CONTENT

CHANGES

Szukaj

#top Przydatne informacje¶

[<<]|[<]|[^]|[v]|[>]|[>>]|[Zwiń]|[#top]|[X]

#top Timeout¶

#top Load Balancing with HAProxy¶

#top Lighttpd behind HAProxy¶

Zobacz także Lighttpd behind HAProxy dla: HAProxy (HAProxy)

W niniejszej konfiguracji HAProxy odbiera połączenia przychodzące na port 80 i przekierowywuje je do Lighttpd na port 86:

Plik konfiguracyjny /etc/lighttpd/conf.d/access_log.conf:

##
##  Basic Configuration
## ---------------------
##
server.port = 86

Plik konfiguracyjny /etc/lighttpd/conf.d/access_log.conf:

##
## The default format produces CLF compatible output.
## For available parameters see access.txt
##
#accesslog.format = "%h %l %u %t \"%r\" %b %>s \"%{User-Agent}i\" \"%{Referer}i\""
accesslog.format = "%a %l %u %t \"%r\" %b %>s \"%{User-Agent}i\" \"%{Referer}i\" \"%{X-Forwarded-For}i\""

Plik konfiguracyjny /etc/lighttpd/vhosts.d/cen06x64.xen.wbcd.pl.conf:

#
# cen06x64.xen.wbcd.pl
#
$HTTP["host"] == "cen06x64.xen.wbcd.pl" {
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-access.log"
}

Zgodnie z RFC 7239 - Forwarded HTTP Header Field

A proxy server that wants to add a new "Forwarded" header field value
can either append it to the last existing "Forwarded" header field
after a comma separator or add a new field at the end of the header block.

oraz dokumentacją na stronie X-Forwarded-For (mozilla.org)

Syntax
X-Forwarded-For: <client>, <proxy1>, <proxy2>

adres IP klienta jest pierwszym adresem na liście w nagłówku HTTP X-Forwarded-For. Natomiast adres IP klienta łączącego się do serwera WWW jest ostatnim adresem IP na liście w nagłówku HTTP X-Forwarded-For dodanym przez serwer HAProxy, który przekazuje odebrane żądanie HTTP do serwera WWW i ten adres zostanie zapisany w logach access serwera.

Aby w logach access serwera Lighttpd zamiast adresu serwera Proxy zapisywany był adres klienta łączącego się poprzez Proxy niezbędna jest modyfikacja formatu informacji zapisywanych w logach access polegająca na dodaniu do obecnego formatu na końcu opcji zapisujacej do logu również nagłówek X-Forwarded-For jeśli jest obecny (Zobacz sekcję LogFormat).

#top TLS SNI¶

An extension to the SSL / TLS protocol that has gained support recently is Server Name Indication. This addition is simple and elegant: During the SSL negotiation, the client sends the name of the host it wants to contact to the server, which can then use this information to select the correct certificate.

This is of course the best and most fitting solution to the problem. Lighttpd supports SNI since 1.4.24, if openssl 0.9.8f or newer is available.

The big downside of this approach is the limited browser support. The newest versions of the major browsers support SNI, but in particular Internet Explorer on Windows XP seems to lack support and support with mobile browsers is unclear.

To use SNI with lighttpd, simply put additional ssl.pemfile configuration directives inside host conditionals under the socket conditional. A default ssl.pemfile is still required in the socket conditional, though.

EXAMPLES

$SERVER["socket"] == ":443" {
	ssl.pemfile = "/etc/lighttpd/ssl/the-default-domain.com.pem" 
	$HTTP["host"] == "www.example.org" {
		ssl.pemfile = "/etc/lighttpd/www.example.org.pem" 
	}
	$HTTP["host"] == "mail.example.org" {
		ssl.pemfile = "/etc/lighttpd/mail.example.org.pem" 
	}
}

#top SNI config¶

#
# cen06x64.xen.wbcd.pl:443 - HTTPS server configuration
#
$SERVER["socket"] == ":443" {
ssl.engine                  = "enable"
ssl.pemfile                 = "/etc/pki/tls/certs/cen06x64.xen.wbcd.pl.pem"
$HTTP["host"] == "cen06x64.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64.xen.wbcd.pl.pem"
ssl.ca-file = "/etc/pki/tls/certs/ca-bundle.crt"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}

