You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Jason Pyeron <jp...@pdinc.us> on 2010/09/08 04:03:08 UTC

[users@httpd] Ssl front end proxy and Segmentation fault (11)

I am trying to reverse proxy client certs, here is the config snipit:

RequestHeader set Front-End-Https "On"
CacheDisable *
SSLProxyEngine On
ProxyPass /test https://192.168.10.193/test
ProxyPassReverse /test https://192.168.10.193/test
SSLProxyMachineCertificatePath /var/www.xxxx/certs
SSLProxyVerify off

Every call to the server for /test results in:
[Tue Sep 07 21:59:19 2010] [notice] child pid 24344 exit signal Segmentation
fault (11)

Fetching https://xxxx/cgi-bin/test.cgi

AUTH_TYPE = 'Basic'
DOCUMENT_ROOT = '/var/www.xxxx/html'
GATEWAY_INTERFACE = 'CGI/1.1'
HTTPS = 'on'
HTTP_ACCEPT = 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
application/x-ms-application, application/x-ms-xbap,
application/vnd.ms-xpsdocument, application/xaml+xml, */*'
HTTP_ACCEPT_ENCODING = 'gzip, deflate'
HTTP_ACCEPT_LANGUAGE = 'en-us'
HTTP_CONNECTION = 'Keep-Alive'
HTTP_COOKIE = 'ASP.NET_SessionId=fnut3nm4wmsbyc55x5g5tp45'
HTTP_FRONT_END_HTTPS = 'On'
HTTP_HOST = 'xxxx'
HTTP_UA_CPU = 'x86'
HTTP_USER_AGENT = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729; .NET4.0C)'
PATH = '/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin'
QUERY_STRING = ''
REMOTE_ADDR = '16.0.0.0'
REMOTE_PORT = '1954'
REMOTE_USER = '/C=US/O=U.S.
Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=PYERON.JASON.J.1291147719'
REQUEST_METHOD = 'GET'
REQUEST_URI = '/cgi-bin/test.cgi'
SCRIPT_FILENAME = '/var/www.xxxx/cgi-bin/test.cgi'
SCRIPT_NAME = '/cgi-bin/test.cgi'
SERVER_ADDR = 'x.x.x.x'
SERVER_ADMIN = 'root@localhost'
SERVER_NAME = 'xxxx'
SERVER_PORT = '443'
SERVER_PROTOCOL = 'HTTP/1.1'
SERVER_SIGNATURE = '<address>Apache/2.0.52 (CentOS) Server at xxxx Port
443</address>
'
SERVER_SOFTWARE = 'Apache/2.0.52 (CentOS)'
SSL_CLIENT_CERT = '-----BEGIN CERTIFICATE-----
MIID6DCCA1GgAwIBAgIDCb6dMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAlVT
MRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UE
CxMDUEtJMRIwEAYDVQQDEwlET0QgQ0EtMTUwHhcNMDcxMDE4MDAwMDAwWhcNMTAx
MDE0MjM1OTU5WjB8MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5t
ZW50MQwwCgYDVQQLEwNEb0QxDDAKBgNVBAsTA1BLSTETMBEGA1UECxMKQ09OVFJB
Q1RPUjEiMCAGA1UEAxMZUFlFUk9OLkpBU09OLkouMTI5MTE0NzcxOTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEAhMQ+RKYz1XcPripHGnBICeiyzbGarX57ndk/
6ZRtlk8LW/WsHy3A9t31PsnEIVALPbr75yEVvrn2htQuOdm24D6T5984JDOHchYu
WUUyS/W73NCr/Uv3aQ2EyFi9yNdZxuS0dg7GJAXwnYmDAHkMS0o5eAJKVBWb+yuV
wiEhSGECAwEAAaOCAZswggGXMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBRo
gBF4GQ3u7fNlSY4AIuxSjroEzjAdBgNVHQ4EFgQUT9z86adICxztaDTGWVbqxwY2
Ll4wFgYDVR0gBA8wDTALBglghkgBZQIBCwkwgcUGA1UdHwSBvTCBujAsoCqgKIYm
aHR0cDovL2NybC5kaXNhLm1pbC9nZXRjcmw/RE9EJTIwQ0EtMTUwgYmggYaggYOG
gYBsZGFwOi8vY3JsLmdkcy5kaXNhLm1pbC9jbiUzZERvRCUyMENBLTE1JTJjb3Ul
M2RQS0klMmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292ZXJubWVudCUyY2MlM2RV
Uz9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0O2JpbmFyeTBlBggrBgEFBQcBAQRZ
MFcwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9jcmwuZGlzYS5taWwvZ2V0c2lnbj9ET0Ql
MjBDQS0xNTAgBggrBgEFBQcwAYYUaHR0cDovL29jc3AuZGlzYS5taWwwDQYJKoZI
hvcNAQEFBQADgYEAp08dHan3bDsdmG1UJaQzcbFRQwGuyI5JKzTcmjTZ/3lRRsp5
vmPDoAnSbLd0CkG4z7d/OW5JvA9bZSDdC4DS1f9utK8bdCdzlCigfupfNxs+jzvB
3UQDxqUSnC+E7bIc5fnbUD2aKfCkHNYVoHhBgHJt+S19iUcRsxIT8Aj1+70=
-----END CERTIFICATE-----
'
SSL_SERVER_CERT = '-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
'
downgrade_1_0 = '1'
force_response_1_0 = '1'
nokeepalive = '1'
ssl_unclean_shutdown = '1'

