[Bug 63430] proxy client certificates not found despite being configured

2019-05-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #7 from Ruediger Pluem  ---
Created attachment 36585
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36585=edit
Possible fix

Does the attached patch fix your problem?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org



[Bug 63430] proxy client certificates not found despite being configured

2019-05-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #6 from m...@blackmans.org ---
We have confirmed a configuration nearly identical to this one does work for
version 2.4.38




[Bug 63430] proxy client certificates not found despite being configured

2019-05-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #5 from m...@blackmans.org ---
this is the proxypass line:

 ProxyPass /cca/messages balancer://balancer2/cca/messages

Here's the full Proxy block with a bit of scrubbing

#
# BalancerConfiguration 2
#

 SSLProxyMachineCertificateFile /vhosts/somevhost/somepath/client.pem
 BalancerMember https://some.backend.corp.com:443 retry=5 timeout=120
 ProxySet stickysession=JSESSIONID|jsessionid
 ProxySet scolonpathdelim=On
 ProxySet lbmethod=byrequests
 ProxySet forcerecovery=On


You're correct, we have three proxy blocks + corresponding ProxyPass
definitions for this VirtualHost.

Here's the access log line for that failed request.

10.10.10.10 - some_remote_user [14/May/2019:09:37:43 +0200] "HEAD
/cca/messages?q=read:false HTTP/1.1" 500 - "-" "-"


I have not yet verified it, but my understanding is that this did work for
Apache 2.4.38 at least. You may wish to wait until I can verify this myself,
but I believe it to be true so far.




[Bug 63430] proxy client certificates not found despite being configured

2019-05-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #4 from Ruediger Pluem  ---
(In reply to mark from comment #3)
> technically, there was a restart between those sets of lines, but not
> between these, I have inserted the "resuming operation" and "mod_ssl" lines
> from the global log as well for comparison
> 
> [Tue May 14 09:27:15.212161 2019] [ssl:info] [pid 781991:tid
> 14031095040] AH01876: mod_ssl/2.4.39 compiled against Server:
> Apache/2.4.39, Library: OpenSSL/1.0.2r
> [Tue May 14 09:27:15.252246 2019] [ssl:debug] [pid 781991:tid
> 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for
> SSL proxy
> [Tue May 14 09:27:15.252487 2019] [ssl:debug] [pid 781991:tid
> 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for
> SSL proxy
> [Tue May 14 09:27:15.253510 2019] [ssl:debug] [pid 781991:tid
> 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for
> SSL proxy
> [Tue May 14 09:27:29.269928 2019] [mpm_event:notice] [pid 781991:tid
> 14031095040] AH00489: Apache/2.4.39 (Unix) OpenSSL/1.0.2r
> mod_fcgid/2.3.9 mod_auth_kerb/5.4 mod_qos/11.62 mod_jk/1.2.46 configured --
> resuming normal operations
> [Tue May 14 09:37:43.553029 2019] [ssl:warn] [pid 799222:tid
> 140218148460288] AH02268: Proxy client certificate callback: (dw25136:11719)
> downstream server wanted client certificate but none are configured
> 
> The configuration is pretty big, but the relevant configuration just involves
> 
> 
> SSLProxyMachineCertificateFile  /path/to/cert.pem
> 
> 
> and a later proxypass line.

What is the ProxyPass line?
Which URL triggers the AH02268?
The AH01876 appears 3 times. So you have 2 further Proxy sections that contain
SSLProxyMachineCertificateFile?
It did work with 2.4.x?




[Bug 63430] proxy client certificates not found despite being configured

2019-05-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #3 from m...@blackmans.org ---
technically, there was a restart between those sets of lines, but not between
these, I have inserted the "resuming operation" and "mod_ssl" lines from the
global log as well for comparison

[Tue May 14 09:27:15.212161 2019] [ssl:info] [pid 781991:tid 14031095040]
AH01876: mod_ssl/2.4.39 compiled against Server: Apache/2.4.39, Library:
OpenSSL/1.0.2r
[Tue May 14 09:27:15.252246 2019] [ssl:debug] [pid 781991:tid 14031095040]
ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 09:27:15.252487 2019] [ssl:debug] [pid 781991:tid 14031095040]
ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 09:27:15.253510 2019] [ssl:debug] [pid 781991:tid 14031095040]
ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 09:27:29.269928 2019] [mpm_event:notice] [pid 781991:tid
14031095040] AH00489: Apache/2.4.39 (Unix) OpenSSL/1.0.2r mod_fcgid/2.3.9
mod_auth_kerb/5.4 mod_qos/11.62 mod_jk/1.2.46 configured -- resuming normal
operations
[Tue May 14 09:37:43.553029 2019] [ssl:warn] [pid 799222:tid 140218148460288]
AH02268: Proxy client certificate callback: (dw25136:11719) downstream server
wanted client certificate but none are configured

The configuration is pretty big, but the relevant configuration just involves


SSLProxyMachineCertificateFile  /path/to/cert.pem


and a later proxypass line.




[Bug 63430] proxy client certificates not found despite being configured

2019-05-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #2 from Ruediger Pluem  ---
With which version does your setup work?




[Bug 63430] proxy client certificates not found despite being configured

2019-05-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #1 from Ruediger Pluem  ---
The version was the same (2.4.39) for both log lines / blocks and you did not
restart in between?
So the server was just running?
What is your configuration?




[Bug 63430] New: proxy client certificates not found despite being configured

2019-05-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

Bug ID: 63430
   Summary: proxy client certificates not found despite being
configured
   Product: Apache httpd-2
   Version: 2.4.39
  Hardware: PC
OS: Linux
Status: NEW
  Severity: major
  Priority: P2
 Component: mod_ssl
  Assignee: bugs@httpd.apache.org
  Reporter: m...@blackmans.org
  Target Milestone: ---

Apache 2.4.39 is failing requests going to an HTTPS proxy backend with errors
like so, indicating a client certificate was not configured, however, we know
that it was configured.

[Tue May 14 09:49:03.378930 2019] [ssl:warn] [pid 1674555:tid 140693875197696]
AH02268: Proxy client certificate callback: (dw25136:443) downstream server
wanted client certificate but none are configured


These log lines, an hour or so earlier, tell us that a client certificate was
configured (in fact, the same one was used in three contexts, hence the
triple message)


[Tue May 14 08:05:16.787346 2019] [ssl:debug] [pid 1670484:tid 140697080997632]
ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 08:05:16.787558 2019] [ssl:debug] [pid 1670484:tid 140697080997632]
ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 08:05:16.788403 2019] [ssl:debug] [pid 1670484:tid 140697080997632]
ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy

I have selectively pulled out log lines to make the point and to minimize the
amount of scrubbing I have to do.

This looks like new behavior in 2.4.39 to me, but I haven't yet demonstrated
that.

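A triage sketch for the symptom in the report above, added here as an example and not code from the bug thread or from httpd: it groups error-log entries by server start and flags a start where AH02207 reports client certs loaded at init but AH02268 later says none are configured. The sample log is constructed from the lines quoted in the report (the second start is invented), and the script assumes one entry per line, as httpd writes them.

```python
import re
from collections import Counter

# Constructed sample: two server starts, modelled on the log lines quoted in
# this thread (one entry per line, as httpd writes them; second start invented).
SAMPLE_LOG = """\
[Tue May 14 09:27:15.252246 2019] [ssl:debug] [pid 781991:tid 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 09:27:15.252487 2019] [ssl:debug] [pid 781991:tid 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 09:27:15.253510 2019] [ssl:debug] [pid 781991:tid 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 09:27:29.269928 2019] [mpm_event:notice] [pid 781991:tid 14031095040] AH00489: Apache/2.4.39 (Unix) OpenSSL/1.0.2r configured -- resuming normal operations
[Tue May 14 09:37:43.553029 2019] [ssl:warn] [pid 799222:tid 140218148460288] AH02268: Proxy client certificate callback: (dw25136:11719) downstream server wanted client certificate but none are configured
[Tue May 14 11:00:01.000001 2019] [ssl:debug] [pid 800100:tid 1] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 11:00:02.000001 2019] [mpm_event:notice] [pid 800100:tid 1] AH00489: Apache/2.4.39 (Unix) OpenSSL/1.0.2r configured -- resuming normal operations
"""

ENTRY = re.compile(r"^\[[^\]]+\] \[\w+:\w+\] \[pid \d+(?::tid \d+)?\] (?P<msg>.*)$")
LOADED = re.compile(r"AH02207: loaded (\d+) client certs for SSL proxy")
MISSING = re.compile(r"AH02268: Proxy client certificate callback: \(([^)]+)\)")

def new_run():
    return {"contexts": 0, "certs": 0, "serving": False, "failures": Counter()}

def triage(log_text):
    """Group entries by server start; compare init-time loads with runtime failures."""
    runs = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        msg = entry["msg"]
        loaded, missing = LOADED.search(msg), MISSING.search(msg)
        # An AH02207 seen after "resuming normal operations" means a new start.
        if not runs or (loaded and runs[-1]["serving"]):
            runs.append(new_run())
        run = runs[-1]
        if loaded:
            run["contexts"] += 1
            run["certs"] += int(loaded.group(1))
        elif "AH00489" in msg:
            run["serving"] = True
        elif missing:
            run["failures"][missing.group(1)] += 1
    for run in runs:
        # Certs were loaded, yet the proxy callback found none: the reported pattern.
        run["contradiction"] = run["certs"] > 0 and bool(run["failures"])
    return runs
```

A start with failures but zero loaded certs points at a plain configuration gap instead; only the `contradiction` case matches what this bug describes.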



[Bug 63427] New: Proxy error reading status line from remote server with big files and Content-Length header

2019-05-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63427

Bug ID: 63427
   Summary: Proxy error reading status line from remote server
with big files and Content-Length header
   Product: Apache httpd-2
   Version: 2.4.6
  Hardware: PC
OS: All
Status: NEW
  Severity: major
  Priority: P2
 Component: mod_proxy
  Assignee: bugs@httpd.apache.org
  Reporter: fma...@comune.genova.it
  Target Milestone: ---

I have this configuration: apache 2.4.6 on a centos 7, configured as https
reverse proxy on a filesender server (http://filesender.org/), on a Redhat 5.3
server. Filesender is a software for sending big files with email links.
The error occurs clicking on the download.php link (for downloading files), and
only for very big files (several GB I guess). Direct links to filesender server
work.

Finally I found the problem, but don't know why it happens: I thought the
problem could be in the headers sent by download.php, so I tried to comment
them one by one and I found that the one which gives error is the one which
sends file dimension:

header('Content-Length: '.$functions->getFileSize($file));

Commenting out this one eliminates the error.
I don't know if it occurs only with certain type of file or in https only.

Here is verbose log:

[Tue May 14 12:09:09.995372 2019] [ssl:debug] [pid 5421]
ssl_engine_kernel.c(224): [client xxx.xxx.xxx.xxx:14019] AH02034: Initial
(No.1) HTTPS request received for child 32 (server yyy.yyy.yyy.yyy:443)
[Tue May 14 12:09:09.995577 2019] [authz_core:debug] [pid 5421]
mod_authz_core.c(835): [client xxx.xxx.xxx.xxx:14019] AH01628: authorization
result: granted (no directives)
[Tue May 14 12:09:09.995915 2019] [proxy:debug] [pid 5421] mod_proxy.c(1117):
[client xxx.xxx.xxx.xxx:14019] AH01143: Running scheme http handler (attempt 0)
[Tue May 14 12:09:09.995947 2019] [proxy_ajp:debug] [pid 5421]
mod_proxy_ajp.c(713): [client xxx.xxx.xxx.xxx:14019] AH00894: declining URL
http://yyy.yyy.yyy.yyy/filesender/download1.php?vid=zzz
[Tue May 14 12:09:09.995980 2019] [proxy_fcgi:debug] [pid 5421]
mod_proxy_fcgi.c(963): [client xxx.xxx.xxx.xxx:14019] AH01076: url:
http://yyy.yyy.yyy.yyy/filesender/download1.php?vid=zzz proxyname: (null)
proxyport: 0
[Tue May 14 12:09:09.995990 2019] [proxy_fcgi:debug] [pid 5421]
mod_proxy_fcgi.c(966): [client xxx.xxx.xxx.xxx:14019] AH01077: declining URL
http://yyy.yyy.yyy.yyy/filesender/download1.php?vid=zzz
[Tue May 14 12:09:09.996020 2019] [proxy:debug] [pid 5421] proxy_util.c(2256):
[client xxx.xxx.xxx.xxx:14019] AH00944: connecting
http://yyy.yyy.yyy.yyy/filesender/download1.php?vid=zzz to yyy.yyy.yyy.yyy:80
[Tue May 14 12:09:09.996453 2019] [proxy:debug] [pid 5421] proxy_util.c(2422):
[client xxx.xxx.xxx.xxx:14019] AH00947: connected
/filesender/download1.php?vid=zzz to yyy.yyy.yyy.yyy:80
[Tue May 14 12:09:10.708571 2019] [proxy_http:error] [pid 5421] (104)Connection
reset by peer: [client xxx.xxx.xxx.xxx:14019] AH01102: error reading status
line from remote server yyy.yyy.yyy.yyy:80
[Tue May 14 12:09:10.708731 2019] [proxy_http:debug] [pid 5421]
mod_proxy_http.c(1363): [client xxx.xxx.xxx.xxx:14019] AH01105: NOT Closing
connection to client although reading from backend server yyy.yyy.yyy.yyy:80
failed.
[Tue May 14 12:09:10.708801 2019] [proxy:error] [pid 5421] [client
xxx.xxx.xxx.xxx:14019] AH00898: Error reading from remote server returned by
/filesender/download1.php
[Tue May 14 12:09:15.715088 2019] [ssl:debug] [pid 5421] ssl_engine_io.c(992):
[client xxx.xxx.xxx.xxx:14019] AH02001: Connection closed to child 32 with
standard shutdown (server yyy.yyy.yyy.yyy:443)

Here is proxy vhost:



ServerName yyy.yyy.yyy.yyy:443

ErrorLog logs/filesender_ssl_error_log
TransferLog logs/filesender_ssl_access_log
LogLevel debug

ProxyPass / http://yyy.yyy.yyy.yyy/
ProxyPassReverse / http://yyy.yyy.yyy.yyy/

SSLEngine on

SSLProtocol +TLSv1.2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4:!DES-CBC-SHA:!EDH-RSA-DES-CBC-SHA:!AECDH-DES-CBC3-SHA:!AECDH-AES128-SHA:!AECDH-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:!3DES:!IDEA
SSLCertificateFile /etc/pki/tls/certs/yyy.yyy.yyy.yyy.cer
SSLCertificateKeyFile /etc/pki/tls/private/yyy.yyy.yyy.yyy.key
SSLCertificateChainFile /etc/pki/tls/certs/yyy.yyy.yyy.yyy.cer

CustomLog logs/filesender_ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



These are headers sent by backend server:

Date: Tue, 14 May 2019 10:37:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.3
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 14 May 2019 10:01:03 GMT
Content-Length: 5165363650
Content-Disposition: attachment; filename="yyy.7z"
Connection: close
Content-Type: application/octet-stream

With these headers I got error, if I remove Content-Length header I can
download file.


[Bug 63256] mod_ssl segmentation fault after 2.4.29

2019-05-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63256

--- Comment #23 from Ruediger Pluem  ---
(In reply to mark from comment #22)
> Could this patch have interfered with the SSLProxyMachineCertificateFile
> Directive?
> 
> We are seeing errors like this, even though we are certain we have
> configured a client certificate for the proxying.
> 

You mean with 2.4.39 containing the patch?
What is your configuration?
