shrpx front-end proxy error: decryption_failed(21). #124

zwChan · 2014-12-24T12:05:07Z

(get the file from http://pan.baidu.com/s/1mgNx5Mg)

I use shrpx as a front-end proxy, connect to another spdy proxy. But encounter a error of decryption_failed(21). I try google a lot, but there so few material for reading.
The backend server "106.187.39.217,443" is a spdy proxy, and it work OK if I use it in a pac-file on Chrome.

I know not much about openssl, but I make the crt-file by openssl using the following command.
openssl genrsa -out ca.key 1024
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

The shrpx option used:
src/shrpx -p --backend=106.187.39.217,443 --frontend=0.0.0.0,8808 --log-level=INFO --insecure --cacert=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt --client-private-key-file=/etc/pki/CA/private/ca.key --client-cert-file=/etc/pki/CA/certs/ca.crt --tls-proto-list=TLSv1.0

It seems no error in the log:

[INFO] Resolving backend address
(shrpx.cc:1183)
[INFO] Address resolution for 106.187.39.217 succeeded: 106.187.39.217
(shrpx.cc:105)
[INFO] Unable to get IPv6 address for 0.0.0.0: Address family for hostname not supported
(shrpx.cc:148)
[INFO] Listening on 0.0.0.0, port 8808
(shrpx.cc:186)
[INFO] Entering event loop
(shrpx.cc:299)
[INFO] [LISTEN:0x1000260] Accepted connection. fd=9
(shrpx_listen_handler.cc:101)
[INFO] [UPSTREAM:0xfe3a00] HTTP request started
(shrpx_https_upstream.cc:78)
[INFO] [UPSTREAM:0xfe3a00] HTTP request headers completed
(shrpx_https_upstream.cc:135)
[INFO] [UPSTREAM:0xfe3a00] HTTP request headers
CONNECT clients4.google.com:443 HTTP/1.1
Host: clients4.google.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

   (shrpx_https_upstream.cc:156)

[INFO] [CLIENT_HANDLER:0xfd5dd0] Downstream connection pool is empty. Create new one
(shrpx_client_handler.cc:309)
[INFO] [DCONN:0xfbd720] Attaching to DOWNSTREAM:0xfd6070
(shrpx_spdy_downstream_connection.cc:101)
[INFO] [UPSTREAM:0xfe3a00] Downstream output buffer is full
(shrpx_https_upstream.cc:311)
[INFO] [DSPDY:0xfd6130] Connecting to downstream server
(shrpx_spdy_session.cc:393)
[INFO] [DSPDY:0xfd6130] Connection established
(shrpx_spdy_session.cc:249)
[INFO] [DSPDY:0xfd6130] Negotiated next protocol:
(shrpx_spdy_session.cc:1049)
[INFO] [DSPDY:0xfd6130] Disconnecting
(shrpx_spdy_session.cc:72)
[INFO] [DSPDY:0xfd6130] Closing fd=10
(shrpx_spdy_session.cc:103)
[INFO] [CLIENT_HANDLER:0xfd5dd0] Deleting
(shrpx_client_handler.cc:173)
[INFO] [DOWNSTREAM:0xfd6070] Deleting
(shrpx_downstream.cc:67)
[INFO] [DCONN:0xfbd720] Deleting
(shrpx_spdy_downstream_connection.cc:59)
[INFO] [DCONN:0xfbd720] Deleted
(shrpx_spdy_downstream_connection.cc:76)
[INFO] [DOWNSTREAM:0xfd6070] Deleted
(shrpx_downstream.cc:77)
[INFO] [CLIENT_HANDLER:0xfd5dd0] Deleted
(shrpx_client_handler.cc:202)
[INFO] [LISTEN:0x1000260] Accepted connection. fd=9
(shrpx_listen_handler.cc:101)