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Ssl front end proxy and Segmentation fault (11)

Posted by Joe Orton <jo...@redhat.com>.

On Wed, Sep 08, 2010 at 12:01:56AM -0400, Jason Pyeron wrote:
> 
> > -----Original Message-----
> > From: Jason Pyeron [mailto:jpyeron@pdinc.us] 
> > Sent: Tuesday, September 07, 2010 22:03
> > To: users@httpd.apache.org
> > Subject: [users@httpd] Ssl front end proxy and Segmentation fault (11)
> > 
> > I am trying to reverse proxy client certs, here is the config snipit:
> 
> Fyi: the version is httpd-2.0.52-41.ent.7.centos4

For 2.0.x I would suspect:

https://issues.apache.org/bugzilla/show_bug.cgi?id=24030

I'd move to use of SSLProxyMachineCertificateFile and make sure the 
configured file has a single cert and private key in that order.

Regards, Joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] Ssl front end proxy and Segmentation fault (11)

Posted by Jason Pyeron <jp...@pdinc.us>.

> -----Original Message-----
> From: Jason Pyeron [mailto:jpyeron@pdinc.us] 
> Sent: Tuesday, September 07, 2010 22:03
> To: users@httpd.apache.org
> Subject: [users@httpd] Ssl front end proxy and Segmentation fault (11)
> 
> I am trying to reverse proxy client certs, here is the config snipit:

Fyi: the version is httpd-2.0.52-41.ent.7.centos4

> 
> RequestHeader set Front-End-Https "On"
> CacheDisable *
> SSLProxyEngine On
> ProxyPass /test https://192.168.10.193/test ProxyPassReverse 
> /test https://192.168.10.193/test 
> SSLProxyMachineCertificatePath /var/www.xxxx/certs SSLProxyVerify off
> 
> Every call to the server for /test results in:
> [Tue Sep 07 21:59:19 2010] [notice] child pid 24344 exit 
> signal Segmentation fault (11)
> 
> Fetching https://xxxx/cgi-bin/test.cgi
> 
> AUTH_TYPE = 'Basic'
> DOCUMENT_ROOT = '/var/www.xxxx/html'
> GATEWAY_INTERFACE = 'CGI/1.1'
> HTTPS = 'on'
> HTTP_ACCEPT = 'image/gif, image/x-xbitmap, image/jpeg, 
> image/pjpeg, application/vnd.ms-excel, 
> application/vnd.ms-powerpoint, application/msword, 
> application/x-ms-application, application/x-ms-xbap, 
> application/vnd.ms-xpsdocument, application/xaml+xml, */*'
> HTTP_ACCEPT_ENCODING = 'gzip, deflate'
> HTTP_ACCEPT_LANGUAGE = 'en-us'
> HTTP_CONNECTION = 'Keep-Alive'
> HTTP_COOKIE = 'ASP.NET_SessionId=fnut3nm4wmsbyc55x5g5tp45'
> HTTP_FRONT_END_HTTPS = 'On'
> HTTP_HOST = 'xxxx'
> HTTP_UA_CPU = 'x86'
> HTTP_USER_AGENT = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows 
> NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; 
> .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)'
> PATH = '/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin'
> QUERY_STRING = ''
> REMOTE_ADDR = '16.0.0.0'
> REMOTE_PORT = '1954'
> REMOTE_USER = '/C=US/O=U.S.
> Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=PYERON.JASON.J.1291147719'
> REQUEST_METHOD = 'GET'
> REQUEST_URI = '/cgi-bin/test.cgi'
> SCRIPT_FILENAME = '/var/www.xxxx/cgi-bin/test.cgi'
> SCRIPT_NAME = '/cgi-bin/test.cgi'
> SERVER_ADDR = 'x.x.x.x'
> SERVER_ADMIN = 'root@localhost'
> SERVER_NAME = 'xxxx'
> SERVER_PORT = '443'
> SERVER_PROTOCOL = 'HTTP/1.1'
> SERVER_SIGNATURE = '<address>Apache/2.0.52 (CentOS) Server at 
> xxxx Port 443</address> '
> SERVER_SOFTWARE = 'Apache/2.0.52 (CentOS)'
> SSL_CLIENT_CERT = '-----BEGIN CERTIFICATE----- 
> MIID6DCCA1GgAwIBAgIDCb6dMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAlVT
> MRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UE
> CxMDUEtJMRIwEAYDVQQDEwlET0QgQ0EtMTUwHhcNMDcxMDE4MDAwMDAwWhcNMTAx
> MDE0MjM1OTU5WjB8MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5t
> ZW50MQwwCgYDVQQLEwNEb0QxDDAKBgNVBAsTA1BLSTETMBEGA1UECxMKQ09OVFJB
> Q1RPUjEiMCAGA1UEAxMZUFlFUk9OLkpBU09OLkouMTI5MTE0NzcxOTCBnzANBgkq
> hkiG9w0BAQEFAAOBjQAwgYkCgYEAhMQ+RKYz1XcPripHGnBICeiyzbGarX57ndk/
> 6ZRtlk8LW/WsHy3A9t31PsnEIVALPbr75yEVvrn2htQuOdm24D6T5984JDOHchYu
> WUUyS/W73NCr/Uv3aQ2EyFi9yNdZxuS0dg7GJAXwnYmDAHkMS0o5eAJKVBWb+yuV
> wiEhSGECAwEAAaOCAZswggGXMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBRo
> gBF4GQ3u7fNlSY4AIuxSjroEzjAdBgNVHQ4EFgQUT9z86adICxztaDTGWVbqxwY2
> Ll4wFgYDVR0gBA8wDTALBglghkgBZQIBCwkwgcUGA1UdHwSBvTCBujAsoCqgKIYm
> aHR0cDovL2NybC5kaXNhLm1pbC9nZXRjcmw/RE9EJTIwQ0EtMTUwgYmggYaggYOG
> gYBsZGFwOi8vY3JsLmdkcy5kaXNhLm1pbC9jbiUzZERvRCUyMENBLTE1JTJjb3Ul
> M2RQS0klMmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292ZXJubWVudCUyY2MlM2RV
> Uz9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0O2JpbmFyeTBlBggrBgEFBQcBAQRZ
> MFcwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9jcmwuZGlzYS5taWwvZ2V0c2lnbj9ET0Ql
> MjBDQS0xNTAgBggrBgEFBQcwAYYUaHR0cDovL29jc3AuZGlzYS5taWwwDQYJKoZI
> hvcNAQEFBQADgYEAp08dHan3bDsdmG1UJaQzcbFRQwGuyI5JKzTcmjTZ/3lRRsp5
> vmPDoAnSbLd0CkG4z7d/OW5JvA9bZSDdC4DS1f9utK8bdCdzlCigfupfNxs+jzvB
> 3UQDxqUSnC+E7bIc5fnbUD2aKfCkHNYVoHhBgHJt+S19iUcRsxIT8Aj1+70=
> -----END CERTIFICATE-----
> '
> SSL_SERVER_CERT = '-----BEGIN CERTIFICATE----- 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> -----END CERTIFICATE-----
> '
> downgrade_1_0 = '1'
> force_response_1_0 = '1'
> nokeepalive = '1'
> ssl_unclean_shutdown = '1'

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

 



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Ssl front end proxy and Segmentation fault (11)

Posted by Jeff Trawick <tr...@gmail.com>.

On Tue, Sep 7, 2010 at 10:03 PM, Jason Pyeron <jp...@pdinc.us> wrote:

> I am trying to reverse proxy client certs, here is the config snipit:
>
> RequestHeader set Front-End-Https "On"
> CacheDisable *
> SSLProxyEngine On
> ProxyPass /test https://192.168.10.193/test
> ProxyPassReverse /test https://192.168.10.193/test
> SSLProxyMachineCertificatePath /var/www.xxxx/certs
> SSLProxyVerify off
>
> Every call to the server for /test results in:
> [Tue Sep 07 21:59:19 2010] [notice] child pid 24344 exit signal
> Segmentation
> fault (11)
>
> SERVER_SIGNATURE = '<address>Apache/2.0.52 (CentOS) Server at xxxx Port
> 443</address>
>

My 2 cents: Open a bug and provide a backtrace for the crash if you can
reproduce with 2.2.latest.  If it isn't reproducible there, switch.