$HTTP["host"] == "cen06x64a.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64a.xen.wbcd.pl.pem"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}
$HTTP["host"] == "cen06x64a1.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64a.xen.wbcd.pl.pem"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}
$HTTP["host"] == "cen06x64a2.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64a.xen.wbcd.pl.pem"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}
$HTTP["host"] == "cen06x64a3.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64a.xen.wbcd.pl.pem"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}
$HTTP["host"] == "cen06x64b.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64b.xen.wbcd.pl.pem"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}
$HTTP["host"] == "cen06x64b1.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64b.xen.wbcd.pl.pem"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}
$HTTP["host"] == "cen06x64b2.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64b.xen.wbcd.pl.pem"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}
$HTTP["host"] == "cen06x64b3.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64b.xen.wbcd.pl.pem"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}
$HTTP["host"] == "cen06x64c.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64c.xen.wbcd.pl.pem"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}
$HTTP["host"] == "cen06x64c1.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64c.xen.wbcd.pl.pem"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}
$HTTP["host"] == "cen06x64c2.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64c.xen.wbcd.pl.pem"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}
$HTTP["host"] == "cen06x64c3.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64c.xen.wbcd.pl.pem"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
}
} # $SERVER["socket"] == ":443"

#top SNI check¶

httprecv --syserrors -w 5 --header="Host: localhost" --SNI=localhost --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2014/04/04 22:33:09
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2024/04/01 22:33:09
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 2715 [d] (234597708 [s]))
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 0A
httprecv: X.509: Signature Algorithm: RSA-SHA1
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=Webbot Certification Authority,EMAIL=ssl@wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,O=Webbot\, Inc.,OU=Webbot Trust Network,CN=cen06x64.xen.wbcd.pl,EMAIL=ssl@wbcd.pl
httprecv: X.509: Validity: Not Before: 2014/04/04 22:33:09
httprecv: X.509: Validity: Not After : 2024/04/01 22:33:09
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (4096 bits)
httprecv: X.509: Extensions: Basic Constraints:  CA:FALSE
httprecv: X.509: Extensions: Key usage:  Digital signature.
httprecv: X.509: Extensions: Key usage:  Key encipherment.
httprecv: X.509: Extensions: Key purpose OIDs: TLS WWW Server.
httprecv: X.509: Extensions: Key purpose OIDs: TLS WWW Client.
https://10.41.0.58:443/ dnsq=0.000, conn=0.010, socktls=0.052, send=0.000, wait=0.064, recv=0.000, summ=0.136, size=40, speed=272034, result=200:HTTP/1.0 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64a.xen.wbcd.pl" --SNI=cen06x64a.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 361 [d] (31272467 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64a.xen.wbcd.pl, DNS:cen06x64a1.xen.wbcd.pl, DNS:cen06x64a2.xen.wbcd.pl, DNS:cen06x64a3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:DB:93:CA:57:E4:68:8F:EC
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:08
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:08
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.010, socktls=0.037, send=0.000, wait=0.059, recv=0.000, summ=0.115, size=30, speed=237818, result=200:HTTP/1.0 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64a1.xen.wbcd.pl" --SNI=cen06x64a1.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 361 [d] (31272467 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64a.xen.wbcd.pl, DNS:cen06x64a1.xen.wbcd.pl, DNS:cen06x64a2.xen.wbcd.pl, DNS:cen06x64a3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:DB:93:CA:57:E4:68:8F:EC
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:08
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:08
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.010, socktls=0.040, send=0.000, wait=0.074, recv=0.000, summ=0.134, size=30, speed=242043, result=200:HTTP/1.0 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64a2.xen.wbcd.pl" --SNI=cen06x64a2.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 361 [d] (31272467 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64a.xen.wbcd.pl, DNS:cen06x64a1.xen.wbcd.pl, DNS:cen06x64a2.xen.wbcd.pl, DNS:cen06x64a3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:DB:93:CA:57:E4:68:8F:EC
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:08
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:08
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.010, socktls=0.036, send=0.000, wait=0.063, recv=0.000, summ=0.120, size=30, speed=209558, result=200:HTTP/1.0 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64a3.xen.wbcd.pl" --SNI=cen06x64a3.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:08
