Perlbal - enable_ssl returns incorrect MAC


Author enable_ssl returns incorrect MAC
Jim Blomo

2007-12-13, 7:11 pm

Hi all, I'm trying out Perlbal 1.60 with SSL but I'm getting back
responses with an "incorrect Message Authentication Code" (error from
Firefox). I've verified the key file and certificate, and tried the
configuration on 2 different machines. HTTP responses work fine, and
the debugging output is identical except for the "upgraded to SSL"
message: the ssl configuration is identical except for the ssl
specific options. Is this a known problem; is there a solution? Here
are some details:

Debugging info:
Running.
beginning run
Got new conn: IO::Socket::INET=GLOB(0x884071c) ([IP]:60973) for web_server
CA file certs/my-ca.pem not found, using CA path instead.
.. socket upgraded to SSL!
Perlbal::Socket::read_headers(Perlbal::ClientHTTP=ARRAY(0x8841b90)) is_res=0
pre-parsed headers: [GET /version5/js/prototype.js HTTP/1.1
Host: sf38.coceve.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8)
Gecko/20061201 Firefox/2.0.0.8 (Ubuntu-feisty)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive]
got valid headers
ClientHTTPBase::setup_keepalive(Perlbal::ClientHTTP=ARRAY(0x8841b90))
service's persist_client = 0
doing connection: close
write(Perlbal::ClientHTTP=ARRAY(0x8841b90), <223>"HTTP/1.0 200 OK
....") from (Perlbal::ClientHTTPBase,
/usr/local/share/perl/5.8.8/Perlbal/ClientHTTPBase.pm, 496)
REPROXY Sent: 17019
REPROXY Sent: 10080
REPROXY Sent: 20504 [ed: this is the correct length of the response]

Debian etch with libssl-dev 0.9.8c-4etch1, libssl0.9.8 0.9.8c-4etch1,
openssl 0.9.8c-4etch1
Danga::Socket 1.57
IO::Socket::SSL 1.12
Net::SSLeay 1.32

Thanks for help, or pointers on what to debug next.

Jim

Jim Blomo

2007-12-14, 1:11 pm

On Dec 13, 2007 2:12 PM, Jim Blomo <jim@pbwiki.com> wrote:
> Hi all, I'm trying out Perlbal 1.60 with SSL but I'm getting back
> responses with an "incorrect Message Authentication Code" (error from
> Firefox).


It looks like this occurs when reproxying a local file.
Perlbal::Socket::sendfile writes directly to the socket file
descriptor, bypassing the IO::Socket::SSL layer and writing plaintext
to an SSL socket. Here is a patch to work around this problem, though
this probably isn't the cleanest solution.

Jim

diff -Naur /usr/local/share/perl/5.8.8/Perlbal/ClientHTTPBase.pm
Perlbal/ClientHTTPBase.pm
--- /usr/local/share/perl/5.8.8/Perlbal/ClientHTTPBase.pm 2007-10-23
15:39:17.000000000 +0000
+++ Perlbal/ClientHTTPBase.pm 2007-12-14 14:54:43.000000000 +0000
@@ -279,9 +279,14 @@
my $postread = sub {
return if $self->{closed};

- my $sent = Perlbal::Socket::sendfile($self->{fd},
- fileno($self->{reproxy_fh}),
- $to_send);
+ my $sent = ref $self->{sock} eq 'IO::Socket::SSL' ?
+ Perlbal::SocketSSL::writefile($self->{sock},
+ fileno($self->{reproxy_fh}),
+ $to_send)
+ :
+ Perlbal::Socket::sendfile($self->{fd},
+ fileno($self->{reproxy_fh}),
+ $to_send);
#warn "to_send = $to_send, sent = $sent\n";
print "REPROXY Sent: $sent\n" if Perlbal::DEBUG >= 2;

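Review bot: the dispatch test "ref $self->{sock} eq 'IO::Socket::SSL'" is an exact class-name match, so an SSL socket blessed into any other class (a subclass, for instance) falls through to Perlbal::Socket::sendfile and plaintext is once more written to the SSL descriptor. Prefer a test that fails towards the SSL path, such as $self->{sock}->isa('IO::Socket::SSL'), and check that the code consuming $sent copes with the -1 that writefile can return.
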
diff -Naur /usr/local/share/perl/5.8.8/Perlbal/SocketSSL.pm Perlbal/SocketSSL.pm
--- /usr/local/share/perl/5.8.8/Perlbal/SocketSSL.pm 2007-10-24
04:00:51.000000000 +0000
+++ Perlbal/SocketSSL.pm 2007-12-14 14:48:55.000000000 +0000
@@ -132,4 +132,25 @@
$_[0]->try_accept;
}

+our $max_sf_readwrite = 128 * 1024;
+sub writefile {
+ my ($sock, $fd, $bytes) = @_;
+
+ my $buf;
+ $bytes = $max_sf_readwrite if $bytes > $max_sf_readwrite;
+
+ my $rv = POSIX::read($fd, $buf, $bytes);
+ return -1 unless defined $rv;
+ return -1 unless $rv == $bytes;
+
+ my $wv = $sock->write($buf, $rv);
+ return -1 unless defined $wv;
+
+ if (my $over_read = $rv - $wv) {
+ POSIX::lseek($fd, -$over_read, &POSIX::SEEK_CUR);
+ }
+
+ return $wv;
+}
+
1;
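
Review bot: in writefile, both early returns after POSIX::read ("return -1 unless $rv == $bytes" and "return -1 unless defined $wv") leave the file offset advanced past bytes that were never sent, because the lseek rewind is only reached after a successful write. A short read (fewer than $bytes, as at end of file) should be written rather than treated as an error, and a failed write should seek back by $rv before returning so that a retry resends the same data. The hunk also calls POSIX::read and POSIX::lseek without a visible "use POSIX", so confirm the module is loaded in this package.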
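
The failure described in the second post, as an added example that is not part of the original thread or of Perlbal's code: a simplified, integrity-only model of an SSL record layer in which the headers go through the SSL layer and the file body is either framed the same way or copied straight to the descriptor. The key, the response bytes and the names ssl_record, receive and respond are constructed for illustration; each MAC covers the record sequence number, and real TLS adds encryption and a fuller header check.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-mac-key"  # constructed; simplified model, not real TLS
MAC_LEN = 32                       # HMAC-SHA256 tag length
HEADERS = b"HTTP/1.0 200 OK\r\nContent-Length: 20000\r\n\r\n"  # constructed
BODY = b"var Prototype = {};\n" * 1000                         # constructed file, 20000 bytes


def _mac(seq: int, payload: bytes) -> bytes:
    return hmac.new(KEY, struct.pack("!Q", seq) + payload, hashlib.sha256).digest()


def ssl_record(seq: int, data: bytes) -> bytes:
    """What a write through the SSL layer puts on the wire: header, data, MAC."""
    header = struct.pack("!BHH", 0x17, 0x0301, len(data) + MAC_LEN)
    return header + data + _mac(seq, data)


def receive(wire: bytes) -> bytes:
    """Client side: treat the stream as back-to-back records and verify each MAC."""
    out, seq, pos = bytearray(), 0, 0
    while pos < len(wire):
        # Bytes 3-4 of whatever sits at a record boundary are taken as the length.
        length = int.from_bytes(wire[pos + 3:pos + 5], "big")
        body = wire[pos + 5:pos + 5 + length]
        if length < MAC_LEN or len(body) < length:
            raise ValueError("truncated record")
        payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(seq, payload)):
            raise ValueError("bad record MAC")
        out += payload
        seq, pos = seq + 1, pos + 5 + length
    return bytes(out)


def respond(body_via_ssl: bool) -> str:
    """Headers always use the SSL layer; the body is framed too or sent raw."""
    wire = ssl_record(0, HEADERS) + (ssl_record(1, BODY) if body_via_ssl else BODY)
    try:
        return "ok" if receive(wire) == HEADERS + BODY else "mismatch"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print("body via SSL layer:", respond(True))
    print("body via sendfile :", respond(False))
```

In the raw case the client reads the first bytes of the file as a record header, takes " P" (0x2050) as the length, and fails the MAC check on what follows. The sender's debug output still reports the correct byte count, as in the log above.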
