You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Jamie Johnson <je...@gmail.com> on 2015/04/21 17:55:27 UTC

[users@httpd] Re: mod_proxy and mod_nss - occasional "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."

Sorry to hit this again, but I've made no headway short of setting
NSSProxyCheckPeerCN off, is this not reproducible?  Is there another list I
should be asking this on?


On Wed, Apr 8, 2015 at 2:40 PM, Jamie Johnson <je...@gmail.com> wrote:

> I am running httpd-2.4.12 and mod_nss-1.0.11 built from source and am
> running into an issue where I occasionally get an error where mod_nss
> throws the following exception
>
> SSL Proxy: I don't have the name of the host we're supposed to connect to
> so I can't verify that we are connecting to who we think we should be.
> Giving up.
>
> What is strange is that the issue does not happen consistently, sometimes
> the error will occur after the first request, other times after the 5000th.
>
>
> Any thoughts about what could be causing this?
>
> The following is what I'm seeing in the log
>
> [Wed Apr 08 18:31:07.331041 2015] [:info] [pid 17342:tid 47143550196032]
> Connection to child 0 established (server test.domain.com:443, client
> 10.81.1.91)
> [Wed Apr 08 18:31:07.412436 2015] [:info] [pid 17342:tid 47143550196032]
> Initial (No.1) HTTPS request received for child 0 (server
> test.domain.com:443)
> [Wed Apr 08 18:31:07.412499 2015] [authz_core:debug] [pid 17342:tid
> 47143550196032] mod_authz_core.c(835): [client 10.81.1.91:50727] AH01628:
> authorization result: granted (no directives)
> [Wed Apr 08 18:31:07.412654 2015] [proxy:debug] [pid 17342:tid
> 47143550196032] mod_proxy.c(1163): [client 10.81.1.91:50727] AH01143:
> Running scheme https handler (attempt 0)
> [Wed Apr 08 18:31:07.412669 2015] [proxy:debug] [pid 17342:tid
> 47143550196032] proxy_util.c(2140): AH00942: HTTPS: has acquired connection
> for (test.domain.com)
> [Wed Apr 08 18:31:07.412734 2015] [proxy:debug] [pid 17342:tid
> 47143550196032] proxy_util.c(2193): [client 10.81.1.91:50727] AH00944:
> connecting https://test.domain.com:8443/test/home.html to
> test.domain.com:8443
> [Wed Apr 08 18:31:07.412745 2015] [proxy:debug] [pid 17342:tid
> 47143550196032] proxy_util.c(2394): [client 10.81.1.91:50727] AH00947:
> connected /test/home.html to test.domain.com:8443
> [Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid 47143550196032]
> nss_engine_io.c(658): SSL connection destroyed without being closed
> [Wed Apr 08 18:31:07.412859 2015] [proxy:debug] [pid 17342:tid
> 47143550196032] proxy_util.c(2636): AH00951: HTTPS: backend socket is
> disconnected.
> [Wed Apr 08 18:31:07.412910 2015] [proxy:debug] [pid 17342:tid
> 47143550196032] proxy_util.c(2771): AH02824: HTTPS: connection established
> with 10.81.1.183:8443 (test.domain.com)
> [Wed Apr 08 18:31:07.412923 2015] [proxy:debug] [pid 17342:tid
> 47143550196032] proxy_util.c(2923): AH00962: HTTPS: connection complete to
> 10.81.1.183:8443 (test.domain.com)
> [Wed Apr 08 18:31:07.412928 2015] [:info] [pid 17342:tid 47143550196032]
> Connection to child 0 established (server test.domain.com:443, client
> 10.81.1.183)
> [Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid 47143550196032]
> SSL Proxy: I don't have the name of the host we're supposed to connect to
> so I can't verify that we are connecting to who we think we should be.
> Giving up.
> [Wed Apr 08 18:31:07.424330 2015] [:info] [pid 17342:tid 47143550196032]
> SSL library error -12276 writing data
> [Wed Apr 08 18:31:07.424337 2015] [:info] [pid 17342:tid 47143550196032]
> SSL Library Error: -12276 Requested domain name does not match the server's
> certificate
> [Wed Apr 08 18:31:07.424344 2015] [proxy:error] [pid 17342:tid
> 47143550196032] (20014)Internal error: [client 10.81.1.91:50727] AH01084:
> pass request body failed to 10.81.1.183:8443 (test.domain.com)
> [Wed Apr 08 18:31:07.424352 2015] [proxy_http:error] [pid 17342:tid
> 47143550196032] [client 10.81.1.91:50727] AH01097: pass request body
> failed to 10.81.1.183:8443 (test.domain.com) from 10.81.1.91 ()
> [Wed Apr 08 18:31:07.424356 2015] [proxy:debug] [pid 17342:tid
> 47143550196032] proxy_util.c(2155): AH00943: HTTPS: has released connection
> for (test.domain.com)
> [Wed Apr 08 18:31:07.424385 2015] [:info] [pid 17342:tid 47143550196032]
> Connection to child 0 closed (server test.domain.com:443, client
> 10.81.1.183)
> [Wed Apr 08 18:31:07.424394 2015] [proxy:debug] [pid 17342:tid
> 47143550196032] proxy_util.c(2864): [remote 10.81.1.183:8443] AH02642:
> proxy: connection shutdown
> [Wed Apr 08 18:31:07.424686 2015] [:info] [pid 17342:tid 47143550196032]
> Connection to child 0 closed (server test.domain.com:443, client
> 10.81.1.91)
>
>
> My configuration is as follows for the virtual host
>
> <VirtualHost _default_:443>
>
>     ErrorLog /var/log/httpd/error_log
>
>     TransferLog /var/log/httpd/access_log
>
>     LogLevel debug
>
>     NSSEngine on
>
>     NSSCipherSuite
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
>     NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
>     NSSNickname "*.domain.com"
>
>     NSSCertificateDatabase /etc/httpd/wildcard
>
>     NSSVerifyClient optional
>
>     NSSOptions +ExportCertData +StdEnvVars
>
>     <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>
>         NSSOptions +StdEnvVars
>
>         </Files>
>
>     <Directory "/var/www/cgi-bin">
>
>         NSSOptions +StdEnvVars
>
>     </Directory>
>
>     ServerName test.domain.com
>
>     NSSProxyEngine on
>
>     NSSProxyProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
>     NSSProxyCipherSuite
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
>     ProxyRequests off
>
>     ProxyPass /test https://test.domain.com:8443/test
>
>     ProxyPassReverse /test https://test.domain.com:8443/test
>
> </VirtualHost>
>
>
>

