Posted to users@httpd.apache.org by Qingshan Xie <xi...@yahoo.com> on 2010/12/27 22:28:23 UTC
[users@httpd] Apache-2.2.17 and Openssl-1.0.0x failed on SSL-Proxy Client-Cert-Authentication
Hello,
We have Apache 2.2.17 + Openssl-1.0.0a compiled under a RedHat Enterprise
Linux 64-bit host. It's installed in a Reverse Proxy Server, which SSL-proxies to
the backend. It failed if configured with Client-Cert-Auth. Turning on log level
to Debug, it threw the errors pasted below. I re-compiled Apache 2.2.17 +
Openssl-1.0.0c, and it threw the same errors. However, it worked well after I
re-compiled Apache 2.2.17 + Openssl-0.9.8q. It looks to me like there is a
compatibility issue between Apache 2.2.17 and Openssl-1.0.0x. Have you ever had
the same issue, or is there a bug report for it? If yes, please let me know if
there is any solution or workaround.
Happy New Year!
Q.Xie
=============================================================================
......
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1866): OpenSSL:
Handshake: start
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
before/connect initialization
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv2/v3 write client hello A
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_io.c(1889): OpenSSL: read 7/7
bytes from BIO#673210 [mem: 6c4aa0] (BIO dump follows)
......
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 read server hello A
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1321): [client
173.37.99.48] Certificate Verification: depth: 2, subject: /O=Digital Signature
Trust Co./CN=DST Root CA X3, issuer: /O=Digital Signature Trust Co./CN=DST Root
CA X3
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1321): [client
173.37.99.48] Certificate Verification: depth: 1, subject: /O=xxxx
Systems/CN=xxxx SSCA, issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1321): [client
173.37.99.48] Certificate Verification: depth: 0, subject:
/C=US/ST=California/L=San Jose/O=xxxx
Systems/OU=ATS/CN=xxxx.xxxx.com/emailAddress=itg-appserver-pms@xxxx.com, issuer:
/O=xxxx Systems/CN=xxxx SSCA
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 read server certificate A
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 read server certificate request A
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 read server done A
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1660): Proxy client
certificate callback: (xxxx.xxxx.com:80) entered
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1633): Proxy client
certificate callback: (xxxx.xxxx.com:80) found acceptable cert, sending
/C=US/ST=California/L=San Jose/O=xxxx
Systems/OU=ATS/CN=xxxx.xxxx.com/emailAddress=itg-appserver-pms@xxxx.com
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard
slot 0 in child 1748 for worker https://xxxx.xxxx.com/
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1837): proxy: worker
https://xxxx.xxxx.com/ already initialized
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1914): proxy: initialized worker
0 in child 1748 for (xxxx.xxxx.com) min=0 max=32 smax=32
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard
slot 1 in child 1748 for worker proxy:reverse
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1914): proxy: initialized worker
1 in child 1748 for (*) min=0 max=32 smax=32
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard
slot 0 in child 1750 for worker https://xxxx.xxxx.com/
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1837): proxy: worker
https://xxxx.xxxx.com/ already initialized
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1914): proxy: initialized worker
0 in child 1750 for (xxxx.xxxx.com) min=0 max=32 smax=32
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard
slot 1 in child 1750 for worker proxy:reverse
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1914): proxy: initialized worker
1 in child 1750 for (*) min=0 max=32 smax=32
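
A small triage script for debug output like the log above, added here as an example and not part of the original post: it rejoins the hard-wrapped lines, then reports the last OpenSSL handshake state, whether the backend requested a client certificate, whether the proxy offered one, and whether the handshake completed. The sample lines and the `backend.example` / `proxy.example` names are constructed.

```python
import re

# Constructed sample in the shape of the mod_ssl debug log quoted above,
# hard-wrapped the way the mail was. Host names are placeholders.
SAMPLE = """\
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1866): OpenSSL:
Handshake: start
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 read server certificate request A
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 read server done A
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1660): Proxy client
certificate callback: (backend.example:80) entered
[Fri Dec 24 20:37:08 2010] [debug] ssl_engine_kernel.c(1633): Proxy client
certificate callback: (backend.example:80) found acceptable cert, sending
/CN=proxy.example
[Fri Dec 24 20:37:09 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard
slot 0 in child 1748 for worker https://backend.example/
"""

# A new record starts with "[Day Mon DD HH:MM:SS YYYY] [level] ".
RECORD_START = re.compile(r"^\[\w{3} \w{3} +\d+ [\d:]+ \d{4}\] \[\w+\] ")
OPENSSL_MSG = re.compile(r"OpenSSL: (\w+): (.+)$")

def unwrap(text):
    """Rejoin hard-wrapped continuation lines onto their log record."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Report how far the proxy-side TLS handshake got."""
    r = {"last_state": None, "cert_requested": False,
         "cert_offered": False, "completed": False}
    for rec in unwrap(text):
        m = OPENSSL_MSG.search(rec)
        if m and m.group(1) == "Loop":
            r["last_state"] = m.group(2)
            if "read server certificate request" in m.group(2):
                r["cert_requested"] = True
        elif m and m.group(1) == "Handshake" and m.group(2) == "done":
            r["completed"] = True  # mod_ssl logs "Handshake: done" on success
        elif "Proxy client certificate callback" in rec and "found acceptable cert" in rec:
            r["cert_offered"] = True
    return r

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result with `cert_offered` true and `completed` false, as in the sample, narrows the failure to the steps after the client certificate callback.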