You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by "jb2002@pc9.org" <jb...@pc9.org> on 2002/08/28 16:25:28 UTC

[users@httpd] Apache/2.0.40, mod_ssl unexplainable errors logged

Here is my setup (for www.pc-tools.net): Apache/2.0.40 (Unix) 
mod_ssl/2.0.40 OpenSSL/0.9.6g. Running on Linux 2.4 kernel.

I am getting tons of these errors in apache's log file, sometimes 
separated by tens of minutes, other times separated by only a few 
seconds. I don't see any regularity (however I DID detect a correlation 
with non-SSL hits served, see below)

[error] Spurious SSL handshake interrupt [Hint: Usually just one of those 
OpenSSL confusions!?]

At first I thought this might be the result of people connecting to my 
SSL server. Then I found out that this is NOT the case. I firewalled off 
the https port so that nobody could reach my SSL server (the port 80 
server still gets plenty of traffic, however). For my remaining tests 
there was no SSL site access at all.

Doing tail -f I can watch the errors continue to appear. One odd thing I 
noticed is that whenever the error appears, netstat shows this local 
connection on the server, with varying port (1924, 1936, 1949)

tcp        0      0 localhost:1924          localhost:https

There are no "special" programs running that could cause this local, other 
than httpd itself. Next time the error occured, I got netstat to dump 
PID/Program name which turned out to be "-"

127.0.0.1:2259          127.0.0.1:443           TIME_WAIT   -

There is no PID or program name reported. But whenever one of those 
"Spurious SSL handshake interrupt" messages appears, this localhost to 
localhost connection has taken place (cause, or effect?)

So this leads me to believe that this error appears when a local 
connection originates from Apache back to itself. I hypothesize that when 
an httpd thread serves a number of requests and terminates/resets, this 
causes the error (when mod_ssl gets confused upon the reset). To test the 
hypothesis I dug into my logs.

Over the period of 2 days (which isn't a lot of data points) I extracted 
the time stamp from each 'Spurious' error and the time stamp from each HTTP 
request served. I tabulated both based on hour of the day, and plotted the 
results. The results seem to suggest that the trend of the errors is 
related to the trend of general HTTP traffic, which might support the idea 
of the error being caused by threads dying/reseting and pissing off 
mod_ssl.

So... what can I do to stop those "Spurious SSL handshake interrupt" errors 
from appearing? As I've shown, it IS NOT related to external SSL site 
traffic. Is this an Apache or mod_ssl bug? What is that self-initiated 
local https connection?

Any help appreciated. Regards,

Jem Berkes



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache/2.0.40, mod_ssl unexplainable errors logged

Posted by "jb2002@pc9.org" <jb...@pc9.org>.

> Over the period of 2 days (which isn't a lot of data points) I extracted
> the time stamp from each 'Spurious' error and the time stamp from each
> HTTP request served. I tabulated both based on hour of the day, and
> plotted the results. The results seem to suggest that the trend of the
> errors is related to the trend of general HTTP traffic, which might
> support the idea of the error being caused by threads dying/reseting and
> pissing off mod_ssl.

Just thought I would add, you can actually see my graph here :)

http://www.pc9.org/usage/spurious_errors.png



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache/2.0.40, mod_ssl unexplainable errors logged

Posted by "jb2002@pc9.org" <jb...@pc9.org>.

> You could run a tcpdump localhost and port 443 for a long period of time
> and see what gives. Last time I had to dig into a thing like did;
> regular nmap like security sweeps where the issue.

Thanks, it didn't take too long to accumulate some output. Cross 
referencing it with apache's error log I see that the times match up 
exactly.

http://www.pc9.org/usage/tcpdump.log

I'm in over my head here, as I don't know how to interpret this output. Can 
you help?

However I really don't think this is caused by another program running on 
my system. The errors only started appearing after I upgraded to the 2.0.x 
line, and searching the net I see plenty of other people observing the same 
errors (though I haven't found an explanation as of yet). Is there anyone 
running Apache 2.0.x with mod_ssl who isn't seeing this error?

Also, this graph I compiled from my data seems to suggest a relation 
between HTTP traffic and SSL errors, even though the two should be 
completely independent. The # of SSL errors is multiplied by 50 here:
http://www.pc9.org/usage/spurious_errors.png



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache/2.0.40, mod_ssl unexplainable errors logged

Posted by Jem Berkes <jb...@pc9.org>.

> More on this. I kept one console running tcpdump -i lo port 443 Sure
> enough, whenever the 'spurious' SSL error appeared in the logs, a
> connection from localhost to itself appears on port 443. So it appears
> that those connections are causing the errors.

OK, with the help of Mr. Trawick from the apache developer's mailing 
list, this problem has been solved! The cause does seem to be, in fact, 
the idle server maintenance (that's why it is related to the amount of 
server traffic). Apparently apache does dummy connects to itself in order 
to wake up children.

