From: "Denis McCarthy"
To: users@httpd.apache.org
Date: Fri, 3 Oct 2008 15:41:13 +0100
Message-ID: <6d2327740810030741y1676385fn7dbbfdea25bea82e@mail.gmail.com>
Subject: [users@httpd] Very nasty ajp error when using ssl, client certificates, mod_proxy_ajp and jetty 6

Hi,

We have a java application that, as part of its authentication process, needs
to examine the contents of an X509 certificate from the client. The application is also a financial-based one and therefore needs to be run entirely over SSL. Our architecture consists of an httpd 2.2.3 front end and a jetty 6 app server. Jetty and apache talk using AJP (mod_proxy_ajp on the apache side). For most requests this seems to work fine. However, occasionally we get some *extremely* nasty behaviour from apache (it may be caused by jetty, but I'm not sure as yet). Anyway, we get the following type of messages in our apache log:

[Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand this error code: proxy: read response failed from 172.17.102.156:8009 (172.17.102.156)
[Fri Oct 03 14:26:43 2008] [error] (70007)The timeout specified has expired: ajp_ilink_receive() can't receive header
[Fri Oct 03 14:26:43 2008] [error] ajp_read_header: ajp_ilink_receive failed
[Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand this error code: proxy: read response failed from 172.17.102.156:8009 (172.17.102.156)
[Fri Oct 03 14:29:52 2008] [error] ajp_check_msg_header() got bad signature 4854
[Fri Oct 03 14:29:52 2008] [error] ajp_ilink_receive() received bad header
[Fri Oct 03 14:29:52 2008] [error] ajp_read_header: ajp_ilink_receive failed
[Fri Oct 03 14:29:52 2008] [error] (120007)APR does not understand this error code: proxy: read response failed from (null) (172.17.102.156)

Now, this seems to occur only for certain connection types: for example, it seems to often occur for connections from MSIE browsers, as well as on occasions when our java application server times out on requests (e.g. when our back end takes a very long time to come back with a response). I suspect these may be related, as I've read that MSIE browsers don't terminate SSL connections correctly. Anyway, when this occurs, the entire apache server seems to freeze up for several minutes.
Here's the relevant apache config:

Basic ssl config:

LoadModule ssl_module modules/mod_ssl.so
Listen 443

# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 600
SSLMutex pthread
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

ServerAdmin root@localhost
ServerName www.ourapp.com:443
ProxyPreserveHost On
ProxyPass /our-app ajp://172.17.102.156:8009/our-app
ProxyPassReverse /our-app ajp://172.17.102.156:8009/our-app
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/certs/server.crt
SSLCertificateKeyFile /etc/httpd/certs/server.key
SSLCACertificateFile /etc/httpd/certs/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData +StrictRequire
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

In case there's anyone familiar with jetty out there, my jetty AJP config is very simple:

8009

(The IP addresses etc. have been changed to protect the innocent)

If anyone could give any pointers for a solution to this it'd be great, as the app in question is due to go live shortly, and we'll have to delay go-live until this issue is resolved.

Thanks
Denis

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See  for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
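As an added example (not from the post, nor httpd or jetty code), here is a small Python parser for the httpd 2.2 error_log lines quoted above: it groups the AJP failures that share a timestamp into incidents, records which backend they name and whether each incident contains framing errors (bad signature / bad header), a timeout or a plain read failure, so the timing pattern described in the post can be read off the log instead of eyeballed. The sample lines are constructed from the ones in the post, and the kind names are my own labels.

```python
import re
from datetime import datetime
# Constructed sample: the error lines quoted in the post plus one unrelated notice line.
SAMPLE_LOG = """\
[Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand this error code: proxy: read response failed from 172.17.102.156:8009 (172.17.102.156)
[Fri Oct 03 14:26:43 2008] [error] (70007)The timeout specified has expired: ajp_ilink_receive() can't receive header
[Fri Oct 03 14:26:43 2008] [error] ajp_read_header: ajp_ilink_receive failed
[Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand this error code: proxy: read response failed from 172.17.102.156:8009 (172.17.102.156)
[Fri Oct 03 14:29:52 2008] [error] ajp_check_msg_header() got bad signature 4854
[Fri Oct 03 14:29:52 2008] [error] ajp_ilink_receive() received bad header
[Fri Oct 03 14:29:52 2008] [error] ajp_read_header: ajp_ilink_receive failed
[Fri Oct 03 14:29:52 2008] [error] (120007)APR does not understand this error code: proxy: read response failed from (null) (172.17.102.156)
[Fri Oct 03 14:40:10 2008] [notice] Apache/2.2.3 configured -- resuming normal operations
"""

# httpd 2.2 error_log shape: [timestamp] [level] (optional APR error code)message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\((?P<apr>\d+)\))?(?P<msg>.*)$")
BACKEND_RE = re.compile(r"read response failed from \S+ \((?P<host>[^)]+)\)")
KINDS = (("bad signature", "ajp_framing"), ("received bad header", "ajp_framing"),
         ("timeout specified has expired", "ajp_timeout"),
         ("read response failed", "proxy_read_failed"), ("ajp_", "ajp_other"))

def parse_line(line):
    """Return dict with ts/level/apr/msg, or None if the line is not an error_log entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), "level": m["level"],
            "apr": int(m["apr"]) if m["apr"] else None, "msg": m["msg"]}

def classify(msg):
    """First matching kind in KINDS order (framing errors are the most telling); None otherwise."""
    return next((kind for needle, kind in KINDS if needle in msg), None)

def ajp_incidents(log_text):
    """Group AJP failures by the second they were logged in; one dict per incident, in log order."""
    incidents = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        kind = classify(rec["msg"]) if rec else None
        if kind is None:
            continue
        inc = incidents.setdefault(rec["ts"], {"ts": rec["ts"], "host": None, "kinds": set(), "count": 0})
        inc["kinds"].add(kind)
        inc["count"] += 1
        host = BACKEND_RE.search(rec["msg"])  # only the mod_proxy line names the backend
        if host:
            inc["host"] = host["host"]
    return [dict(i, kinds=sorted(i["kinds"])) for i in incidents.values()]
```

Running `ajp_incidents(SAMPLE_LOG)` yields two incidents 189 seconds apart against 172.17.102.156, the second one flagged `ajp_framing`, which is the desynchronised-stream case worth investigating first.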