Hello all,
I've been looking at an issue now for 3 days, and after extensively reading the mailing list and documentation, I am unable to find a solution for my problem.
First, I am running Apache 1.3.28 and mod_ssl 2.8.15/openssl 0.9.7d.
The behavior I see is that during the course of normal SSL traffic (handshakes, data transfer, closing connection) a client will sometimes spawn between 100 and 500 TCP connections to Apache that remain in the "Reading" state and occupy client slots until the Apache Timeout of 1200 seconds kicks in and removes them.
For a few of the offending IP addresses, I have used tcpdump/ssldump to capture the TCP traffic inside of the firewall and on the Apache machine.
What I see is as follows:
1. Normal TCP connection
2. Followed by handshake and cipher exchange
3. Application data flowing
4. TCP connection closed
However, in certain cases after application data is exchanged, I will see a flood of TCP connections that are followed by RST(s). Here is a snippet from the tcpdump/ssldump:
---------------------------------------------------------------
361 14 24.8021 (0.0000)  S>CV3.0(21)  application_data
---------------------------------------------------------------
---------------------------------------------------------------
361 15 24.9503 (0.1481)  C>SV3.0(977)  application_data
---------------------------------------------------------------
361    24.9521 (0.0017)  C>S  TCP RST
New TCP connection #397: REMOTE_HOST(2683) <-> APACHE_HOST(443)
397    0.1080 (0.1080)  C>S  TCP RST
New TCP connection #398: REMOTE_HOST(2684) <-> APACHE_HOST(443)
398    0.1103 (0.1103)  C>S  TCP RST
New TCP connection #399: REMOTE_HOST(2685) <-> APACHE_HOST(443)
399    0.1126 (0.1126)  C>S  TCP RST
New TCP connection #400: REMOTE_HOST(2686) <-> APACHE_HOST(443)
400    0.1147 (0.1147)  C>S  TCP RST
New TCP connection #401: REMOTE_HOST(2687) <-> APACHE_HOST(443)
401    0.1170 (0.1170)  C>S  TCP RST
New TCP connection #402: REMOTE_HOST(2688) <-> APACHE_HOST(443)
402    0.1193 (0.1193)  C>S  TCP RST
New TCP connection #403: REMOTE_HOST(2689) <-> APACHE_HOST(443)
403    0.1214 (0.1214)  C>S  TCP RST
New TCP connection #404: REMOTE_HOST(2690) <-> APACHE_HOST(443)
404    0.1237 (0.1237)  C>S  TCP RST
New TCP connection #405: REMOTE_HOST(2691) <-> APACHE_HOST(443)
405    0.1259 (0.1259)  C>S  TCP RST
New TCP connection #406: REMOTE_HOST(2692) <-> APACHE_HOST(443)
406    0.1279 (0.1279)  C>S  TCP RST
New TCP connection #407: REMOTE_HOST(2693) <-> APACHE_HOST(443)
407    0.1300 (0.1300)  C>S  TCP RST
... <<REPEATS 173 TIMES>> ...
New TCP connection #580: REMOTE_HOST(2883) <-> APACHE_HOST(443)
580 1  0.0673 (0.0673)  C>SV3.0(97)  Handshake
      ClientHello
        Version 3.0
Additionally, I turned on SSL debugging at the Apache layer, and this is the only real relevant information I obtained:
[26/Oct/2004 07:54:24 07446] [info]  Connection to child 17 established (server VIRTUAL_HOST:443, client REMOTE_IP)
[26/Oct/2004 07:54:24 07446] [info]  Seeding PRNG with 1160 bytes of entropy
[26/Oct/2004 07:54:24 07446] [trace] OpenSSL: Handshake: start
[26/Oct/2004 07:54:24 07446] [trace] OpenSSL: Loop: before/accept initialization
[26/Oct/2004 08:14:26 07446] [debug] OpenSSL: I/O error, 11 bytes expected to read on BIO#082BE820 [mem: 083D2128]
[26/Oct/2004 08:14:26 07446] [trace] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[26/Oct/2004 08:14:26 07446] [error] SSL handshake timed out (client REMOTE_UP, server VIRTUAL_HOST:443)
Notice above that the point at which the SSL handshake timed out was at the Apache Timeout of 1200 seconds. During this period, the request is occupying a client slot in the Reading state.
I would appreciate any help/suggestions, as I am nearly out of ideas.
If you reply, please CC [EMAIL PROTECTED] as I am currently not on the modssl-users mailing list.
thanks,
ted rice
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
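The ssldump excerpt in the post shows one pattern worth being able to pick out of a long capture automatically: a client that completes a handshake and exchanges data, then opens a burst of new TCP connections and resets each one before sending a single TLS record. The following is an added example, not code from the poster or from the mod_ssl project; it parses ssldump's default text layout as quoted above and counts, per client host, connections that were reset before any handshake record. The trace it reads is constructed (hosts, ports and timings are made up), and the 100-connection threshold is an assumption taken from the low end of the burst size the post describes.

```python
"""Classify connections in an ssldump text trace and flag clients that open
many TCP connections and reset them before any TLS record is sent.

Added example, not part of the original mailing-list post. Input layout
follows the ssldump lines quoted in the post; the sample trace is constructed
and the threshold is an assumption."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample trace (not the poster's capture): one connection that
# handshakes, moves data and is then reset; two reset before any TLS record;
# one from another host that closes cleanly with a FIN.
SAMPLE_TRACE = """\
New TCP connection #361: 10.0.0.5(2600) <-> 192.0.2.10(443)
361 1  0.0673 (0.0673)  C>SV3.0(97)  Handshake ClientHello
361 14 24.8021 (0.0000)  S>CV3.0(21)  application_data
361 15 24.9503 (0.1481)  C>SV3.0(977)  application_data
361 24.9521 (0.0017)  C>S  TCP RST
New TCP connection #397: 10.0.0.5(2683) <-> 192.0.2.10(443)
397 0.1080 (0.1080)  C>S  TCP RST
New TCP connection #398: 10.0.0.5(2684) <-> 192.0.2.10(443)
398 0.1103 (0.1103)  C>S  TCP RST
New TCP connection #399: 10.0.0.7(3001) <-> 192.0.2.10(443)
399 1  0.0500 (0.0500)  C>SV3.0(97)  Handshake ClientHello
399 2  0.0800 (0.0300)  S>CV3.0(74)  Handshake ServerHello
399 0.5000 (0.4200)  C>S  TCP FIN
"""

@dataclass
class Conn:
    client: str
    client_port: int
    records: int = 0          # TLS records seen in either direction
    handshake: bool = False   # at least one Handshake record seen
    app_data: bool = False    # at least one application_data record seen
    closed_by: str = ""       # e.g. "C>S RST", "C>S FIN"; "" if never closed
    last_time: float = 0.0    # seconds since the connection's first packet

def parse_ssldump(text):
    """Return {connection_id: Conn} from ssldump's default text output."""
    conns = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("New TCP connection #"):
            head, _, rest = line.partition(": ")
            client = rest.partition(" <-> ")[0]          # "host(port)"
            host, _, port = client.rpartition("(")
            conns[int(head.split("#")[1])] = Conn(host, int(port.rstrip(")")))
            continue
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue  # separator dashes, indented handshake detail, blank lines
        conn = conns.get(int(tok[0]))
        if conn is None:
            continue  # capture started mid-connection; nothing to attribute
        if tok[1].isdigit():
            # TLS record: <conn> <rec#> <time> (<delta>) <dir>V<ver>(<len>) <type...>
            conn.last_time = float(tok[2])
            conn.records += 1
            kind = " ".join(tok[5:])
            conn.handshake |= kind.startswith("Handshake")
            conn.app_data |= kind.startswith("application_data")
        elif len(tok) >= 6 and tok[4] == "TCP" and tok[5] in ("RST", "FIN"):
            # TCP event: <conn> <time> (<delta>) <dir> TCP <RST|FIN|SYN>
            conn.last_time = float(tok[1])
            conn.closed_by = f"{tok[3]} {tok[5]}"
    return conns

@dataclass
class ClientStats:
    total: int = 0
    aborted_prehandshake: int = 0  # client RST with no TLS record at all
    handshake_started: int = 0
    rst_after_data: int = 0        # application data exchanged, then RST

def summarize_by_client(conns):
    stats = defaultdict(ClientStats)
    for c in conns.values():
        s = stats[c.client]
        s.total += 1
        if c.records == 0 and c.closed_by == "C>S RST":
            s.aborted_prehandshake += 1
        if c.handshake:
            s.handshake_started += 1
        if c.app_data and c.closed_by.endswith("RST"):
            s.rst_after_data += 1
    return dict(stats)

def flag_clients(stats, threshold=100):
    """Hosts whose pre-handshake resets reach the threshold (assumed value)."""
    return sorted(h for h, s in stats.items() if s.aborted_prehandshake >= threshold)

if __name__ == "__main__":
    stats = summarize_by_client(parse_ssldump(SAMPLE_TRACE))
    for host, s in sorted(stats.items()):
        print(host, s)
    print("flagged:", flag_clients(stats, threshold=2))
```

Feed it `ssldump -n` text captured on the server side as well as inside the firewall: if a client is flagged from the firewall-side capture but the same connections show no RST on the server side, the resets are not reaching Apache, which is consistent with slots sitting in Reading until Timeout fires.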
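The mod_ssl log excerpt above shows the other half of the picture: a child process logs the connection as established, never reads a ClientHello, and logs the handshake timeout 20 minutes later. Because each Apache 1.3 child handles one connection at a time, the pid in the bracket is enough to pair the two lines and measure how long the slot was held. The following is an added example, not the poster's or the project's code; it correlates mod_ssl 2.8-style log lines by pid and reports handshakes that held a slot for at least the configured Timeout. The log lines are constructed (dates, pids, hostnames and addresses are made up, and the "closed with standard shutdown" line is assumed from mod_ssl's usual wording); 1200 seconds is the Timeout the post reports.

```python
"""Correlate mod_ssl 2.8 log lines by Apache 1.3 child pid to find SSL
handshakes that held a client slot until the server Timeout expired.

Added example, not part of the original post. Line layout follows the mod_ssl
excerpt quoted in the post; the sample log is constructed and 1200 seconds is
the Timeout the post reports."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: child 17 (pid 07446) never receives a ClientHello
# and times out; child 18 (pid 07451) completes a normal connection.
SAMPLE_LOG = """\
[26/Oct/2004 07:54:24 07446] [info]  Connection to child 17 established (server www.example.test:443, client 10.0.0.5)
[26/Oct/2004 07:54:24 07446] [info]  Seeding PRNG with 1160 bytes of entropy
[26/Oct/2004 07:54:24 07446] [trace] OpenSSL: Handshake: start
[26/Oct/2004 07:54:25 07451] [info]  Connection to child 18 established (server www.example.test:443, client 10.0.0.7)
[26/Oct/2004 07:54:25 07451] [info]  Connection to child 18 closed with standard shutdown (server www.example.test:443, client 10.0.0.7)
[26/Oct/2004 08:14:26 07446] [debug] OpenSSL: I/O error, 11 bytes expected to read on BIO#082BE820 [mem: 083D2128]
[26/Oct/2004 08:14:26 07446] [trace] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[26/Oct/2004 08:14:26 07446] [error] SSL handshake timed out (client 10.0.0.5, server www.example.test:443)
"""

# [dd/Mon/yyyy HH:MM:SS pid] [level] message
LINE = re.compile(r"^\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (\d+)\] \[(\w+)\]\s+(.*)$")
ESTABLISHED = re.compile(r"^Connection to child \d+ established \(server (\S+), client (\S+)\)$")
CLOSED = re.compile(r"^Connection to child \d+ closed with ")
TIMED_OUT = re.compile(r"^SSL handshake timed out \(client ([^,]+), server (\S+)\)$")

@dataclass
class StalledHandshake:
    client: str
    pid: str
    started: datetime       # None if the established line was not in the log
    held_seconds: float     # nan if the start time is unknown
    hit_timeout: bool       # slot held for at least the configured Timeout

def find_stalled_handshakes(text, timeout_seconds=1200):
    """Pair each 'established' line with the 'handshake timed out' line of the
    same child pid and compute how long the client slot was held."""
    open_conns = {}   # pid -> (start time, client); one connection per child
    stalled = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S")
        pid, msg = m.group(2), m.group(4)
        if e := ESTABLISHED.match(msg):
            open_conns[pid] = (ts, e.group(2))
        elif CLOSED.match(msg):
            open_conns.pop(pid, None)          # normal connection, slot freed
        elif t := TIMED_OUT.match(msg):
            start, client = open_conns.pop(pid, (None, t.group(1)))
            held = (ts - start).total_seconds() if start else float("nan")
            stalled.append(StalledHandshake(client, pid, start, held,
                                            held >= timeout_seconds))
    return stalled

def timeouts_per_client(stalled):
    """Count stalled handshakes per client, the hosts to look at first."""
    return Counter(s.client for s in stalled)

if __name__ == "__main__":
    for s in find_stalled_handshakes(SAMPLE_LOG):
        print(f"{s.client} pid {s.pid} held {s.held_seconds:.0f}s timeout={s.hit_timeout}")
    print(timeouts_per_client(find_stalled_handshakes(SAMPLE_LOG)))
```

Run it over the mod_ssl error log for the day in question: the per-client counter tells you whether the stalled handshakes cluster on the same few hosts as the RST bursts in the capture, and a held time that always lands just above 1200 seconds confirms the slots are only ever released by Timeout rather than by the client's close.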