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 361 [d] (31272467 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64a.xen.wbcd.pl, DNS:cen06x64a1.xen.wbcd.pl, DNS:cen06x64a2.xen.wbcd.pl, DNS:cen06x64a3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:DB:93:CA:57:E4:68:8F:EC
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64a.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:08
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:08
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64a3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.017, socktls=0.038, send=0.000, wait=0.067, recv=0.000, summ=0.132, size=30, speed=191103, result=200:HTTP/1.0 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64b.xen.wbcd.pl" --SNI=cen06x64b.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 361 [d] (31272469 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64b.xen.wbcd.pl, DNS:cen06x64b1.xen.wbcd.pl, DNS:cen06x64b2.xen.wbcd.pl, DNS:cen06x64b3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:82:1E:15:3B:CB:FA:45:6E
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:11
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:11
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.010, socktls=0.044, send=0.000, wait=0.062, recv=0.000, summ=0.126, size=30, speed=237947, result=200:HTTP/1.0 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64b1.xen.wbcd.pl" --SNI=cen06x64b1.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 361 [d] (31272469 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64b.xen.wbcd.pl, DNS:cen06x64b1.xen.wbcd.pl, DNS:cen06x64b2.xen.wbcd.pl, DNS:cen06x64b3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:82:1E:15:3B:CB:FA:45:6E
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:11
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:11
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.009, socktls=0.050, send=0.000, wait=0.072, recv=0.000, summ=0.142, size=30, speed=186365, result=200:HTTP/1.0 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64b2.xen.wbcd.pl" --SNI=cen06x64b2.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 361 [d] (31272469 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64b.xen.wbcd.pl, DNS:cen06x64b1.xen.wbcd.pl, DNS:cen06x64b2.xen.wbcd.pl, DNS:cen06x64b3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:82:1E:15:3B:CB:FA:45:6E
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:11
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:11
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.008, socktls=0.042, send=0.000, wait=0.058, recv=0.000, summ=0.118, size=30, speed=209909, result=200:HTTP/1.0 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64b3.xen.wbcd.pl" --SNI=cen06x64b3.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:11
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 361 [d] (31272469 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64b.xen.wbcd.pl, DNS:cen06x64b1.xen.wbcd.pl, DNS:cen06x64b2.xen.wbcd.pl, DNS:cen06x64b3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:82:1E:15:3B:CB:FA:45:6E
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64b.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:11
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:11
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64b3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.010, socktls=0.038, send=0.000, wait=0.060, recv=0.000, summ=0.119, size=30, speed=222286, result=200:HTTP/1.0 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64c.xen.wbcd.pl" --SNI=cen06x64c.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 361 [d] (31272471 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64c.xen.wbcd.pl, DNS:cen06x64c1.xen.wbcd.pl, DNS:cen06x64c2.xen.wbcd.pl, DNS:cen06x64c3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:E3:2A:B0:D8:C5:B3:8E:FA
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:13
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:13
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.011, socktls=0.060, send=0.000, wait=0.072, recv=0.000, summ=0.154, size=30, speed=190948, result=200:HTTP/1.0 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64c1.xen.wbcd.pl" --SNI=cen06x64c1.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 361 [d] (31272471 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64c.xen.wbcd.pl, DNS:cen06x64c1.xen.wbcd.pl, DNS:cen06x64c2.xen.wbcd.pl, DNS:cen06x64c3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:E3:2A:B0:D8:C5:B3:8E:FA
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:13
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:13
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.011, socktls=0.052, send=0.000, wait=0.058, recv=0.000, summ=0.131, size=30, speed=206980, result=200:HTTP/1.0 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64c2.xen.wbcd.pl" --SNI=cen06x64c2.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 361 [d] (31272471 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64c.xen.wbcd.pl, DNS:cen06x64c1.xen.wbcd.pl, DNS:cen06x64c2.xen.wbcd.pl, DNS:cen06x64c3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:E3:2A:B0:D8:C5:B3:8E:FA
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:13
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:13
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.012, socktls=0.068, send=0.000, wait=0.232, recv=0.005, summ=0.327, size=30, speed=6070, result=200:HTTP/1.0 200 OK

