Re: Merging logs under SSL request

From: Nathan Butcher <>
Date: Thu, 30 Nov 2006 16:20:06 +0900

Alright, I finally got SSL encapsulation working (although its a shame
that both servers I am load balancing out to can't share the load of the
SSL encryption/decryption, and pen has to do it all on one server.)

I also managed to get penlogd to produce correct client IPs for HTTPS
using clients, but it was only possible by adding the X-Forwarding-For
to the decrypted SSL connections in pen, getting tomcat to rewrite its
logs with that header, and then having the logs sent off to penlogd to
be merged with the (now decrypted) pen logs.

pen itself needs some extra debugging code when it does its SSL_Read and
SSL_Write, in order to trap weird SSL errors and other exceptions like
the one I encountered.

e.g. something like:-

if (rc < 0) {
    int err = SSL_get_error(ssl, n);
    if (err == SSL_ERROR_WANT_READ ||
        err == SSL_ERROR_WANT_WRITE) {
            return 0;
    } else {
        err == ERR_get_error();
        debug("SSL ERROR: %s", ERR_error_string(err, NULL));

....would have at least given me some debugging information to go on
when SSL wasn't working.

Cheers and beers,

Nathan Butcher wrote:
> Ok, I found part of the solution to my broken SSL problem:
> I toyed with the pen source code and did some extra debugging where
> the original source code did not. It seems that SSL was giving me
> "SSL_GET_NEW_SESSION:ssl session id callback failed" errors. People
> mention that this error has something to do with a program's inability
> to do random number generation required for SSL, and since I had pen
> running in chroot.... sure enough pen was unable to use /dev/urandom
> on my FreeBSD box, which caused this error.
> So now I am running pen unjailed as root and this error doesn't happen
> anymore. However, SSL still doesn't work for me so I am going to have
> to debug this further.
> Nathan Butcher wrote:
>> I'm trying to get penlogd to match client IP addresses with weblogs,
>> but I've reached the end of my rope.
>> Since pen is unable to insert X-Forwarded-For headers into encrypted
>> SSL that goes over it, and penlogd cannot match the encrypted content
>> pen sees and sends, with the unencrypted content the webserver sends,
>> getting matching logs for SSL seems impossible.
>> I was thinking that if pen was able to decrypt it's requests on the
>> fly, send the decrypted request headers to penlogd (where they can
>> match), and send the SSL traffic unmolested to the waiting HTTPS
>> webserver, penlogd would be able to merge logs coming from SSL
>> connections.
>> Would it be possible to get pen to do this at all?
>> I couldn't get the experimental SSL encapsulation to work at all
>> (seems broken), but I don't need pen to do all the SSL encapsulation
>> anyway (much better if the HTTPS webservers on each of my servers
>> take the resource hit for this). All I need pen to do is translate
>> the request headers for penlogd so the weblogs have something to
>> match with.
>> Is there a way to do this? or am I only dreaming?
Received on Thu Nov 30 2006 - 08:24:30 CET

This archive was generated by hypermail 2.2.0 : Thu Nov 30 2006 - 08:24:33 CET