[INFO] [CLIENT_HANDLER:0xfd5dd0] EOF
(shrpx_client_handler.cc:83)
[INFO] [CLIENT_HANDLER:0xfd5dd0] Deleting
(shrpx_client_handler.cc:173)
[INFO] [CLIENT_HANDLER:0xfd5dd0] Deleted
(shrpx_client_handler.cc:202)
[INFO] [LISTEN:0x1000260] Accepted connection. fd=9
(shrpx_listen_handler.cc:101)
[INFO] [UPSTREAM:0x101d470] HTTP request started
(shrpx_https_upstream.cc:78)
[INFO] [UPSTREAM:0x101d470] HTTP request headers completed
(shrpx_https_upstream.cc:135)
[INFO] [UPSTREAM:0x101d470] HTTP request headers
GET http://www.baidu.com/ HTTP/1.1
Host: www.baidu.com
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: BAIDUID=1BA2C2A8FF4226E396526FE4BE6B740E:FG=1; BAIDUPSID=1BA2C2A8FF4226E396526FE4BE6B740E; BD_HOME=0; H_PS_PSSID=10382_1444_10571_10211_10501_10496_10753_10646_10459_10219_10687_10356_10666_10596_10096_10657_10443_10699_10403_10360_10617_10702_10627; BD_UPN=1b314353

   (shrpx_https_upstream.cc:156)

[INFO] [CLIENT_HANDLER:0xfd5dd0] Downstream connection pool is empty. Create new one
(shrpx_client_handler.cc:309)
[INFO] [DCONN:0xf2f400] Attaching to DOWNSTREAM:0xfed6c0
(shrpx_spdy_downstream_connection.cc:101)
[INFO] [UPSTREAM:0x101d470] HTTP request completed
(shrpx_https_upstream.cc:227)
[INFO] [DSPDY:0xfd6130] Connecting to downstream server
(shrpx_spdy_session.cc:393)
[INFO] [LISTEN:0x1000260] Accepted connection. fd=11
(shrpx_listen_handler.cc:101)
[INFO] [UPSTREAM:0x10177f0] HTTP request started
(shrpx_https_upstream.cc:78)
[INFO] [UPSTREAM:0x10177f0] HTTP request headers completed
(shrpx_https_upstream.cc:135)

The text was updated successfully, but these errors were encountered:

zwChan · 2014-12-28T14:58:30Z

It seems nobody pay attention to this ...

tatsuhiro-t · 2014-12-29T16:21:55Z

From the log, I see SPDY protocol is not negotiated in backend. Check that backend SPDY proxy supports NPN.
For SSL/TLS stuff, check tls version and cipher suites.

zwChan · 2014-12-29T18:33:17Z

In fact, I know little about the proxy (I buy the service of the proxy, but it just support Chrome browser by a plugin), and the proxy works OK when using a pac-script in chrome, like "return 'HTTPS 106.187.39.217:443' ". I capture the packets, and it occur exactly the same negotiation(including tls version and cipher suites), without decryption_failed(21). So I think something wrong with the key-file or cacert.
I don't understand the options " --cacert , --client-private-key-file, --client-cert-file" very much, not much info i can get about them in the help-info. Now I create cacert/client-key/client-cert using the above openssl command on my linux server. Should it work ? Could you offer more hint?

The debugging info in Chrome is really cool! When it works OK, I get the SPDY session info as follow :
SPDY Enabled: true
Use Alternate Protocol: true
Force SPDY Always: false
Force SPDY Over SSL: true
Next Protocols: http/1.1,spdy/3,spdy/3.1

87493: SPDY_SESSION
maps.google.com:443 (HTTPS ipad1826.pw:443)
Start Time: 2014-12-30 01:50:33.010