The solution lies in the order of your Listen statements. The dummy 
connect should hit port 80, not port 443. I had Listen 80 then Listen 443 
in my configuration files (httpd.conf before ssl.conf) and with that 
order, the dummy connects go to port 443.

Swapping the order should get rid of the "[error] Spurious SSL handshake 
interrupt" errors due to the apache dummy connects. I commented out the 
Listen 443 in ssl.conf, and instead modified httpd.conf so that it says:

<IfDefine SSL>
        Listen 443
</IfDefine>
Listen 80

i.e. Listen 443 before Listen 80. No more
[error] Spurious SSL handshake interrupt [Hint: Usually just one of those 
OpenSSL confusions!?]

-- 
Jem Berkes
Student IEEE (Canada)

http://www.pc-tools.net/
Windows, Linux & UNIX software



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache/2.0.40, mod_ssl unexplainable errors logged

Posted by "jb2002@pc9.org" <jb...@pc9.org>.

> You could run a tcpdump localhost and port 443 for a long period of time
> and see what gives. Last time I had to dig into a thing like did;
> regular nmap like security sweeps where the issue.

More on this. I kept one console running tcpdump -i lo port 443
Sure enough, whenever the 'spurious' SSL error appeared in the logs, a 
connection from localhost to itself appears on port 443. So it appears that 
those connections are causing the errors.

I ruled out the possibility of it being anything outside of apache. When I 
do 'apachectl start' as opposed to 'apachectl startssl' then tcpdump does 
NOT show any such localhost traffic to port 443. Using startssl, the errors 
re-appear. So these errors=connections are caused by apache (BUG??)

In other words, only when Apache is running in SSL mode, occasionally it 
opens a connection to itself on the ssl port and then logs an error 
resulting from this. The frequency of weird errors = mysterious connections 
to self is closely related to the amount of server traffic (purely non-SSL 
traffic). I updated the earlier graph I posted with more data, and the 
relationship is clear.

But surely with all this info somebody, perhaps a developer, can offer an 
explanation? Should I instead be posting these to the developers list?

Jem Berkes



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache/2.0.40, mod_ssl unexplainable errors logged

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.

You could run a tcpdump localhost and port 443 for a long period of time
and see what gives. Last time I had to dig into a thing like did; regular
nmap like security sweeps where the issue.

Dw.

On Wed, 28 Aug 2002, jb2002@pc9.org wrote:

> Here is my setup (for www.pc-tools.net): Apache/2.0.40 (Unix)
> mod_ssl/2.0.40 OpenSSL/0.9.6g. Running on Linux 2.4 kernel.
>
> I am getting tons of these errors in apache's log file, sometimes
> separated by tens of minutes, other times separated by only a few
> seconds. I don't see any regularity (however I DID detect a correlation
> with non-SSL hits served, see below)
>
> [error] Spurious SSL handshake interrupt [Hint: Usually just one of those
> OpenSSL confusions!?]
>
> At first I thought this might be the result of people connecting to my
> SSL server. Then I found out that this is NOT the case. I firewalled off
> the https port so that nobody could reach my SSL server (the port 80
> server still gets plenty of traffic, however). For my remaining tests
> there was no SSL site access at all.
>
> Doing tail -f I can watch the errors continue to appear. One odd thing I
> noticed is that whenever the error appears, netstat shows this local
> connection on the server, with varying port (1924, 1936, 1949)
>
> tcp        0      0 localhost:1924          localhost:https
>
> There are no "special" programs running that could cause this local, other
> than httpd itself. Next time the error occured, I got netstat to dump
> PID/Program name which turned out to be "-"
>
> 127.0.0.1:2259          127.0.0.1:443           TIME_WAIT   -
>
> There is no PID or program name reported. But whenever one of those
> "Spurious SSL handshake interrupt" messages appears, this localhost to
> localhost connection has taken place (cause, or effect?)
>
> So this leads me to believe that this error appears when a local
> connection originates from Apache back to itself. I hypothesize that when
> an httpd thread serves a number of requests and terminates/resets, this
> causes the error (when mod_ssl gets confused upon the reset). To test the
> hypothesis I dug into my logs.
>
> Over the period of 2 days (which isn't a lot of data points) I extracted
> the time stamp from each 'Spurious' error and the time stamp from each HTTP
> request served. I tabulated both based on hour of the day, and plotted the
> results. The results seem to suggest that the trend of the errors is
> related to the trend of general HTTP traffic, which might support the idea
> of the error being caused by threads dying/reseting and pissing off
> mod_ssl.
>
> So... what can I do to stop those "Spurious SSL handshake interrupt" errors
> from appearing? As I've shown, it IS NOT related to external SSL site
> traffic. Is this an Apache or mod_ssl bug? What is that self-initiated
> local https connection?
>
> Any help appreciated. Regards,
>
> Jem Berkes
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org