I have a wellness completion benefit package that works well and a budget
component that I have registered for, and the SSL must remain pure.
Assignments have been compiled and are relevant to the assistance progs;
Top priority LifeSpan preserved with occupational legitimate safework load
environments.

On Thu, Nov 1, 2018, 5:42 PM . <thrif...@gmail.com> wrote:

> Hey everyone,
>
>    I have an apache http server (version 2.4.37) that is using SSL
> (version 1.1.1) to communicate to an F5 back-end through mod_proxy and
> mod_proxy_http.
>
>    The server is configured with a SSLProxyProtocol string that allows for
> TLSv1.3, and I am seeing an error that looks like the following:
>
> [Thu Nov 01 20:00:27.687919 2018] [ssl:info] [pid 86604:tid
> 47699324180224] [remote PRIVATEIPREDACTED:443] AH01964: Connection to child
> 0 established (server PRIVATEDNSNAMEREDACTED:443)
>
> [Thu Nov 01 20:00:27.687937 2018] [ssl:trace2] [pid 86604:tid
> 47699324180224] ssl_engine_rand.c(126): Proxy: Seeding PRNG with 144 bytes
> of entropy
>
> [Thu Nov 01 20:00:27.687999 2018] [ssl:trace4] [pid 86604:tid
> 47699324180224] ssl_engine_io.c(1667): [remote PRIVATEIPREDACTED:443]
> coalesce: have 0 bytes, adding 675 more
>
> [Thu Nov 01 20:00:27.688005 2018] [ssl:trace4] [pid 86604:tid
> 47699324180224] ssl_engine_io.c(1727): [remote PRIVATEIPREDACTED:443]
> coalesce: passing on 675 bytes
>
> [Thu Nov 01 20:00:27.688009 2018] [ssl:trace3] [pid 86604:tid
> 47699324180224] ssl_engine_io.c(1239): [remote PRIVATEIPREDACTED:443] SNI
> extension for SSL Proxy request set to 'PRIVATEDNSNAMEREDACTED'
>
> [Thu Nov 01 20:00:27.688014 2018] [ssl:trace3] [pid 86604:tid
> 47699324180224] ssl_engine_kernel.c(2191): [remote PRIVATEIPREDACTED:443]
> OpenSSL: Handshake: start
>
> [Thu Nov 01 20:00:27.688043 2018] [ssl:trace3] [pid 86604:tid
> 47699324180224] ssl_engine_kernel.c(2200): [remote PRIVATEIPREDACTED:443]
> OpenSSL: Loop: before SSL initialization
>
> [Thu Nov 01 20:00:27.688293 2018] [ssl:trace4] [pid 86604:tid
> 47699324180224] ssl_engine_io.c(2220): [remote PRIVATEIPREDACTED:443]
> OpenSSL: write 7/7 bytes to BIO#2b61fc008b80 [mem: 2b61fc027750] (BIO dump
> follows)
>
> [Thu Nov 01 20:00:27.688299 2018] [ssl:trace7] [pid 86604:tid
> 47699324180224] ssl_engine_io.c(2143): [remote PRIVATEIPREDACTED:443]
> +-------------------------------------------------------------------------+
>
> [Thu Nov 01 20:00:27.688302 2018] [ssl:trace7] [pid 86604:tid
> 47699324180224] ssl_engine_io.c(2181): [remote PRIVATEIPREDACTED:443] |
> 0000: 15 03 01 00 02 02 50                             ......P          |
>
> [Thu Nov 01 20:00:27.688304 2018] [ssl:trace7] [pid 86604:tid
> 47699324180224] ssl_engine_io.c(2187): [remote PRIVATEIPREDACTED:443]
> +-------------------------------------------------------------------------+
>
> [Thu Nov 01 20:00:27.688307 2018] [ssl:trace3] [pid 86604:tid
> 47699324180224] ssl_engine_kernel.c(22PRIVATEIPREDACTED[remote
> PRIVATEIPREDACTED:443] OpenSSL: Write: error
>
> [Thu Nov 01 20:00:27.688311 2018] [ssl:trace3] [pid 86604:tid
> 47699324180224] ssl_engine_kernel.c(2229): [remote PRIVATEIPREDACTED:443]
> OpenSSL: Exit: error in error
>
> [Thu Nov 01 20:00:27.688313 2018] [ssl:info] [pid 86604:tid
> 47699324180224] [remote PRIVATEIPREDACTED:443] AH02003: SSL Proxy connect
> failed
>
> [Thu Nov 01 20:00:27.688335 2018] [ssl:info] [pid 86604:tid
> 47699324180224] SSL Library Error: error:14228044:SSL
> routines:construct_ca_names:internal error
>
> [Thu Nov 01 20:00:27.688338 2018] [ssl:info] [pid 86604:tid
> 47699324180224] [remote PRIVATEIPREDACTED:443] AH01998: Connection closed
> to child 0 with abortive shutdown (server PRIVATEDNSNAMEREDACTED:443)
>
> [Thu Nov 01 20:00:27.688353 2018] [ssl:info] [pid 86604:tid
> 47699324180224] [remote PRIVATEIPREDACTED:443] AH01997: SSL handshake
> failed: sending 502
>
> [Thu Nov 01 20:00:27.688366 2018] [proxy_http:error] [pid 86604:tid
> 47699324180224] (PRIVATEIPREDACTED software caused connection abort:
> [client PRIVATEIPREDACTED:60171] AH01PRIVATEIPREDACTED error reading status
> line from remote server PRIVATEDNSNAMEREDACTED:443
>
>    This is causing the back-end connection to fail.
>
>    Narrowing the scope of the SSLProxyProtocol string to not allow for TLS
> 1.3 relieves the issue and allows proper communication to occur.
>
>    Can anyone else confirm the issue?  If so, is there a bug report yet or
> would you like me to make one?
>
>    If this is an issue with the release, I would mention that we also saw
> a different issue we had to patch ourselves with the apache http server
> proxy protocol SSL code between the releases of 2.4.29 and 2.4.33 (there
> were security fixes in this release so not upgrading wasn't a great
> option), perhaps there could be some additional automated testing for the
> use case of an SSL enabled proxy?  Unless of course we find I am doing
> something stupid at which point disregard that suggestion.
>
> Thanks,
> Dan Oliver
>

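The fatal alert in the BIO dump (`15 03 01 00 02 02 50`) and the packed OpenSSL error code `14228044` from the quoted trace, decoded, plus a small check that flags the AH02003 / SSL Library Error pair in mod_ssl logs; this is an added example, not code from the thread or from httpd, and the sample log lines are reconstructed from the quoted trace with the same redaction placeholders.

```python
import re
import struct

# TLS alert fields per RFC 8446 section 6.2 (only the codes relevant here).
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 40: "handshake_failure",
              70: "protocol_version", 80: "internal_error"}

def decode_tls_alert(record: bytes) -> dict:
    """Parse one TLS record and return the alert fields if it is an alert."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 0x15:
        raise ValueError(f"not an alert record (content type 0x{ctype:02x})")
    body = record[5:5 + length]
    if len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body
    return {"version": f"{major}.{minor}", "level": ALERT_LEVEL.get(level, str(level)),
            "description": ALERT_DESC.get(desc, f"unknown({desc})"), "code": desc}

def decode_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL 1.1.x error code into lib (8 bits), func (12), reason (12)."""
    reason = code & 0xFFF
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": reason,
            "fatal": bool(reason & 0x40)}  # ERR_R_FATAL (64) is OR'd into the reason

# Constructed sample, taken from the trace quoted above with its redaction placeholders.
SAMPLE_LOG = [
    "[Thu Nov 01 20:00:27.688313 2018] [ssl:info] [pid 86604:tid 47699324180224] "
    "[remote PRIVATEIPREDACTED:443] AH02003: SSL Proxy connect failed",
    "[Thu Nov 01 20:00:27.688335 2018] [ssl:info] [pid 86604:tid 47699324180224] "
    "SSL Library Error: error:14228044:SSL routines:construct_ca_names:internal error",
    "[Thu Nov 01 20:00:27.688353 2018] [ssl:info] [pid 86604:tid 47699324180224] "
    "[remote PRIVATEIPREDACTED:443] AH01997: SSL handshake failed: sending 502",
]
PROXY_FAIL_RE = re.compile(r"AH02003: SSL Proxy connect failed")
LIB_ERR_RE = re.compile(r"SSL Library Error: error:([0-9A-Fa-f]{8}):[^:]+:([^:]+):(.+)$")

def find_proxy_tls_failures(lines):
    """Pair each AH02003 proxy failure with the library error that follows it."""
    found, pending = [], False
    for line in lines:
        if PROXY_FAIL_RE.search(line):
            pending = True
            continue
        m = LIB_ERR_RE.search(line)
        if pending and m:
            found.append((m.group(1), m.group(2), m.group(3).strip()))
            pending = False
    return found
```

Run against a full mod_ssl trace, the pairing tells you which OpenSSL routine aborted the proxy handshake; the decoded reason 68 is ERR_R_INTERNAL_ERROR (64 fatal flag plus 4).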