t=344605 [st= 0] +SPDY_SESSION [dt=?]
--> host = "maps.google.com:443"
--> proxy = "HTTPS ipad1826.pw:443"
t=344605 [st= 0] SPDY_SESSION_INITIALIZED
--> protocol = "spdy/3.1"
--> source_dependency = 87479 (SOCKET)
t=344605 [st= 0] SPDY_SESSION_SEND_SETTINGS
--> settings = ["[id:4 flags:0 value:1000]","[id:7 flags:0 value:10485760]"]
t=344606 [st= 1] SPDY_STREAM_UPDATE_RECV_WINDOW
--> delta = 10420224
--> window_size = 10485760
t=344606 [st= 1] SPDY_SESSION_SENT_WINDOW_UPDATE_FRAME
--> delta = 10420224
--> stream_id = 0
t=344608 [st= 3] SPDY_SESSION_SYN_STREAM
--> fin = true
--> :host: maps.google.com
:method: GET
:path: /maps?biw=1366&bih=667&q=%E9%99%B6%E7%93%B7%E6%A0%87%E9%A2%98&bav=on.2,or.r_cp.&um=1&ie=UTF-8&sa=X&ei=042hVMTXCtLZoASZ4YDYDA&ved=0CAcQ_AUoAg
:scheme: https
:version: HTTP/1.1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
accept-encoding: gzip, deflate, sdch
accept-language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
cookie: [811 bytes were stripped]
ra-sid: CB6EAFB3-20140731-015918-084620-688fb4
ra-ver: 2.8.6
referer: https://www.google.com/
user-agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
x-client-data: CJO2yQEIorbJAQiptskBCMS2yQEInobKAQjwiMoB
--> spdy_priority = 0
--> stream_id = 1
--> unidirectional = false
t=344791 [st=186] SPDY_SESSION_RECV_SETTINGS
--> clear_persisted = false
--> host = "maps.google.com:443"
t=344791 [st=186] SPDY_SESSION_RECV_SETTING
--> flags = 1
--> id = 4
--> value = 100
t=344791 [st=186] SPDY_SESSION_UPDATE_STREAMS_SEND_WINDOW_SIZE
--> delta_window_size = 0
t=344791 [st=186] SPDY_SESSION_RECV_SETTING
--> flags = 0
--> id = 7
--> value = 65536
t=344791 [st=186] SPDY_SESSION_RECEIVED_WINDOW_UPDATE_FRAME
--> delta = 983040
--> stream_id = 0
t=344791 [st=186] SPDY_SESSION_UPDATE_SEND_WINDOW
--> delta = 983040
--> window_size = 1048576
t=344848 [st=243] SPDY_SESSION_SYN_REPLY
--> fin = false
--> :status: 302 Found
:version: HTTP/1.1
alternate-protocol: 443:quic,p=0.02
cache-control: private
content-length: 391
content-type: text/html; charset=UTF-8
date: Mon, 29 Dec 2014 17:49:57 GMT
location: https://www.google.com/maps?biw=1366&bih=667&q=%E9%99%B6%E7%93%B7%E6%A0%87%E9%A2%98&bav=on.2,or.r_cp.&um=1&ie=UTF-8&sa=X&ei=042hVMTXCtLZoASZ4YDYDA&ved=0CAcQ_AUoAg
server: gws
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
--> stream_id = 1
t=344849 [st=244] SPDY_SESSION_RECV_DATA
--> fin = false
--> size = 391
--> stream_id = 1
t=344849 [st=244] SPDY_SESSION_UPDATE_RECV_WINDOW
--> delta = -391
--> window_size = 10485369
t=344849 [st=244] SPDY_SESSION_RECV_DATA
--> fin = true
--> size = 0
--> stream_id = 1
t=344849 [st=244] SPDY_SESSION_PING
--> is_ack = false
--> type = "received"
--> unique_id = 0
t=344849 [st=244] SPDY_SESSION_PING
--> is_ack = true
--> type = "sent"
--> unique_id = 0
t=344851 [st=246] SPDY_STREAM_UPDATE_RECV_WINDOW
--> delta = 391
--> window_size = 10485760

87472: CONNECT_JOB
ssl/maps.google.com:443
Start Time: 2014-12-30 01:50:32.228

t=343823 [st= 0] +SOCKET_POOL_CONNECT_JOB [dt=103]
--> group_name = "ssl/maps.google.com:443"
t=343823 [st= 0] +SOCKET_POOL_CONNECT_JOB_CONNECT [dt=103]
t=343823 [st= 0] HOST_RESOLVER_IMPL [dt=0]
--> source_dependency = 87473 (HOST_RESOLVER_IMPL_REQUEST)
t=343823 [st= 0] HOST_RESOLVER_IMPL [dt=0]
--> source_dependency = 87476 (HOST_RESOLVER_IMPL_REQUEST)
t=343926 [st=103] CONNECT_JOB_SET_SOCKET
--> source_dependency = 87479 (SOCKET)
t=343926 [st=103] -SOCKET_POOL_CONNECT_JOB_CONNECT
t=343926 [st=103] -SOCKET_POOL_CONNECT_JOB
87473: HOST_RESOLVER_IMPL_REQUEST
ipad1826.pw:443
Start Time: 2014-12-30 01:50:32.228

