httpd-users mailing list archives

From Christian Gottschalch <ma...@llbc.de>
Subject Re: [users@httpd] httpd 2.2.3 as an SSL proxy with a client certificate fails on connect
Date Thu, 21 Dec 2006 09:07:02 GMT
Why do you use HTTPS in the backend? It looks like the backend system also 
needs client certificate authentication; there may be something wrong 
with your SSLProxyMachineCertificateFile? Try to send a wget request to 
the remote server and use SSLProxyMachineCertificateFile. Does wget get 
authorized at the remote system?

regards

Shai Yallin wrote:
>
> Hi all,
>
> I'm running httpd 2.2.3 on win32 with openssl 0.9.8d as a reverse 
> proxy server.
>
> One of the things this server needs to do is to act as a reverse proxy 
> for applications that do not speak SSL, to SSL-only servers.
>
> I have configured the following:
>
> SSLMutex default
> SSLRandomSeed startup builtin
> SSLSessionCache none
>
> <VirtualHost 192.168.2.231:8443>
>         DocumentRoot d:/WebServer/www
>         ProxyRequests Off
>         ProxyPreserveHost On
>         RequestHeader set ClientProtocol HTTPS
>         SSLProxyMachineCertificateFile d:/WebServer/apache2/conf/ssl/cellcom_cpm.cert
>         SSLProxyEngine On
>         ProxyPass /cpm/         https://192.118.30.12/
>         ProxyPassReverse /cpm/  https://192.118.30.12/
> </VirtualHost>
>
> This worked for a few months, then suddenly started returning the 
> following error and dying:
>
> [Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass 
> request body failed to 192.118.30.12:443 (192.118.30.12)
>
> [Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass 
> request body failed to 192.118.30.12:443 (192.118.30.12) from 
> 192.168.2.1 ()
>
> I ran httpd in debug mode and got the following:
>
> [Mon Dec 18 10:17:53 2006] [debug] mod_proxy_http.c(54): proxy: HTTP: 
> canonicalising URL //192.118.30.12/cpm.wsdl
>
> [Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1378): [client 
> 192.168.2.1] proxy: https: found worker https://192.118.30.12/ for 
> https://192.118.30.12/cpm.wsdl
>
> [Mon Dec 18 10:17:53 2006] [debug] mod_proxy.c(756): Running scheme 
> https handler (attempt 0)
>
> [Mon Dec 18 10:17:53 2006] [debug] mod_proxy_http.c(1662): proxy: 
> HTTP: serving URL https://192.118.30.12/cpm.wsdl
>
> [Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1798): proxy: HTTPS: 
> has acquired connection for (192.118.30.12)
>
> [Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1858): proxy: 
> connecting https://192.118.30.12/cpm.wsdl to 192.118.30.12:443
>
> [Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1951): proxy: 
> connected /cpm.wsdl to 192.118.30.12:443
>
> [Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(2045): proxy: HTTPS: 
> fam 2 socket created to connect to 192.118.30.12
>
> [Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(2141): proxy: HTTPS: 
> connection complete to 192.118.30.12:443 (192.118.30.12)
>
> [Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] Connection to 
> child 249 established (server israel-test.backbone.locationet.com:8443)
>
> [Mon Dec 18 10:17:53 2006] [info] Seeding PRNG with 0 bytes of entropy
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1752): OpenSSL: 
> Handshake: start
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: 
> Loop: before/connect initialization
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: 
> Loop: SSLv2/v3 write client hello A
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: 
> read 7/7 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 
> 03 01 00 2a 02                                ....*.           |
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0007 - 
> <SPACES/NULS>
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: 
> read 40/40 bytes from BIO#ec6da0 [mem: f03147] (BIO dump follows)
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 00 
> 26 03 01 fa 44 46 43-f0 21 42 c5 5f 67 8b 95  .&...DFC.!B._g.. |
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0010: 03 
> 0d d9 c8 dd 01 b1 19-52 76 3a 0f 39 1a c7 91  ........Rv:.9... |
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0020: 4c 
> d1 ee 4c 00 00 04                             L..L...          |
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0040 - 
> <SPACES/NULS>
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: 
> Loop: SSLv3 read server hello A
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: 
> read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 
> 03 01 11 b1                                   .....            |
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: 
> read 4529/4529 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
> +-------------------------------------------------------------------------+
>
> (snip BIO dump)
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): 
> Certificate Verification: depth: 2, subject: /CN=CelCaRoot, issuer: 
> /CN=CelCaRoot
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): 
> Certificate Verification: depth: 2, subject: /CN=CelCaRoot, issuer: 
> /CN=CelCaRoot
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): 
> Certificate Verification: depth: 1, subject: 
> /DC=il/DC=co/DC=cellcom/DC=corp/DC=sdmz/CN=sdmzca, issuer: /CN=CelCaRoot
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): 
> Certificate Verification: depth: 0, subject: 
> /C=IL/ST=Israel/L=Natania/O=Cellcom/OU=IT/CN=CPM-QA.cellcom.co.il, 
> issuer: /DC=il/DC=co/DC=cellcom/DC=corp/DC=sdmz/CN=sdmzca
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: 
> Loop: SSLv3 read server certificate A
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: 
> read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 
> 03 01 00 08                                   .....            |
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: 
> read 8/8 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 0d 
> 00 00 04 01 01                                ......           |
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0008 - 
> <SPACES/NULS>
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: 
> Loop: SSLv3 read server certificate request A
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: 
> read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 
> 03 01 00 04                                   .....            |
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: 
> read 4/4 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 
> 0e                                               .                |
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0004 - 
> <SPACES/NULS>
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
> +-------------------------------------------------------------------------+
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: 
> Loop: SSLv3 read server done A
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1526): Proxy 
> client certificate callback: 
> (israel-test.backbone.locationet.com:8443) entered
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1499): Proxy 
> client certificate callback: 
> (israel-test.backbone.locationet.com:8443) no acceptable CA list, 
> sending /O=Cellcom/CN=Locationet
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: 
> Loop: SSLv3 write client certificate A
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: 
> Loop: SSLv3 write client key exchange A
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: 
> Loop: SSLv3 write certificate verify A
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: 
> Loop: SSLv3 write change cipher spec A
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: 
> Loop: SSLv3 write finished A
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: 
> Loop: SSLv3 flush data
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1786): OpenSSL: I/O 
> error, 5 bytes expected to read on BIO#ec6da0 [mem: f03140]
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1789): OpenSSL: 
> Exit: error in SSLv3 read finished A
>
> [Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1789): OpenSSL: 
> Exit: error in SSLv3 read finished A
>
> [Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] SSL Proxy 
> connect failed
>
> [Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] Connection 
> closed to child 249 with abortive shutdown (server 
> israel-test.backbone.locationet.com:8443)
>
> [Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass 
> request body failed to 192.118.30.12:443 (192.118.30.12)
>
> [Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass 
> request body failed to 192.118.30.12:443 (192.118.30.12) from 
> 192.168.2.1 ()
>
> I can't seem to find any definite answer googling this error.
>
> I'll be glad to have any lead on the subject.
>
> Cheers,
>
> Shai Yallin
>
> IT Manager &  Developer
>
> LocatioNet Systems Ltd.
>
> Tel:         +972-9-8856451
>
> Fax:       +972-9-8856452
>
> Mobile: +972-54-4840868
>
>  
>
> "...we will be restoring normality just as soon as we are sure what is 
> normal anyway."
>
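
An added example of the check the reply suggests; it is not code from the original mail, from httpd or from mod_ssl. It presents a proxy "machine" certificate to a backend outside httpd and reports whether the backend completes the handshake. So that it runs offline, the backend is a throwaway openssl s_server with its own test CA; the same probe against the real backend is openssl s_client -connect 192.118.30.12:443 -cert d:/WebServer/apache2/conf/ssl/cellcom_cpm.cert (or wget with --certificate/--private-key). Read against the log above: the backend's CertificateRequest carried an empty acceptable-CA list, and the connection died at "read finished A", which is exactly what a backend that rejects the presented client certificate looks like from the proxy side under SSLv3/TLS 1.2, so the script also shows a rejected certificate beside an accepted one and a validity check for a certificate that "worked for a few months". All names, subjects, paths and the port are assumptions.

```shell
#!/bin/sh
# Added example for this thread; not code from the original mail, from httpd
# or from mod_ssl. It builds, offline:
#  1. a test CA, a backend cert, and a proxy "machine" cert signed by that CA,
#     stored as cert + unencrypted key in one PEM, which is the layout
#     SSLProxyMachineCertificateFile expects
#  2. a second proxy cert signed by an unrelated CA
#  3. openssl s_server as the backend: it demands a client certificate and,
#     like the backend in the log, aborts the handshake when it cannot verify it
#  4. probe_backend presents each PEM and reports accepted/rejected;
#     still_valid_for checks the one thing that changes "after a few months"
# Every name, subject, path and the port below is an assumption.

WORK=$(mktemp -d)
PORT=${PORT:-48443}            # assumed free local port

# Minimal req config so the example does not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
printf 'basicConstraints=CA:FALSE\n' >"$WORK/leaf.ext"

# make_ca NAME SUBJECT: self-signed CA as $WORK/NAME.crt and $WORK/NAME.key
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_leaf CA NAME SUBJECT: leaf cert issued by CA, then NAME.pem = cert + key
make_leaf() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/$2.crt" \
        >/dev/null 2>&1
    cat "$WORK/$2.crt" "$WORK/$2.key" >"$WORK/$2.pem"
}

make_ca   ca    "/CN=Test Backend CA"
make_ca   other "/CN=Unrelated CA"
make_leaf ca    backend "/CN=backend.test"
make_leaf ca    good    "/O=Example Proxy/CN=proxy-machine"
make_leaf other rogue   "/O=Example Proxy/CN=proxy-machine"

# Backend stand-in. -Verify makes a client certificate mandatory; -CAfile is
# both the trust store for it and the acceptable-CA list sent in the
# CertificateRequest (empty in the log); -verify_return_error turns a failed
# verification into a handshake failure instead of a logged warning.
openssl s_server -accept "$PORT" -cert "$WORK/backend.crt" -key "$WORK/backend.key" \
    -CAfile "$WORK/ca.crt" -Verify 2 -verify_return_error -www >/dev/null 2>&1 &
SERVER=$!
trap 'kill $SERVER 2>/dev/null; rm -rf "$WORK"' EXIT
for i in 1 2 3 4 5 6 7 8 9 10; do          # wait for the listener to come up
    openssl s_client -connect "127.0.0.1:$PORT" </dev/null 2>&1 | grep -q CONNECTED && break
    sleep 1
done

# probe_backend PEM: connect presenting PEM as the machine certificate, the
# way mod_ssl does for SSLProxyMachineCertificateFile. TLS 1.2 is forced: there
# the server verifies the client certificate before sending its own Finished,
# so a rejection fails the handshake itself, which is where the log dies
# ("error in SSLv3 read finished A"); under TLS 1.3 the alert arrives later.
probe_backend() {
    if printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
        -tls1_2 -cert "$1" -CAfile "$WORK/ca.crt" >"$WORK/probe.log" 2>&1; then
        echo accepted
    else
        grep -o 'alert [a-z ]*' "$WORK/probe.log" | head -n 1 >&2   # e.g. "alert unknown ca"
        echo rejected
    fi
}

# still_valid_for SECONDS PEM: succeeds if the certificate in PEM will still
# be valid SECONDS from now (openssl -checkend), fails if it will have expired.
still_valid_for() {
    openssl x509 -in "$2" -noout -checkend "$1" >/dev/null 2>&1
}

echo "proxy cert from the backend's CA: $(probe_backend "$WORK/good.pem")"
echo "proxy cert from an unrelated CA:  $(probe_backend "$WORK/rogue.pem")"
still_valid_for 86400 "$WORK/good.pem" && echo "proxy cert valid for at least a day"
```

Against a real backend, replace the s_server stand-in with the backend's host and the -CAfile with the CA the proxy trusts, and run still_valid_for first: an expired machine certificate produces the same "SSL Proxy connect failed" as a certificate from the wrong CA, and is the usual reason a setup that ran for months stops overnight.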


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

