tatsuhiro-t / spdylay

The experimental SPDY protocol version 2, 3 and 3.1 implementation in C
http://tatsuhiro-t.github.io/spdylay/
MIT License
604 stars 102 forks

shrpx front-end proxy error: decryption_failed(21). #124

Open zwChan opened 9 years ago

zwChan commented 9 years ago

image (get the file from http://pan.baidu.com/s/1mgNx5Mg)

I use shrpx as a front-end proxy, connecting to another SPDY proxy, but I encounter an error of decryption_failed(21). I tried googling a lot, but there is very little material to read.
The backend server "106.187.39.217,443" is a SPDY proxy, and it works OK if I use it in a PAC file in Chrome.

I don't know much about openssl, but I made the crt file with openssl using the following commands:
openssl genrsa -out ca.key 1024
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

The shrpx options used:
src/shrpx -p --backend=106.187.39.217,443 --frontend=0.0.0.0,8808 --log-level=INFO --insecure --cacert=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt --client-private-key-file=/etc/pki/CA/private/ca.key --client-cert-file=/etc/pki/CA/certs/ca.crt --tls-proto-list=TLSv1.0

There seems to be no error in the log:

[INFO] Resolving backend address (shrpx.cc:1183)
[INFO] Address resolution for 106.187.39.217 succeeded: 106.187.39.217 (shrpx.cc:105)
[INFO] Unable to get IPv6 address for 0.0.0.0: Address family for hostname not supported (shrpx.cc:148)
[INFO] Listening on 0.0.0.0, port 8808 (shrpx.cc:186)
[INFO] Entering event loop (shrpx.cc:299)
[INFO] [LISTEN:0x1000260] Accepted connection. fd=9 (shrpx_listen_handler.cc:101)
[INFO] [UPSTREAM:0xfe3a00] HTTP request started (shrpx_https_upstream.cc:78)
[INFO] [UPSTREAM:0xfe3a00] HTTP request headers completed (shrpx_https_upstream.cc:135)
[INFO] [UPSTREAM:0xfe3a00] HTTP request headers
CONNECT clients4.google.com:443 HTTP/1.1
Host: clients4.google.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

   (shrpx_https_upstream.cc:156)
[INFO] [CLIENT_HANDLER:0xfd5dd0] Downstream connection pool is empty. Create new one (shrpx_client_handler.cc:309)
[INFO] [DCONN:0xfbd720] Attaching to DOWNSTREAM:0xfd6070 (shrpx_spdy_downstream_connection.cc:101)
[INFO] [UPSTREAM:0xfe3a00] Downstream output buffer is full (shrpx_https_upstream.cc:311)
[INFO] [DSPDY:0xfd6130] Connecting to downstream server (shrpx_spdy_session.cc:393)
[INFO] [DSPDY:0xfd6130] Connection established (shrpx_spdy_session.cc:249)
[INFO] [DSPDY:0xfd6130] Negotiated next protocol: (shrpx_spdy_session.cc:1049)
[INFO] [DSPDY:0xfd6130] Disconnecting (shrpx_spdy_session.cc:72)
[INFO] [DSPDY:0xfd6130] Closing fd=10 (shrpx_spdy_session.cc:103)
[INFO] [CLIENT_HANDLER:0xfd5dd0] Deleting (shrpx_client_handler.cc:173)
[INFO] [DOWNSTREAM:0xfd6070] Deleting (shrpx_downstream.cc:67)
[INFO] [DCONN:0xfbd720] Deleting (shrpx_spdy_downstream_connection.cc:59)
[INFO] [DCONN:0xfbd720] Deleted (shrpx_spdy_downstream_connection.cc:76)
[INFO] [DOWNSTREAM:0xfd6070] Deleted (shrpx_downstream.cc:77)
[INFO] [CLIENT_HANDLER:0xfd5dd0] Deleted (shrpx_client_handler.cc:202)
[INFO] [LISTEN:0x1000260] Accepted connection. fd=9 (shrpx_listen_handler.cc:101)
[INFO] [CLIENT_HANDLER:0xfd5dd0] EOF (shrpx_client_handler.cc:83)
[INFO] [CLIENT_HANDLER:0xfd5dd0] Deleting (shrpx_client_handler.cc:173)
[INFO] [CLIENT_HANDLER:0xfd5dd0] Deleted (shrpx_client_handler.cc:202)
[INFO] [LISTEN:0x1000260] Accepted connection. fd=9 (shrpx_listen_handler.cc:101)
[INFO] [UPSTREAM:0x101d470] HTTP request started (shrpx_https_upstream.cc:78)
[INFO] [UPSTREAM:0x101d470] HTTP request headers completed (shrpx_https_upstream.cc:135)
[INFO] [UPSTREAM:0x101d470] HTTP request headers
GET http://www.baidu.com/ HTTP/1.1
Host: www.baidu.com
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: BAIDUID=1BA2C2A8FF4226E396526FE4BE6B740E:FG=1; BAIDUPSID=1BA2C2A8FF4226E396526FE4BE6B740E; BD_HOME=0; H_PS_PSSID=10382_1444_10571_10211_10501_10496_10753_10646_10459_10219_10687_10356_10666_10596_10096_10657_10443_10699_10403_10360_10617_10702_10627; BD_UPN=1b314353

   (shrpx_https_upstream.cc:156)
[INFO] [CLIENT_HANDLER:0xfd5dd0] Downstream connection pool is empty. Create new one (shrpx_client_handler.cc:309)
[INFO] [DCONN:0xf2f400] Attaching to DOWNSTREAM:0xfed6c0 (shrpx_spdy_downstream_connection.cc:101)
[INFO] [UPSTREAM:0x101d470] HTTP request completed (shrpx_https_upstream.cc:227)
[INFO] [DSPDY:0xfd6130] Connecting to downstream server (shrpx_spdy_session.cc:393)
[INFO] [LISTEN:0x1000260] Accepted connection. fd=11 (shrpx_listen_handler.cc:101)
[INFO] [UPSTREAM:0x10177f0] HTTP request started (shrpx_https_upstream.cc:78)
[INFO] [UPSTREAM:0x10177f0] HTTP request headers completed (shrpx_https_upstream.cc:135)

zwChan commented 9 years ago

It seems nobody pays attention to this ...

tatsuhiro-t commented 9 years ago

From the log, I see SPDY protocol is not negotiated in backend. Check that backend SPDY proxy supports NPN. For SSL/TLS stuff, check tls version and cipher suites.
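The check described in the comment above, as an added example (not part of the original thread and not spdylay code): a Python parser that groups shrpx `DSPDY` log lines into backend connection attempts and flags those where `Negotiated next protocol:` is logged empty. The line format is taken from the log posted in this issue; the `0xfe0000` session is constructed for contrast, and the function names and result labels are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# DSPDY lines from the log posted in this issue, one entry per line, followed
# by a constructed healthy session (0xfe0000) added only for contrast.
SAMPLE_LOG = """\
[INFO] [DSPDY:0xfd6130] Connecting to downstream server (shrpx_spdy_session.cc:393)
[INFO] [DSPDY:0xfd6130] Connection established (shrpx_spdy_session.cc:249)
[INFO] [DSPDY:0xfd6130] Negotiated next protocol: (shrpx_spdy_session.cc:1049)
[INFO] [DSPDY:0xfd6130] Disconnecting (shrpx_spdy_session.cc:72)
[INFO] [DSPDY:0xfd6130] Closing fd=10 (shrpx_spdy_session.cc:103)
[INFO] [DSPDY:0xfd6130] Connecting to downstream server (shrpx_spdy_session.cc:393)
[INFO] [DSPDY:0xfe0000] Connecting to downstream server (shrpx_spdy_session.cc:393)
[INFO] [DSPDY:0xfe0000] Connection established (shrpx_spdy_session.cc:249)
[INFO] [DSPDY:0xfe0000] Negotiated next protocol: spdy/3.1 (shrpx_spdy_session.cc:1049)
"""

# [LEVEL] [KIND:0xid] message (source_file.cc:line)
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z]+)\]\s+\[(?P<kind>[A-Z_]+):(?P<id>0x[0-9a-fA-F]+)\]\s+"
    r"(?P<msg>.*?)\s*\((?P<src>[\w.]+):(?P<line>\d+)\)\s*$"
)
NEGOTIATED = "Negotiated next protocol:"


@dataclass
class Attempt:
    session: str
    established: bool = False
    # None: the negotiation line was never logged; "": logged with no protocol.
    protocol: Optional[str] = None
    disconnected: bool = False


def parse_attempts(log_text: str) -> List[Attempt]:
    """Group DSPDY lines into attempts; each 'Connecting' line opens a new one."""
    attempts: List[Attempt] = []
    current = {}  # session id -> attempt currently in progress
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["kind"] != "DSPDY":
            continue  # header continuation lines and other components
        sid, msg = m["id"], m["msg"]
        if msg.startswith("Connecting to downstream server"):
            current[sid] = Attempt(sid)
            attempts.append(current[sid])
            continue
        att = current.get(sid)
        if att is None:
            continue  # log starts mid-session; nothing to attach to
        if msg.startswith("Connection established"):
            att.established = True
        elif msg.startswith(NEGOTIATED):
            att.protocol = msg[len(NEGOTIATED):].strip()
        elif msg.startswith("Disconnecting"):
            att.disconnected = True
    return attempts


def classify(att: Attempt) -> str:
    """Label one backend attempt (labels are this example's own)."""
    if not att.established:
        return "not-established"
    if att.protocol is None:
        return "negotiation-not-logged"
    if att.protocol == "":
        return "no-protocol-negotiated"  # the case pointed out in this thread
    if not att.protocol.startswith("spdy/"):
        return "non-spdy-protocol"
    return "ok"


def report(log_text: str) -> List[str]:
    return [f"{a.session}: {classify(a)}" for a in parse_attempts(log_text)]


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```

The first attempt from the posted log is labelled `no-protocol-negotiated` and is followed by an immediate disconnect, which is the pattern to look for before examining certificates or keys.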

zwChan commented 9 years ago

In fact, I know little about the proxy (I buy the proxy service, but it only supports the Chrome browser through a plugin), and the proxy works OK when using a PAC script in Chrome, like "return 'HTTPS 106.187.39.217:443'". I captured the packets, and exactly the same negotiation occurs (including TLS version and cipher suites), without decryption_failed(21). So I think something is wrong with the key file or cacert. I don't understand the options "--cacert, --client-private-key-file, --client-cert-file" very well, and there is not much info I can get about them in the help text. Now I create the cacert/client-key/client-cert using the above openssl commands on my Linux server. Should it work? Could you offer more hints?


The debugging info in Chrome is really cool! When it works OK, I get the SPDY session info as follows:
SPDY Enabled: true
Use Alternate Protocol: true
Force SPDY Always: false
Force SPDY Over SSL: true
Next Protocols: http/1.1,spdy/3,spdy/3.1

87493: SPDY_SESSION maps.google.com:443 (HTTPS ipad1826.pw:443) Start Time: 2014-12-30 01:50:33.010

t=344605 [st= 0] +SPDY_SESSION [dt=?] --> host = "maps.google.com:443" --> proxy = "HTTPS ipad1826.pw:443"
t=344605 [st= 0] SPDY_SESSION_INITIALIZED --> protocol = "spdy/3.1" --> source_dependency = 87479 (SOCKET)
t=344605 [st= 0] SPDY_SESSION_SEND_SETTINGS --> settings = ["[id:4 flags:0 value:1000]","[id:7 flags:0 value:10485760]"]
t=344606 [st= 1] SPDY_STREAM_UPDATE_RECV_WINDOW --> delta = 10420224 --> window_size = 10485760
t=344606 [st= 1] SPDY_SESSION_SENT_WINDOW_UPDATE_FRAME --> delta = 10420224 --> stream_id = 0
t=344608 [st= 3] SPDY_SESSION_SYN_STREAM
    --> fin = true
    --> :host: maps.google.com
        :method: GET
        :path: /maps?biw=1366&bih=667&q=%E9%99%B6%E7%93%B7%E6%A0%87%E9%A2%98&bav=on.2,or.r_cp.&um=1&ie=UTF-8&sa=X&ei=042hVMTXCtLZoASZ4YDYDA&ved=0CAcQAUoAg
        :scheme: https
        :version: HTTP/1.1
        accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        accept-encoding: gzip, deflate, sdch
        accept-language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
        cookie: [811 bytes were stripped]
        ra-sid: CB6EAFB3-20140731-015918-084620-688fb4
        ra-ver: 2.8.6
        referer: https://www.google.com/
        user-agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
        x-client-data: CJO2yQEIorbJAQiptskBCMS2yQEInobKAQjwiMoB
    --> spdy_priority = 0
    --> stream_id = 1
    --> unidirectional = false
t=344791 [st=186] SPDY_SESSION_RECV_SETTINGS --> clear_persisted = false --> host = "maps.google.com:443"
t=344791 [st=186] SPDY_SESSION_RECV_SETTING --> flags = 1 --> id = 4 --> value = 100
t=344791 [st=186] SPDY_SESSION_UPDATE_STREAMS_SEND_WINDOW_SIZE --> delta_window_size = 0
t=344791 [st=186] SPDY_SESSION_RECV_SETTING --> flags = 0 --> id = 7 --> value = 65536
t=344791 [st=186] SPDY_SESSION_RECEIVED_WINDOW_UPDATE_FRAME --> delta = 983040 --> stream_id = 0
t=344791 [st=186] SPDY_SESSION_UPDATE_SEND_WINDOW --> delta = 983040 --> window_size = 1048576
t=344848 [st=243] SPDY_SESSION_SYN_REPLY
    --> fin = false
    --> :status: 302 Found
        :version: HTTP/1.1
        alternate-protocol: 443:quic,p=0.02
        cache-control: private
        content-length: 391
        content-type: text/html; charset=UTF-8
        date: Mon, 29 Dec 2014 17:49:57 GMT
        location: https://www.google.com/maps?biw=1366&bih=667&q=%E9%99%B6%E7%93%B7%E6%A0%87%E9%A2%98&bav=on.2,or.r_cp.&um=1&ie=UTF-8&sa=X&ei=042hVMTXCtLZoASZ4YDYDA&ved=0CAcQ_AUoAg
        server: gws
        x-frame-options: SAMEORIGIN
        x-xss-protection: 1; mode=block
    --> stream_id = 1
t=344849 [st=244] SPDY_SESSION_RECV_DATA --> fin = false --> size = 391 --> stream_id = 1
t=344849 [st=244] SPDY_SESSION_UPDATE_RECV_WINDOW --> delta = -391 --> window_size = 10485369
t=344849 [st=244] SPDY_SESSION_RECV_DATA --> fin = true --> size = 0 --> stream_id = 1
t=344849 [st=244] SPDY_SESSION_PING --> is_ack = false --> type = "received" --> unique_id = 0
t=344849 [st=244] SPDY_SESSION_PING --> is_ack = true --> type = "sent" --> unique_id = 0
t=344851 [st=246] SPDY_STREAM_UPDATE_RECV_WINDOW --> delta = 391 --> window_size = 10485760

87472: CONNECT_JOB ssl/maps.google.com:443 Start Time: 2014-12-30 01:50:32.228

t=343823 [st= 0] +SOCKET_POOL_CONNECT_JOB [dt=103] --> group_name = "ssl/maps.google.com:443"
t=343823 [st= 0] +SOCKET_POOL_CONNECT_JOB_CONNECT [dt=103]
t=343823 [st= 0] HOST_RESOLVER_IMPL [dt=0] --> source_dependency = 87473 (HOST_RESOLVER_IMPL_REQUEST)
t=343823 [st= 0] HOST_RESOLVER_IMPL [dt=0] --> source_dependency = 87476 (HOST_RESOLVER_IMPL_REQUEST)
t=343926 [st=103] CONNECT_JOB_SET_SOCKET --> source_dependency = 87479 (SOCKET)
t=343926 [st=103] -SOCKET_POOL_CONNECT_JOB_CONNECT
t=343926 [st=103] -SOCKET_POOL_CONNECT_JOB

87473: HOST_RESOLVER_IMPL_REQUEST ipad1826.pw:443 Start Time: 2014-12-30 01:50:32.228

t=343823 [st=0] +HOST_RESOLVER_IMPL_REQUEST [dt=0] --> address_family = 0 --> allow_cached_response = true --> host = "ipad1826.pw:443" --> is_speculative = false --> source_dependency = 87472 (CONNECT_JOB)
t=343823 [st=0] HOST_RESOLVER_IMPL_CACHE_HIT
t=343823 [st=0] -HOST_RESOLVER_IMPL_REQUEST

87476: HOST_RESOLVER_IMPL_REQUEST maps.google.com:443 Start Time: 2014-12-30 01:50:32.228

t=343823 [st=0] +HOST_RESOLVER_IMPL_REQUEST [dt=0] --> address_family = 0 --> allow_cached_response = true --> host = "maps.google.com:443" --> is_speculative = false --> source_dependency = 87472 (CONNECT_JOB)
t=343823 [st=0] -HOST_RESOLVER_IMPL_REQUEST --> net_error = -804 (ERR_DNS_CACHE_MISS)

87479: SOCKET ssl/maps.google.com:443 Start Time: 2014-12-30 01:50:32.228

t=343823 [st= 0] +SOCKET_ALIVE [dt=225564] --> source_dependency = 87472 (CONNECT_JOB)
t=343823 [st= 0] +TCP_CONNECT [dt=103] --> address_list = ["106.187.100.125:443"]
t=343824 [st= 1] TCP_CONNECT_ATTEMPT [dt=102] --> address = "106.187.100.125:443"
t=343926 [st= 103] -TCP_CONNECT --> source_address = "192.168.0.103:49226"
t=343926 [st= 103] +SOCKET_IN_USE [dt=225461] --> source_dependency = 87471 (CONNECT_JOB)
t=343926 [st= 103] +SSL_CONNECT [dt=103]
t=343926 [st= 103] SOCKET_BYTES_SENT --> byte_count = 217
t=344028 [st= 205] SOCKET_BYTES_RECEIVED --> byte_count = 145
t=344028 [st= 205] SSL_CERTIFICATES_RECEIVED --> certificates =

t=344029 [st= 206] SOCKET_BYTES_SENT --> byte_count = 59
t=344029 [st= 206] SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED --> embedded_scts = "" --> scts_from_ocsp_response = "" --> scts_from_tls_extension = ""
t=344029 [st= 206] SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED --> invalid_scts = [] --> unknown_logs_scts = [] --> verified_scts = []
t=344029 [st= 206] -SSL_CONNECT
t=344029 [st= 206] +SOCKET_IN_USE [dt=225358] --> source_dependency = 87467 (CONNECT_JOB)
t=344029 [st= 206] +HTTP_TRANSACTION_TUNNEL_SEND_REQUEST [dt=1]
t=344029 [st= 206] HTTP_TRANSACTION_SEND_TUNNEL_HEADERS
    --> CONNECT maps.google.com:443 HTTP/1.1
        Host: maps.google.com
        Proxy-Connection: keep-alive
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
t=344029 [st= 206] HTTP_TRANSACTION_SEND_REQUEST_HEADERS
    --> CONNECT maps.google.com:443 HTTP/1.1
        Host: maps.google.com
        Proxy-Connection: keep-alive
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
t=344030 [st= 207] SSL_SOCKET_BYTES_SENT --> byte_count = 220
t=344030 [st= 207] SOCKET_BYTES_SENT --> byte_count = 282
t=344030 [st= 207] -HTTP_TRANSACTION_TUNNEL_SEND_REQUEST
t=344030 [st= 207] +HTTP_TRANSACTION_TUNNEL_READ_HEADERS [dt=320]
t=344030 [st= 207] +HTTP_STREAM_PARSER_READ_HEADERS [dt=320]
t=344350 [st= 527] SOCKET_BYTES_RECEIVED --> byte_count = 69
t=344350 [st= 527] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 39
t=344350 [st= 527] -HTTP_STREAM_PARSER_READ_HEADERS
t=344350 [st= 527] HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS --> HTTP/1.1 200 Connection established
t=344350 [st= 527] -HTTP_TRANSACTION_TUNNEL_READ_HEADERS
t=344350 [st= 527] +SOCKET_IN_USE [dt=225037] --> source_dependency = 87466 (CONNECT_JOB)
t=344350 [st= 527] +SSL_CONNECT [dt=254]
t=344351 [st= 528] SSL_SOCKET_BYTES_SENT --> byte_count = 215
t=344351 [st= 528] SOCKET_BYTES_SENT --> byte_count = 282
t=344567 [st= 744] SOCKET_BYTES_RECEIVED --> byte_count = 3957
t=344567 [st= 744] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 3918
t=344568 [st= 745] SSL_CHANNEL_ID_REQUESTED
t=344568 [st= 745] SSL_GET_DOMAIN_BOUND_CERT [dt=0]
t=344568 [st= 745] SSL_CHANNEL_ID_PROVIDED
t=344579 [st= 756] SSL_CERTIFICATES_RECEIVED --> certificates =

t=344579 [st= 756] SSL_SOCKET_BYTES_SENT --> byte_count = 254
t=344579 [st= 756] SOCKET_BYTES_SENT --> byte_count = 330
t=344580 [st= 757] +CERT_VERIFIER_REQUEST [dt=24]
t=344580 [st= 757] CERT_VERIFIER_REQUEST_BOUND_TO_JOB --> source_dependency = 87489 (CERT_VERIFIER_JOB)
t=344604 [st= 781] -CERT_VERIFIER_REQUEST
t=344604 [st= 781] SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED --> embedded_scts = "" --> scts_from_ocsp_response = "" --> scts_from_tls_extension = ""
t=344604 [st= 781] SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED --> invalid_scts = [] --> unknown_logs_scts = [] --> verified_scts = []
t=344604 [st= 781] -SSL_CONNECT
t=344604 [st= 781] +SOCKET_IN_USE [dt=224783] --> source_dependency = 87462 (HTTP_STREAM_JOB)
t=344606 [st= 783] SSL_SOCKET_BYTES_SENT --> byte_count = 28
t=344606 [st= 783] SSL_SOCKET_BYTES_SENT --> byte_count = 49
t=344606 [st= 783] SOCKET_BYTES_SENT --> byte_count = 122
t=344606 [st= 783] SSL_SOCKET_BYTES_SENT --> byte_count = 16
t=344606 [st= 783] SSL_SOCKET_BYTES_SENT --> byte_count = 37
t=344606 [st= 783] SOCKET_BYTES_SENT --> byte_count = 106
t=344608 [st= 785] SSL_SOCKET_BYTES_SENT --> byte_count = 1423
t=344608 [st= 785] SSL_SOCKET_BYTES_SENT --> byte_count = 1444
t=344608 [st= 785] SOCKET_BYTES_SENT --> byte_count = 1514
t=344791 [st= 968] SOCKET_BYTES_RECEIVED --> byte_count = 389
t=344791 [st= 968] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 356
t=344791 [st= 968] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 44
t=344848 [st= 1025] SOCKET_BYTES_RECEIVED --> byte_count = 853
t=344848 [st= 1025] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 825
t=344848 [st= 1025] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 762
t=344849 [st= 1026] SSL_SOCKET_BYTES_SENT --> byte_count = 12
t=344849 [st= 1026] SSL_SOCKET_BYTES_SENT --> byte_count = 33
t=344849 [st= 1026] SOCKET_BYTES_SENT --> byte_count = 106
t=569385 [st=225562] SOCKET_BYTES_RECEIVED --> byte_count = 133
t=569385 [st=225562] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 94
t=569385 [st=225562] SOCKET_BYTES_RECEIVED --> byte_count = 0
t=569385 [st=225562] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 52
t=569385 [st=225562] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 0
t=569386 [st=225563] SOCKET_CLOSED
t=569387 [st=225564] -SOCKET_IN_USE
t=569387 [st=225564] -SOCKET_IN_USE
t=569387 [st=225564] -SOCKET_IN_USE
t=569387 [st=225564] -SOCKET_IN_USE
t=569387 [st=225564] -SOCKET_ALIVE

tatsuhiro-t commented 9 years ago

I don't understand the options " --cacert , --client-private-key-file, --client-cert-file" very much, not

--cacert: CA certificates shrpx trusts when making backend connections. If the backend host uses self-signed certs and you'd like to make sure that it really is, specify its cert here.

--client-private-key-file and --client-cert-file: Specify the client private key and certificate files. They are only required if the backend TLS server requires them. Usually the backend server's service says something about this; for example, signing your client certs with their keys.