Full_Name: Mats Josefsson
Version: 2.6.5
OS: HPUX (10.20 and 11)
Submission from: (NULL) (193.180.125.234)


I have a problem using apache/mod_ssl in a proxy config
where the browser uses http to the proxy server and the
proxy uses https to another server. (Don't ask why we
need to do it like this, we just have to).

The problem is that Server1 dies (SIGSEGV) after it has
verified Server2's certificates, but before it sends its
client cert to Server2. A core is produced, but I haven't
been able to get any information from it (yet).

Server:    Apache/1.3.12
Interface: mod_ssl/2.6.5
Library:   OpenSSL/0.9.5a
HW/OS:     PA-RISC, HPUX 10.20 HPUX 11 (same problem on both)


---- Details below ----

It's like this:

           http            https
  Browser ------> Server1 -------> Server2

Server2 is configured to require client authentication, and
Server1 is configured with a proxy client cert.

Looking at the source I would have expected to see a log
entry in Server1 like:

  [debug] Proxy client certificate callback: (%s) entered

But it seems that the client cert callback is never reached.

I have tried Server1 both with and without DSO/libssl.so

Info from Server2 ssl_engine_log:

  [trace] OpenSSL: Handshake: start
  [trace] OpenSSL: Loop: before/accept initialization
  [trace] OpenSSL: Loop: SSLv3 read client hello A
  [trace] OpenSSL: Loop: SSLv3 write server hello A
  [trace] OpenSSL: Loop: SSLv3 write certificate A
  [trace] OpenSSL: Loop: SSLv3 write key exchange A
  [trace] OpenSSL: Loop: SSLv3 write certificate request A
  [trace] OpenSSL: Loop: SSLv3 flush data
  [trace] OpenSSL: Exit: failed in SSLv3 read client certificate A
  [info]  Spurious SSL handshake interrupt[Hint: Usually just one
          of those OpenSSL confusions!?]

Info from Server1 ssl_engine_log:

  [info]  Server: Apache/1.3.12, Interface: mod_ssl/2.6.5,
          Library: OpenSSL/0.9.5a
  [info]  Init: 1st startup round (still not detached)
  [info]  Init: Initializing OpenSSL library
  [info]  Init: Loading certificate & private key of SSL-aware
          server Server1:9443
  [trace] Init: (Server1:9443) unencrypted RSA private key - pass
          phrase not required
  [info]  Init: Seeding PRNG with 136 bytes of entropy
  [info]  Init: Generating temporary RSA private keys (512/1024 bits)
  [info]  Init: Configuring temporary DH parameters (512/1024 bits)
  [trace] Init: (Server1:9080) Creating new proxy SSL context
          (protocols: SSLv3)
  [trace] Init: (Server1:9080) loaded 1 client certs for SSL proxy
  [trace] Init: (Server1:9080) Configuring permitted SSL ciphers for
          SSL proxy
  [debug] Init: (Server1:9080) Configuring client verification
          locations for SSL Proxy
  [trace] Init: (Server1:9443) Creating new proxy SSL context
          (protocols: SSLv3)
  [trace] Init: (Server1:9443) loaded 1 client certs for SSL proxy
  [trace] Init: (Server1:9443) Configuring permitted SSL ciphers for
          SSL proxy
  [debug] Init: (Server1:9443) Configuring client verification
          locations for SSL Proxy
  [info]  Init: 2nd startup round (already detached)
  [info]  Init: Reinitializing OpenSSL library
  [info]  Init: Created hash-table (250 buckets) in shared memory
          (512000 bytes) for SSL session cache
  [info]  Init: Seeding PRNG with 136 bytes of entropy
  [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
  [info]  Init: Configuring temporary DH parameters (512/1024 bits)
  [info]  Init: Initializing (virtual) servers for SSL
  [info]  Init: Configuring server Server1:9443 for SSL protocol
  [trace] Init: (Server1:9443) Creating new SSL context (protocols:
          SSLv2, SSLv3, TLSv1)
  [trace] Init: (Server1:9443) Configuring permitted SSL ciphers
          [ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
  [trace] Init: (Server1:9443) Configuring client authentication
  [trace] CA certificate: /C=SE/O=RSV/OU=Test-CA-utv1/CN=002/SN=202100-0985
  [trace] Init: (Server1:9443) Configuring RSA server certificate
  [trace] Init: (Server1:9443) Configuring RSA server private key
  [trace] Init: (Server1:9080) Creating new proxy SSL context
          (protocols: SSLv3)
  [trace] Init: (Server1:9080) loaded 1 client certs for SSL proxy
  [trace] Init: (Server1:9080) Configuring permitted SSL ciphers for
          SSL proxy
  [debug] Init: (Server1:9080) Configuring client verification
          locations for SSL Proxy
  [trace] Init: (Server1:9443) Creating new proxy SSL context
          (protocols: SSLv3)
  [trace] Init: (Server1:9443) loaded 1 client certs for SSL proxy
  [trace] Init: (Server1:9443) Configuring permitted SSL ciphers for
          SSL proxy
  [debug] Init: (Server1:9443) Configuring client verification
          locations for SSL Proxy
  [debug] SSL Proxy: (Server1:9080) Certificate Verification for remote
          server Server2:11443: depth: 1,
          subject: /C=SE/O=RSV/OU=Test-CA-utv1/CN=002/SN=202100-0985,
          issuer: /C=SE/O=RSV/OU=Test-CA-utv1/CN=002/SN=202100-0985
  [debug] SSL Proxy: (Server1:9080) Certificate Verification for remote
          server Server2:11443: depth: 0,
          subject: /C=SE/O=RSV/OU=DataService/CN=Server2,
          issuer: /C=SE/O=RSV/OU=Test-CA-utv1/CN=002/SN=202100-0985
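The two log excerpts above tell the same story from both ends: Server2 sends a certificate request and then fails in "read client certificate", while Server1 verifies Server2's chain but never logs the proxy client certificate callback. As an added example (not part of the report and not mod_ssl code), the following Python script parses ssl_engine_log lines in the timestamp-stripped form shown above, joins continuation lines, and classifies each side so the mismatch can be spotted automatically. It assumes the state strings seen in the report; the "healthy" trace used for comparison is constructed, not taken from any real server.

```python
import re

# Constructed sample input: the report's two ssl_engine_log excerpts
# (timestamps stripped, as posted). Continuation lines are indented.
SERVER2_LOG = """\
  [trace] OpenSSL: Handshake: start
  [trace] OpenSSL: Loop: before/accept initialization
  [trace] OpenSSL: Loop: SSLv3 read client hello A
  [trace] OpenSSL: Loop: SSLv3 write server hello A
  [trace] OpenSSL: Loop: SSLv3 write certificate A
  [trace] OpenSSL: Loop: SSLv3 write key exchange A
  [trace] OpenSSL: Loop: SSLv3 write certificate request A
  [trace] OpenSSL: Loop: SSLv3 flush data
  [trace] OpenSSL: Exit: failed in SSLv3 read client certificate A
  [info]  Spurious SSL handshake interrupt[Hint: Usually just one
          of those OpenSSL confusions!?]
"""

SERVER1_LOG = """\
  [trace] Init: (Server1:9080) loaded 1 client certs for SSL proxy
  [debug] SSL Proxy: (Server1:9080) Certificate Verification for remote
          server Server2:11443: depth: 1,
          subject: /C=SE/O=RSV/OU=Test-CA-utv1/CN=002/SN=202100-0985,
          issuer: /C=SE/O=RSV/OU=Test-CA-utv1/CN=002/SN=202100-0985
  [debug] SSL Proxy: (Server1:9080) Certificate Verification for remote
          server Server2:11443: depth: 0,
          subject: /C=SE/O=RSV/OU=DataService/CN=Server2,
          issuer: /C=SE/O=RSV/OU=Test-CA-utv1/CN=002/SN=202100-0985
"""

# Constructed trace of a handshake where the client cert did arrive.
HEALTHY_SERVER_LOG = """\
  [trace] OpenSSL: Handshake: start
  [trace] OpenSSL: Loop: SSLv3 write certificate request A
  [trace] OpenSSL: Loop: SSLv3 flush data
  [trace] OpenSSL: Loop: SSLv3 read client certificate A
  [trace] OpenSSL: Loop: SSLv3 read certificate verify A
  [trace] OpenSSL: Handshake: done
"""

ENTRY_RE = re.compile(r"^\s*\[(?P<level>[a-z]+)\]\s*(?P<msg>.*)$")
STATE_RE = re.compile(r"OpenSSL: (Handshake|Loop|Exit): (.*)")


def parse_entries(text):
    """Return (level, message) pairs; a line without a [level] prefix is
    appended to the previous entry (mod_ssl wraps long messages)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ENTRY_RE.match(raw)
        if m:
            entries.append([m.group("level"), m.group("msg").strip()])
        elif entries:
            entries[-1][1] += " " + raw.strip()
    return [tuple(e) for e in entries]


def handshake_states(entries):
    """Extract the OpenSSL state-machine trace as (kind, state) pairs."""
    return [STATE_RE.match(msg).groups()
            for _, msg in entries if STATE_RE.match(msg)]


def diagnose_server_side(entries):
    """Classify the accepting side: did the requested client cert arrive?"""
    states = handshake_states(entries)
    requested = any(k == "Loop" and "write certificate request" in s
                    for k, s in states)
    failed = [s for k, s in states if k == "Exit" and s.startswith("failed in")]
    if requested and failed and "read client certificate" in failed[0]:
        return "client-cert-not-received"
    if failed:
        return "handshake-failed:" + failed[0]
    if any(k == "Handshake" and s == "done" for k, s in states):
        return "ok"
    return "incomplete"


def diagnose_proxy_side(entries):
    """Classify the proxy (client) side: was the peer verified, and was the
    proxy client certificate callback ever entered afterwards?"""
    verified = [m for _, m in entries
                if m.startswith("SSL Proxy:")
                and "Certificate Verification for remote server" in m]
    callback = any("Proxy client certificate callback" in m for _, m in entries)
    if not verified:
        return "no-proxy-handshake-logged"
    if callback:
        return "client-cert-presented"
    return "peer-verified-but-client-cert-callback-never-entered"


if __name__ == "__main__":
    print("Server2:", diagnose_server_side(parse_entries(SERVER2_LOG)))
    print("Server1:", diagnose_proxy_side(parse_entries(SERVER1_LOG)))
    print("healthy:", diagnose_server_side(parse_entries(HEALTHY_SERVER_LOG)))
```

Run against the report's excerpts the script reports `client-cert-not-received` for Server2 and `peer-verified-but-client-cert-callback-never-entered` for Server1, which is exactly the pair of findings that points at the proxy side rather than at Server2's verification settings; the constructed healthy trace classifies as `ok`.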



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]