Ok, I found part of the solution to my broken SSL problem:
I toyed with the pen source code and did some extra debugging where the
original source code did not. It seems that SSL was giving me
"SSL_GET_NEW_SESSION:ssl session id callback failed" errors. People
mention that this error has something to do with a program's inability
to do random number generation required for SSL, and since I had pen
running in chroot.... sure enough pen was unable to use /dev/urandom on
my FreeBSD box, which caused this error.
So now I am running pen unjailed as root and this error doesn't happen
anymore. However, SSL still doesn't work for me so I am going to have to
debug this further.
Nathan Butcher wrote:
> I'm trying to get penlogd to match client IP addresses with weblogs,
> but I've reached the end of my rope.
>
> Since pen is unable to insert X-Forwarded-For headers into encrypted
> SSL that goes over it, and penlogd cannot match the encrypted content
> pen sees and sends, with the unencrypted content the webserver sends,
> getting matching logs for SSL seems impossible.
>
> I was thinking that if pen was able to decrypt it's requests on the
> fly, send the decrypted request headers to penlogd (where they can
> match), and send the SSL traffic unmolested to the waiting HTTPS
> webserver, penlogd would be able to merge logs coming from SSL
> connections.
> Would it be possible to get pen to do this at all?
>
> I couldn't get the experimental SSL encapsulation to work at all
> (seems broken), but I don't need pen to do all the SSL encapsulation
> anyway (much better if the HTTPS webservers on each of my servers take
> the resource hit for this). All I need pen to do is translate the
> request headers for penlogd so the weblogs have something to match with.
>
> Is there a way to do this? or am I only dreaming?
>
Received on Wed Nov 29 2006 - 10:06:48 CET
This archive was generated by hypermail 2.2.0 : Wed Nov 29 2006 - 10:06:50 CET