Site using client certificates becomes unresponsive and requires httpd reload intermittently


 



My company is developing a site for a customer. The site has a PHP-based login page. The site also uses client certificates for two-factor authentication. We have SSLVerifyClient require turned on in our ssl.conf. I’m getting intermittent issues where the site stops responding when trying to access the login page. The usual symptoms are that the user is prompted for their client certificate. Once that is submitted, sometimes the login page never appears; the user just gets a blank browser screen. Other times, the login page appears. Then the user is able to enter their login information, but then the site hangs again with a blank browser screen. If I do a reload or a restart on the httpd service, the site immediately starts responding again. In order to get past some testing deadlines, I set up a cron job to reload Apache once a minute, which helped. A full restart isn’t required to temporarily fix the issue. I then changed that cron job to once an hour and that also helped. When removing that scheduled reload, the problem reappears.

 

I’ve turned on the debugging log level. I see these types of error messages in the ssl_error_log, but can’t really correlate if that is when the problem occurs as I see them even when the site is responding normally.

 

[Tue Apr 25 13:00:01 2017] [debug] ssl_engine_io.c(1925): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f3f4a0b0400 [mem: 7f3f4a098d13]

[Tue Apr 25 13:00:01 2017] [info] [client 64.128.122.230] (70007)The timeout specified has expired: SSL input filter read failed.

[Tue Apr 25 13:00:01 2017] [debug] ssl_engine_kernel.c(1886): OpenSSL: Write: SSL negotiation finished successfully [Tue Apr 25 13:00:01 2017] com:443)

I’m using Apache 2.2.15 and OpenSSL 1.0.1e-fips on Red Hat 6.5.

 

David Vosbury

SAAB Sensis Corporation

david.vosbury@xxxxxxxxxxxxxx

Main: 315-234-3761

Cell: 315-751-2675

 


