Try putting this line in the server config: SSLProxyProtocol SSLv3
Hope this helps.

Claudio Campetto.

-----Original Message-----
From: Keith Sparacin [mailto:ksparacin@;ti.com]
Sent: Wednesday, October 23, 2002 3:15
To: [EMAIL PROTECTED]
Subject: SSL reverse proxy using certificates to IIS server

Has anyone gotten an Apache 2.0.43 SSL reverse proxy working to an IIS backend server requiring certificate verification on the IIS server side?

I can reverse proxy Apache to an SSL Unix server and an SSL IIS server (neither requiring certificates). I can also reverse proxy Apache to an SSL Unix server requiring certificate verification. I have not been able to get it working to an IIS server requiring certificate verification.

I have verified that the Apache certificates are valid using openssl to retrieve web pages from the IIS server:

    openssl s_client -connect IIS-server:443 -cert user.crt -key user.key -CAfile ca-bundle.crt
    GET / HTTP/1.0
    <Web page content...>

Originally when I tried the reverse proxy to the IIS server I would get a segmentation fault in ssl_engine_kernel.c. For some reason info->x_pkey was a NULL pointer.

I modified the code shown below to get around this:

$ diff ssl_engine_kernel.c{.ORIG,} 1606,1607c1606,1609 < *pkey = info->x_pkey->dec_pkey; \ < EVP_PKEY_reference_inc(*pkey) --- > if (info->x_pkey != 0) { \ > *pkey = info->x_pkey->dec_pkey; \ > EVP_PKEY_reference_inc(*pkey); \ > }

Now when I use openssl to connect to the reverse proxy I get:

    HTTP/1.1 502 Proxy Error
    Date: Wed, 23 Oct 2002 01:00:39 GMT
    Server: Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6g DAV/2
    Content-Length: 453
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>502 Proxy Error</title>
    </head><body>
    <h1>Proxy Error</h1>
    <p>The proxy server received an invalid response from an upstream server.<br />
    The proxy server could not handle the request <em><a href="/">GET /</a></em>.<p>
    Reason: <strong>Error reading from remote server</strong></p></p>
    <hr />
    <address>Apache/2.0.43 Server at host Port 443</address>
    </body></html>
    read:errno=0

The Apache error log shows:

    [Tue Oct 22 17:31:19 2002] [info] Connection: Client IP: xxx.xxx.xxx.xxx, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
    [Tue Oct 22 17:31:19 2002] [error] SSL error on reading data
    [Tue Oct 22 17:31:19 2002] [error] SSL Library Error: 336162922 error:1409706A:lib(20):func(151):reason(106)
    [Tue Oct 22 17:31:19 2002] [error] [client xxx.xxx.xxx.xxx] proxy: error reading status line from remote server IIS-server
    [Tue Oct 22 17:31:19 2002] [error] [client xxx.xxx.xxx.xxx] proxy: Error reading from remote server returned by /
    [Tue Oct 22 17:31:19 2002] [debug] ssl_engine_kernel.c(1866): OpenSSL: Write: SSL negotiation finished successfully
    [Tue Oct 22 17:31:19 2002] [info] Connection to child 1 closed with standard shutdown(server host:443, client xxx.xxx.xxx.xxx)
    [Tue Oct 22 17:31:19 2002] [debug] ssl_engine_kernel.c(1866): OpenSSL: Write: SSL negotiation finished successfully
    [Tue Oct 22 17:31:19 2002] [info] Connection to child 1 closed with standard shutdown(server host:443, client xxx.xxx.xxx.xxx)

I don't know enough about SSL to know what is going on. It looks like the SSL_read() is failing but I do not know why. If I don't get anywhere with this, I'm thinking about trying the experimental code in Apache 1.3.27 to see if I have any luck.

Any input would be welcome.

Thanks.
Keith
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                             [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
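
Review bot: In the replacement lines of the 1606,1607c1606,1609 hunk of ssl_engine_kernel.c, the new guard `if (info->x_pkey != 0)` has no else branch, so when x_pkey is NULL the macro leaves *pkey unassigned and continues with no log message and no error indication. That avoids the NULL dereference reported above, but whatever runs after the macro cannot tell that no private key was obtained for the proxy's client certificate. Handle the NULL case explicitly: log that the entry carries no private key and take a failure path instead of proceeding, and find out why x_pkey is empty for this entry in the first place. As a style point, compare against NULL rather than 0 for a pointer.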