t=343823 [st=0] +HOST_RESOLVER_IMPL_REQUEST [dt=0]
--> address_family = 0
--> allow_cached_response = true
--> host = "ipad1826.pw:443"
--> is_speculative = false
--> source_dependency = 87472 (CONNECT_JOB)
t=343823 [st=0] HOST_RESOLVER_IMPL_CACHE_HIT
t=343823 [st=0] -HOST_RESOLVER_IMPL_REQUEST
87476: HOST_RESOLVER_IMPL_REQUEST
maps.google.com:443
Start Time: 2014-12-30 01:50:32.228

t=343823 [st=0] +HOST_RESOLVER_IMPL_REQUEST [dt=0]
--> address_family = 0
--> allow_cached_response = true
--> host = "maps.google.com:443"
--> is_speculative = false
--> source_dependency = 87472 (CONNECT_JOB)
t=343823 [st=0] -HOST_RESOLVER_IMPL_REQUEST
--> net_error = -804 (ERR_DNS_CACHE_MISS)
87479: SOCKET
ssl/maps.google.com:443
Start Time: 2014-12-30 01:50:32.228

t=343823 [st= 0] +SOCKET_ALIVE [dt=225564]
--> source_dependency = 87472 (CONNECT_JOB)
t=343823 [st= 0] +TCP_CONNECT [dt=103]
--> address_list = ["106.187.100.125:443"]
t=343824 [st= 1] TCP_CONNECT_ATTEMPT [dt=102]
--> address = "106.187.100.125:443"
t=343926 [st= 103] -TCP_CONNECT
--> source_address = "192.168.0.103:49226"
t=343926 [st= 103] +SOCKET_IN_USE [dt=225461]
--> source_dependency = 87471 (CONNECT_JOB)
t=343926 [st= 103] +SSL_CONNECT [dt=103]
t=343926 [st= 103] SOCKET_BYTES_SENT
--> byte_count = 217
t=344028 [st= 205] SOCKET_BYTES_RECEIVED
--> byte_count = 145
t=344028 [st= 205] SSL_CERTIFICATES_RECEIVED
--> certificates =
-----BEGIN CERTIFICATE-----
MIIFRjCCBC6gAwIBAgIRALshNgnDpv7e6ZgpZKC9YnEwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTQxMTE4MDAwMDAwWhcNMTUxMTE4MjM1OTU5WjBPMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFDASBgNVBAsTC1Bvc2l0aXZlU1NMMRQw
EgYDVQQDEwtpcGFkMTgyNi5wdzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBANpBHYXRLlR9cRAJLLTmgw0drhQner9ZNcUD5sSgJd20qXfFtMFu0XfunXGX
aZgwNl7FdRNdgQQ5+Mx6auFsN6b1lX6COmYMEAEYfnJg9cQVAoyJYtCtvUOWG0i9
4dWiHCswW/KWKUdtW7YxlAuck78xqVVPpBUPfHDbZknP5Ky46QGZjHu1uoJkaZhr
62GdTfeGsTpXtrlMzfCJMngombdsaLQkJAuttABU9J9MUFNOXPJwahfEf5W8M6Am
+mz5Jdce6/XLIDCGvw1kGkANVx/0PIfAcPP1vI4vRu96QOBF/MV6E77TYPiBLZbJ
hw8sZAa3sbdgmV4FQne1pYOvG/UCAwEAAaOCAdkwggHVMB8GA1UdIwQYMBaAFJCv
ajqUWgvYkOoSVnPfQ7Q6KNrnMB0GA1UdDgQWBBQNAo8xiYD8N6kiAb7GGRWzZmQy
azAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQICBzArMCkGCCsG
AQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwBAgEw
VAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RP
UlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCBhQYIKwYBBQUH
AQEEeTB3ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01P
RE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUF
BzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wJwYDVR0RBCAwHoILaXBhZDE4
MjYucHeCD3d3dy5pcGFkMTgyNi5wdzANBgkqhkiG9w0BAQsFAAOCAQEAcl05iAPJ
gcEolqt4T9kU3YP3hfK9QhNjTlyYSlaFsSOpOTN7j3sKryQhAZBZY6tlJMr0apsa
Y5SBi7UbBhFQMn/zCgyne8VnghuyGVlCz+WGMVss/U+Rbd3lsMzvuk6nrbRp9Da2
/xl9YnDJEQ2U9znLChyha79Cc+QMRbyUM0Wx63mgt5HkHns6x/aSnrGUJTH4Xi07
sBy/26Loo8mHDfyZNLlsuHfLxxrjOH+OGfGp2RC5RP2A80WlZ3pSudNiA0vbnOhs
vMmwqVm9Krk5QSwjCwVvFu2ATfgf+DCrnv6IuwMdQ0erSbUKPvsKo2BFktLHUTVo
Jiy2Fe4of4orbA==
-----END CERTIFICATE-----

