Posted to dev@httpd.apache.org by Cahya Wirawan <cw...@email.archlab.tuwien.ac.at> on 2003/07/08 15:27:03 UTC

ssl connection with mod_proxy is very unstable

I use mod_proxy for a reverse-proxied https connection. It runs fine
with apache 2.0.43, but when I upgrade it to 2.0.46, more than 50% of the
https connections fail; the httpd child process just dies.
2.0.44 and 2.0.45 have the same problem: their child process just dies in
more than 50% of https connections. I also tried upgrading openssl
to the latest version, 0.9.7b, and recompiling apache, but it doesn't help,
so maybe it is not openssl's bug. This behaviour is reproducible on
another server; I tried it here with redhat 7.0 and gentoo 1.4, and both of them
have the same problem with apache 2.0.44, 2.0.45 and 2.0.46 no matter which
openssl version, and have a stable connection with 2.0.43.
 
here is my config:

NameVirtualHost xxx.5.131.41:443
SSLProxyEngine on
<VirtualHost xxx.5.131.41:443>
        ServerName              iniskp.mydomain.org
        ProxyPass               /       https://iniskp.mydomain.org/
        ProxyPassReverse        /       https://iniskp.mydomain.org/
        LogLevel                debug
        SSLEngine               on
        SSLCertificateFile      conf/ssl/server.crt
        SSLCertificateKeyFile   conf/ssl/server.key
</VirtualHost>

And here is the error log when the connections failed:

.....
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1462):
+-------------------------------------------------------------------------+
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(109): proxy: HTTP:
canonicalising URL //iniskp.mydomain.org/
[Fri Jun 13 18:18:52 2003] [debug] mod_proxy.c(459): Trying to run scheme_handler
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(1076): proxy: HTTP: serving URL
https://iniskp.mydomain.org/
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(221): proxy: HTTP connecting
https://iniskp.mydomain.org/ to iniskp.mydomain.org:443
[Fri Jun 13 18:18:52 2003] [debug] proxy_util.c(1203): proxy: HTTP: fam 2 socket
created to connect to iniskp.mydomain.org
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(370): proxy: socket is connected
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(404): proxy: connection complete
to xxx.5.67.95:443 (iniskp.mydomain.org)
[Fri Jun 13 18:18:52 2003] [info] Connection to child 3 established (server
iniskp.mydomain.org:443, client xxx.5.67.95)
[Fri Jun 13 18:18:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL:
Handshake: start
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop:
before/connect initialization
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop:
SSLv2/v3 write client hello A
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 0/7
bytes from BIO#8194ea0 [mem: 81a1c98] (BIO dump follows)
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1431):
+-------------------------------------------------------------------------+
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1462):
+-------------------------------------------------------------------------+
[Fri Jun 13 18:18:52 2003] [info] SSL Proxy connect failed
[Fri Jun 13 18:18:52 2003] [info] Connection to child 3 closed with abortive
shutdown(server iniskp.mydomain.org:443, client xxx.5.67.95)
.....

And here is a successful connection right after the above connection:

.....
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(109): proxy: HTTP:
canonicalising URL //iniskp.mydomain.org/
[Fri Jun 13 18:18:53 2003] [debug] mod_proxy.c(459): Trying to run scheme_handler
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(1076): proxy: HTTP: serving URL
https://iniskp.mydomain.org/
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(221): proxy: HTTP connecting
https://iniskp.mydomain.org/ to iniskp.mydomain.org:443
[Fri Jun 13 18:18:53 2003] [debug] proxy_util.c(1203): proxy: HTTP: fam 2 socket
created to connect to iniskp.mydomain.org
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(370): proxy: socket is connected
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(404): proxy: connection complete
to xxx.5.67.95:443 (iniskp.mydomain.org)
[Fri Jun 13 18:18:53 2003] [info] Connection to child 5 established (server
iniskp.mydomain.org:443, client xxx.5.67.95)
[Fri Jun 13 18:18:53 2003] [info] Seeding PRNG with 136 bytes of entropy
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL:
Handshake: start
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop:
before/connect initialization
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop:
SSLv2/v3 write client hello A
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 7/7
bytes from BIO#8194ea0 [mem: 81a3ca0] (BIO dump follows)
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1431):
+-------------------------------------------------------------------------+
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1456): 
| 0000: 16 03 01 03 68 02                                ....h.           |
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1460): 
| 0007 - <SPACES/NULS>
.....

The difference is in "ssl_engine_io() : OpenSSL: read 0/7 bytes from ..." if it
failed and "ssl_engine_io() : OpenSSL: read 7/7 bytes from ..." if it is
successful.

I did some experimentation: I compiled version 2.0.44/2.0.46 but replaced all files
in the directory httpd-2.0.4[46]/modules/ssl with the files from httpd-2.0.43/modules/ssl,
and it works stably. So I assume that the problem is in the mod_ssl module.

If it is too complicated to fix this problem and would take a long time to wait for it,
is it safe if I use apache version 2.0.46 but with the mod_ssl module from version 2.0.43
as described above? Because I think I need to upgrade my apache 2.0.43 due to security issues.

thanks,
cahya.
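Editor's note: the post above eyeballs the "read 0/7" versus "read 7/7" line to tell a failed
backend handshake from a good one. The script below is an added example, not part of the
original post and not httpd code; it walks an error_log written at LogLevel debug, groups the
proxy-side events per "Connection to child N established" entry, and counts how many backend
connection attempts ended with a short first read or an "SSL Proxy connect failed" line, which
is the failure rate the poster estimates as "more than 50%". The sample log embedded in it is
constructed from the shapes of the excerpts quoted above (timestamps and child numbers are
made up), and it is wrapped the same way the post wraps the long lines, so only the fragment
that begins with a timestamp is treated as a log entry.

```python
import re
import sys

# Constructed sample: three backend connection attempts shaped like the
# error_log excerpts quoted in the post. Child numbers and timestamps are
# invented; long lines are wrapped the same way the post wraps them.
SAMPLE_LOG = """\
[Fri Jun 13 18:18:52 2003] [info] Connection to child 3 established (server
iniskp.mydomain.org:443, client xxx.5.67.95)
[Fri Jun 13 18:18:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Handshake: start
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 0/7
bytes from BIO#8194ea0 [mem: 81a1c98] (BIO dump follows)
[Fri Jun 13 18:18:52 2003] [info] SSL Proxy connect failed
[Fri Jun 13 18:18:52 2003] [info] Connection to child 3 closed with abortive
shutdown(server iniskp.mydomain.org:443, client xxx.5.67.95)
[Fri Jun 13 18:18:53 2003] [info] Connection to child 5 established (server
iniskp.mydomain.org:443, client xxx.5.67.95)
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Handshake: start
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 7/7
bytes from BIO#8194ea0 [mem: 81a3ca0] (BIO dump follows)
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1456):
| 0000: 16 03 01 03 68 02                                ....h.           |
[Fri Jun 13 18:18:54 2003] [info] Connection to child 4 established (server
iniskp.mydomain.org:443, client xxx.5.67.95)
[Fri Jun 13 18:18:54 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 0/7
bytes from BIO#8194ea0 [mem: 81a1c98] (BIO dump follows)
[Fri Jun 13 18:18:54 2003] [info] SSL Proxy connect failed
"""

# Only lines that begin with "[timestamp] [level]" start a log entry;
# wrapped continuation lines and the BIO dump rows are skipped.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$')
ESTABLISHED_RE = re.compile(r'Connection to child (\d+) established')
CLOSED_RE = re.compile(r'Connection to child (\d+) closed')
READ_RE = re.compile(r'OpenSSL: read (\d+)/(\d+)')
FAIL_MARK = 'SSL Proxy connect failed'


def parse_events(log_text):
    """Yield (timestamp, level, message) for each line that starts a log entry."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group('ts'), m.group('level'), m.group('msg')


def classify_attempts(log_text):
    """Group proxy-side events into backend connection attempts.

    An attempt starts at 'Connection to child N established' and ends at the
    matching 'closed' line. It is marked failed if the first OpenSSL read
    after the ClientHello is short (e.g. 0/7) or mod_ssl logs FAIL_MARK.
    """
    attempts = []
    current = None
    for ts, level, msg in parse_events(log_text):
        m = ESTABLISHED_RE.search(msg)
        if m:
            current = {'child': int(m.group(1)), 'ts': ts,
                       'first_read': None, 'failed': False}
            attempts.append(current)
            continue
        if current is None:
            continue
        m = READ_RE.search(msg)
        if m and current['first_read'] is None:
            got, wanted = int(m.group(1)), int(m.group(2))
            current['first_read'] = (got, wanted)
            if got < wanted:
                current['failed'] = True
        elif FAIL_MARK in msg:
            current['failed'] = True
        elif CLOSED_RE.search(msg):
            current = None
    return attempts


def summarize(log_text):
    """Return counts and the failure rate over all backend attempts in the log."""
    attempts = classify_attempts(log_text)
    failed = [a for a in attempts if a['failed']]
    short = [a for a in attempts
             if a['first_read'] and a['first_read'][0] < a['first_read'][1]]
    return {
        'total': len(attempts),
        'failed': len(failed),
        'failure_rate': len(failed) / len(attempts) if attempts else 0.0,
        'failed_children': [a['child'] for a in failed],
        'short_first_read': len(short),
    }


if __name__ == '__main__':
    # Usage: python proxy_ssl_stats.py [path/to/error_log]; with no path the
    # constructed sample above is analysed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    print(f"backend attempts: {s['total']}, failed: {s['failed']} "
          f"({s['failure_rate']:.0%}), short first read: {s['short_first_read']}, "
          f"failed children: {s['failed_children']}")
```

Run it against a real error_log written with LogLevel debug to get the actual failure ratio
rather than an estimate; a short first read that is not followed by "SSL Proxy connect
failed" would show up as a count mismatch between the two fields.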