayd.box:81 -state -ssl3 -no_ssl2 -no_tls1

I have repeated that 100 times and I never get any errors.

My remote client can GET any other SSL website without any problem.

The cert installed in relayd is valid, with the exception that it doesn't match the hostname being asked for, but that shouldn't be an issue, right?

Please help.

Andres