t=344029 [st= 206] SOCKET_BYTES_SENT
--> byte_count = 59
t=344029 [st= 206] SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED
--> embedded_scts = ""
--> scts_from_ocsp_response = ""
--> scts_from_tls_extension = ""
t=344029 [st= 206] SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED
--> invalid_scts = []
--> unknown_logs_scts = []
--> verified_scts = []
t=344029 [st= 206] -SSL_CONNECT
t=344029 [st= 206] +SOCKET_IN_USE [dt=225358]
--> source_dependency = 87467 (CONNECT_JOB)
t=344029 [st= 206] +HTTP_TRANSACTION_TUNNEL_SEND_REQUEST [dt=1]
t=344029 [st= 206] HTTP_TRANSACTION_SEND_TUNNEL_HEADERS
--> CONNECT maps.google.com:443 HTTP/1.1
Host: maps.google.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
t=344029 [st= 206] HTTP_TRANSACTION_SEND_REQUEST_HEADERS
--> CONNECT maps.google.com:443 HTTP/1.1
Host: maps.google.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
t=344030 [st= 207] SSL_SOCKET_BYTES_SENT
--> byte_count = 220
t=344030 [st= 207] SOCKET_BYTES_SENT
--> byte_count = 282
t=344030 [st= 207] -HTTP_TRANSACTION_TUNNEL_SEND_REQUEST
t=344030 [st= 207] +HTTP_TRANSACTION_TUNNEL_READ_HEADERS [dt=320]
t=344030 [st= 207] +HTTP_STREAM_PARSER_READ_HEADERS [dt=320]
t=344350 [st= 527] SOCKET_BYTES_RECEIVED
--> byte_count = 69
t=344350 [st= 527] SSL_SOCKET_BYTES_RECEIVED
--> byte_count = 39
t=344350 [st= 527] -HTTP_STREAM_PARSER_READ_HEADERS
t=344350 [st= 527] HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS
--> HTTP/1.1 200 Connection established
t=344350 [st= 527] -HTTP_TRANSACTION_TUNNEL_READ_HEADERS
t=344350 [st= 527] +SOCKET_IN_USE [dt=225037]
--> source_dependency = 87466 (CONNECT_JOB)
t=344350 [st= 527] +SSL_CONNECT [dt=254]
t=344351 [st= 528] SSL_SOCKET_BYTES_SENT
--> byte_count = 215
t=344351 [st= 528] SOCKET_BYTES_SENT
--> byte_count = 282
t=344567 [st= 744] SOCKET_BYTES_RECEIVED
--> byte_count = 3957
t=344567 [st= 744] SSL_SOCKET_BYTES_RECEIVED
--> byte_count = 3918
t=344568 [st= 745] SSL_CHANNEL_ID_REQUESTED
t=344568 [st= 745] SSL_GET_DOMAIN_BOUND_CERT [dt=0]
t=344568 [st= 745] SSL_CHANNEL_ID_PROVIDED
t=344579 [st= 756] SSL_CERTIFICATES_RECEIVED
--> certificates =
-----BEGIN CERTIFICATE-----
MIIGxTCCBa2gAwIBAgIIAl5EtcNJFrcwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMjEwMTEzMzM3WhcNMTUwMzEwMDAwMDAw
WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
b29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmng6ZoVeVmmAplSC
9TcTQkkosO5zaPDTXLuuzQU3Bl5JUSF/11w6dlXdJJHXIQ3cIirUuyd288ORbu93
FrTTTaOCBF0wggRZMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCCAyYG
A1UdEQSCAx0wggMZggwqLmdvb2dsZS5jb22CDSouYW5kcm9pZC5jb22CFiouYXBw
ZW5naW5lLmdvb2dsZS5jb22CEiouY2xvdWQuZ29vZ2xlLmNvbYIWKi5nb29nbGUt
YW5hbHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNsgg4qLmdvb2ds
ZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVrgg8qLmdvb2ds
ZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29tLmJygg8qLmdv
b2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUuY29tLnRygg8q
Lmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5lc4ILKi5nb29n
bGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29nbGUubmyCCyou
Z29vZ2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMuY29tgg8qLmdv
b2dsZWFwaXMuY26CFCouZ29vZ2xlY29tbWVyY2UuY29tghEqLmdvb2dsZXZpZGVv
LmNvbYIMKi5nc3RhdGljLmNugg0qLmdzdGF0aWMuY29tggoqLmd2dDEuY29tggoq
Lmd2dDIuY29tghQqLm1ldHJpYy5nc3RhdGljLmNvbYIMKi51cmNoaW4uY29tghAq
LnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUuY29tgg0qLnlvdXR1
YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tggsqLnl0aW1nLmNvbYILYW5k
cm9pZC5jb22CBGcuY2+CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdv
b2dsZS5jb22CEmdvb2dsZWNvbW1lcmNlLmNvbYIKdXJjaGluLmNvbYIIeW91dHUu
YmWCC3lvdXR1YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbTALBgNVHQ8EBAMC
B4AwaAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2ds
ZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29v
Z2xlLmNvbS9vY3NwMB0GA1UdDgQWBBTn6rT+UWACLuZnUas2zTQJkdrq5jAMBgNV
HRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1Ud
IAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtp
Lmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQBb4wU7IjXL
msvaYqFlYYDKiYZhBUGHxxLkFWR72vFugYkJ7BbMCaKZJdyln5xL4pCdNHiNGfub
/3ct2t3sKeruc03EydznLQ78qrHuwNJdqUZfDLJ6ILAQUmpnYEXrnmB7C5chCWR0
OKWRLguwZQQQQlRyjZFtdoISHNveel/UkS/Jwijvpbw/wGg9W4L4En6RjDeD259X
zYvNzIwiEq50/5ZQCYE9EH0mWguAji9tuh5NJKPEeaaCQ3lp/UEAkq5uYls7tuSs
MTI9LMZRiYFJab/LYbq2uaz4B/lSuE9vku+ikNYA+J2Qv6eqU3U+jmUOSCfYJ2Qt
zSl8TUu4bL8a
-----END CERTIFICATE-----

