http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20785

ssl with mod_proxy is very unstable

           Summary: ssl with mod_proxy is very unstable
           Product: Apache httpd-2.0
           Version: 2.0.46
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: All
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

I use mod_proxy for reverse proxy https connections. It is running fine with apache 2.0.43, but when I upgrade it to 2.0.46, more than 50% of the https connections fail; the httpd child process just dies. 2.0.44 and 2.0.45 have the same problem: their child processes just die in more than 50% of https connections.

I also tried to upgrade openssl to the latest version, 0.9.7b, and recompile apache, but it doesn't help, since maybe it is not openssl's bug.

This behaviour is reproducible on another server. I tried it here with redhat 7.0 and gentoo 1.4. Both of them have the same problem with apache 2.0.44, 2.0.45 and 2.0.46 no matter which openssl version, and have a stable connection with 2.0.43.

Here is my config:

    NameVirtualHost xxx.5.131.41:443
    SSLProxyEngine on
    <VirtualHost xxx.5.131.41:443>
        ServerName iniskp.mydomain.org
        ProxyPass / https://iniskp.mydomain.org/
        ProxyPassReverse / https://iniskp.mydomain.org/
        LogLevel debug
        SSLEngine on
        SSLCertificateFile conf/ssl/server.crt
        SSLCertificateKeyFile conf/ssl/server.key
    </VirtualHost>

And here is the error log when the connections failed:

.....
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1462): +-------------------------------------------------------------------------+
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(109): proxy: HTTP: canonicalising URL //iniskp.mydomain.org/
[Fri Jun 13 18:18:52 2003] [debug] mod_proxy.c(459): Trying to run scheme_handler
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(1076): proxy: HTTP: serving URL https://iniskp.mydomain.org/
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(221): proxy: HTTP connecting https://iniskp.mydomain.org/ to iniskp.mydomain.org:443
[Fri Jun 13 18:18:52 2003] [debug] proxy_util.c(1203): proxy: HTTP: fam 2 socket created to connect to iniskp.mydomain.org
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(370): proxy: socket is connected
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(404): proxy: connection complete to xxx.5.67.95:443 (iniskp.mydomain.org)
[Fri Jun 13 18:18:52 2003] [info] Connection to child 3 established (server iniskp.mydomain.org:443, client xxx.5.67.95)
[Fri Jun 13 18:18:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Handshake: start
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: before/connect initialization
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: SSLv2/v3 write client hello A
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 0/7 bytes from BIO#8194ea0 [mem: 81a1c98] (BIO dump follows)
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1431): +-------------------------------------------------------------------------+
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1462): +-------------------------------------------------------------------------+
[Fri Jun 13 18:18:52 2003] [info] SSL Proxy connect failed
[Fri Jun 13 18:18:52 2003] [info] Connection to child 3 closed with abortive shutdown(server iniskp.mydomain.org:443, client xxx.5.67.95)
.....

And here is a successful connection right after the above connection:

.....
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(109): proxy: HTTP: canonicalising URL //iniskp.mydomain.org/
[Fri Jun 13 18:18:53 2003] [debug] mod_proxy.c(459): Trying to run scheme_handler
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(1076): proxy: HTTP: serving URL https://iniskp.mydomain.org/
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(221): proxy: HTTP connecting https://iniskp.mydomain.org/ to iniskp.mydomain.org:443
[Fri Jun 13 18:18:53 2003] [debug] proxy_util.c(1203): proxy: HTTP: fam 2 socket created to connect to iniskp.mydomain.org
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(370): proxy: socket is connected
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(404): proxy: connection complete to 161.5.67.95:443 (iniskp.mydomain.org)
[Fri Jun 13 18:18:53 2003] [info] Connection to child 5 established (server iniskp.mydomain.org:443, client xxx.5.67.95)
[Fri Jun 13 18:18:53 2003] [info] Seeding PRNG with 136 bytes of entropy
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Handshake: start
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: before/connect initialization
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: SSLv2/v3 write client hello A
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 7/7 bytes from BIO#8194ea0 [mem: 81a3ca0] (BIO dump follows)
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1431): +-------------------------------------------------------------------------+
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1456): | 0000: 16 03 01 03 68 02 ....h. |
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1460): | 0007 - <SPACES/NULS>
.....

The difference is in "ssl_engine_io() : OpenSSL: read 0/7 bytes from ..." if it failed and "ssl_engine_io() : OpenSSL: read 7/7 bytes from ..." if it is successful.
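
For triaging an error log like the two excerpts above, this added example (not part of the original report and not Apache httpd code) groups mod_ssl debug lines into handshake attempts and records the first "read N/M bytes" result, the TLS record header decoded from the BIO dump, and whether "SSL Proxy connect failed" followed. The sample log is constructed from lines in the report, the function names are hypothetical, and it assumes the lines of one attempt are not interleaved with another's.

```python
import re

# Constructed sample: lines copied from the two excerpts in the report,
# trimmed to the ones the classifier needs.
SAMPLE_LOG = """\
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Handshake: start
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 0/7 bytes from BIO#8194ea0 [mem: 81a1c98] (BIO dump follows)
[Fri Jun 13 18:18:52 2003] [info] SSL Proxy connect failed
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Handshake: start
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 7/7 bytes from BIO#8194ea0 [mem: 81a3ca0] (BIO dump follows)
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1456): | 0000: 16 03 01 03 68 02 ....h. |
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
READ = re.compile(r"OpenSSL: read (\d+)/(\d+) bytes from BIO")
DUMP = re.compile(r"\| 0000: ((?:[0-9a-f]{2} )+)")
RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}

def parse_handshakes(log_text):
    """Group lines into handshake attempts in log order (assumes attempts are not interleaved)."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if "OpenSSL: Handshake: start" in msg:
            cur = {"ts": m["ts"], "first_read": None, "record": None, "failed": False}
            attempts.append(cur)
        elif cur is None:
            continue  # lines before the first handshake start
        elif (r := READ.search(msg)) and cur["first_read"] is None:
            cur["first_read"] = (int(r[1]), int(r[2]))  # (bytes read, bytes wanted)
        elif (d := DUMP.search(msg)) and cur["record"] is None:
            b = bytes.fromhex(d[1])
            if len(b) >= 5:  # TLS record header: type, version major.minor, length
                cur["record"] = (RECORD_TYPES.get(b[0], hex(b[0])), f"{b[1]}.{b[2]}", int.from_bytes(b[3:5], "big"))
        elif "SSL Proxy connect failed" in msg:
            cur["failed"] = True
    return attempts

def short_first_reads(attempts):
    """Attempts whose first read after the ClientHello returned no bytes."""
    return [a for a in attempts if a["first_read"] and a["first_read"][0] == 0]

if __name__ == "__main__":
    for a in parse_handshakes(SAMPLE_LOG):
        print(a)
```
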
