[Debian-ha-maintainers] Bug#770349: ldirectord: SSL hostname check failure
Shawn Heisey
debian at elyograg.org
Thu Nov 20 16:43:02 UTC 2014
Package: ldirectord
Version: 1.0.3-4
When ldirectord does https health checks, they fail because newer LWP
versions validate the hostname used against the hostname in the
certificate, and ldirectord is almost always configured with IP addresses.
The simple fix for this is here:
https://github.com/mcnewton/resource-agents/commit/68fad38326b7c04efd6434e736e32fe395eafe02
I originally came across this problem on Ubuntu 14.04, but the
ldirectord version found in sid still creates the LWP object with
verify_hostname set, so I'm filing the bug here.
If you simply update to the newest upstream release, you'll have the
fix, but I want to discuss another idea.
Here's a slightly redacted ldirectord config stanza that fails without a
change to ldirectord:
virtual=192.168.1.10:443
    real=10.100.2.103:8443 masq
    fallback=127.0.0.1:443 masq
    service=https
    scheduler=wrr
    persistent=14400
    protocol=tcp
    checktype=negotiate
    checkport=8443
    request="services/testAlive"
    receive="alive"
    virtualhost=services.stg.example.com
If LWP offers the capability, what I'd actually like to see is a way to
have certificate validation still happen, but only if the configuration
says to do it. Here's the same config stanza again with a couple of new
lines added:
virtual=192.168.1.10:443
    real=10.100.2.103:8443 masq
    fallback=127.0.0.1:443 masq
    service=https
    scheduler=wrr
    persistent=14400
    protocol=tcp
    checktype=negotiate
    checkport=8443
    request="services/testAlive"
    receive="alive"
    virtualhost=services.stg.example.com
    validatecert=true
    sslhostname=services.stg.example.com
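As an added illustration of the idea proposed above (this is example code written for this page, not ldirectord's own health-check code and not the linked upstream commit), the following Perl shows how an LWP-based HTTPS check can connect to a real server by IP address while still verifying the certificate against a configured name. The option names validatecert and sslhostname are the ones proposed in the report and are hypothetical; the subroutines build_ssl_opts and run_check and the sample values are constructed for the example. The key point for a defender is that LWP treats verify_hostname => 0 as "verify nothing" (it sets SSL_verify_mode to VERIFY_NONE), so disabling the name check also drops chain validation; passing SSL_verifycn_name (an IO::Socket::SSL option that LWP forwards through ssl_opts) keeps full verification while decoupling the checked name from the address dialled.

```perl
#!/usr/bin/perl
# Added example (not ldirectord code): an HTTPS health check that dials a
# real server by IP but validates the certificate against a configured name.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Constructed sample values mirroring the bug report's config stanza.
# "validatecert" and "sslhostname" are the hypothetical options proposed
# in the report; they do not exist in ldirectord as shipped.
my %check = (
    real_ip      => '10.100.2.103',
    port         => 8443,
    request      => 'services/testAlive',
    receive      => 'alive',
    virtualhost  => 'services.stg.example.com',
    validatecert => 1,
    sslhostname  => 'services.stg.example.com',
);

# Translate the (hypothetical) config options into LWP ssl_opts.
sub build_ssl_opts {
    my ($c) = @_;

    # Without validatecert, behave like the upstream fix: no name check.
    # Note that LWP turns verify_hostname => 0 into SSL_verify_mode VERIFY_NONE,
    # so the certificate chain is not checked either.
    return { verify_hostname => 0 } unless $c->{validatecert};

    # With validatecert, keep verification on and tell IO::Socket::SSL which
    # name the certificate must match (sslhostname, falling back to
    # virtualhost) instead of the IP address we connect to. SSL_hostname
    # also sends that name via SNI so the server presents the right cert.
    my $name = $c->{sslhostname} || $c->{virtualhost};
    return {
        verify_hostname   => 1,
        SSL_verifycn_name => $name,
        SSL_hostname      => $name,
        # SSL_ca_file => '/etc/ssl/certs/ca-certificates.crt',  # optional pin
    };
}

# Perform one negotiate-style check; returns (1, '') when the real server
# is up and (0, $reason) otherwise, so the caller can log the failure.
sub run_check {
    my ($c) = @_;
    my $ua = LWP::UserAgent->new(
        timeout  => 5,
        ssl_opts => build_ssl_opts($c),
    );

    # Dial the real server by IP, as ldirectord does.
    my $url = "https://$c->{real_ip}:$c->{port}/$c->{request}";
    my $req = HTTP::Request->new(GET => $url);
    # Keep the Host header as ldirectord's virtualhost setting would.
    $req->header(Host => $c->{virtualhost});

    my $res = $ua->request($req);
    return (0, 'HTTP ' . $res->status_line) unless $res->is_success;

    my $body = $res->decoded_content // '';
    return (0, "expected string '$c->{receive}' not found")
        unless $body =~ /\Q$c->{receive}\E/;

    return (1, '');
}

my ($ok, $why) = run_check(\%check);
print $ok ? "real server up\n" : "real server down: $why\n";
```

A TLS failure (expired certificate, wrong name, untrusted issuer) surfaces in $res->status_line as an LWP "500 Can't connect" style error containing the IO::Socket::SSL reason, which is what you want logged when a back end is pulled from rotation for a certificate problem rather than an application one.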