Bug #4550: relayd does not work with HTTPS monitor on FreeBSD 10.x and above with certain cipher combinations - pfSense - pfSense bugtracker

Custom queries

2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - Resolved/Closed
2.8.1 - Resolved/Closed
2.9.0 - All Open Bugs
2.9.0 - All Open Features
2.9.0 - All Open Issues
2.9.0 - All Open Regressions
2.9.0 - Feedback
2.9.0 - Needs Attention
2.9.0 - New/Confirmed
2.9.0 - Pull Requests
2.9.0 - Regressions affecting 2.9.0
2.9.0 - Resolved/Closed
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Target - All Closed Issues
25.07 Plus - All Closed Issues
25.07 Target - All Closed Issues
25.11 Plus - All Closed Issues
25.11 Plus - All Open Issues
25.11 Plus - Feedback Issues
25.11 Plus - Needs Attention/Work
25.11 Plus - New/Confirmed/In Progress Issues
25.11 Plus - Pull Request Review
25.11 Plus - Waiting on Merge
25.11 Target - All Closed Issues
25.11 Target - All Open Issues
26.03 Target - All Closed Issues
26.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - CE Target Version (DO NOT EDIT)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #4550

closed

relayd does not work with HTTPS monitor on FreeBSD 10.x and above with certain cipher combinations

Added by Michael Knowles over 10 years ago. Updated over 10 years ago.

Status:

Rejected

Priority:

Normal

Assignee:

Category:

Load Balancer

Target version:

Start date:

03/23/2015

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.2.1

Affected Architecture:

All

Description

Load Balancer monitor when set to Type:https reports all nodes of the cluster as down, whereas other monitors (such as tcp) against the same servers (and same pool) report the servers as up. Ports are open on the servers and the https type worked on at least version 2.1.3 (2.1.5 was skipped). Problem first noticed on 2.2, and still exists when upgraded to 2.2.1

Files

loadbalancemonitor.JPG (30.9 KB) loadbalancemonitor.JPG

Screenshot showing 2 pools with only change being the monitor

Michael Knowles, 03/23/2015 12:07 PM

History
Notes
Property changes

Actions

Copy link

Updated by Jim Pingle over 10 years ago

Subject changed from Load Balancer does not work with HTTPS monitor on 2.2 and above to relayd does not work with HTTPS monitor on FreeBSD 10.x and above with certain cipher combinations
Status changed from New to Rejected
Target version deleted (~~2.2.2~~)

I hit this before working with a customer and tracked it down, it's an issue with relayd (even a current relayd) on FreeBSD 10.x and the ciphers offered by the web server(s). I setup a local test and with a default apache 2.4 SSL setup it works:

SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

It fails with other cipher lists such as:

SSLCipherSuite RC4:TLSv1:-MD5:-aNULL:-MED:-LOW:-EXP:-NULL

It also fails with the cipher list given in the apache config example for "speed optimized" and it also fails with the cipher list we use for the pfSense GUI (on 2.2 at least, it has changed since my last test).

If I place some other cipher first such as AES128-SHA, or HIGH for example, it starts to work again.

It's still not clear if it's a relayd quirk, or something specific to FreeBSD, or OpenSSL, etc. About the only thing I haven't tried is a test purely on OpenBSD which wouldn't be as useful but may at least show if it's specific to relayd rather than the other factors.

At least we know that adjusting the SSLCipherSuite should be able to get it working again, though perhaps not an ideal solution, it's as far as we can take it ourselves. It'll need to be reported upstream to FreeBSD and/or the relayd maintainer (See http://www.freshports.org/net/relayd/ for contact info ) for a proper long-term resolution.

I've tried it with relayd (current version from pfSense and the latest in FreeBSD ports) on pfSense and FreeBSD directly and the problem was present there as well, so it is not specific to pfSense.

As an alternative, use the HAProxy package which is better in this role in nearly every way.

The /var/etc/relayd.conf file may be taken from pfSense and placed onto any FreeBSD box with relayd installed to test.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #4550

relayd does not work with HTTPS monitor on FreeBSD 10.x and above with certain cipher combinations

Updated by Jim Pingle over 10 years ago