Closed beelze closed 11 months ago
upd: Trying to directly request the Caddy server in question by wget, using IP address instead domain name, got same error:
# wget -Sv https://xx.xx.xx.xx/path -O -
--2023-10-21 16:08:12-- https://xx.xx.xx/path
Connecting to xx.xx.xx.xx:443... connected.
OpenSSL: error:0A000438:SSL routines::tlsv1 alert internal error
Unable to establish SSL connection.
Apparently you don't have the corresponding root certificate or keychain. Use Cert
keyword in the Backend
section to supply the missing info.
Sorry if I missed something, but according to docs Cert "filename" is for specifying the certificate that pound will use as a client
The Caddy server in question is a public server and is can be successfully queried by wget
(from the host the pound
is running on) without providing client certificate:
# wget -Sv https:/some.caddy.server/path -O -
--2023-10-21 19:49:14-- https://some.caddy.server/path
Resolving some.caddy.server (some.caddy.server).. xx.xx.xx.xx
Connecting to some.caddy.server (some.caddy.server)|xx.xx.xx.xx|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Alt-Svc: h3=":443"; ma=2592000
Content-Length: 8
Content-Type: application/json
Date: Sat, 21 Oct 2023 13:49:15 GMT
Server: Caddy
Server: restify
Length: 8 [application/json]
…
More, when I replaced some.caddy.server
to my own test https server (lighttpd), pound
processes backend request successfully.
beelze @.***> ha escrit:
The Caddy server in question is a public server and is can be successfully queried by wget (from the host the pound is running on) without providing client certificate:
In your previous posting you said that:
Trying to directly request the Caddy server in question by wget, using IP address instead domain name, got same error:
Right? That seems to indicate that pound is accessing it by wrong name. If the remote server is using SNI (nowadays most servers do) it will fail the handshake if presented wrong name in the Host: header. That header, in turn, will contain the name client used to access the server pound lives on. In that case you will need to modify the Host: header before sending request to the backend.
Regards, Sergey
pound is accessing it by wrong name
my guess was the same, so I've tried to use SetHeader "Host: some.caddy.server"
inside Service
section, but it changed nothing (same error).
Again, I've checked (on my test server) that this header was actually sent so I really do not know what exactly I'm doing wrong.
`
Here's two real-world configs to reproduce the problem.
Service
SetPath "/tyrian/site-logo.svg"
SetHeader "Host: assets.gentoo.org"
BackEnd
HTTPS
Disable TLSv1_1
Address assets.gentoo.org
Port 443
End
End
this request processed successfully:
pound: xx.xx.xx.xx GET /rotate/akjhnv5m47zx HTTP/1.1 - HTTP/1.1 200 OK (assets.gentoo.org/- -> 185.76.9.19:443) 0.395 sec
But this config is not working:
Service
SetPath "/user_avatar/caddy.community/matt/24/8322_2.png"
SetHeader "Host: caddy.community"
BackEnd
HTTPS
Disable TLSv1_1
Address caddy.community
Port 443
End
End
same error:
pound: BIO_do_handshake with 159.89.152.193:443 failed: error:0A000438:SSL routines::tlsv1 alert internal error
Thanks for the additional info. Please, pull commit
bcb10cbcf1a036b2d9a38cde91b7dfad7577347e. It introduces additional
keyword ServerName
for the Backend
section. With this change, the
following service definition works:
Service
SetPath "/user_avatar/caddy.community/matt/24/8322_2.png"
BackEnd
HTTPS
Disable TLSv1_2
ServerName "caddy.community"
Address caddy.community
Port 443
End
End
Observe the following:
SetHeader
is not needed, since ServerName
implies it for that
particular backend. This means that correct SNI and Host:
header will
be used in case of multiple backends as well.
You can use IP address in the Address
directive as well - it doesn't
affect SNI.
This particular host uses TLSv1_3, so the Disable
statement has been
changed accordingly.
Regards, Sergey
I'm getting error for some Caddy server backends:
pound: BIO_do_handshake with xx.xx.xx.xx:443 failed: error:0A000438:SSL routines::tlsv1 alert internal error
backend configuration (inside https listener) is minimal:
Playing with
Disable TLSx
orCiphers
options (like any other options) changed nothing. Tested with openssl 3.0.9 and 3.1.3 – same results.Here's Qualys report on one of "problematic" sites. Also, this discussion on stackoverflow may be relevant to the issue