An update,
I have had a chance to start Relayd with verbose logging to troubleshoot
this, and I get the following on startup with any FQDN longer than 32
characters in relayd.conf (config details are the same as in my previous
email):
SSL library error: ****************.************.com: relay_ssl_ctx_create: error:140DB111:SSL routines:SSL_CTX_set_session_id_context:ssl session id context too long
fatal: relay_init: failed to create SSL context: Invalid argument
It doesn't look like there's a hard limit for FQDN length in the source
for relayd. Anybody have any ideas?
Thanks,
Andrew Klettke
Systems Admin
Optic Fusion NOC
253-830-2943
On 02/04/2011 04:04 PM, Andrew Klettke wrote:
Hello all,
It looks like we've run into a limit for the length of an SSL hostname
in relayd.
If we define a relay with a hostname that is longer than 32
characters, we get the following:
Feb 1 22:14:00 fw02 relayd[22062]: fatal: relay_init: failed to create SSL context: No buffer space available
However, shorter hostnames do not cause relayd to throw the error.
We've tested this with multiple domain names.
Is this an expected behavior of relayd?
Here is the defined protocol and the relay giving us the issue in
relayd.conf (FQDN censored):
    http protocol "httpsfilter" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        return error
        header append "$REMOTE_ADDR" to "X-Forwarded-For"
        header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
        header change "Keep-Alive" to "$TIMEOUT"
        ssl { sslv3, tlsv1, no sslv2, ciphers "HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM" }
    }

    relay "****************.************.com" {
        listen on "****************.************.com" port 443 ssl
        protocol "httpsfilter"
        forward to <web_hosts> port 443 mode loadbalance check http "/" code 200
    }
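An added illustration, not from the thread or from relayd's source, of the limit the verbose log points at: OpenSSL's SSL_CTX_set_session_id_context() rejects a context longer than SSL_MAX_SID_CTX_LENGTH (32 bytes) with "ssl session id context too long". The code assumes the relay name is what relayd passes as that context (the log and the 32-character threshold suggest it, the thread does not confirm it) and shows a fixed-length derivation, a SHA-256 digest of exactly 32 bytes, that any relay name would fit; the hostnames are constructed stand-ins for the censored FQDNs.

```python
import hashlib

# OpenSSL's limit for the session-id context (SSL_MAX_SID_CTX_LENGTH in ssl.h).
SSL_MAX_SID_CTX_LENGTH = 32

# Error text as OpenSSL reports it, matching the verbose relayd log.
TOO_LONG = "ssl session id context too long"


def set_session_id_context(sid_ctx: bytes) -> bytes:
    """Model of the length check inside SSL_CTX_set_session_id_context().

    Returns the context that would be installed, or raises ValueError with
    OpenSSL's error string when it exceeds SSL_MAX_SID_CTX_LENGTH.
    """
    if len(sid_ctx) > SSL_MAX_SID_CTX_LENGTH:
        raise ValueError(TOO_LONG)
    return sid_ctx


def relay_name_fits(relay_name: str) -> bool:
    """True if the relay name itself could be used as the context
    (assumed to be what relayd does; inferred from the log, not confirmed)."""
    try:
        set_session_id_context(relay_name.encode())
    except ValueError:
        return False
    return True


def derive_sid_ctx(relay_name: str) -> bytes:
    """Fixed-length context derived from a relay name of any length.

    A SHA-256 digest is exactly 32 bytes, so it always passes the check while
    still differing per relay (assumed mitigation, not relayd's own code).
    """
    return set_session_id_context(hashlib.sha256(relay_name.encode()).digest())


if __name__ == "__main__":
    # Constructed names standing in for the censored FQDNs in the thread.
    short_name = "short.example.com"                     # 17 bytes, fits
    long_name = "some-very-long-hostname.example.com"    # 35 bytes, too long
    for name in (short_name, long_name):
        print(f"{name}: raw fits={relay_name_fits(name)}, "
              f"derived ctx={derive_sid_ctx(name).hex()[:16]}...")
```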