Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/03/20 02:53:34 UTC

DO NOT REPLY [Bug 46880] New: SSL+Client Certificates required+large POSTs cause ssl reneg to fail (sometimes)

https://issues.apache.org/bugzilla/show_bug.cgi?id=46880

           Summary: SSL+Client Certificates required+large POSTs cause ssl
                    reneg to fail (sometimes)
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: kgrindley@ll.mit.edu


When submitting a POST, usually a large post, sometimes the re-negotiation
fails with the following error.

[Thu Mar 19 21:35:58 2009] [info] Initial (No.1) HTTPS request received for
child 0 (server locus.example.com:443)
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_kernel.c(426): Changed client
verification type will force renegotiation
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1478): [client
155.34.228.80] filling buffer
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1800): OpenSSL: read 5/5
bytes from BIO#2aca86a7bc20 [mem: 2aca78e95010] (BIO dump follows)
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1747):
+-------------------------------------------------------------------------+
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1772): | 0000: 17 03 01 04
40                                   ....@            |
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1778):
+-------------------------------------------------------------------------+
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1800): OpenSSL: read
1088/1088 bytes from BIO#2aca86a7bc20 [mem: 2aca78e95015] (BIO dump follows)
[...snip...]
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1529): [client
155.34.228.80] total of 4324 bytes in buffer, eos=1
[Thu Mar 19 21:35:58 2009] [info] Requesting connection re-negotiation
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_kernel.c(616): Performing full
renegotiation: complete handshake protocol
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_kernel.c(1752): OpenSSL:
Handshake: start
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSL renegotiate ciphers
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 write hello request A
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 flush data
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 write hello request C
[Thu Mar 19 21:35:58 2009] [info] Awaiting re-negotiation handshake
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_kernel.c(1752): OpenSSL:
Handshake: start
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
before accept initialization
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1811): OpenSSL: I/O error, 5
bytes expected to read on BIO#2aca86a7bc20 [mem: 2aca78e95010]
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit:
error in SSLv3 read client hello B
[Thu Mar 19 21:35:58 2009] [error] Re-negotiation handshake failed: Not
accepted by client!?
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1572): [client
155.34.228.80] read from buffered SSL brigade, mode 0, 8192 bytes
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1647): [client
155.34.228.80] buffered SSL brigade exhausted

It seems to fail 4 out of 5 times.  Sometimes reloading will cause the reneg. to
complete and the POST is passed to the CGI.

Note: I'm running a larger SSL reneg buffer of 800meg (I need to be able to
accept large POSTs via client certificate authentication).

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 46880] SSL+Client Certificates required+large POSTs cause ssl reneg to fail (sometimes)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46880


Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO




--- Comment #1 from Joe Orton <jo...@redhat.com>  2009-03-20 06:23:38 PST ---
1) 800meg is um, seriously large.  I can't recommend enough that you rejig the
webapp to ensure that the first request to the client-cert-required area is a
GET rather than a POST-with-large-body.

2) if you're using the patched 2.2.3 RHEL packages please file bugs in RH
bugzilla in the first instance.  The debug message "filling buffer" should
include a suffix ", max size N bytes" if you are using the SSLRenegBufferSize
patch, which is confusing.

What this:

[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1529): [client
155.34.228.80] total of 4324 bytes in buffer, eos=1

means is that mod_ssl read an end-of-file (eos=1) from the client after reading
~4K of data.  What client is being used?  It may be necessary to look at packet
traces to determine what is going on here.

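To read a mailed mod_ssl trace the way comment #1 does, here is an added example (not code from the thread or from httpd): it re-joins log entries that the mail client wrapped, pulls out the buffered-bytes/eos line and the renegotiation outcome, and classifies the failure. The sample log is a constructed excerpt of the report's own trace; `unwrap`, `parse_trace`, `diagnose` and `RenegTrace` are names of my own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed excerpt of the trace in the report, wrapped at ~76 columns
# exactly as it arrived by mail.
SAMPLE_LOG = """\
[Thu Mar 19 21:35:58 2009] [info] Initial (No.1) HTTPS request received for
child 0 (server locus.example.com:443)
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1478): [client
155.34.228.80] filling buffer
[Thu Mar 19 21:35:58 2009] [debug] ssl_engine_io.c(1529): [client
155.34.228.80] total of 4324 bytes in buffer, eos=1
[Thu Mar 19 21:35:58 2009] [info] Requesting connection re-negotiation
[Thu Mar 19 21:35:58 2009] [error] Re-negotiation handshake failed: Not
accepted by client!?
"""

# A real httpd 2.2 entry starts with a bracketed timestamp; anything else is
# a continuation of the previous entry.
RE_ENTRY  = re.compile(r"^\[\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}\]")
RE_CLIENT = re.compile(r"\[client ([\d.]+)\]")
RE_BUFFER = re.compile(r"total of (\d+) bytes in buffer, eos=(\d)")
# Suffix only emitted by the SSLRenegBufferSize patch (comment #1, point 2).
RE_MAX    = re.compile(r"filling buffer, max size (\d+) bytes")

def unwrap(text: str) -> List[str]:
    """Re-join mail-wrapped log lines into one string per log entry."""
    entries: List[str] = []
    for line in text.splitlines():
        if RE_ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.strip()
    return entries

@dataclass
class RenegTrace:
    client: Optional[str] = None
    buffered_bytes: int = 0
    eos: bool = False                 # mod_ssl saw end-of-stream from the client
    max_size: Optional[int] = None    # None => patched "max size" suffix absent
    reneg_requested: bool = False
    reneg_failed: bool = False

def parse_trace(entries: Iterable[str]) -> RenegTrace:
    """Fold the entries of one connection into a RenegTrace."""
    t = RenegTrace()
    for e in entries:
        if (m := RE_CLIENT.search(e)) and t.client is None:
            t.client = m.group(1)
        if m := RE_MAX.search(e):
            t.max_size = int(m.group(1))
        if m := RE_BUFFER.search(e):
            t.buffered_bytes, t.eos = int(m.group(1)), m.group(2) == "1"
        t.reneg_requested |= "Requesting connection re-negotiation" in e
        t.reneg_failed |= "Re-negotiation handshake failed" in e
    return t

def diagnose(t: RenegTrace) -> str:
    """Classify the trace the way comment #1 reads it."""
    if not t.reneg_requested:
        return "no renegotiation attempted"
    if not t.reneg_failed:
        return "renegotiation ok"
    if t.eos:   # EOF arrived with the body, so the client never answered the HelloRequest
        return f"client {t.client} sent EOF after {t.buffered_bytes} bytes; need packet trace"
    return "handshake failed with body still open; need packet trace"
```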


DO NOT REPLY [Bug 46880] SSL+Client Certificates required+large POSTs cause ssl reneg to fail (sometimes)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46880


Karl Grindley <kg...@ll.mit.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|                            |WORKSFORME




--- Comment #2 from Karl Grindley <kg...@ll.mit.edu>  2009-03-20 06:32:11 PST ---
Joe,

Thanks for the reply.  I'm going to file a series of tickets in the RH bugzilla
as I think I've identified two broken items in the RH release of 2.2.3 related
to SSL and buffer sizes.

I decided it would be best for all parties to see if this was a bug in the
latest version of apache or not, so I downloaded 2.2.11 from apache.org and
spun an RPM.  So far, all the issues I was having have evaporated.  So I think
this is on RH's plate to fix.

Thanks again,
Karl
