Posted to users@httpd.apache.org by Qingshan Xie <xi...@yahoo.com> on 2010/12/27 22:28:23 UTC

[users@httpd] Apache-2.2.17 and Openssl-1.0.0x failed on SSL-Proxy Client-Cert-Authentication

Hello, 

  We have Apache 2.2.17 + OpenSSL-1.0.0a compiled on a RedHat Enterprise 
Linux 64-bit host.  It's installed on a reverse proxy server, which SSL-proxies 
to the backend.  It failed when configured with Client-Cert-Auth.  With the log 
level turned up to Debug, it threw the errors pasted below.  I re-compiled 
Apache 2.2.17 + OpenSSL-1.0.0c, and it threw the same errors.  However, it 
worked well after I re-compiled Apache 2.2.17 + OpenSSL-0.9.8q.  It looks to me 
like there is a compatibility issue between Apache 2.2.17 and OpenSSL-1.0.0x.  
Have you ever had the same issue, or is there a bug report for it?  If yes, 
please let me know if there is any solution or workaround. 

Happy New Year! 
Q.Xie
=============================================================================
......
      
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1866): OpenSSL: 
Handshake: start
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: 
before/connect initialization
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: 
SSLv2/v3 write client hello A
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_io.c(1889): OpenSSL: read 7/7 
bytes from BIO#673210 [mem: 6c4aa0] (BIO dump follows)
......
      
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: 
SSLv3 read server hello A
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1321): [client 
173.37.99.48] Certificate Verification: depth: 2, subject: /O=Digital Signature 
Trust Co./CN=DST Root CA X3, issuer: /O=Digital Signature Trust Co./CN=DST Root 
CA X3
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1321): [client 
173.37.99.48] Certificate Verification: depth: 1, subject: /O=xxxx 
Systems/CN=xxxx SSCA, issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1321): [client 
173.37.99.48] Certificate Verification: depth: 0, subject: 
/C=US/ST=California/L=San Jose/O=xxxx 
Systems/OU=ATS/CN=xxxx.xxxx.com/emailAddress=itg-appserver-pms@xxxx.com, issuer: 
/O=xxxx Systems/CN=xxxx SSCA
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: 
SSLv3 read server certificate A
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: 
SSLv3 read server certificate request A
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: 
SSLv3 read server done A
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1660): Proxy client 
certificate callback: (xxxx.xxxx.com:80) entered
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1633): Proxy client 
certificate callback: (xxxx.xxxx.com:80) found acceptable cert, sending 
/C=US/ST=California/L=San Jose/O=xxxx 
Systems/OU=ATS/CN=xxxx.xxxx.com/emailAddress=itg-appserver-pms@xxxx.com
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard 
slot 0 in child 1748 for worker https://xxxx.xxxx.com/
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1837): proxy: worker 
https://xxxx.xxxx.com/ already initialized
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1914): proxy: initialized worker 
0 in child 1748 for (xxxx.xxxx.com) min=0 max=32 smax=32
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard 
slot 1 in child 1748 for worker proxy:reverse
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1837): proxy: worker 
proxy:reverse already initialized
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1914): proxy: initialized worker 
1 in child 1748 for (*) min=0 max=32 smax=32
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard 
slot 0 in child 1750 for worker https://xxxx.xxxx.com/
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1837): proxy: worker 
https://xxxx.xxxx.com/ already initialized
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1914): proxy: initialized worker 
0 in child 1750 for (xxxx.xxxx.com) min=0 max=32 smax=32
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard 
slot 1 in child 1750 for worker proxy:reverse
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1837): proxy: worker 
proxy:reverse already initialized
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1914): proxy: initialized worker 
1 in child 1750 for (*) min=0 max=32 smax=32


      