Re: [users@httpd] Re: mod_proxy and mod_nss - occasional "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."

Posted by Jamie Johnson <je...@gmail.com>.

Thanks, I found this almost immediately after my last email.  I posted
there if anyone runs into a similar issue.
On Apr 21, 2015 12:24 PM, "Pete Houston" <ph...@openstrike.co.uk> wrote:

> Hello Jamie,
>
> On Tue, Apr 21, 2015 at 11:55:27AM -0400, Jamie Johnson wrote:
> > Sorry to hit this again, but I've made no headway short of setting
> > NSSProxyCheckPeerCN off, is this not reproducible?  Is there another
> list I
> > should be asking this on?
>
> As mod_nss is a third-party module it's quite conceivable that nobody on
> this list uses it. Perhaps you would have more luck posting to the
> mod_nss list instead? It is at
> https://www.redhat.com/mailman/listinfo/mod_nss-list
>
> HTH,
>
> Pete
> --
> Openstrike - improving business through open source
> http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
>

Re: [users@httpd] Re: mod_proxy and mod_nss - occasional "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."

Posted by Pete Houston <ph...@openstrike.co.uk>.

Hello Jamie,

On Tue, Apr 21, 2015 at 11:55:27AM -0400, Jamie Johnson wrote:
> Sorry to hit this again, but I've made no headway short of setting
> NSSProxyCheckPeerCN off, is this not reproducible?  Is there another list I
> should be asking this on?

As mod_nss is a third-party module it's quite conceivable that nobody on
this list uses it. Perhaps you would have more luck posting to the
mod_nss list instead? It is at
https://www.redhat.com/mailman/listinfo/mod_nss-list

HTH,

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107