httprecv --syserrors -w 5 --header="Host: cen06x64c3.xen.wbcd.pl" --SNI=cen06x64c3.xen.wbcd.pl --ca-file=/etc/pki/tls/certs/ca-bundle.crt --starttls --tlsinfo --certcheck-no --certverify --certinfo --body-hide https://10.41.0.58:443/

httprecv: Resolving 10.41.0.58 ... 10.41.0.58 Success
httprecv: Connecting to 10.41.0.58[10.41.0.58]:443 Success
httprecv: CERT:VERIFY: Peer's certificate issuer is unknown
httprecv: CERT:VERIFY: Peer's certificate is NOT trusted
httprecv: CERT[0]:VERIFY: The hostname in the certificate does NOT match '10.41.0.58'
httprecv: CERT[0]:VERIFY: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not Before: 2016/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Not After : 2017/10/22 15:19:13
httprecv: CERT[0]:VERIFY: CERT:DATE:OK   Validity: Cert expire after 361 [d] (31272470 [s]))
httprecv: CERT[0]:VERIFY: X509v3 Subject Alternative Name:
httprecv: CERT[0]:VERIFY:      DNS:cen06x64c.xen.wbcd.pl, DNS:cen06x64c1.xen.wbcd.pl, DNS:cen06x64c2.xen.wbcd.pl, DNS:cen06x64c3.xen.wbcd.pl,
httprecv: X.509: Version: 3
httprecv: X.509: Serial Number (hex): 00:E3:2A:B0:D8:C5:B3:8E:FA
httprecv: X.509: Signature Algorithm: RSA-SHA256
httprecv: X.509: Issuer : C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Subject: C=PL,ST=Mazowieckie,L=Warszawa,O=Webbot\, Inc,OU=Webbot Trust Netowrk,CN=cen06x64c.xen.wbcd.pl,EMAIL=ssl@cen06x64.xen.wbcd.pl
httprecv: X.509: Validity: Not Before: 2016/10/22 15:19:13
httprecv: X.509: Validity: Not After : 2017/10/22 15:19:13
httprecv: X.509: Subject Public Key Info: Public Key Algorithm: RSA (2048 bits)
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c1.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c2.xen.wbcd.pl
httprecv: X.509: Extensions: Subject Alternative Name: DNS:cen06x64c3.xen.wbcd.pl
httprecv: X.509: Extensions: Basic Constraints:  CA:TRUE
https://10.41.0.58:443/ dnsq=0.000, conn=0.018, socktls=0.040, send=0.000, wait=0.066, recv=0.000, summ=0.135, size=30, speed=212680, result=200:HTTP/1.0 200 OK

#top Protocol Secure¶

#top Remove Service Version Information¶

##
## The value for the "Server:" response field.
##
## It would be nice to keep it at "lighttpd".
##
server.tag = "lighttpd"

#top Add HTTP Response Headers Security¶

Zobacz także Add HTTP Response Headers Security dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Add HTTP Response Headers Security dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także Add HTTP Response Headers Security dla: pgpool | PostgreSQL | MySQL | Firebird

(Zobacz sekcję HTTP Header Add)

Strict-Transport-Security: RFC6797, mozilla.org (mozilla.org),
X-XSS-Protection: RFC-draft, mozilla.org, microsoft.com,
X-Frame-Options: RFC7034, mozilla.org, microsoft.com, microsoft.com,
X-Content-Type-Options: mozilla.org,
Content-Security-Policy: RFC7762, mozilla.org, mozilla.org,

