SNI + RequestReadTimeout leads to SSL certificate error in client browser


 



Hi,

We are using Apache's SNI functionality to host multiple sites in a single Apache instance [version 2.2.22]. Let's say the domain names we host are www.A.com and www.B.com.

We are facing issues due to slow clients. Due to RequestReadTimeout settings, when a slow client gets timed out before sending headers (which I believe includes the domain name) to a target VirtualHost, a 408 error is thrown and the client gets the error from a different VirtualHost (the default) and ends up getting a certificate error.

I simulated this using the slowhttptest tool, and when I sent slow requests to www.B.com, 408 errors were getting logged in the default VirtualHost's log file of www.A.com (actual data has been changed for privacy).


/opt/bin/slowhttptest -c 2 -i 100 -v 4 -u https://www.B.com/test.html

Fri Mar 14 20:22:15 2014:closing slow socket 3
Fri Mar 14 20:22:16 2014:run_test: socket 4 replied 194 bytes:
HTTP/1.1 408 Request Time-out
Date: Fri, 14 Mar 2014 14:52:03 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 223
Connection: close
Content-Type: text/html; charset=iso-8859-1
Fri Mar 14 20:22:16 2014:run_test: socket 4 replied 223 bytes:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>408 Request Time-out</title>
</head><body>
<h1>Request Time-out</h1>
<p>Server timeout waiting for the HTTP request from the client.</p>
</body></html>

www.A.com logs
/var/log/apache2$ ls *-access.log|grep test.html
www.A.com-access.log:10.10.10.10 - - [14/Mar/2014:20:22:03 +0530] "GET /test.html HTTP/1.1" 408 223 11402764 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2)" 761 5512 - - - - - 10.10.10.10


More than the logging at the server, this is affecting the client, as the browser throws a certificate warning saying something along the lines of
"You attempted to reach www.B.com but instead you actually reached a server identifying itself as www.A.com"

Please let us know how we can ensure the certificate error doesn't show up when using SNI and a header-level request timeout happens.

Thanks
Anantha
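
A log-triage sketch for the symptom described in the message above, added here as an example and not part of the original post: it counts 408 responses per access log and client, so request timeouts that land in the default VirtualHost's log, and the paths they asked for, stand out. The log names, sample lines and threshold are constructed assumptions, and the regex covers only the leading fields of the log line quoted in the post.

```python
import re
from collections import defaultdict

# Leading fields of the access-log line quoted in the post:
# client, two ident fields, [timestamp], "request line", status.
# The trailing custom fields of that LogFormat are ignored.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def timeouts_per_log(logs, threshold=3):
    """logs: {log file name: iterable of lines}.
    Returns {(log name, client): {"count", "paths"}} for every client with
    at least `threshold` 408 responses recorded in that log."""
    hits = defaultdict(lambda: {"count": 0, "paths": set()})
    for log_name, lines in logs.items():
        for line in lines:
            m = LINE_RE.match(line)
            if not m or m.group("status") != "408":
                continue
            # A timeout before any request line arrived is logged as "-".
            parts = m.group("request").split()
            path = parts[1] if len(parts) >= 2 else "-"
            entry = hits[(log_name, m.group("client"))]
            entry["count"] += 1
            entry["paths"].add(path)
    return {
        key: {"count": e["count"], "paths": sorted(e["paths"])}
        for key, e in hits.items() if e["count"] >= threshold
    }

# Constructed sample data, modelled on the single log line in the post.
SAMPLE_LOGS = {
    "www.A.com-access.log": [
        '10.10.10.10 - - [14/Mar/2014:20:22:03 +0530] "GET /test.html HTTP/1.1" 408 223 11402764 0',
        '10.10.10.10 - - [14/Mar/2014:20:22:05 +0530] "GET /test.html HTTP/1.1" 408 223 11402001 0',
        '10.10.10.10 - - [14/Mar/2014:20:22:09 +0530] "GET /test.html HTTP/1.1" 408 223 11401950 0',
        '192.0.2.20 - - [14/Mar/2014:20:23:00 +0530] "GET /index.html HTTP/1.1" 200 512 1200 0',
        '192.0.2.30 - - [14/Mar/2014:20:25:00 +0530] "-" 408 - 0 0',
    ],
    "www.B.com-access.log": [
        '192.0.2.20 - - [14/Mar/2014:20:24:00 +0530] "GET /test.html HTTP/1.1" 200 900 1500 0',
    ],
}

if __name__ == "__main__":
    for (log_name, client), info in timeouts_per_log(SAMPLE_LOGS).items():
        print(f"{log_name}: {client} had {info['count']} x 408, paths={info['paths']}")
```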
