Posted to users@httpd.apache.org by "jb2002@pc9.org" <jb...@pc9.org> on 2002/08/28 16:25:28 UTC
[users@httpd] Apache/2.0.40, mod_ssl unexplainable errors logged
Here is my setup (for www.pc-tools.net): Apache/2.0.40 (Unix)
mod_ssl/2.0.40 OpenSSL/0.9.6g. Running on Linux 2.4 kernel.
I am getting tons of these errors in apache's log file, sometimes
separated by tens of minutes, other times separated by only a few
seconds. I don't see any regularity (however I DID detect a correlation
with non-SSL hits served, see below)
[error] Spurious SSL handshake interrupt [Hint: Usually just one of those
OpenSSL confusions!?]
At first I thought this might be the result of people connecting to my
SSL server. Then I found out that this is NOT the case. I firewalled off
the https port so that nobody could reach my SSL server (the port 80
server still gets plenty of traffic, however). For my remaining tests
there was no SSL site access at all.
Doing tail -f I can watch the errors continue to appear. One odd thing I
noticed is that whenever the error appears, netstat shows this local
connection on the server, with varying port (1924, 1936, 1949)
tcp 0 0 localhost:1924 localhost:https
There are no "special" programs running that could cause this local, other
than httpd itself. Next time the error occurred, I got netstat to dump
PID/Program name which turned out to be "-"
127.0.0.1:2259 127.0.0.1:443 TIME_WAIT -
There is no PID or program name reported. But whenever one of those
"Spurious SSL handshake interrupt" messages appears, this localhost to
localhost connection has taken place (cause, or effect?)
So this leads me to believe that this error appears when a local
connection originates from Apache back to itself. I hypothesize that when
an httpd thread serves a number of requests and terminates/resets, this
causes the error (when mod_ssl gets confused upon the reset). To test the
hypothesis I dug into my logs.
Over the period of 2 days (which isn't a lot of data points) I extracted
the time stamp from each 'Spurious' error and the time stamp from each HTTP
request served. I tabulated both based on hour of the day, and plotted the
results. The results seem to suggest that the trend of the errors is
related to the trend of general HTTP traffic, which might support the idea
of the error being caused by threads dying/resetting and pissing off
mod_ssl.
So... what can I do to stop those "Spurious SSL handshake interrupt" errors
from appearing? As I've shown, it IS NOT related to external SSL site
traffic. Is this an Apache or mod_ssl bug? What is that self-initiated
local https connection?
Any help appreciated. Regards,
Jem Berkes
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
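The hourly tabulation described in the first message, as an added example that is not part of the original posts: it bins 'Spurious' error_log entries and access_log requests by hour of day and computes their correlation. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime
from math import sqrt

# Constructed sample lines in Apache 2.0 error_log and common access_log layout.
ERROR_LOG = """\
[Wed Aug 28 14:05:11 2002] [error] Spurious SSL handshake interrupt [Hint: Usually just one of those OpenSSL confusions!?]
[Wed Aug 28 16:10:42 2002] [error] Spurious SSL handshake interrupt [Hint: Usually just one of those OpenSSL confusions!?]
[Wed Aug 28 16:48:03 2002] [error] Spurious SSL handshake interrupt [Hint: Usually just one of those OpenSSL confusions!?]
[Wed Aug 28 16:50:00 2002] [error] File does not exist: /var/www/favicon.ico
"""
ACCESS_LOG = "\n".join(
    f'192.0.2.{i} - - [28/Aug/2002:{hhmm}:00 -0500] "GET / HTTP/1.1" 200 512'
    for i, hhmm in enumerate(["09:15", "14:01", "14:30", "16:02", "16:20", "16:41", "16:55"], 1))

def errors_per_hour(text, needle="Spurious SSL handshake interrupt"):
    """Count matching error_log lines per hour of day."""
    hours = Counter()
    for m in re.finditer(r"^\[([^\]]+)\] \[error\] (.*)$", text, re.M):
        if needle in m.group(2):
            hours[datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y").hour] += 1
    return hours

def requests_per_hour(text):
    """Count access_log requests per hour of day (timestamp in brackets)."""
    stamps = re.findall(r"\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\]", text)
    return Counter(datetime.strptime(s, "%d/%b/%Y:%H:%M:%S").hour for s in stamps)

def pearson(a, b):
    """Pearson correlation of two hourly Counters over all 24 hours."""
    x = [a[h] for h in range(24)]
    y = [b[h] for h in range(24)]
    mx, my = sum(x) / 24, sum(y) / 24
    cov = sum((p - mx) * (q - my) for p, q in zip(x, y))
    var = sum((p - mx) ** 2 for p in x) * sum((q - my) ** 2 for q in y)
    return cov / sqrt(var) if var else 0.0

if __name__ == "__main__":
    err, req = errors_per_hour(ERROR_LOG), requests_per_hour(ACCESS_LOG)
    for h in sorted(set(err) | set(req)):
        print(f"{h:02d}:00  requests={req[h]:3d}  spurious_errors={err[h]:3d}")
    print(f"correlation = {pearson(err, req):.2f}")
```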
Re: [users@httpd] Apache/2.0.40, mod_ssl unexplainable errors logged
Posted by "jb2002@pc9.org" <jb...@pc9.org>.
> Over the period of 2 days (which isn't a lot of data points) I extracted
> the time stamp from each 'Spurious' error and the time stamp from each
> HTTP request served. I tabulated both based on hour of the day, and
> plotted the results. The results seem to suggest that the trend of the
> errors is related to the trend of general HTTP traffic, which might
> support the idea of the error being caused by threads dying/resetting and
> pissing off mod_ssl.
Just thought I would add, you can actually see my graph here :)
http://www.pc9.org/usage/spurious_errors.png
Re: [users@httpd] Apache/2.0.40, mod_ssl unexplainable errors logged
Posted by "jb2002@pc9.org" <jb...@pc9.org>.
> You could run a tcpdump localhost and port 443 for a long period of time
> and see what gives. Last time I had to dig into a thing like this;
> regular nmap-like security sweeps were the issue.
Thanks, it didn't take too long to accumulate some output. Cross
referencing it with apache's error log I see that the times match up
exactly.
http://www.pc9.org/usage/tcpdump.log
I'm in over my head here, as I don't know how to interpret this output. Can
you help?
However I really don't think this is caused by another program running on
my system. The errors only started appearing after I upgraded to the 2.0.x
line, and searching the net I see plenty of other people observing the same
errors (though I haven't found an explanation as of yet). Is there anyone
running Apache 2.0.x with mod_ssl who isn't seeing this error?
Also, this graph I compiled from my data seems to suggest a relation
between HTTP traffic and SSL errors, even though the two should be
completely independent. The # of SSL errors is multiplied by 50 here:
http://www.pc9.org/usage/spurious_errors.png
Re: [users@httpd] Apache/2.0.40, mod_ssl unexplainable errors logged
Posted by Jem Berkes <jb...@pc9.org>.
> More on this. I kept one console running tcpdump -i lo port 443. Sure
> enough, whenever the 'spurious' SSL error appeared in the logs, a
> connection from localhost to itself appears on port 443. So it appears
> that those connections are causing the errors.
OK, with the help of Mr. Trawick from the apache developer's mailing
list, this problem has been solved! The cause does seem to be, in fact,
the idle server maintenance (that's why it is related to the amount of
server traffic). Apparently apache does dummy connects to itself in order
to wake up children.
The solution lies in the order of your Listen statements. The dummy
connect should hit port 80, not port 443. I had Listen 80 then Listen 443
in my configuration files (httpd.conf before ssl.conf) and with that
order, the dummy connects go to port 443.
Swapping the order should get rid of the "[error] Spurious SSL handshake
interrupt" errors due to the apache dummy connects. I commented out the
Listen 443 in ssl.conf, and instead modified httpd.conf so that it says:
<IfDefine SSL>
Listen 443
</IfDefine>
Listen 80
i.e. Listen 443 before Listen 80. No more
[error] Spurious SSL handshake interrupt [Hint: Usually just one of those
OpenSSL confusions!?]
--
Jem Berkes
Student IEEE (Canada)
http://www.pc-tools.net/
Windows, Linux & UNIX software
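A check for the Listen ordering described in this message, as an added example (not code from the thread or from the Apache project). It assumes, as inferred from the thread's account of 2.0.40, that the dummy connect goes to the last Listen directive processed; the config snippets are constructed and the function names are hypothetical.

```python
import re

# Constructed configs: the layout before the fix and the layout after it.
BEFORE = ["Listen 80\n",                                        # httpd.conf
          "<IfDefine SSL>\nListen 443\n</IfDefine>\n"]          # ssl.conf
AFTER = ["<IfDefine SSL>\nListen 443\n</IfDefine>\nListen 80\n",  # httpd.conf
         "#Listen 443\n"]                                        # ssl.conf

def listen_ports(config_texts, defines=()):
    """Ports of active Listen directives, in the order the files are processed."""
    ports = []
    for text in config_texts:
        stack = []  # one flag per enclosing <IfDefine>: is that block active?
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            opened = re.match(r"<IfDefine\s+(!?)([^>\s]+)\s*>", line, re.I)
            if opened:
                # "!NAME" is active when NAME is not defined
                stack.append((opened.group(2) in defines) != bool(opened.group(1)))
            elif re.match(r"</IfDefine\s*>", line, re.I):
                if stack:
                    stack.pop()
            elif all(stack):
                listen = re.match(r"Listen\s+(\S+)", line, re.I)
                if listen:  # accepts "80", "192.0.2.1:443", "[::]:443"
                    ports.append(int(listen.group(1).rsplit(":", 1)[-1]))
    return ports

def dummy_connect_port(ports):
    # Assumption from the thread: the last Listen processed receives the connect.
    return ports[-1] if ports else None

def check(config_texts, defines=(), ssl_ports=frozenset({443})):
    """Return (port, is_ssl): is_ssl=True predicts the 'Spurious' log entries."""
    port = dummy_connect_port(listen_ports(config_texts, defines))
    return port, port in ssl_ports

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, check(cfg, defines={"SSL"}))
```

Calling `check(BEFORE)` with no defines models 'apachectl start' rather than 'startssl'.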
Re: [users@httpd] Apache/2.0.40, mod_ssl unexplainable errors logged
Posted by "jb2002@pc9.org" <jb...@pc9.org>.
> You could run a tcpdump localhost and port 443 for a long period of time
> and see what gives. Last time I had to dig into a thing like this;
> regular nmap-like security sweeps were the issue.
More on this. I kept one console running tcpdump -i lo port 443.
Sure enough, whenever the 'spurious' SSL error appeared in the logs, a
connection from localhost to itself appears on port 443. So it appears that
those connections are causing the errors.
I ruled out the possibility of it being anything outside of apache. When I
do 'apachectl start' as opposed to 'apachectl startssl' then tcpdump does
NOT show any such localhost traffic to port 443. Using startssl, the errors
re-appear. So these errors=connections are caused by apache (BUG??)
In other words, only when Apache is running in SSL mode, occasionally it
opens a connection to itself on the ssl port and then logs an error
resulting from this. The frequency of weird errors = mysterious connections
to self is closely related to the amount of server traffic (purely non-SSL
traffic). I updated the earlier graph I posted with more data, and the
relationship is clear.
But surely with all this info somebody, perhaps a developer, can offer an
explanation? Should I instead be posting these to the developers list?
Jem Berkes
Re: [users@httpd] Apache/2.0.40, mod_ssl unexplainable errors logged
Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
You could run a tcpdump localhost and port 443 for a long period of time
and see what gives. Last time I had to dig into a thing like this; regular
nmap-like security sweeps were the issue.
Dw.
On Wed, 28 Aug 2002, jb2002@pc9.org wrote:
> Here is my setup (for www.pc-tools.net): Apache/2.0.40 (Unix)
> mod_ssl/2.0.40 OpenSSL/0.9.6g. Running on Linux 2.4 kernel.
>
> I am getting tons of these errors in apache's log file, sometimes
> separated by tens of minutes, other times separated by only a few
> seconds. I don't see any regularity (however I DID detect a correlation
> with non-SSL hits served, see below)
>
> [error] Spurious SSL handshake interrupt [Hint: Usually just one of those
> OpenSSL confusions!?]
>
> At first I thought this might be the result of people connecting to my
> SSL server. Then I found out that this is NOT the case. I firewalled off
> the https port so that nobody could reach my SSL server (the port 80
> server still gets plenty of traffic, however). For my remaining tests
> there was no SSL site access at all.
>
> Doing tail -f I can watch the errors continue to appear. One odd thing I
> noticed is that whenever the error appears, netstat shows this local
> connection on the server, with varying port (1924, 1936, 1949)
>
> tcp 0 0 localhost:1924 localhost:https
>
> There are no "special" programs running that could cause this local, other
> than httpd itself. Next time the error occurred, I got netstat to dump
> PID/Program name which turned out to be "-"
>
> 127.0.0.1:2259 127.0.0.1:443 TIME_WAIT -
>
> There is no PID or program name reported. But whenever one of those
> "Spurious SSL handshake interrupt" messages appears, this localhost to
> localhost connection has taken place (cause, or effect?)
>
> So this leads me to believe that this error appears when a local
> connection originates from Apache back to itself. I hypothesize that when
> an httpd thread serves a number of requests and terminates/resets, this
> causes the error (when mod_ssl gets confused upon the reset). To test the
> hypothesis I dug into my logs.
>
> Over the period of 2 days (which isn't a lot of data points) I extracted
> the time stamp from each 'Spurious' error and the time stamp from each HTTP
> request served. I tabulated both based on hour of the day, and plotted the
> results. The results seem to suggest that the trend of the errors is
> related to the trend of general HTTP traffic, which might support the idea
> of the error being caused by threads dying/resetting and pissing off
> mod_ssl.
>
> So... what can I do to stop those "Spurious SSL handshake interrupt" errors
> from appearing? As I've shown, it IS NOT related to external SSL site
> traffic. Is this an Apache or mod_ssl bug? What is that self-initiated
> local https connection?
>
> Any help appreciated. Regards,
>
> Jem Berkes