Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/03/15 09:36:10 UTC

[Bug 65186] New: could not buffer message body to allow SSL renegotiation to proceed

https://bz.apache.org/bugzilla/show_bug.cgi?id=65186

            Bug ID: 65186
           Summary: could not buffer message body to allow SSL
                    renegotiation to proceed
           Product: Apache httpd-2
           Version: 2.4.23
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: gopiraj.m@pramata.com
  Target Milestone: ---

Created attachment 37771
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37771&action=edit
Apache error log screenshot

Hi Team, 

We are trying to upload some files from one service to another microservice.

During uploading the file, we are getting the below errors for certain files in
production, but not on any other environments. Apache is raising those errors
before it's reaching the application.

From the logs, we could understand the SSL renegotiation was not able to happen
for some reason during the maximum body it can handle.

By default, we know that the maximum size is 128Kb. I believe that there is
nothing to do with the file size because we were able to upload 20MB files
without any issue.

FYI: using the same file we were able to successfully send the data from one
service to another service in another env. 

File size: 400Kb
File type: PDF

Error:
request body exceeds the maximum size (131072) for SSL buffer
could not buffer message body to allow SSL renegotiation to proceed

Screenshots are attached for reference.

Please guide!

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 65186] could not buffer message body to allow SSL renegotiation to proceed

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65186

--- Comment #2 from Gopiraj M <go...@pramata.com> ---
Hi Joe,

We are not using SSLVerifyClient on. By the way, I couldn't understand why the
SSL reneg buffer is required, because when the data is more than 20 MB we were
able to make renegotiation without any issues and the file is uploaded without
any issues.

FYI: we are using multipart/form-data & type: application/json to read the
file and send it to the other service to save the file.

Thanks in advance!



[Bug 65186] could not buffer message body to allow SSL renegotiation to proceed

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65186

Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |NEEDINFO

--- Comment #3 from Joe Orton <jo...@redhat.com> ---
You have some mod_ssl configuration which requires renegotiation, that's
usually SSLVerifyClient but it could (rarely) be something like SSLCipherSuite.
Turn on debugging for mod_ssl ("LogLevel ssl:debug") and grep error_log for
"renegotiation".



[Bug 65186] could not buffer message body to allow SSL renegotiation to proceed

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65186

Gopiraj M <go...@pramata.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gopiraj.m@pramata.com



[Bug 65186] could not buffer message body to allow SSL renegotiation to proceed

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65186

Gopiraj M <go...@pramata.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |---
             Status|RESOLVED                    |REOPENED



[Bug 65186] could not buffer message body to allow SSL renegotiation to proceed

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65186

Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Joe Orton <jo...@redhat.com> ---
The "reneg buffer" is required if you want to renegotiate in the same request
that a client cert is first required.  Either:

a) you need a buffer large enough to handle whatever you're expecting can be
uploaded, or better,

b) ensure that your site is structured so the first request which requires a
client cert (SSLVerifyClient on) does NOT include a large body, but is a plain
GET request.  Then follow up the form/file upload in a second POST request.



[Bug 65186] could not buffer message body to allow SSL renegotiation to proceed

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65186

Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #5 from Joe Orton <jo...@redhat.com> ---
Please take it to the users list or somewhere, Bugzilla is for reporting bugs,
this isn't a support forum.

https://httpd.apache.org/lists.html#http-users



[Bug 65186] could not buffer message body to allow SSL renegotiation to proceed

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65186

Gopiraj M <go...@pramata.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #4 from Gopiraj M <go...@pramata.com> ---
Hi Joe, thanks for your guidance.

Please find the SSL logs which I extracted from Apache. Here I could see the
cipher suite is forcefully re-initiating the SSL renegotiation. But first of
all, I couldn't understand why this behavior should happen.


AH02645: Server name not provided via TLS extension (using default/first
virtual host)
AH02041: Protocol: TLSv1.2, Cipher: XXX-XXX-XXX-XXX-XXX (256/256 bits)
AH02034: Initial (No.1) HTTPS request received for child 215 (server
sample.com:443), referer: https://sample.com
AH02220: Reconfigured cipher suite will force renegotiation, referer:
https://sample.com
AH02221: Requesting connection re-negotiation, referer: https://sample.com
AH02260: Performing full renegotiation: complete handshake protocol (client
does support secure renegotiation), referer: https://sample.com
AH02226: Awaiting re-negotiation handshake, referer: https://sample.com
AH02645: Server name not provided via TLS extension (using default/first
virtual host)
AH02041: Protocol: TLSv1.2, Cipher: XXX-XXX-XXX-XXX-XXX (256/256 bits)
AH02034: Initial (No.1) HTTPS request received for child 201 (server
sample.com:443), referer: https://sample.com
AH02220: Reconfigured cipher suite will force renegotiation, referer:
https://sample.com
AH02018: request body exceeds maximum size (131072) for SSL buffer, referer:
https://sample.com
AH02257: could not buffer message body to allow SSL renegotiation to proceed,
https://sample.com

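Added example, not part of the bug thread: a script that automates the "grep error_log for renegotiation" step from comment #3 by grouping mod_ssl messages per client connection and reporting what forced the renegotiation and whether the reneg buffer limit was hit. The log layout, log levels, timestamps and client addresses below are constructed; only the AH codes and message texts are taken from comment #4.

```python
import re
from collections import defaultdict

# Constructed sample, abbreviated from Apache 2.4's default error log layout.
# AH codes and message texts are those quoted in comment #4; timestamps,
# pids, levels and client addresses (192.0.2.0/24 doc range) are made up.
SAMPLE_LOG = """\
[Mon Mar 15 09:30:01 2021] [ssl:debug] [pid 215] [client 192.0.2.10:40001] AH02220: Reconfigured cipher suite will force renegotiation, referer: https://sample.com
[Mon Mar 15 09:30:01 2021] [ssl:info] [pid 215] [client 192.0.2.10:40001] AH02221: Requesting connection re-negotiation, referer: https://sample.com
[Mon Mar 15 09:30:01 2021] [ssl:info] [pid 215] [client 192.0.2.10:40001] AH02226: Awaiting re-negotiation handshake, referer: https://sample.com
[Mon Mar 15 09:30:02 2021] [ssl:debug] [pid 201] [client 192.0.2.10:40002] AH02220: Reconfigured cipher suite will force renegotiation, referer: https://sample.com
[Mon Mar 15 09:30:02 2021] [ssl:error] [pid 201] [client 192.0.2.10:40002] AH02018: request body exceeds maximum size (131072) for SSL buffer, referer: https://sample.com
[Mon Mar 15 09:30:02 2021] [ssl:error] [pid 201] [client 192.0.2.10:40002] AH02257: could not buffer message body to allow SSL renegotiation to proceed
[Mon Mar 15 09:30:03 2021] [ssl:debug] [pid 230] [client 192.0.2.10:40003] AH02041: Protocol: TLSv1.2, Cipher: XXX-XXX-XXX-XXX-XXX (256/256 bits)
"""

LINE_RE = re.compile(r"\[client (?P<client>[^\]]+)\] (?P<code>AH\d{5}): (?P<msg>.*)")
SIZE_RE = re.compile(r"maximum size \((\d+)\)")


def analyze(log_text):
    """Return {client: summary} for connections where renegotiation was forced."""
    conns = defaultdict(
        lambda: {"trigger": None, "handshake": False, "limit": None, "failed": False}
    )
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-client message
        conn, code, msg = conns[m["client"]], m["code"], m["msg"]
        if "will force" in msg and "renegotiation" in msg:
            # AH02220 is the cipher-suite case seen in comment #4; any other
            # "will force ... renegotiation" message is kept verbatim.
            conn["trigger"] = "SSLCipherSuite" if code == "AH02220" else msg
        elif code == "AH02226":
            conn["handshake"] = True  # renegotiation handshake was started
        elif code == "AH02018":
            size = SIZE_RE.search(msg)
            conn["limit"] = int(size.group(1)) if size else None
        elif code == "AH02257":
            conn["failed"] = True  # body could not be buffered, request rejected
    return {client: c for client, c in conns.items() if c["trigger"]}


if __name__ == "__main__":
    for client, summary in analyze(SAMPLE_LOG).items():
        print(client, summary)
```

A connection reported with `failed` set and a `limit` of 131072 is the case from comment #1: the request that triggered renegotiation carried a body larger than the reneg buffer.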