httpd-users mailing list archives

From Christoph Anton Mitterer <cales...@scientia.net>
Subject [users@httpd] SSL+SNI+client-auth fakeBasicAuth "lost" after some time
Date Sat, 18 Feb 2012 23:08:32 GMT
Hey.

This is actually from https://issues.apache.org/bugzilla/show_bug.cgi?id=52703
but it seems bug hunting is not welcomed there anymore, as I've already had to
experience in https://issues.apache.org/bugzilla/show_bug.cgi?id=52630 ...
So I was redirected here to the list...

Well maybe someone has some idea or can confirm :-)


------------------------------------------------------
Hi.

This is a really weird problem. I'm actually not sure whether it's a bug in
Apache (or the browsers) but, having absolutely no idea, I need some point to
start (sorry).

It is similar (and may be related to #52631). It happens with Firefox and
Chromium.


Setup is the following:
I'm using SSL with SNI and SSL client authentication required.
I have fakeBasicAuth enabled.

I go to the site, I'm asked for my certificate, I'm granted access,.. so far
everything fine.

But after some time (haven't measured it, about in the range of 10 minutes),
when I click reload, or any link within the same site, the access is forbidden
and I get HTTP 403.
It seems as if the SSL session would still be open (the browsers show their
coloured address and there is no client cert or other SSL error).

Looking in the vhost's log I see:
[Sat Feb 18 04:08:23 2012] [error] No hostname was provided via SNI for a name based virtual host
[Sat Feb 18 04:08:23 2012] [error] No hostname was provided via SNI for a name based virtual host

and in the server wide error log:
[Sat Feb 18 04:08:22 2012] [info] [client 91.8.39.109] Connection to child 84 established (server localhost:443)
[Sat Feb 18 04:08:22 2012] [info] Seeding PRNG with 1312 bytes of entropy
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection to child 17 established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] Seeding PRNG with 1312 bytes of entropy
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection to child 213 established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] Seeding PRNG with 1312 bytes of entropy
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection to child 148 established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] Seeding PRNG with 1312 bytes of entropy
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection to child 83 established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] Seeding PRNG with 1312 bytes of entropy
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection to child 11 established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] Seeding PRNG with 1312 bytes of entropy
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection closed to child 84 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] [client 91.8.39.109] Connection closed to child 11 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Request header read timeout
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] (70007)The timeout specified has expired: SSL input filter read failed.
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Connection closed to child 17 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Request header read timeout
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] (70007)The timeout specified has expired: SSL input filter read failed.
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Connection closed to child 213 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Request header read timeout
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] (70007)The timeout specified has expired: SSL input filter read failed.
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Connection closed to child 148 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Request header read timeout
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] (70007)The timeout specified has expired: SSL input filter read failed.
[Sat Feb 18 04:08:33 2012] [info] [client 91.8.39.109] Connection closed to child 83 with standard shutdown (server localhost:443)


...for every tried access.
The times of both log outputs correspond (both from the same access).
Not sure what this timeout from the server log is,.. but I guess it's due to my
use of RequestReadTimeout, could that be?!


When I restart Apache and try it again with both browsers it still doesn't work
again (still get 403, but still the SSL session seems to be successfully
created).


The only way to get it working again is to close the browsers and start again,
or with Firefox, to clear all "Active Logons".


Now I have absolutely no idea where to start tracing,... not even whether this
seems to be more a browser issue or a server issue.
Just some indication that some timeout or cache that runs out could be the
reason.


Any ideas?


Cheers,
Chris.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
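
One way to line up the two logs described in the message, as an added example that is not part of the original post. The log text is a constructed sample in the same Apache 2.2 format (the client address is a documentation-range placeholder), and the 10-second idle threshold is an assumption taken from the gap visible in the quoted log, not a known configuration value.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the error-log format quoted in the message.
SERVER_LOG = """\
[Sat Feb 18 04:08:22 2012] [info] [client 192.0.2.10] Connection to child 84 established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] [client 192.0.2.10] Connection to child 17 established (server localhost:443)
[Sat Feb 18 04:08:23 2012] [info] [client 192.0.2.10] Connection closed to child 84 with standard shutdown (server localhost:443)
[Sat Feb 18 04:08:33 2012] [info] [client 192.0.2.10] Request header read timeout
[Sat Feb 18 04:08:33 2012] [info] [client 192.0.2.10] (70007)The timeout specified has expired: SSL input filter read failed.
[Sat Feb 18 04:08:33 2012] [info] [client 192.0.2.10] Connection closed to child 17 with standard shutdown (server localhost:443)
"""
VHOST_LOG = """\
[Sat Feb 18 04:08:23 2012] [error] No hostname was provided via SNI for a name based virtual host
[Sat Feb 18 04:08:23 2012] [error] No hostname was provided via SNI for a name based virtual host
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$")
OPENED = re.compile(r"Connection to child (\d+) established")
CLOSED = re.compile(r"Connection closed to child (\d+)")

def parse(text):
    """Yield (timestamp, client or None, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["client"], m["msg"]

def connection_lifetimes(server_log):
    """Map child slot -> seconds between 'established' and 'closed'."""
    opened, lifetimes = {}, {}
    for ts, _client, msg in parse(server_log):
        if (m := OPENED.search(msg)):
            opened[m.group(1)] = ts
        elif (m := CLOSED.search(msg)) and m.group(1) in opened:
            # Child slots are reused, so forget the slot once it closes.
            lifetimes[m.group(1)] = (ts - opened.pop(m.group(1))).total_seconds()
    return lifetimes

def sni_errors_by_time(vhost_log):
    """Count 'No hostname was provided via SNI' errors per timestamp."""
    return Counter(ts for ts, _c, msg in parse(vhost_log) if "via SNI" in msg)

def summarize(server_log, vhost_log, idle_after=10):  # idle_after: assumed threshold
    life = connection_lifetimes(server_log)
    idle = sorted(c for c, secs in life.items() if secs >= idle_after)
    return {"lifetimes": life, "idle_children": idle,
            "sni_errors": sum(sni_errors_by_time(vhost_log).values())}
```
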

