httpd-users mailing list archives

From "Vosbury, David" <David.Vosb...@saabsensis.com>
Subject [users@httpd] Site using client certificates becomes unresponsive and requires httpd reload intermittently
Date Tue, 25 Apr 2017 16:10:59 GMT
My company is developing a site for a customer. The site has a PHP-based login page. The site
also uses client certificates for two factor authentication. We have SSLVerifyClient require
turned on in our ssl.conf. I'm getting intermittent issues where the site stops responding
when trying to access the login page. The usual symptoms are that the user is prompted for
their client certificate. Once that is submitted, sometimes the login page never appears,
the user just gets a blank browser screen. Other times, the login page appears. Then the user
is able to enter their login information, but then the site hangs again with a blank browser
screen. If I do a reload or a restart on the httpd service, the site immediately starts responding
again. In order to get past some testing deadlines, I set up a cron job to reload Apache once
a minute which helped. A full restart isn't required to temporarily fix the issue. I then
changed that cron job to once an hour and that also helped. When removing that scheduled reload,
the problem reappears.

I've turned on the debugging log level. I see these types of error messages in the ssl_error_log,
but can't really correlate if that is when the problem occurs as I see them even when the
site is responding normally.

[Tue Apr 25 13:00:01 2017] [debug] ssl_engine_io.c(1925): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f3f4a0b0400 [mem: 7f3f4a098d13]
[Tue Apr 25 13:00:01 2017] [info] [client 64.128.122.230] (70007)The timeout specified has expired: SSL input filter read failed.
[Tue Apr 25 13:00:01 2017] [debug] ssl_engine_kernel.c(1886): OpenSSL: Write: SSL negotiation finished successfully
[Tue Apr 25 13:00:01 2017] com:443)

I'm using Apache 2.2.15 and openssl 1.0.1e-fips on Red Hat 6.5.

David Vosbury
SAAB Sensis Corporation
david.vosbury@saabsensis.com
Main: 315-234-3761
Cell: 315-751-2675


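One way to check whether the "SSL input filter read failed" timeouts line up with the hangs, as an added example that is not part of the original message: it counts those entries per minute and client from the raw ssl_error_log and compares the rate inside operator-recorded hang windows with the rate outside them. The sample entries, the client addresses and the hang window are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache 2.2 error_log entry: [timestamp] [level] [client ip] message
ENTRY = re.compile(r"^\[([^\]]+)\] \[(\w+)\] (?:\[client ([^\]]+)\] )?(.*)$")
TIMEOUT = "SSL input filter read failed"

def timeouts_per_minute(lines):
    """Count SSL read timeouts per (minute, client) from raw, unwrapped log lines."""
    counts = Counter()
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m or TIMEOUT not in m.group(4):
            continue
        try:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # truncated or damaged entry
        counts[(ts.replace(second=0), m.group(3))] += 1
    return counts

def rates(counts, hang_windows, log_start, log_end):
    """Return (timeouts/min during recorded hangs, timeouts/min otherwise)."""
    def hung(minute):
        return any(start <= minute < end for start, end in hang_windows)
    inside = sum(n for (minute, _), n in counts.items() if hung(minute))
    outside = sum(counts.values()) - inside
    hang_min = sum((end - start) / timedelta(minutes=1) for start, end in hang_windows)
    normal_min = (log_end - log_start) / timedelta(minutes=1) - hang_min
    return (inside / hang_min if hang_min else 0.0,
            outside / normal_min if normal_min else 0.0)

# Constructed sample entries (documentation IP range), not taken from the post.
T = "(70007)The timeout specified has expired: SSL input filter read failed."
SAMPLE = [
    f"[Tue Apr 25 13:00:01 2017] [info] [client 192.0.2.10] {T}",
    "[Tue Apr 25 13:00:01 2017] [debug] ssl_engine_kernel.c(1886): OpenSSL: Write: SSL negotiation finished successfully",
    f"[Tue Apr 25 13:05:10 2017] [info] [client 192.0.2.10] {T}",
    f"[Tue Apr 25 13:05:40 2017] [info] [client 192.0.2.11] {T}",
    f"[Tue Apr 25 13:06:02 2017] [info] [client 192.0.2.10] {T}",
    f"[Tue Apr 25 13:06:30 2017] [info] [client 192.0.2.11] {T}",
    f"[Tue Apr 25 13:20:00 2017] [info] [client 192.0.2.12] {T}",
    "[Tue Apr 25 13:20:00 2017] com:443)",
]
# Assumed: hang start/end times noted by the operator (constructed here).
HANGS = [(datetime(2017, 4, 25, 13, 5), datetime(2017, 4, 25, 13, 7))]

if __name__ == "__main__":
    print(rates(timeouts_per_minute(SAMPLE), HANGS,
                datetime(2017, 4, 25, 13, 0), datetime(2017, 4, 25, 13, 30)))
```

A rate during hang windows that is well above the background rate suggests the timeouts are tied to the hangs; similar rates suggest they are ordinary idle-connection noise.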
