Re: httpd 2.2.3 as an SSL proxy with a client certificate fails on connect

Why do you use HTTPS in the backend? It looks like the backend system also needs client certificate authentication; there may be something wrong with your SSLProxyMachineCertificateFile. Try to send a wget request to the remote server using the certificate from SSLProxyMachineCertificateFile: does wget get authorized at the remote system?

regards

Shai Yallin wrote:

Hi all,

I'm running httpd 2.2.3 on win32 with openssl 0.9.8d as a reverse proxy server.

One of the things this server needs to do is to act as a reverse proxy for applications that do not speak SSL, to SSL-only servers.

I have configured the following:

SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none

<VirtualHost 192.168.2.231:8443>
        DocumentRoot d:/WebServer/www
        ProxyRequests Off
        ProxyPreserveHost On
        RequestHeader set ClientProtocol HTTPS
        SSLProxyMachineCertificateFile d:/WebServer/apache2/conf/ssl/cellcom_cpm.cert
        SSLProxyEngine On
        ProxyPass /cpm/         https://192.118.30.12/
        ProxyPassReverse /cpm/  https://192.118.30.12/
</VirtualHost>

This worked for a few months, then suddenly started returning the following error and dying:

[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass request body failed to 192.118.30.12:443 (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass request body failed to 192.118.30.12:443 (192.118.30.12) from 192.168.2.1 ()

I ran httpd in debug mode and got the following:

[Mon Dec 18 10:17:53 2006] [debug] mod_proxy_http.c(54): proxy: HTTP: canonicalising URL //192.118.30.12/cpm.wsdl
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1378): [client 192.168.2.1] proxy: https: found worker https://192.118.30.12/ for https://192.118.30.12/cpm.wsdl
[Mon Dec 18 10:17:53 2006] [debug] mod_proxy.c(756): Running scheme https handler (attempt 0)
[Mon Dec 18 10:17:53 2006] [debug] mod_proxy_http.c(1662): proxy: HTTP: serving URL https://192.118.30.12/cpm.wsdl
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1798): proxy: HTTPS: has acquired connection for (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1858): proxy: connecting https://192.118.30.12/cpm.wsdl to 192.118.30.12:443
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1951): proxy: connected /cpm.wsdl to 192.118.30.12:443
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(2045): proxy: HTTPS: fam 2 socket created to connect to 192.118.30.12
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(2141): proxy: HTTPS: connection complete to 192.118.30.12:443 (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] Connection to child 249 established (server israel-test.backbone.locationet.com:8443)
[Mon Dec 18 10:17:53 2006] [info] Seeding PRNG with 0 bytes of entropy
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: before/connect initialization
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv2/v3 write client hello A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 7/7 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 2a 02 ....*. |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0007 - <SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 40/40 bytes from BIO#ec6da0 [mem: f03147] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 00 26 03 01 fa 44 46 43-f0 21 42 c5 5f 67 8b 95 .&...DFC.!B._g.. |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0010: 03 0d d9 c8 dd 01 b1 19-52 76 3a 0f 39 1a c7 91 ........Rv:.9... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0020: 4c d1 ee 4c 00 00 04 L..L... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0040 - <SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server hello A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 11 b1 ..... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 4529/4529 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
(snip BIO dump)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 2, subject: /CN=CelCaRoot, issuer: /CN=CelCaRoot
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 2, subject: /CN=CelCaRoot, issuer: /CN=CelCaRoot
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 1, subject: /DC=il/DC=co/DC=cellcom/DC=corp/DC=sdmz/CN=sdmzca, issuer: /CN=CelCaRoot
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 0, subject: /C=IL/ST=Israel/L=Natania/O=Cellcom/OU=IT/CN=CPM-QA.cellcom.co.il, issuer: /DC=il/DC=co/DC=cellcom/DC=corp/DC=sdmz/CN=sdmzca
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server certificate A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 08 ..... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 8/8 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 0d 00 00 04 01 01 ...... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0008 - <SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server certificate request A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 04 ..... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 4/4 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 0e . |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0004 - <SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server done A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1526): Proxy client certificate callback: (israel-test.backbone.locationet.com:8443) entered
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1499): Proxy client certificate callback: (israel-test.backbone.locationet.com:8443) no acceptable CA list, sending /O=Cellcom/CN=Locationet
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write client certificate A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write client key exchange A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate verify A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write change cipher spec A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write finished A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1786): OpenSSL: I/O error, 5 bytes expected to read on BIO#ec6da0 [mem: f03140]
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read finished A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read finished A
[Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] SSL Proxy connect failed
[Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] Connection closed to child 249 with abortive shutdown (server israel-test.backbone.locationet.com:8443)
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass request body failed to 192.118.30.12:443 (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass request body failed to 192.118.30.12:443 (192.118.30.12) from 192.168.2.1 ()

I can't seem to find any definite answer googling this error.

I'll be glad to have any lead on the subject.

Cheers,

Shai Yallin
IT Manager &  Developer

LocatioNet  Systems Ltd.

Tel:         +972-9-8856451

Fax:       +972-9-8856452

Mobile: +972-54-4840868

"...we will be restoring normality just as soon as we are sure what is normal anyway."
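As an added example, not part of either message in this thread: decoding the handshake bytes that mod_ssl dumped in the debug log above (the ServerHello and the CertificateRequest) shows concretely what the backend asked for before it dropped the connection after the proxy's Finished. The byte strings are constructed from the log's BIO dumps, the field layouts are those of TLS 1.0, and the helper names are my own.

```python
import struct

# Bytes constructed from the BIO dumps in the debug log above (bytes the log prints
# as <SPACES/NULS> are zero): the 7-byte + 40-byte reads are one ServerHello record.
SERVER_HELLO_RECORD = bytes.fromhex("160301002a")
SERVER_HELLO = bytes.fromhex(
    "02000026" "0301"
    "fa444643f02142c55f678b95030dd9c8dd01b11952763a0f391ac7914cd1ee4c"
    "00" "0004" "00")
CERT_REQUEST_RECORD = bytes.fromhex("1603010008")
CERT_REQUEST = bytes.fromhex("0d00000401010000")
HANDSHAKE_TYPES = {2: "server_hello", 13: "certificate_request", 14: "server_hello_done"}
CLIENT_CERT_TYPES = {1: "rsa_sign", 2: "dss_sign"}
CIPHER_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5"}

def parse_record_header(hdr: bytes) -> dict:
    """5-byte TLS record header: content type (0x16 = handshake), version, length."""
    ctype, major, minor, length = struct.unpack("!BBBH", hdr[:5])
    return {"content_type": ctype, "version": (major, minor), "length": length}

def parse_handshake(msg: bytes) -> dict:
    """4-byte handshake header plus the two message bodies that matter in this log."""
    htype, length = msg[0], int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    out = {"type": HANDSHAKE_TYPES.get(htype, htype), "length": length}
    if htype == 2:
        # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
        sid_len = body[34]
        suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        out.update(version=(body[0], body[1]), session_id_len=sid_len,
                   cipher_suite=CIPHER_SUITES.get(suite, hex(suite)))
    elif htype == 13:
        # CertificateRequest: certificate_types<1..2^8-1> then certificate_authorities<0..2^16-1>
        n = body[0]
        out["certificate_types"] = [CLIENT_CERT_TYPES.get(t, t) for t in body[1:1 + n]]
        out["ca_list_len"] = struct.unpack("!H", body[1 + n:3 + n])[0]
    return out

def decode_log_handshake() -> dict:
    """Decode both messages, checking that each record length matches its payload."""
    result = {}
    for name, rec, msg in (("server_hello", SERVER_HELLO_RECORD, SERVER_HELLO),
                           ("certificate_request", CERT_REQUEST_RECORD, CERT_REQUEST)):
        hdr = parse_record_header(rec)
        if hdr["content_type"] != 0x16 or hdr["length"] != len(msg):
            raise ValueError(f"{name}: record header does not match payload")
        result[name] = parse_handshake(msg)
    # ca_list_len == 0 is what mod_ssl logs as "no acceptable CA list": the backend wants an
    # rsa_sign client certificate but names no CA, so the proxy can only offer the one in
    # SSLProxyMachineCertificateFile; whether the backend trusts it is decided on its side.
    return result
```

A backend that closes the connection right after the client's Finished, as this log shows, has made its decision about the offered certificate silently, so the backend's own log and the certificate's validity period and issuer are the next things to check.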



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