t=344579 [st= 756] SSL_SOCKET_BYTES_SENT
--> byte_count = 254
t=344579 [st= 756] SOCKET_BYTES_SENT
--> byte_count = 330
t=344580 [st= 757] +CERT_VERIFIER_REQUEST [dt=24]
t=344580 [st= 757] CERT_VERIFIER_REQUEST_BOUND_TO_JOB
--> source_dependency = 87489 (CERT_VERIFIER_JOB)
t=344604 [st= 781] -CERT_VERIFIER_REQUEST
t=344604 [st= 781] SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED
--> embedded_scts = ""
--> scts_from_ocsp_response = ""
--> scts_from_tls_extension = ""
t=344604 [st= 781] SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED
--> invalid_scts = []
--> unknown_logs_scts = []
--> verified_scts = []
t=344604 [st= 781] -SSL_CONNECT
t=344604 [st= 781] +SOCKET_IN_USE [dt=224783]
--> source_dependency = 87462 (HTTP_STREAM_JOB)
t=344606 [st= 783] SSL_SOCKET_BYTES_SENT
--> byte_count = 28
t=344606 [st= 783] SSL_SOCKET_BYTES_SENT
--> byte_count = 49
t=344606 [st= 783] SOCKET_BYTES_SENT
--> byte_count = 122
t=344606 [st= 783] SSL_SOCKET_BYTES_SENT
--> byte_count = 16
t=344606 [st= 783] SSL_SOCKET_BYTES_SENT
--> byte_count = 37
t=344606 [st= 783] SOCKET_BYTES_SENT
--> byte_count = 106
t=344608 [st= 785] SSL_SOCKET_BYTES_SENT
--> byte_count = 1423
t=344608 [st= 785] SSL_SOCKET_BYTES_SENT
--> byte_count = 1444
t=344608 [st= 785] SOCKET_BYTES_SENT
--> byte_count = 1514
t=344791 [st= 968] SOCKET_BYTES_RECEIVED
--> byte_count = 389
t=344791 [st= 968] SSL_SOCKET_BYTES_RECEIVED
--> byte_count = 356
t=344791 [st= 968] SSL_SOCKET_BYTES_RECEIVED
--> byte_count = 44
t=344848 [st= 1025] SOCKET_BYTES_RECEIVED
--> byte_count = 853
t=344848 [st= 1025] SSL_SOCKET_BYTES_RECEIVED
--> byte_count = 825
t=344848 [st= 1025] SSL_SOCKET_BYTES_RECEIVED
--> byte_count = 762
t=344849 [st= 1026] SSL_SOCKET_BYTES_SENT
--> byte_count = 12
t=344849 [st= 1026] SSL_SOCKET_BYTES_SENT
--> byte_count = 33
t=344849 [st= 1026] SOCKET_BYTES_SENT
--> byte_count = 106
t=569385 [st=225562] SOCKET_BYTES_RECEIVED
--> byte_count = 133
t=569385 [st=225562] SSL_SOCKET_BYTES_RECEIVED
--> byte_count = 94
t=569385 [st=225562] SOCKET_BYTES_RECEIVED
--> byte_count = 0
t=569385 [st=225562] SSL_SOCKET_BYTES_RECEIVED
--> byte_count = 52
t=569385 [st=225562] SSL_SOCKET_BYTES_RECEIVED
--> byte_count = 0
t=569386 [st=225563] SOCKET_CLOSED
t=569387 [st=225564] -SOCKET_IN_USE
t=569387 [st=225564] -SOCKET_IN_USE
t=569387 [st=225564] -SOCKET_IN_USE
t=569387 [st=225564] -SOCKET_IN_USE
t=569387 [st=225564] -SOCKET_ALIVE

tatsuhiro-t · 2014-12-30T15:49:44Z

I don't understand the options " --cacert , --client-private-key-file, --client-cert-file" very much, not

--cacert: CA certificates shrpx trusts when connecting backend connection. If backend host uses self-signed certs and you'd like to make sure that it is really is, specify its cert here.

--client-private-key-file and --client-cert-file: Specify client private key and certificate file. They are only required if backend TLS server requires them. Usually backend server service says somethings about this; for example, signing your client certs with their keys.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

shrpx front-end proxy error: decryption_failed(21). #124

shrpx front-end proxy error: decryption_failed(21). #124

zwChan commented Dec 24, 2014

zwChan commented Dec 28, 2014

tatsuhiro-t commented Dec 29, 2014

zwChan commented Dec 29, 2014

tatsuhiro-t commented Dec 30, 2014

shrpx front-end proxy error: decryption_failed(21). #124

shrpx front-end proxy error: decryption_failed(21). #124

Comments

zwChan commented Dec 24, 2014

It seems no error in the log:

zwChan commented Dec 28, 2014

tatsuhiro-t commented Dec 29, 2014

zwChan commented Dec 29, 2014

tatsuhiro-t commented Dec 30, 2014