I am running httpd-2.4.12 and mod_nss-1.0.11 built from source and am running into an issue where I occasionally get an error where mod_nss throws the following exception
SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
What is strange is that the issue does not happen consistently, sometimes the error will occur after the first request, other times after the 5000th.
Any thoughts about what could be causing this?
The following is what I'm seeing in the log
[Wed Apr 08 18:31:07.331041 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 established (server
test.domain.com:443, client 10.81.1.91)
[Wed Apr 08 18:31:07.412436 2015] [:info] [pid 17342:tid 47143550196032] Initial (No.1) HTTPS request received for child 0 (server
test.domain.com:443)
[Wed Apr 08 18:31:07.412499 2015] [authz_core:debug] [pid 17342:tid 47143550196032] mod_authz_core.c(835): [client
10.81.1.91:50727] AH01628: authorization result: granted (no directives)
[Wed Apr 08 18:31:07.412654 2015] [proxy:debug] [pid 17342:tid 47143550196032] mod_proxy.c(1163): [client
10.81.1.91:50727] AH01143: Running scheme https handler (attempt 0)
[Wed Apr 08 18:31:07.412669 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2140): AH00942: HTTPS: has acquired connection for (
test.domain.com)
[Wed Apr 08 18:31:07.412745 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2394): [client
10.81.1.91:50727] AH00947: connected /test/home.html to
test.domain.com:8443[Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid 47143550196032] nss_engine_io.c(658): SSL connection destroyed without being closed
[Wed Apr 08 18:31:07.412859 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2636): AH00951: HTTPS: backend socket is disconnected.
[Wed Apr 08 18:31:07.412910 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2771): AH02824: HTTPS: connection established with
10.81.1.183:8443 (
test.domain.com)
[Wed Apr 08 18:31:07.412923 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2923): AH00962: HTTPS: connection complete to
10.81.1.183:8443 (
test.domain.com)
[Wed Apr 08 18:31:07.412928 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 established (server
test.domain.com:443, client 10.81.1.183)
[Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid 47143550196032] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
[Wed Apr 08 18:31:07.424330 2015] [:info] [pid 17342:tid 47143550196032] SSL library error -12276 writing data
[Wed Apr 08 18:31:07.424337 2015] [:info] [pid 17342:tid 47143550196032] SSL Library Error: -12276 Requested domain name does not match the server's certificate
[Wed Apr 08 18:31:07.424356 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2155): AH00943: HTTPS: has released connection for (
test.domain.com)
[Wed Apr 08 18:31:07.424385 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 closed (server
test.domain.com:443, client 10.81.1.183)
[Wed Apr 08 18:31:07.424394 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2864): [remote
10.81.1.183:8443] AH02642: proxy: connection shutdown
[Wed Apr 08 18:31:07.424686 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 closed (server
test.domain.com:443, client 10.81.1.91)
My configuration is as follows for the virtual host
<VirtualHost _default_:443>
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
LogLevel debug
NSSEngine on
NSSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSNickname "*.domain.com"
NSSCertificateDatabase /etc/httpd/wildcard
NSSVerifyClient optional
NSSOptions +ExportCertData +StdEnvVars
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
NSSOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
NSSOptions +StdEnvVars
</Directory>
ServerName test.domain.com
NSSProxyEngine on
NSSProxyProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProxyCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ProxyRequests off
ProxyPass /test https://test.domain.com:8443/test
ProxyPassReverse /test https://test.domain.com:8443/test
</VirtualHost>
