We have a strange problem with our Apache+mod_ssl server (Apache/1.3.26 (Unix) mod_perl/1.22 mod_ssl/2.8.9 OpenSSL/0.9.6, on Linux 2.2.19). After a while the server processes become stuck while waiting for the data from a socket. The timeout is set to 300 in httpd.conf, but the processes happily wait for data for about an hour before timing out. If the load on the server is high enough, all process slots eventually get populated and the server stops serving.
The interesting aspect is, most of the time processes get stuck when the request comes from one particular IP, and they don't get stuck on every request from that IP. A DoS attack is very unlikely, judging by the activity. Did anybody see this before? Is there a fix or a workaround? Strace and cipher_log results are below.

Thanks in advance,
- Alex [EMAIL PROTECTED]

Running strace on a hung process produces

    read(5,

for a long time, eventually followed by

    read(5, 0x959d2d8, 11) = -1 ETIMEDOUT (Connection timed out)

The connection takes about 3600 seconds to time out.

cipher_log contains this for a "normal" connection (dumps removed):

    [23/Jun/2002 17:02:01 08719] [info] Connection to child 4 established (server xxx.xx :443, client xxx.xxx.xxx.xxx)
    [23/Jun/2002 17:02:01 08719] [info] Seeding PRNG with 23177 bytes of entropy
    [23/Jun/2002 17:02:01 08719] [trace] OpenSSL: Handshake: start
    [23/Jun/2002 17:02:01 08719] [trace] OpenSSL: Loop: before/accept initialization
    [23/Jun/2002 17:02:01 08719] [debug] OpenSSL: read 11/11 bytes from BIO#09327750 [mem: 092E2FD8] (BIO dump follows)
    [23/Jun/2002 17:02:01 08719] [debug] OpenSSL: read 91/91 bytes from BIO#09327750 [mem: 092E2FE3] (BIO dump follows)
    [23/Jun/2002 17:02:01 08719] [trace] OpenSSL: Loop: SSLv3 read client hello A
    [23/Jun/2002 17:02:01 08719] [trace] OpenSSL: Loop: SSLv3 write server hello A
    [23/Jun/2002 17:02:01 08719] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
    etc.

For a stuck connection, cipher_log contains

    [23/Jun/2002 17:02:04 08719] [info] Connection to child 4 established (server xxx.xxx :443, client xxx.xxx.xxx.xxx)
    [23/Jun/2002 17:02:04 08719] [info] Seeding PRNG with 23177 bytes of entropy
    [23/Jun/2002 17:02:04 08719] [trace] OpenSSL: Handshake: start
    [23/Jun/2002 17:02:04 08719] [trace] OpenSSL: Loop: before/accept initialization

with nothing else for this PID for a long time.

It seems that the process is trying to start an SSL connection, but times out on read and does not respect Timeout settings in the configuration file.
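
Added example (not part of the original post, and not mod_ssl code): a log triage script that finds the stalled handshakes described above, i.e. children that logged "before/accept initialization" and then nothing for longer than the configured Timeout, and reports the client address for each. The function name, the sample log and its addresses are constructed for illustration; it assumes, as the post observes, that a blocked child writes no further log lines until its read returns.

```python
import re
from datetime import datetime

LINE = re.compile(r"^\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (\d+)\] \[\w+\] (.*)$")
CONN = re.compile(r"Connection to child \d+ established \(server .*?, client ([^)]+)\)")
WAITING = "OpenSSL: Loop: before/accept initialization"

def find_stalled_handshakes(lines, timeout=300):
    """Return (pid, client, wait_began, seconds) for each handshake that sat in
    'before/accept initialization' longer than `timeout` seconds."""
    pending, clients, stalled, last_ts = {}, {}, [], None
    def close(pid, now):
        client, began = pending.pop(pid)
        waited = (now - began).total_seconds()
        if waited > timeout:
            stalled.append((pid, client, began, waited))
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                      # BIO dumps and other non-log lines
        ts = datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S")
        pid, msg, last_ts = m.group(2), m.group(3), ts
        if pid in pending:                # any new line from this child ends its wait
            close(pid, ts)
        conn = CONN.search(msg)
        if conn:
            clients[pid] = conn.group(1)
        elif msg.startswith(WAITING):
            pending[pid] = (clients.get(pid, "unknown"), ts)
    for pid in list(pending):             # still blocked when the log ends
        close(pid, last_ts)
    return stalled

# Constructed sample in the post's log format (documentation-range addresses).
SAMPLE_LOG = """\
[23/Jun/2002 17:02:01 08719] [info] Connection to child 4 established (server 192.0.2.1:443, client 198.51.100.7)
[23/Jun/2002 17:02:01 08719] [trace] OpenSSL: Handshake: start
[23/Jun/2002 17:02:01 08719] [trace] OpenSSL: Loop: before/accept initialization
[23/Jun/2002 17:02:01 08719] [trace] OpenSSL: Loop: SSLv3 read client hello A
[23/Jun/2002 17:02:04 08719] [info] Connection to child 4 established (server 192.0.2.1:443, client 203.0.113.9)
[23/Jun/2002 17:02:04 08719] [trace] OpenSSL: Handshake: start
[23/Jun/2002 17:02:04 08719] [trace] OpenSSL: Loop: before/accept initialization
[23/Jun/2002 17:10:00 08720] [info] Connection to child 5 established (server 192.0.2.1:443, client 198.51.100.7)
[23/Jun/2002 18:02:05 08719] [info] Connection to child 4 established (server 192.0.2.1:443, client 198.51.100.7)
""".splitlines()

if __name__ == "__main__":
    for pid, client, began, waited in find_stalled_handshakes(SAMPLE_LOG):
        print(f"pid {pid} client {client} blocked {waited:.0f}s from {began}")
```

Grouping the returned tuples by client shows whether the stalls really concentrate on one address, and the default of 300 mirrors the Timeout value quoted in the post.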