Re: Re: Apache Reverse Proxy with SSL Mutual Auth

Hi Eric,

In the Location tag, I have configured /abc/xyz

and I am calling just https://hostname/abc/xyz?wsdl and internally it's
not calling any other URL.

But the Wireshark dump says the second "Change Cipher Spec" happens in between
the Application Data transfer (2905 and 3001).

The confusing part is: why does a "Change Cipher Spec" renegotiation
happen in between the Application Data transfer?

Regards
Chima


On Mon, Mar 11, 2013 at 6:25 PM, Eric Covener <covener@xxxxxxxxx> wrote:
> If you change the ssl config per location, there is an ssl renegotiation.
>
> On Mar 11, 2013 8:54 AM, "chima s" <chima.s@xxxxxxxxx> wrote:
>>
>> Hi All,
>>
>> I found 2 “Change Cipher Spec”, only when I am using the "Location"
>> tag. I am using the "Location" tag as I don't want SSL Mutual
>> authentication for all the URLs.
>>
>> Why am I getting 2 “Change Cipher Spec” when I am using the "Location" tag?
>>
>> Regards
>> Chima
>>
>> On Mon, Mar 11, 2013 at 2:45 PM, chima s <chima.s@xxxxxxxxx> wrote:
>> > Hi
>> >
>> > We are using Apache as a reverse proxy and Tomcat as the backend.
>> >
>> > In Apache we are terminating the SSL connection and have also enabled
>> > client authentication.
>> >
>> > We are using SoapUI to test the connectivity and Wireshark to check
>> > the SSL handshake.
>> >
>> > Below is the Wireshark flow dump. I noticed 2 “Change Cipher Spec”
>> > messages (2903 and 2999).  Why are there 2 “Change Cipher Spec” and is
>> > this normal?
>> >
>> > No.     Time        Source                Destination
>> > Protocol Length Info
>> >    2811 3.440639    172.168.78.64         10.250.250.188         TCP
>> >    74     36556 > https [SYN, ECN, CWR] Seq=0 Win=5840 Len=0 MSS=1460
>> > SACK_PERM=1 TSval=3497146518 TSecr=0 WS=256
>> >    2843 3.457441    10.250.250.188         172.168.78.64         TCP
>> >    74     https > 36556 [SYN, ACK, ECN] Seq=0 Ack=1 Win=5792 Len=0
>> > MSS=1380 SACK_PERM=1 TSval=2174348895 TSecr=3497146518 WS=128
>> >    2844 3.457459    172.168.78.64         10.250.250.188         TCP
>> >    66     36556 > https [ACK] Seq=1 Ack=1 Win=5888 Len=0
>> > TSval=3497146522 TSecr=2174348895
>> >    2845 3.457683    172.168.78.64         10.250.250.188         TLSv1
>> >    173    Client Hello
>> >    2865 3.473604    10.250.250.188         172.168.78.64         TCP
>> >    66     https > 36556 [ACK] Seq=1 Ack=108 Win=5888 Len=0
>> > TSval=2174348912 TSecr=3497146522
>> >    2888 3.482350    10.250.250.188         172.168.78.64         TLSv1
>> >    1434   Server Hello
>> >    2889 3.482356    172.168.78.64         10.250.250.188         TCP
>> >    66     36556 > https [ACK] Seq=108 Ack=1369 Win=8960 Len=0
>> > TSval=3497146528 TSecr=2174348920
>> >    2890 3.482359    10.250.250.188         172.168.78.64         TCP
>> >    1434   [TCP segment of a reassembled PDU]
>> >    2891 3.482363    172.168.78.64         10.250.250.188         TCP
>> >    66     36556 > https [ACK] Seq=108 Ack=2737 Win=11776 Len=0
>> > TSval=3497146528 TSecr=2174348920
>> >    2892 3.482366    10.250.250.188         172.168.78.64         TLSv1
>> >    1426   Certificate
>> >    2893 3.482371    172.168.78.64         10.250.250.188         TCP
>> >    66     36556 > https [ACK] Seq=108 Ack=4097 Win=14592 Len=0
>> > TSval=3497146528 TSecr=2174348920
>> >    2898 3.509659    10.250.250.188         172.168.78.64         TLSv1
>> >    465    Server Key Exchange
>> >    2899 3.509666    172.168.78.64         10.250.250.188         TCP
>> >    66     36556 > https [ACK] Seq=108 Ack=4496 Win=17152 Len=0
>> > TSval=3497146535 TSecr=2174348937
>> >    2900 3.517916    172.168.78.64         10.250.250.188         TLSv1
>> >    264    Client Key Exchange, Change Cipher Spec, Encrypted Handshake
>> > Message
>> >    2903 3.541547    10.250.250.188         172.168.78.64         TLSv1
>> >    125    Change Cipher Spec, Encrypted Handshake Message
>> >    2904 3.541700    172.168.78.64         10.250.250.188         TLSv1
>> >    375    Application Data
>> >    2905 3.541777    172.168.78.64         10.250.250.188         TLSv1
>> >    343    Application Data
>> >    2939 3.562193    10.250.250.188         172.168.78.64         TCP
>> >    66     https > 36556 [ACK] Seq=4555 Ack=892 Win=9088 Len=0
>> > TSval=2174349001 TSecr=3497146543
>> >    2940 3.562846    10.250.250.188         172.168.78.64         TLSv1
>> >    103    Encrypted Handshake Message
>> >    2941 3.562945    172.168.78.64         10.250.250.188         TLSv1
>> >    183    Encrypted Handshake Message
>> >    2955 3.587402    10.250.250.188         172.168.78.64         TLSv1
>> >    1434   Encrypted Handshake Message
>> >    2956 3.587919    10.250.250.188         172.168.78.64         TLSv1
>> >    1434   Encrypted Handshake Message
>> >    2957 3.587928    172.168.78.64         10.250.250.188         TCP
>> >    66     36556 > https [ACK] Seq=1009 Ack=7328 Win=23040 Len=0
>> > TSval=3497146554 TSecr=2174349026
>> >    2958 3.587932    10.250.250.188         172.168.78.64         TLSv1
>> >    582    Encrypted Handshake Message
>> >    2963 3.597538    172.168.78.64         10.250.250.188         TLSv1
>> >    1434   Encrypted Handshake Message
>> >    2964 3.597543    172.168.78.64         10.250.250.188         TLSv1
>> >    371    Encrypted Handshake Message
>> >    2983 3.613528    10.250.250.188         172.168.78.64         TCP
>> >    66     https > 36556 [ACK] Seq=7844 Ack=2682 Win=14720 Len=0
>> > TSval=2174349052 TSecr=3497146557
>> >    2999 3.620452    10.250.250.188         172.168.78.64         TLSv1
>> >    156    Change Cipher Spec, Encrypted Handshake Message
>> >    3001 3.637337    10.250.250.188         172.168.78.64         TLSv1
>> >    609    Application Data, Application Data, Application Data
>> >    3002 3.637472    172.168.78.64         10.250.250.188         TCP
>> >    66     36556 > https [ACK] Seq=2682 Ack=8477 Win=28416 Len=0
>> > TSval=3497146567 TSecr=2174349059
>> >    3003 3.640371    10.250.250.188         172.168.78.64         TLSv1
>> >    103    Application Data
>> >    3106 3.676451    172.168.78.64         10.250.250.188         TCP
>> >    66     36556 > https [ACK] Seq=2682 Ack=8514 Win=28416 Len=0
>> > TSval=3497146577 TSecr=2174349079
>> >    7214 8.646676    10.250.250.188         172.168.78.64         TCP
>> >    66     https > 36556 [FIN, ACK] Seq=8514 Ack=2682 Win=14720 Len=0
>> > TSval=2174354085 TSecr=3497146577
>> >    7215 8.646809    172.168.78.64         10.250.250.188         TLSv1
>> >    103    Encrypted Alert
>> >    7216 8.646853    172.168.78.64         10.250.250.188         TCP
>> >    66     36556 > https [FIN, ACK] Seq=2719 Ack=8515 Win=28416 Len=0
>> > TSval=3497147819 TSecr=2174354085
>> >    7261 8.661712    10.250.250.188         172.168.78.64         TCP
>> >    66     https > 36556 [ACK] Seq=8515 Ack=2720 Win=14720 Len=0
>> > TSval=2174354101 TSecr=3497147819
>> >
>> >
>> > Regards
>> > Chima
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>
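
Added example, not part of the original thread: a small Python check that reads Wireshark summary rows in the layout quoted above and reports any TLS handshake that begins after Application Data has already flowed, which is how the per-Location renegotiation Eric describes appears in a capture. The sample rows are abridged from the capture in this thread; the names `parse_rows` and `find_renegotiations` are assumptions made for this example.

```python
import re

# Constructed sample: TLS rows abridged from the capture quoted in this thread.
# The first two packets keep the mail's ">"-quoted, wrapped layout on purpose.
CAPTURE = """\
>> >    2845 3.457683    172.168.78.64         10.250.250.188         TLSv1
>> >    173    Client Hello
>> >    2900 3.517916    172.168.78.64         10.250.250.188         TLSv1
>> >    264    Client Key Exchange, Change Cipher Spec, Encrypted Handshake
>> > Message
2903 3.541547 10.250.250.188 172.168.78.64 TLSv1 125 Change Cipher Spec, Encrypted Handshake Message
2904 3.541700 172.168.78.64 10.250.250.188 TLSv1 375 Application Data
2940 3.562846 10.250.250.188 172.168.78.64 TLSv1 103 Encrypted Handshake Message
2941 3.562945 172.168.78.64 10.250.250.188 TLSv1 183 Encrypted Handshake Message
2964 3.597543 172.168.78.64 10.250.250.188 TLSv1 371 Encrypted Handshake Message
2999 3.620452 10.250.250.188 172.168.78.64 TLSv1 156 Change Cipher Spec, Encrypted Handshake Message
3001 3.637337 10.250.250.188 172.168.78.64 TLSv1 609 Application Data, Application Data, Application Data
"""

# One summary row: No. Time Source Destination Protocol Length Info
ROW = re.compile(
    r"(\d+) (\d+\.\d{6}) (\S+) (\S+) (TLS\S*|SSL\S*) (\d+) "
    r"(.*?)(?= \d+ \d+\.\d{6} |$)")

def parse_rows(text):
    """Strip mail quoting, undo line wrapping, return (frame, src, info) per TLS row."""
    flat = " ".join(re.sub(r"^[>\s]+", "", text, flags=re.M).split())
    return [(int(m[1]), m[3], m[7]) for m in ROW.finditer(flat)]

def find_renegotiations(text):
    """Return (first_frame, last_frame, initiator_ip) for every handshake
    that starts after Application Data was already seen on the connection."""
    spans, seen_data, current = [], False, None
    for frame, src, info in parse_rows(text):
        if "Application Data" in info:
            seen_data = True
            if current:  # data resumed: the renegotiation is complete
                spans.append(tuple(current))
                current = None
        elif seen_data and any(k in info for k in ("Handshake", "Change Cipher Spec", "Hello")):
            if current:
                current[1] = frame
            else:
                current = [frame, frame, src]
    if current:
        spans.append(tuple(current))
    return spans
```

On the sample, the only span reported runs from frame 2940 to frame 2999 and is opened by 10.250.250.188, the server side of the capture.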
