Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/07/27 14:48:05 UTC

[Bug 53612] New: Reverse Proxy causing 500 error SSL proxy 1.0.1c OpenSSL

https://issues.apache.org/bugzilla/show_bug.cgi?id=53612

          Priority: P2
            Bug ID: 53612
          Assignee: bugs@httpd.apache.org
           Summary: Reverse Proxy causing 500 error SSL proxy 1.0.1c
                    OpenSSL
          Severity: normal
    Classification: Unclassified
          Reporter: gibsonb@imsweb.com
          Hardware: PC
            Status: NEW
           Version: 2.2.22
         Component: mod_ssl
           Product: Apache httpd-2

It seems that my configs work perfectly fine using the same build of Apache
(same options and version 2.2.22) with OpenSSL 0.9.8r.  However, when I rebuild
Apache using OpenSSL 1.0.1c, my reverse proxy to a Windows server starts to
fail.  I see 500 errors in my error logs in Apache and in Windows.  I'm using
the same httpd.conf files, and it's as easy as switching back to the older
binary and then it works fine again.

Any other operation I use OpenSSL for, however, seems to work just fine.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 53612] Reverse Proxy causing 500 error SSL proxy 1.0.1c OpenSSL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53612

--- Comment #2 from gibsonb@imsweb.com ---
Not sure exactly what you mean, but I will post the configurations I'm using
for the vhost:


<VirtualHost server:443>
ServerName arcgisproxy01dev
SSLEngine on
SSLProxyEngine on
SSLCertificateChainFile chain.crt
SSLCertificateFile site.crt
SSLCertificateKeyFile site.key
SSLOptions +StdEnvVars
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SetEnv proxy-initial-not-pooled 1
RewriteEngine on
RewriteCond %{HTTP_HOST} !^arcgisproxy01dev [nocase]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^/(.*)       https://arcgisproxy01dev/$1 [redirect,last]
ProxyRequests off
# arcgis instance
ProxyPassMatch (?i)^/arcgis/services(.*)$ https://arcgis01dev/arcgis/services/$1
ProxyPassReverse /arcgis/services https://arcgis01dev/arcgis/services
ProxyPassMatch (?i)^/arcgis/rest(.*)$ https://arcgis01dev/arcgis/rest/$1
ProxyPassReverse /arcgis/rest https://arcgis01dev/arcgis/rest
ProxyPassMatch (?i)^/arcgis/sdk/rest(.*)$ https://arcgis01dev/arcgis/sdk/rest/$1
ProxyPassReverse /arcgis/sdk/rest https://arcgis01dev/arcgis/sdk/rest
ProxyPassMatch (?i)^/arcgis/tokens(.*)$ https://arcgis01dev/arcgis/tokens/$1
ProxyPassReverse /arcgis/tokens https://arcgis01dev/arcgis/tokens
ProxyPassMatch (?i)^/arcgis/server/proxyoutput/(.*)$ https://arcgis01dev/proxyoutput/$1
ProxyPassReverse /arcgis/server/proxyoutput/ https://arcgis01dev/proxyoutput/
ProxyPassMatch (?i)^/arcgis/server/proxycache/(.*)$ https://arcgis01dev/proxycache/$1
ProxyPassReverse /arcgis/server/proxycache/ https://arcgis01dev/proxycache/
ProxyPassMatch (?i)^/arcgis/server/proxyjobs/(.*)$ https://arcgis01dev/proxyjobs/$1
ProxyPassReverse /arcgis/server/proxyjobs/ https://arcgis01dev/proxyjobs
# public instance
ProxyPassMatch (?i)^/public/services(.*)$ https://arcgis01dev/public/services/$1
ProxyPassReverse /public/services https://arcgis01dev/public/services
ProxyPassMatch (?i)^/public/rest(.*)$ https://arcgis01dev/public/rest/$1
ProxyPassReverse /public/rest https://arcgis01dev/public/rest
ProxyPassMatch (?i)^/public/sdk/rest(.*)$ https://arcgis01dev/public/sdk/rest/$1
ProxyPassReverse /public/sdk/rest https://arcgis01dev/public/sdk/rest
ProxyPassMatch (?i)^/public/tokens(.*)$ https://arcgis01dev/public/tokens/$1
ProxyPassReverse /public/tokens https://arcgis01dev/public/tokens
ProxyPassMatch (?i)^/public/server/proxyoutput/(.*)$ https://arcgis01dev/proxyoutput/$1
ProxyPassReverse /public/server/proxyoutput/ https://arcgis01dev/proxyoutput/
ProxyPassMatch (?i)^/public/server/proxycache/(.*)$ https://arcgis01dev/proxycache/$1
ProxyPassReverse /public/server/proxycache/ https://arcgis01dev/proxycache/
ProxyPassMatch (?i)^/public/server/proxyjobs/(.*)$ https://arcgis01dev/proxyjobs/$1
ProxyPassReverse /public/server/proxyjobs/ https://arcgis01dev/proxyjobs
DocumentRoot /prj/web/arcgisproxy01dev/htdocs
<Directory /prj/web/arcgisproxy01dev/htdocs>
  Options FollowSymLinks Includes
  AllowOverride All
  Order allow,deny
  Allow from all
  SSL</Directory>
ScriptAlias /cgi-bin/ /prj/web/arcgisproxy01dev/cgi-bin/
<Directory /prj/web/arcgisproxy01dev/cgi-bin>
  AllowOverride AuthConfig Limit
  Options None
  Order allow,deny
  Allow from all
  SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Directory>
ErrorLog ssl_error_log
CustomLog ssl_access_log combined
</VirtualHost>



[Bug 53612] Reverse Proxy causing 500 error SSL proxy 1.0.1c OpenSSL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53612

--- Comment #3 from Eric Covener <co...@gmail.com> ---
Presumably there's a new SSL behavior over the wire; you'll have to capture it
with e.g. ssldump and provide loglevel debug that corresponds to it.



[Bug 53612] Reverse Proxy causing 500 error SSL proxy 1.0.1c OpenSSL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53612

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 OS|                            |All

--- Comment #1 from Eric Covener <co...@gmail.com> ---
You'll have to provide some details of the SSL connection between the two
servers if you want it looked at as a bug in Apache.



[Bug 53612] Reverse Proxy causing 500 error SSL proxy 1.0.1c OpenSSL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53612

--- Comment #4 from Rainer Jung <ra...@kippdata.de> ---
Shooting from the hip: Could it be

http://rt.openssl.org/index.html?q=2811

which was fixed after the OpenSSL 1.0.1c release in

http://cvs.openssl.org/chngview?cn=22565

Regards,

Rainer
