Posted to users@httpd.apache.org by Anantha Padmanabha <an...@bankbazaar.com> on 2014/03/17 11:47:57 UTC

[users@httpd] SNI + RequestReadTimeout leads to SSL certificate error in client browser

Hi,

We are using Apache's SNI <https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI>
functionality to host multiple sites in a single Apache instance [version
2.2.22]. Let's say the domain names we host are www.A.com and www.B.com.

We are facing issues due to slow clients. Due to RequestReadTimeout
<http://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html> settings, when
a slow client gets timed out before sending headers (which I believe
includes the domain name) to a target VirtualHost, a 408 error is thrown and
the client gets an error from a different VirtualHost (default) and ends up
getting a certificate error.

I simulated this using the slowhttptest tool, and when I sent slow requests to
www.B.com, 408 errors were getting logged in the default VirtualHost's log file
of www.A.com (actual data has been changed for privacy).


/opt/bin/slowhttptest -c 2 -i 100 -v 4 -u https://www.B.com/test.html

Fri Mar 14 20:22:15 2014:closing slow socket 3
Fri Mar 14 20:22:16 2014:run_test: socket 4 replied 194 bytes:
HTTP/1.1 408 Request Time-out
Date: Fri, 14 Mar 2014 14:52:03 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 223
Connection: close
Content-Type: text/html; charset=iso-8859-1
Fri Mar 14 20:22:16 2014:run_test: socket 4 replied 223 bytes:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>408 Request Time-out</title>
</head><body>
<h1>Request Time-out</h1>
<p>Server timeout waiting for the HTTP request from the client.</p>
</body></html>

www.A.com logs
/var/log/apache2$ ls *-access.log|grep test.html
www.A.com-access.log:10.10.10.10 - - [14/Mar/2014:20:22:03 +0530] "GET /test.html HTTP/1.1" 408 223 11402764 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2)" 761 5512 - - - - - 10.10.10.10


More than the logging at the server, this is affecting the client, as the browser
throws a certificate warning saying something along the lines of
"You attempted to reach www.B.com but instead you actually reached a server
identifying itself as www.A.com"

Please let us know how we can ensure the certificate error doesn't show up when
using SNI and a header-level request timeout happens.

Thanks
Anantha