Hi all,
I'm running httpd 2.2.3 on win32 with openssl 0.9.8d as a reverse proxy server.
One of the things this server needs to do is to act as a reverse proxy for applications that do not speak SSL, to SSL-only servers.
I have configured the following:
SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none
<VirtualHost 192.168.2.231:8443>
DocumentRoot d:/WebServer/www
ProxyRequests Off
ProxyPreserveHost On
RequestHeader set ClientProtocol HTTPS
SSLProxyMachineCertificateFile d:/WebServer/apache2/conf/ssl/cellcom_cpm.cert
SSLProxyEngine On
ProxyPass /cpm/ https://192.118.30.12/
ProxyPassReverse /cpm/ https://192.118.30.12/
</VirtualHost>
This worked for a few months, then suddenly started returning the following error and dying:
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass request body failed to 192.118.30.12:443 (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass request body failed to 192.118.30.12:443 (192.118.30.12) from 192.168.2.1 ()
I ran httpd in debug mode and got the following:
[Mon Dec 18 10:17:53 2006] [debug] mod_proxy_http.c(54): proxy: HTTP: canonicalising URL //192.118.30.12/cpm.wsdl
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1378): [client 192.168.2.1] proxy: https: found worker https://192.118.30.12/ for https://192.118.30.12/cpm.wsdl
[Mon Dec 18 10:17:53 2006] [debug] mod_proxy.c(756): Running scheme https handler (attempt 0)
[Mon Dec 18 10:17:53 2006] [debug] mod_proxy_http.c(1662): proxy: HTTP: serving URL https://192.118.30.12/cpm.wsdl
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1798): proxy: HTTPS: has acquired connection for (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1858): proxy: connecting https://192.118.30.12/cpm.wsdl to 192.118.30.12:443
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1951): proxy: connected /cpm.wsdl to 192.118.30.12:443
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(2045): proxy: HTTPS: fam 2 socket created to connect to 192.118.30.12
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(2141): proxy: HTTPS: connection complete to 192.118.30.12:443 (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] Connection to child 249 established (server israel-test.backbone.locationet.com:8443)
[Mon Dec 18 10:17:53 2006] [info] Seeding PRNG with 0 bytes of entropy
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: before/connect initialization
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv2/v3 write client hello A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 7/7 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 2a 02 ....*. |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0007 - <SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 40/40 bytes from BIO#ec6da0 [mem: f03147] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 00 26 03 01 fa 44 46 43-f0 21 42 c5 5f 67 8b 95 .&...DFC.!B._g.. |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0010: 03 0d d9 c8 dd 01 b1 19-52 76 3a 0f 39 1a c7 91 ........Rv:.9... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0020: 4c d1 ee 4c 00 00 04 L..L... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0040 - <SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server hello A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 11 b1 ..... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 4529/4529 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
(snip BIO dump)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 2, subject: /CN=CelCaRoot, issuer: /CN=CelCaRoot
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 2, subject: /CN=CelCaRoot, issuer: /CN=CelCaRoot
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 1, subject: /DC=il/DC=co/DC=cellcom/DC=corp/DC=sdmz/CN=sdmzca, issuer: /CN=CelCaRoot
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 0, subject: /C=IL/ST=Israel/L=Natania/O=Cellcom/OU=IT/CN=CPM-QA.cellcom.co.il, issuer: /DC=il/DC=co/DC=cellcom/DC=corp/DC=sdmz/CN=sdmzca
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server certificate A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 08 ..... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 8/8 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 0d 00 00 04 01 01 ...... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0008 - <SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server certificate request A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 04 ..... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 4/4 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 0e . |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0004 - <SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server done A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1526): Proxy client certificate callback: (israel-test.backbone.locationet.com:8443) entered
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1499): Proxy client certificate callback: (israel-test.backbone.locationet.com:8443) no acceptable CA list, sending /O=Cellcom/CN=Locationet
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write client certificate A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write client key exchange A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate verify A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write change cipher spec A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write finished A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1786): OpenSSL: I/O error, 5 bytes expected to read on BIO#ec6da0 [mem: f03140]
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read finished A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read finished A
[Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] SSL Proxy connect failed
[Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] Connection closed to child 249 with abortive shutdown (server israel-test.backbone.locationet.com:8443)
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass request body failed to 192.118.30.12:443 (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass request body failed to 192.118.30.12:443 (192.118.30.12) from 192.168.2.1 ()
I can't seem to find any definite answer googling this error.
I'll be glad to have any lead on the subject.
Cheers,
Shai Yallin
IT Manager & Developer
LocatioNet Systems Ltd.
Tel: +972-9-8856451
Fax: +972-9-8856452
Mobile: +972-54-4840868
"...we will be restoring normality just as soon as we are sure what is normal anyway."
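
Added example, not part of the original post: a small Python reader for a mod_ssl debug log like the one above. It lists the handshake states reached, decodes the 5-byte TLS record headers from the BIO dumps, and reports the state where the handshake stopped and the client certificate that was sent. The function names and the heuristic in `diagnose` are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Sample input: a few lines copied from the debug log in the post above.
SAMPLE_LOG = """\
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server hello A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 11 b1 ..... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server certificate request A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1499): Proxy client certificate callback: (israel-test.backbone.locationet.com:8443) no acceptable CA list, sending /O=Cellcom/CN=Locationet
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write finished A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read finished A
"""

LOOP = re.compile(r"OpenSSL: Loop: (.+)$")
FAIL = re.compile(r"OpenSSL: Exit: error in (.+)$")
SENT = re.compile(r"Proxy client certificate callback: .* sending (.+)$")
HDR_READ = re.compile(r"OpenSSL: read 5/5 bytes")       # a TLS record header read
DUMP = re.compile(r"\| 0000: ((?:[0-9a-f]{2} ){5})")    # first five dumped bytes
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                22: "handshake", 23: "application_data"}

def summarize(log_text):
    """Reduce a mod_ssl debug log to the handshake facts that matter."""
    out = {"states": [], "records": [], "client_cert": None, "failed_at": None}
    expect_header = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := LOOP.search(line):
            out["states"].append(m.group(1))
        elif m := FAIL.search(line):
            out["failed_at"] = m.group(1)
        elif m := SENT.search(line):
            out["client_cert"] = m.group(1)
        elif HDR_READ.search(line):
            expect_header = True            # the next dump line is a record header
        elif expect_header and (m := DUMP.search(line)):
            b = bytes.fromhex(m.group(1).replace(" ", ""))
            out["records"].append((RECORD_TYPES.get(b[0], "unknown"),
                                   f"{b[1]}.{b[2]}", int.from_bytes(b[3:5], "big")))
            expect_header = False
    return out

def diagnose(s):
    """Heuristic of this example (not mod_ssl output): flag a client-auth drop."""
    if s["failed_at"] and "read finished" in s["failed_at"] and s["client_cert"]:
        return "peer dropped the connection after client auth with " + s["client_cert"]
    return "no client-auth failure pattern found"

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary)
    print(diagnose(summary))
```

Run over the full log above, this places the failure right after the proxy presents /O=Cellcom/CN=Locationet, so the backend's own log and that certificate's validity dates are the next things to check.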