EXAMPLES

#
# cen06x64.xen.wbcd.pl:443 - HTTPS server configuration
#
$SERVER["socket"] == ":446" {
ssl.engine                  = "enable"
ssl.pemfile                 = "/etc/pki/tls/certs/cen06x64.xen.wbcd.pl.pem"
$HTTP["host"] == "cen06x64.xen.wbcd.pl" {
ssl.engine = "enable"
ssl.pemfile = "/etc/pki/tls/certs/cen06x64.xen.wbcd.pl.pem"
ssl.ca-file = "/etc/pki/tls/certs/ca-bundle.crt"
ssl.use-sslv2 = "disable"
# ssl.use-sslv3 = "disable" # available from version 1.4.29
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "cen06x64.xen.wbcd.pl"
simple-vhost.document-root = ""
accesslog.filename = log_root + "/cen06x64.xen.wbcd.pl-ssl-access.log"
setenv.add-response-header = ("Strict-Transport-Security" => "max-age=15552000; includeSubDomains")
setenv.add-response-header = ("X-XSS-Protection" => "1; mode=block")
setenv.add-response-header = ("X-Frame-Options" => "SAMEORIGIN")
setenv.add-response-header = ("X-Content-Type-Options" => "nosniff")
setenv.add-response-header = ("Content-Security-Policy" => "default-src 'self' cen06x64.xen.wbcd.pl")
}

#top TLS Secure¶

#top Disable SSLv2/SSLv3 Protocols¶

#top Disable weak Cipher Suites¶

#top Disable RC4 CipherSuite¶

#top Disable Anonymous CipherSuite¶

#top Disable SSL Compression¶

The openssl packages in Red Hat Enterprise Linux 5 (starting with RHBA-2009:0181 update released in Red Hat Enterprise Linux 5.3) and 6, and also in Fedora, contain a patch that makes the library check if OPENSSL_NO_DEFAULT_ZLIB environment variable is set (can have arbitrary value, even empty string) and disable the default zlib support.

Setting the OPENSSL_NO_DEFAULT_ZLIB environment variable before starting a client or a server application using OpenSSL can be used to disable zlib compression support and hence mitigate this flaw. For example, httpd with mod_ssl has compression enabled by default in Red Hat Enterprise Linux 5 and 6, and hence it is used when client also supports it. Adding the following line to the /etc/sysconfig/httpd file:

export OPENSSL_NO_DEFAULT_ZLIB=1

and restarting the httpd service disables the use of SSL/TLS compression in mod_ssl and the compression will not be negotiated even when connecting client supports it. Note that this environment variable only affects the use of SSL/TLS protocol compression and does not affect the use of HTTP protocol compression implemented by the mod_deflate module.

CVE-2012-4929 SSL/TLS CRIME attack against HTTPS

The MITRE CVE dictionary describes this issue as:

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Find out more about CVE-2012-4929 from the MITRE CVE dictionary and NIST NVD.

Vulnerability Summary for CVE-2009-1891

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

#top Set custom DH parameters¶

#top Avoid certificates with Signature Algorithm: SHA1¶

After Jan. 1, 2016, Firefox will present an "Untrusted Connection" error when a newly issued SHA-1 certificate is encountered, and after Jan. 1, 2017, Firefox will present an "Untrusted Connection" error whenever a SHA-1 certificate is encountered at all, according to a Tuesday post.

SHA-1 has been around for nearly two decades, and in recent years researchers have demonstrated SHA-1 mathematical weaknesses that could be exploited given enough time and computing power, Richard Barnes, engineering manager, cryptography and PKI, with Mozilla, told SCMagazine.com in a Wednesday email correspondence.

Mozilla Security Blog

Many of the certificates used by secure websites today are signed using algorithms based on a hash algorithm called SHA-1. The integrity of the hash algorithm used in signing a certificate is a critical element in the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can obtain fraudulent certificates. Mozilla, along with other browser vendors, is working on a plan to phase out support for the SHA-1 hash algorithm.

SHA-1 is nearly twenty years old, and is beginning to show its age. In the last few years, collision attacks undermining some properties of SHA-1 have been getting close to being practical. Collision attacks against the older MD5 hash algorithm have been used to obtain fraudulent certificates, so the improving feasibility of collision attacks against SHA-1 is concerning. In order to avoid the need for a rapid transition should a critical attack against SHA-1 be discovered, we are proactively phasing out SHA-1.

Zmodyfikowany ostatnio: 2018/04/11 23:28:36 (6 lat temu), textsize: 71,5 kB, htmlsize: 100 kB

Zapraszam do komentowania, zgłaszania sugestii, propozycji, własnych przykładów, ...

Dodaj komentarzKomentarze użytkowników