To be precise, there is an SNI extension to the SSL protocol that allows selection of the virtual host during negotiation, but it is still not(?) widely used. At least, I wouldn't suspect LWP in that :)
http://en.wikipedia.org/wiki/Server_Name_Indication

On Wed, Dec 4, 2013 at 5:13 PM, Filipe Cifali <cifali.fil...@gmail.com> wrote:

> Yeah the LWP is 6.0.5, but it's working now as intended, probably is
> Crypt-SSLeay working then.
>
> But then again, my setup is working now, and I suspect the virtualhost
> clause helped, since the SSL I have the same subdomain (*.domain.ext) so
> the virtualhost is always valid on my domain.
>
>
> On Wed, Dec 4, 2013 at 12:43 PM, Timur I. Bakeyev <ti...@com.bat.ru> wrote:
>
> > Not sure, how all that mix of SSL modules would work together, but if
> > Crypt-SSLeay-0.64-Pc0dMJ took preference then host checks effectively were
> > disabled:
> >
> > NET::HTTPS states in the code:
> >
> >     if ($cnf->{SSL_verifycn_scheme}) {
> >         $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either install IO::Socket::SSL or turn off verification by setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0";
> >         return undef;
> >     }
> >
> > In any case, you should verify which version of LWP you are using, as host
> > check verification occurred there in 6.x only.
> >
> > With regards,
> > Timur.
> >
> >
> > On Wed, Dec 4, 2013 at 12:48 PM, Filipe Cifali <cifali.fil...@gmail.com> wrote:
> >
> > > For me to make this work on my setup I had to install some Perl Modules, if
> > > you use Ldirectord -d to debug you will see an internal error on messages
> > > checking SSL
> > >
> > > My config that works now:
> > >
> > > virtual = <IP>:443
> > >     real = <IP>:443 gate 10
> > >     real = <IP>:443 gate 10
> > >     real = <IP>:443 gate 10
> > >     real = <IP>:443 gate 10
> > >     real = <IP>:443 gate 10
> > >     real = <IP>:443 gate 10
> > >     persistent = 3600
> > >     scheduler = wrr
> > >     service = https
> > >     checktype = negotiate
> > >     checkport = 443
> > >     request = "server.php"
> > >     receive = "ok"
> > >     virtualhost = "<ssl-domain>"
> > >
> > > The modules I have installed (dunno which worked)
> > >
> > > Crypt-SSLeay-0.64-Pc0dMJ
> > > IO-Socket-SSL-1.953-c7ub4t
> > > Net-SSLeay-1.55-8NXQ3I
> > >
> > > Installed all via cpan.
> > >
> > > The thing is to always check the debug from ldirectord -d -c <config-file>
> > > cause it tells you what's failing
> > >
> > >
> > > On Wed, Dec 4, 2013 at 8:33 AM, Malcolm Turnbull
> > > <malc...@loadbalancer.org> wrote:
> > >
> > > > We use the same patch at Loadbalancer.org (or something very similar
> > > > anyway). Most of our customers specifically do not want to use a virtual
> > > > host (for a health check) OR care if the SSL cert is valid.
> > > >
> > > >
> > > > On 4 December 2013 10:05, Timur I. Bakeyev <ti...@com.bat.ru> wrote:
> > > > > Have you tried it, Dennis? Did you look into the ldirectord code? You know,
> > > > > how SSL is working?
> > > > >
> > > > > Regards,
> > > > > Timur.
> > > > >
> > > > >
> > > > > On Wed, Dec 4, 2013 at 6:09 AM, Dennis Jacobfeuerborn <denni...@conversis.de> wrote:
> > > > >
> > > > >> On 03.12.2013 12:19, Timur I.
Bakeyev wrote: > > > > >> > Hi guys! > > > > >> > > > > > >> > I've posted bug report regarding ldirectord, can you please > review > > > it > > > > and > > > > >> > commit, if possible? > > > > >> > > > > > >> > https://github.com/ClusterLabs/resource-agents/issues/361 > > > > >> > > > > > >> > Ldirectord is using LWP for it's negotiate checks for the > > HTTP/HTTPS > > > > >> sites. > > > > >> > Since LWP 6.0 by default it verifies the correspondence of the > SSL > > > > >> > certificate and the server hostname. In 99.9% of the cases this > is > > > the > > > > >> VIP > > > > >> > hostname and RIP are identified by their internal hostnames or, > > most > > > > >> common > > > > >> > - by their IP addresses. > > > > >> > > > > > >> > That breaks hostname verification and hence - marks HTTPS > backends > > > as > > > > >> > invalid and kicks them off the pool. This problem did hit me in > > the > > > > >> > production when we've upgraded from Debian squeeze to Debian > > wheezy, > > > > >> which > > > > >> > brought newer version of LWP. > > > > >> > > > > > >> > > > > > >> > > > > > > > > > > http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm > > > > >> > > > > > >> > Luckily, the fix to the problem is easy: > > > > >> > > > > > >> > --- ldirectord.orig 2013-12-03 11:59:11.114983525 +0100 > > > > >> > +++ ldirectord 2013-12-03 11:59:34.703026282 +0100 
> > > > >> > @@ -2834,7 +2834,7 @@ > > > > >> > &ld_debug(2, "check_http: url=\"$$r{url}\" " > > > > >> > . "virtualhost=\"$virtualhost\""); > > > > >> > > > > > >> > - my $ua = new LWP::UserAgent(); > > > > >> > + my $ua = new LWP::UserAgent(ssl_opts => { > verify_hostname > > > => 0 > > > > >> }); > > > > >> > > > > > >> > my $h = undef; > > > > >> > if ($$v{service} eq "http_proxy") { > > > > >> > > > > > >> > I haven't verified that with older version of LWP, but I believe > > it > > > > >> should > > > > >> > just ignore unknown parameters to the constructor. > > > > >> > > > > >> I don't think that's a bug but you have to specify the virtualhost > > > > >> parameter to set the Host header for the realservers. > > > > >> > > > > >> Regards, > > > > >> Dennis > > > > >> > > > > >> > > > > >> _______________________________________________ > > > > >> Please read the documentation before posting - it's available at: > > > > >> http://www.linuxvirtualserver.org/ > > > > >> > > > > >> LinuxVirtualServer.org mailing list - > > lvs-users@LinuxVirtualServer.org > > > > >> Send requests to lvs-users-requ...@linuxvirtualserver.org > > > > >> or go to http://lists.graemef.net/mailman/listinfo/lvs-users > > > > >> > > > > > _______________________________________________ > > > > > Please read the documentation before posting - it's available at: > > > > > http://www.linuxvirtualserver.org/ > > > > > > > > > > LinuxVirtualServer.org mailing list - > > lvs-users@LinuxVirtualServer.org > > > > > Send requests to lvs-users-requ...@linuxvirtualserver.org > > > > > or go to http://lists.graemef.net/mailman/listinfo/lvs-users > > > > > > > > > > > > > > > > -- > > > > Regards, > > > > > > > > Malcolm Turnbull. > > > > > > > > Loadbalancer.org Ltd. 
> > > > Phone: +44 (0)870 443 8779
> > > > http://www.loadbalancer.org/
> > >
> > > --
> > > [ ]'s
> > >
> > > Filipe Cifali Stangler
>
> --
> [ ]'s
>
> Filipe Cifali Stangler
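
Review bot: The added line `my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0 });` in check_http turns hostname verification off for every negotiate check, with no configuration switch and no comment saying why, even though `$virtualhost` is already in scope (it is logged in the ld_debug call just above) and could serve as the name the certificate is expected to match. I would make this a per-virtual-service option, documented alongside the other check settings, so that setups with a valid virtualhost keep verification, and add a code comment stating that the check is relaxed because real servers are addressed by IP. The message also says the change was not tried against LWP older than 6.0, so that should be tested before commit.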
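
As an added example (not ldirectord code and not from any poster in this thread), here is a health check that connects to a real server by IP but still verifies its certificate against the virtual host name, and refuses to report a verified result when the Net::SSL backend mentioned above is in use. It assumes IO::Socket::SSL is installed and that LWP hands the `SSL_*` keys in `ssl_opts` through to it; the function names, the address and the host name are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example, not ldirectord code. The address and names in the call at
# the bottom are constructed placeholders.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use Net::HTTPS;    # sets $Net::HTTPS::SSL_SOCKET_CLASS when loaded

# Net::SSL (Crypt-SSLeay) cannot verify hostnames, so a "verified" check is
# only meaningful when IO::Socket::SSL is the backend in use.
sub backend_can_verify {
    return $Net::HTTPS::SSL_SOCKET_CLASS eq 'IO::Socket::SSL';
}

# Connect to the real server by IP, but verify its certificate against the
# virtual host name that clients actually use.
sub check_real_server {
    my (%a) = @_;    # rip, port, request, receive, virtualhost
    return (0, "SSL backend cannot verify hostnames")
        unless backend_can_verify();

    my $ua = LWP::UserAgent->new(
        timeout  => 5,
        ssl_opts => {
            verify_hostname   => 1,
            SSL_verifycn_name => $a{virtualhost},    # name the cert must match
            SSL_hostname      => $a{virtualhost},    # SNI sent to the server
        },
    );
    my $req = HTTP::Request->new(GET => "https://$a{rip}:$a{port}/$a{request}");
    $req->header(Host => $a{virtualhost});

    my $res = $ua->request($req);
    return (0, $res->status_line) unless $res->is_success;
    return (0, "receive string not found")
        unless index($res->decoded_content, $a{receive}) >= 0;
    return (1, "ok");
}

# Constructed values mirroring the config keys quoted in the thread.
my ($up, $why) = check_real_server(
    rip => '192.0.2.10', port => 443, request => 'server.php',
    receive => 'ok', virtualhost => 'www.example.com',
);
print $up ? "real server up\n" : "real server down: $why\n";
```

If the real servers use a certificate from an internal CA, add `SSL_ca_file` to `ssl_opts` so the chain can be validated.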