httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 52703] New: SSL+SNI+client-auth fakeBasicAuth "lost" after some time
Date Sat, 18 Feb 2012 03:14:28 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52703

             Bug #: 52703
           Summary: SSL+SNI+client-auth fakeBasicAuth "lost" after some
                    time
           Product: Apache httpd-2
           Version: 2.2.16
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: calestyo@scientia.net
    Classification: Unclassified


Hi.

This is a really weird problem. I'm actually not sure whether it's a bug in
Apache (or the browsers) but, having absolutely no idea, I need some point to
start (sorry).

It is similar to (and may be related to) #52631. It happens with Firefox and
Chromium.


Setup is the following:
I'm using SSL with SNI and SSL client authentication required.
I have fakeBasicAuth enabled.

I go to the site, I'm asked for my certificate, I'm granted access... so far
everything is fine.

But after some time (haven't measured it, about in the range of 10 minutes),
when I click reload, or any link within the same site, the access is forbidden
and I get HTTP 403.
It seems as if the SSL session would still be open (the browsers show their
coloured address and there is no client cert or other SSL error).

Looking in the vhost's log I see:
[Sat Feb 18 04:08:23 2012] [error] No hostname was provided via SNI for a name
based virtual host
[Sat Feb 18 04:08:23 2012] [error] No hostname was provided via SNI for a name
based virtual host

and in the server wide error log:
[Sat Feb 18 04:08:22 2012] [info] [client 91.8.39.109] Connection to child 84
established (server localhost:443)
[Sat Feb 18 04:08:22 2012] [info] Seeding PRNG with 1312 bytes of entropy
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection to child 17
established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] Seeding PRNG with 1312 bytes of entropy
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection to child 213
established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] Seeding PRNG with 1312 bytes of entropy
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection to child 148
established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] Seeding PRNG with 1312 bytes of entropy
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection to child 83
established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] Seeding PRNG with 1312 bytes of entropy
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection to child 11
established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] Seeding PRNG with 1312 bytes of entropy
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection closed to
child 84 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection closed to
child 11 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Request header read
timeout
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] (70007)The timeout
specified has expired: SSL input filter read failed.
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Connection closed to
child 17 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Request header read
timeout
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] (70007)The timeout
specified has expired: SSL input filter read failed.
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Connection closed to
child 213 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Request header read
timeout
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] (70007)The timeout
specified has expired: SSL input filter read failed.
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Connection closed to
child 148 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Request header read
timeout
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] (70007)The timeout
specified has expired: SSL input filter read failed.
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Connection closed to
child 83 with standard shutdown (server localhost:443)


...for every tried access.
The times of both log outputs correspond (both from the same access).
Not sure what this timeout from the server log is... but I guess it's due to my
use of RequestReadTimeout, could that be?!


When I restart Apache and try it again with both browsers it still doesn't work
again (still get 403, but still the SSL session seems to be successfully
created).


The only way to get it working again is to close the browsers and start again,
or, with Firefox, to clear all "Active Logons".


Now I have absolutely no idea where to start tracing,... not even whether this
seems to be more a browser issue or a server issue.
Just some indication that some timeout or cache that runs out could be the
reason.


Any ideas?


Cheers,
Chris.
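
Added example, not part of the original report or of Apache httpd: a small triage script for the two logs quoted above. It pairs each "Connection to child N established" line with its close, marks connections that ended in "Request header read timeout", and lists the children whose connection was open when the vhost log recorded the SNI error. The log samples are a subset of the report's lines with the mail wrapping undone; the function names and the heuristic (a connection that timed out reading headers never delivered a request, so it cannot be the one that got the 403) are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the report's wrapped log lines, re-joined.
SERVER_LOG = """\
[Sat Feb 18 04:08:22 2012] [info] [client 91.8.39.109] Connection to child 84 established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection to child 17 established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection to child 11 established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection closed to child 84 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection closed to child 11 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Request header read timeout
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Connection closed to child 17 with standard shutdown (server localhost:443)
"""
VHOST_LOG = """\
[Sat Feb 18 04:08:23 2012] [error] No hostname was provided via SNI for a name based virtual host
[Sat Feb 18 04:08:23 2012] [error] No hostname was provided via SNI for a name based virtual host
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse(log):
    """Yield (timestamp, client or None, message) for each well-formed error-log line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["client"], m["msg"]

def connections(server_log):
    """Return {child: record}; a timeout line is attributed to the next close from the same client."""
    conns, pending_timeout = {}, set()
    for ts, client, msg in parse(server_log):
        if m := re.match(r"Connection to child (\d+) established", msg):
            conns[int(m[1])] = {"client": client, "opened": ts, "closed": None, "timed_out": False}
        elif msg.startswith("Request header read timeout"):
            pending_timeout.add(client)
        elif m := re.match(r"Connection closed to child (\d+)", msg):
            c = conns.setdefault(int(m[1]), {"client": client, "opened": None, "closed": None, "timed_out": False})
            c["closed"], c["timed_out"] = ts, client in pending_timeout
            pending_timeout.discard(client)
    return conns

def sni_error_candidates(server_log, vhost_log):
    """Children open when an SNI error was logged that closed without a header-read timeout."""
    errs = {ts for ts, _, msg in parse(vhost_log) if msg.startswith("No hostname was provided via SNI")}
    return sorted(ch for ch, c in connections(server_log).items()
                  if not c["timed_out"] and c["opened"] and c["closed"]
                  and any(c["opened"] <= e <= c["closed"] for e in errs))
```

On this sample the connections that idle for ten seconds and then time out are separated from the short-lived ones that coincide with the SNI error, which narrows where to look in a debug-level mod_ssl log.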
