[Debian-ha-maintainers] Bug#770349: ldirectord: SSL hostname check failure

Shawn Heisey debian at elyograg.org
Thu Nov 20 16:43:02 UTC 2014


Package: ldirectord
Version: 1.0.3-4

When ldirectord does https health checks, they fail because newer LWP
versions validate the hostname used against the hostname in the
certificate, and ldirectord is almost always configured with IP addresses.

The simple fix for this is here:

https://github.com/mcnewton/resource-agents/commit/68fad38326b7c04efd6434e736e32fe395eafe02

I originally came across this problem on Ubuntu 14.04, but the
ldirectord version found in sid still creates the LWP object with
verify_hostname set, so I'm filing the bug here.

If you simply update to the newest upstream release, you'll have the
fix, but I want to discuss another idea.

Here's a slightly redacted ldirectord config stanza that fails without a
change to ldirectord:

virtual=192.168.1.10:443
        real=10.100.2.103:8443 masq
        fallback=127.0.0.1:443 masq
        service=https
        scheduler=wrr
        persistent=14400
        protocol=tcp
        checktype=negotiate
        checkport=8443
        request="services/testAlive"
        receive="alive"
        virtualhost=services.stg.example.com

If LWP offers the capability, what I'd actually like to see is a way to
have certificate validation still happen, but only if the configuration
says to do it.  Here's the same config stanza again with a couple of new
lines added:

virtual=192.168.1.10:443
        real=10.100.2.103:8443 masq
        fallback=127.0.0.1:443 masq
        service=https
        scheduler=wrr
        persistent=14400
        protocol=tcp
        checktype=negotiate
        checkport=8443
        request="services/testAlive"
        receive="alive"
        virtualhost=services.stg.example.com
        validatecert=true
        sslhostname=services.stg.example.com
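As an added illustration (not code from ldirectord or from the linked commit), here is how the two proposed options could drive the LWP::UserAgent that performs the negotiate check: with `validatecert` unset the object is built with `verify_hostname` off, as in the upstream fix; with it set, the peer certificate is verified against `sslhostname` (defaulting to `virtualhost`) rather than the real server's IP. The option names `validatecert` and `sslhostname` are the ones proposed above, and the `SSL_*` keys are assumed to reach IO::Socket::SSL through LWP's `ssl_opts` as documented.

```perl
#!/usr/bin/perl
# Added illustration, not ldirectord code: build the LWP::UserAgent for an
# https "negotiate" check from a stanza, honouring the proposed
# validatecert / sslhostname options described in this report.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Constructed stanza mirroring the one in the report, proposed keys included.
my %stanza = (
    real         => '10.100.2.103:8443',
    checkport    => 8443,
    request      => 'services/testAlive',
    receive      => 'alive',
    virtualhost  => 'services.stg.example.com',
    validatecert => 'true',
    sslhostname  => 'services.stg.example.com',
);

# Decide how the TLS peer is verified. Without validatecert this matches the
# upstream fix (no hostname verification, since the URL carries an IP).
# With it, the chain and the certificate name are checked against
# sslhostname (falling back to virtualhost) instead of the IP in the URL.
sub ssl_opts_for {
    my ($s) = @_;
    my $validate = defined $s->{validatecert}
                && $s->{validatecert} =~ /^(1|true|yes)$/i;
    return { verify_hostname => 0 } unless $validate;
    my $name = $s->{sslhostname} || $s->{virtualhost};
    return {
        verify_hostname   => 1,
        SSL_verifycn_name => $name,  # name expected in the cert (IO::Socket::SSL)
        SSL_hostname      => $name,  # SNI, so a name-based vhost serves that cert
    };
}

# Perform one check against the real server and return 1 (alive) or 0 (down).
sub check_real {
    my ($s) = @_;
    my ($ip) = split /:/, $s->{real};
    my $url  = "https://$ip:$s->{checkport}/$s->{request}";
    my $ua   = LWP::UserAgent->new(timeout => 5, ssl_opts => ssl_opts_for($s));
    my $req  = HTTP::Request->new(GET => $url);
    # Send the virtual host name as before; LWP keeps a preset Host header.
    $req->header(Host => $s->{virtualhost}) if $s->{virtualhost};
    my $res = $ua->request($req);
    return 0 unless $res->is_success;
    return index($res->content, $s->{receive}) >= 0 ? 1 : 0;
}

printf "%s: %s\n", $stanza{real}, check_real(\%stanza) ? 'alive' : 'DOWN';
```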
