Re: Proxy pass

Hi,

On Wed, Jan 21, 2015 at 7:25 PM, Chris Arnold
<carnold@xxxxxxxxxxxxxxxxxxx> wrote:
[...]
>
> [Wed Jan 21 12:50:06.641654 2015] [ssl:info] [pid 3229] [remote 192.168.123.200:8443] AH02003: SSL Proxy connect failed
> [Wed Jan 21 12:50:06.641719 2015] [ssl:info] [pid 3229] SSL Library Error: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
> [Wed Jan 21 12:50:06.641769 2015] [ssl:info] [pid 3229] SSL Library Error: error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib

Old httpd-2.2.12 did not handle ECDH (and probably the SSL library on
sles11 either), whereas latest httpd (2.2.x and 2.4.x) do and hence
announce it to the backend server which in turn uses it (preferably)
for the handshake...

However it seems that the backend is using an ECDH curve which is
unknown on the httpd side (by the SSL lib).
To avoid this error, you'll have to either exclude ECDH ciphers from
SSLProxyCipherSuite (e.g. "ALL:!ECDH") so that mod_ssl won't use them
on backend connections, or configure your backend so that it uses a
curve (ecparams) known on the sles12 side (by the SSL library).

Regards,
Yann.
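
An added example, not part of the original message or of httpd: a small Python triage that groups the "SSL Library Error" lines under the AH02003 failure logged by the same worker and flags the unknown-curve signature discussed above. The function name and result fields are illustrative assumptions; the sample input is the log excerpt quoted in the message.

```python
import re

# Error-log lines quoted in the message above (mod_ssl at info level).
SAMPLE_LOG = """\
[Wed Jan 21 12:50:06.641654 2015] [ssl:info] [pid 3229] [remote 192.168.123.200:8443] AH02003: SSL Proxy connect failed
[Wed Jan 21 12:50:06.641719 2015] [ssl:info] [pid 3229] SSL Library Error: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
[Wed Jan 21 12:50:06.641769 2015] [ssl:info] [pid 3229] SSL Library Error: error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib
"""

LINE = re.compile(r"^\[[^\]]+\] \[ssl:\w+\] \[pid (?P<worker>[^\]]+)\] "
                  r"(?:\[remote (?P<remote>[^\]]+)\] )?(?P<msg>.*)$")
LIBERR = re.compile(r"^SSL Library Error: error:(?P<code>[0-9A-Fa-f]+):"
                    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$")


def triage_proxy_failures(log_text):
    """Group OpenSSL errors under the AH02003 failure logged by the same worker."""
    incidents, open_by_worker = [], {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        worker, msg = m["worker"], m["msg"]
        if msg.startswith("AH02003:"):
            inc = {"backend": m["remote"], "errors": [], "unknown_curve": False}
            incidents.append(inc)
            open_by_worker[worker] = inc
            continue
        err = LIBERR.match(msg)
        inc = open_by_worker.get(worker)
        if err and inc is not None:
            inc["errors"].append(err["code"])
            # Signature from this thread: the backend picked an ECDH curve
            # that the local SSL library cannot instantiate.
            if (err["lib"] == "elliptic curve routines"
                    and err["reason"] == "unknown group"):
                inc["unknown_curve"] = True
        elif not err:
            open_by_worker.pop(worker, None)  # unrelated ssl line ends the group
    return incidents


if __name__ == "__main__":
    for inc in triage_proxy_failures(SAMPLE_LOG):
        verdict = ("backend chose an EC curve unknown to the local SSL library"
                   if inc["unknown_curve"] else "other handshake failure")
        print(inc["backend"], inc["errors"], verdict)
```

Incidents flagged with `unknown_curve` are the ones the two remedies in the message apply to; other AH02003 failures need a different diagnosis.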
