[...]

> The output of an ab -v 2 gives rise to an "interesting" message...
>
> Compression: 1 (zlib compression)
> Start Time: 1374581735
> Timeout : 300 (sec)
> Verify return code: 19 (self signed certificate in certificate chain)
> SSL read failed - closing connection
> Benchmarking 192.168.156.138 (be patient)...INFO: POST header ==
>
>
> Buuuuut...
> It's not a self-signed...
> Unless you count the fact that one of the certs in the Chain - is signed by
> the authority that made the chain.....
That's it exactly. There are probably no certs in the default root store, and I'm not sure ab is bothered in any case. I see code 19 with a working ab (it's an OpenSSL error code), and it just carries on.

> I am going to test this using another, non EV certificate - and see what
> happens - and report back.
>
> Cheers for the help so-far.

I would expect an error code for the read error. No matter.

It's not common that SSL compression is enabled; it also has security issues (CRIME). This is distinct from HTTP compression.

First, check that there's nothing fundamentally wrong, try:

openssl s_client -connect 1.2.3.4:443

where 1.2.3.4 is the server IP, port 443.

tshark (wireshark) is the next step: extract the server RSA key to a separate unencrypted file, and try something like:

tshark -ta -VO ssl -n -o "ssl.keys_list:1.2.3.4,443,http,server.key" -f "host 1.2.3.4"

(optionally add "-o ssl.debug_file:ssldebug.txt"). Amend the "-f" capture filter according to requirements and whether you're on the client or the server. You'll want to redirect or tee the output to a file.

In the output check the "Client Hello" cipher list, and see if there's something up with the cipher set, the chosen cipher, protocol version, or a problem with SNI or secure renegotiation support (TLS extensions).

C.

> ----- Original Message -----
> From: "Conor McCarthy" <[email protected]>
> To: [email protected]
> Sent: Friday, July 19, 2013 10:57:13 AM
> Subject: Re: [Pound Mailing List] SSL Read Error
>
> On 18 July 2013 13:25, Kieran Reynolds <[email protected]>
> wrote:
>> Hello..
>>
>> I have the following configuration:
>>
>>
>> Internet -> Pound -> Varnish -> Apache(Drupal).
>>
>> My intention is to use Varnish to cache, and loadbalance across a number of
>> webheads for requests that cannot be cached.
>>
>> The reason for putting Pound on the outside edge, is to be the SSL
>> terminator.
>>
>> The problem I have run into, using either Pound 2.5.1 or 2.6.2 (From stock
>> Debian repositories) is that whilst I can get the configuration to work, and
>> importantly, speed up page access (cached pages) on port 80, and have tested
>> this using apachebench, ab, the configuration of 443/SSL isn't going quite
>> so well.
>>
>> I have set this up as follows
>>
>> Pound (listen externalip:443) -> HTTP -> Varnish (127.0.0.1:8880) -> HTTP ->
>> Apache (127.0.0.20:80)
>>
>> When I run ab against the external interface, with the FQDN of the site, I
>> get SSL Read Error, Connection Closed, but I can't figure out why.
> [...]
>
> Have you tried running ab with "-v 2"? That will dump out additional
> SSL info, which might help you track it down.
>
> Also, make sure you are running a contemporary version of ab, support
> for SSL in old versions was a little suspect.
>
> Regards,
> Conor.
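A check for the openssl s_client step in the reply above, as an added example that is not part of the thread: it reads an s_client transcript and flags the verify return code, TLS-level compression and secure renegotiation status, alongside the negotiated protocol and cipher. The two transcripts are constructed samples; the healthy one assumes a modern cipher suite for illustration only.

```shell
# Added example, not from the thread: read an `openssl s_client -connect
# 1.2.3.4:443` transcript on stdin and report the items the reply lists
# (verify code, TLS compression, renegotiation, protocol, cipher); returns 1 on any problem.
check_sclient_output() {
  awk '
    /^ *Protocol *:/         { sub(/^ *Protocol *: */, "");         proto  = $0 }
    /^ *Cipher *:/           { sub(/^ *Cipher *: */, "");           cipher = $0 }
    /^ *Compression:/        { sub(/^ *Compression: */, "");        comp   = $0 }
    /^Secure Renegotiation/  { reneg = $0 }
    /^ *Verify return code:/ { sub(/^ *Verify return code: */, ""); verify = $0 }
    END {
      bad = 0
      printf "protocol=%s\ncipher=%s\nverify=%s\n", proto, cipher, verify
      # 0 = chain verified against the CA store; 19 (as in the thread) = self-signed cert in chain.
      if (verify !~ /^0 /) { print "WARN: chain not verified"; bad = 1 }
      printf "compression=%s\n", comp
      # TLS-level compression is what CRIME abuses; expect NONE or 0 (NONE).
      if (comp !~ /NONE/)  { print "WARN: TLS compression on (CRIME)"; bad = 1 }
      printf "renegotiation=%s\n", reneg
      if (reneg ~ /NOT/)   { print "WARN: no secure renegotiation"; bad = 1 }
      exit bad
    }'
}
# Constructed transcript mimicking the failing setup in the thread.
sample_bad() {
cat <<'EOF'
Secure Renegotiation IS supported
Compression: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Compression: 1 (zlib compression)
    Verify return code: 19 (self signed certificate in certificate chain)
EOF
}
# Constructed transcript of a healthy endpoint.
sample_ok() {
cat <<'EOF'
Secure Renegotiation IS supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Compression: 0 (NONE)
    Verify return code: 0 (ok)
EOF
}
sample_bad | check_sclient_output || echo "status=$?"
```

In practice pipe the real transcript in with `openssl s_client -connect 1.2.3.4:443 </dev/null 2>&1 | check_sclient_output`.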
