ap-kal-ssl script keepalive problem with cert warning

cdeeds
Level 1

When I configure a keepalive type as the ap-kal-ssl script, the keepalive fails. I found that the servers being monitored are prompting with a certificate warning (see attachment) informing me that the name on the cert does not match the name of the site. Hence, the CSS is monitoring the servers using the IP addresses rather than the domain name registered with the cert.

Does anyone know how to configure the ap-kal-ssl script to accept the cert warning message so the keepalive will follow through to the web server?

Here's my config:

service SERVERA
  ip address 10.10.10.26
  keepalive port 443
  keepalive frequency 10
  keepalive type script ap-kal-ssl "10.10.10.26 /css443.txt myuser:mypass"
  active

service SERVERB
  ip address 10.10.10.27
  keepalive port 444
  keepalive frequency 10
  keepalive type script ap-kal-ssl "10.10.10.27 /css444.txt myuser:mypass"
  active

Kind regards,

Chad

2 Replies

Gilles Dufour
Cisco Employee

Chad,

The script really does not care about the certificate.

It basically sends a hello packet and checks for specific bytes in the server response:

! Wait for a handshake message (0x16), paired with the version
! of SSL (0x03 0x00)
socket waitfor ${SOCKET} "160300" 2000 raw

! Wait for the specific server hello (0x02)
socket waitfor ${SOCKET} "02" 2000 raw

! Wait for the version again (as it appears twice: 0x03 0x00)
socket waitfor ${SOCKET} "0300" 2000 raw

So, sniff the traffic between the CSS and the server and verify what the first bytes of the server response are.

You can then edit the script and put your own bytes.

[or send us the sniff and we will send you the new script lines - if possible]

Gilles.
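
An added example (not part of the original thread or of the ap-kal-ssl script): a Python helper that parses the first bytes of a captured server reply and reports where they differ from the three byte patterns the script waits for. The sample replies are constructed, and mapping the three patterns to record header, handshake type and ServerHello version follows the script's comments and is an assumption about how the script matches.

```python
import struct

# Byte patterns taken from the ap-kal-ssl lines quoted above.
SCRIPT_EXPECTS = ("160300", "02", "0300")

RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                0x16: "handshake", 0x17: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Constructed sample replies (not from a real capture): record header,
# handshake header, version, then 36 zero bytes standing in for the rest.
SSL3_REPLY = bytes.fromhex("160300002a" "02000026" "0300") + bytes(36)
TLS10_REPLY = bytes.fromhex("160301002a" "02000026" "0301") + bytes(36)
ALERT_REPLY = bytes.fromhex("1503000002" "0228")  # fatal handshake_failure


def first_reply_fields(data: bytes) -> dict:
    """Parse the first SSL/TLS record of a server reply."""
    if len(data) < 5:
        raise ValueError("need at least the 5-byte record header")
    rec_type, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    fields = {
        "record": RECORD_TYPES.get(rec_type, "unknown"),
        "record_version": VERSIONS.get(rec_ver, "unknown"),
        "patterns": [data[:3].hex()],  # content type + record version
    }
    if rec_type == 0x16 and len(body) >= 6:
        # Handshake header is type (1) + length (3); a ServerHello
        # then starts with its 2-byte server_version.
        fields["patterns"] += [body[:1].hex(), body[4:6].hex()]
        hello_ver = int.from_bytes(body[4:6], "big")
        fields["hello_version"] = VERSIONS.get(hello_ver, "unknown")
    elif rec_type == 0x15 and len(body) >= 2:
        # An alert means the server refused the hello outright.
        fields["alert"] = {"level": body[0], "description": body[1]}
    return fields


def compare(data: bytes) -> list:
    """Return (expected, seen) pairs where the reply differs from the script."""
    seen = first_reply_fields(data)["patterns"]
    seen += [None] * (len(SCRIPT_EXPECTS) - len(seen))
    return [(e, s) for e, s in zip(SCRIPT_EXPECTS, seen) if e != s]


if __name__ == "__main__":
    for name, reply in (("ssl3", SSL3_REPLY), ("tls10", TLS10_REPLY), ("alert", ALERT_REPLY)):
        print(name, compare(reply) or "matches script")
```

Feed it the first bytes of the server's reply from the sniffer trace; an empty result means the reply already matches the patterns in the script.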

Thanks for your help Gilles!

I'm still working on the trace but once I have it, I'll re-write the script per your suggestions and see how that goes.

-Chad
