[Bug 63430] proxy client certificates not found despite being configured
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #7 from Ruediger Pluem ---
Created attachment 36585
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36585=edit
Possible fix

Does the attached patch fix your problem?

--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org

[Bug 63430] proxy client certificates not found despite being configured
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #6 from m...@blackmans.org ---
We have confirmed a configuration nearly identical to this one does work for
version 2.4.38

[Bug 63430] proxy client certificates not found despite being configured
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #5 from m...@blackmans.org ---
This is the proxypass line:

ProxyPass /cca/messages balancer://balancer2/cca/messages

Here's the full Proxy block with a bit of scrubbing

#
# BalancerConfiguration 2
#
SSLProxyMachineCertificateFile /vhosts/somevhost/somepath/client.pem
BalancerMember https://some.backend.corp.com:443 retry=5 timeout=120
ProxySet stickysession=JSESSIONID|jsessionid
ProxySet scolonpathdelim=On
ProxySet lbmethod=byrequests
ProxySet forcerecovery=On

You're correct, we have three proxy blocks + corresponding ProxyPass
definitions for this VirtualHost.

Here's the access log line for that failed request.

10.10.10.10 - some_remote_user [14/May/2019:09:37:43 +0200] "HEAD /cca/messages?q=read:false HTTP/1.1" 500 - "-" "-"

I have not yet verified it, but my understanding is that this did work for
Apache 2.4.38 at least. You may wish to wait until I can verify this myself,
but I believe it to be true so far.

[Bug 63430] proxy client certificates not found despite being configured
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #4 from Ruediger Pluem ---
(In reply to mark from comment #3)
> technically, there was a restart between those sets of lines, but not
> between these, I have inserted the "resuming operation" and "mod_ssl" lines
> from the global log as well for comparison
>
> [Tue May 14 09:27:15.212161 2019] [ssl:info] [pid 781991:tid 14031095040] AH01876: mod_ssl/2.4.39 compiled against Server: Apache/2.4.39, Library: OpenSSL/1.0.2r
> [Tue May 14 09:27:15.252246 2019] [ssl:debug] [pid 781991:tid 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
> [Tue May 14 09:27:15.252487 2019] [ssl:debug] [pid 781991:tid 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
> [Tue May 14 09:27:15.253510 2019] [ssl:debug] [pid 781991:tid 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
> [Tue May 14 09:27:29.269928 2019] [mpm_event:notice] [pid 781991:tid 14031095040] AH00489: Apache/2.4.39 (Unix) OpenSSL/1.0.2r mod_fcgid/2.3.9 mod_auth_kerb/5.4 mod_qos/11.62 mod_jk/1.2.46 configured -- resuming normal operations
> [Tue May 14 09:37:43.553029 2019] [ssl:warn] [pid 799222:tid 140218148460288] AH02268: Proxy client certificate callback: (dw25136:11719) downstream server wanted client certificate but none are configured
>
> The configuration is pretty big, but the relevant configuration just involves
>
> SSLProxyMachineCertificateFile /path/to/cert.pem
>
> and a later proxypass line.

What is the ProxyPass line?
Which URL triggers the AH02268?
The AH01876 appears 3 times. So you have 2 further Proxy sections that contain
SSLProxyMachineCertificateFile?
It did work with 2.4.x?

[Bug 63430] proxy client certificates not found despite being configured
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #3 from m...@blackmans.org ---
Technically, there was a restart between those sets of lines, but not between
these. I have inserted the "resuming operation" and "mod_ssl" lines from the
global log as well for comparison

[Tue May 14 09:27:15.212161 2019] [ssl:info] [pid 781991:tid 14031095040] AH01876: mod_ssl/2.4.39 compiled against Server: Apache/2.4.39, Library: OpenSSL/1.0.2r
[Tue May 14 09:27:15.252246 2019] [ssl:debug] [pid 781991:tid 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 09:27:15.252487 2019] [ssl:debug] [pid 781991:tid 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 09:27:15.253510 2019] [ssl:debug] [pid 781991:tid 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 09:27:29.269928 2019] [mpm_event:notice] [pid 781991:tid 14031095040] AH00489: Apache/2.4.39 (Unix) OpenSSL/1.0.2r mod_fcgid/2.3.9 mod_auth_kerb/5.4 mod_qos/11.62 mod_jk/1.2.46 configured -- resuming normal operations
[Tue May 14 09:37:43.553029 2019] [ssl:warn] [pid 799222:tid 140218148460288] AH02268: Proxy client certificate callback: (dw25136:11719) downstream server wanted client certificate but none are configured

The configuration is pretty big, but the relevant configuration just involves

SSLProxyMachineCertificateFile /path/to/cert.pem

and a later proxypass line.

[Bug 63430] proxy client certificates not found despite being configured
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #2 from Ruediger Pluem ---
With which version does your setup work?

[Bug 63430] proxy client certificates not found despite being configured
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

--- Comment #1 from Ruediger Pluem ---
The version was the same (2.4.39) for both log lines / blocks and you did not
restart in between? So the server was just running?
What is your configuration?

[Bug 63430] New: proxy client certificates not found despite being configured
https://bz.apache.org/bugzilla/show_bug.cgi?id=63430

Bug ID: 63430
Summary: proxy client certificates not found despite being configured
Product: Apache httpd-2
Version: 2.4.39
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: m...@blackmans.org
Target Milestone: ---

Apache 2.4.39 is failing requests going to an HTTPS proxy backend with errors
like so, indicating a client certificate was not configured; however, we know
that it was configured.

[Tue May 14 09:49:03.378930 2019] [ssl:warn] [pid 1674555:tid 140693875197696] AH02268: Proxy client certificate callback: (dw25136:443) downstream server wanted client certificate but none are configured

These log lines, an hour or so earlier, tell us that a client certificate was
configured (in fact, the same one was used in three contexts, hence the triple
message)

[Tue May 14 08:05:16.787346 2019] [ssl:debug] [pid 1670484:tid 140697080997632] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 08:05:16.787558 2019] [ssl:debug] [pid 1670484:tid 140697080997632] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 08:05:16.788403 2019] [ssl:debug] [pid 1670484:tid 140697080997632] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy

I have selectively pulled out log lines to make the point and to minimize the
amount of scrubbing I have to do.

This looks like new behavior in 2.4.39 to me, but I haven't yet demonstrated
that.

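An added triage example for the symptom reported in this thread (not part of the original mails and not httpd project code): it parses error-log lines and, for each AH02268 warning, reports how many proxy client certificates AH02207 said were loaded at init. Resetting the count at the AH01876 mod_ssl banner and the two verdict strings are assumptions made for this example.

```python
import re
from datetime import datetime
# Error-log lines copied from the excerpt in comment #3 of this thread.
SAMPLE_LOG = """\
[Tue May 14 09:27:15.212161 2019] [ssl:info] [pid 781991:tid 14031095040] AH01876: mod_ssl/2.4.39 compiled against Server: Apache/2.4.39, Library: OpenSSL/1.0.2r
[Tue May 14 09:27:15.252246 2019] [ssl:debug] [pid 781991:tid 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 09:27:15.252487 2019] [ssl:debug] [pid 781991:tid 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 09:27:15.253510 2019] [ssl:debug] [pid 781991:tid 14031095040] ssl_engine_init.c(1582): AH02207: loaded 1 client certs for SSL proxy
[Tue May 14 09:37:43.553029 2019] [ssl:warn] [pid 799222:tid 140218148460288] AH02268: Proxy client certificate callback: (dw25136:11719) downstream server wanted client certificate but none are configured
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
                     r"\[pid (?P<pid>\d+)(?::tid \d+)?\] (?P<msg>.*)$")
CODE_RE = re.compile(r"\b(AH\d{5}): (.*)")
LOADED_RE = re.compile(r"loaded (\d+) client certs for SSL proxy")
BACKEND_RE = re.compile(r"callback: \(([^)]+)\)")

def parse_line(line):  # -> dict with ts, module, level, pid, msg, code, text (or None)
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S.%f %Y")
    c = CODE_RE.search(rec["msg"])
    rec["code"], rec["text"] = (c.group(1), c.group(2)) if c else (None, rec["msg"])
    return rec

def triage(log_text):
    """Classify each AH02268 warning by what mod_ssl reported loading at init."""
    loaded, findings = 0, []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["code"] == "AH01876":    # assumption: the mod_ssl banner marks a new init pass
            loaded = 0
        elif rec["code"] == "AH02207":  # one record per context that loaded proxy client certs
            n = LOADED_RE.search(rec["text"])
            loaded += int(n.group(1)) if n else 0
        elif rec["code"] == "AH02268":  # backend asked for a cert, callback had none to offer
            b = BACKEND_RE.search(rec["text"])
            findings.append({
                "time": rec["ts"], "pid": rec["pid"],
                "backend": b.group(1) if b else None,
                "certs_loaded_at_init": loaded,
                "verdict": "loaded-but-not-offered" if loaded else "not-configured",
            })
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

AH02207 is logged at debug level, so the count is only meaningful when the ssl LogLevel was at debug during startup.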
[Bug 63427] New: Proxy error reading status line from remote server with big files and Content-Length header
https://bz.apache.org/bugzilla/show_bug.cgi?id=63427

Bug ID: 63427
Summary: Proxy error reading status line from remote server with big files and Content-Length header
Product: Apache httpd-2
Version: 2.4.6
Hardware: PC
OS: All
Status: NEW
Severity: major
Priority: P2
Component: mod_proxy
Assignee: bugs@httpd.apache.org
Reporter: fma...@comune.genova.it
Target Milestone: ---

I have this configuration: apache 2.4.6 on a centos 7, configured as https
reverse proxy on a filesender server (http://filesender.org/), on a Redhat 5.3
server.
Filesender is a software for sending big files with email links.
The error occurs clicking on the download.php link (for downloading files), and
only for very big files (several GB I guess).
Direct links to filesender server work.

Finally I found the problem, but don't know why it happens:
I thought the problem could be in the headers sent by download.php, so I tried
to comment them one by one and I found that the one which gives error is the
one which sends file dimension:

header('Content-Length: '.$functions->getFileSize($file));

Commenting out this one eliminates the error.
I don't know if it occurs only with certain type of file or in https only.

Here is verbose log:

[Tue May 14 12:09:09.995372 2019] [ssl:debug] [pid 5421] ssl_engine_kernel.c(224): [client xxx.xxx.xxx.xxx:14019] AH02034: Initial (No.1) HTTPS request received for child 32 (server yyy.yyy.yyy.yyy:443)
[Tue May 14 12:09:09.995577 2019] [authz_core:debug] [pid 5421] mod_authz_core.c(835): [client xxx.xxx.xxx.xxx:14019] AH01628: authorization result: granted (no directives)
[Tue May 14 12:09:09.995915 2019] [proxy:debug] [pid 5421] mod_proxy.c(1117): [client xxx.xxx.xxx.xxx:14019] AH01143: Running scheme http handler (attempt 0)
[Tue May 14 12:09:09.995947 2019] [proxy_ajp:debug] [pid 5421] mod_proxy_ajp.c(713): [client xxx.xxx.xxx.xxx:14019] AH00894: declining URL http://yyy.yyy.yyy.yyy/filesender/download1.php?vid=zzz
[Tue May 14 12:09:09.995980 2019] [proxy_fcgi:debug] [pid 5421] mod_proxy_fcgi.c(963): [client xxx.xxx.xxx.xxx:14019] AH01076: url: http://yyy.yyy.yyy.yyy/filesender/download1.php?vid=zzz proxyname: (null) proxyport: 0
[Tue May 14 12:09:09.995990 2019] [proxy_fcgi:debug] [pid 5421] mod_proxy_fcgi.c(966): [client xxx.xxx.xxx.xxx:14019] AH01077: declining URL http://yyy.yyy.yyy.yyy/filesender/download1.php?vid=zzz
[Tue May 14 12:09:09.996020 2019] [proxy:debug] [pid 5421] proxy_util.c(2256): [client xxx.xxx.xxx.xxx:14019] AH00944: connecting http://yyy.yyy.yyy.yyy/filesender/download1.php?vid=zzz to yyy.yyy.yyy.yyy:80
[Tue May 14 12:09:09.996453 2019] [proxy:debug] [pid 5421] proxy_util.c(2422): [client xxx.xxx.xxx.xxx:14019] AH00947: connected /filesender/download1.php?vid=zzz to yyy.yyy.yyy.yyy:80
[Tue May 14 12:09:10.708571 2019] [proxy_http:error] [pid 5421] (104)Connection reset by peer: [client xxx.xxx.xxx.xxx:14019] AH01102: error reading status line from remote server yyy.yyy.yyy.yyy:80
[Tue May 14 12:09:10.708731 2019] [proxy_http:debug] [pid 5421] mod_proxy_http.c(1363): [client xxx.xxx.xxx.xxx:14019] AH01105: NOT Closing connection to client although reading from backend server yyy.yyy.yyy.yyy:80 failed.
[Tue May 14 12:09:10.708801 2019] [proxy:error] [pid 5421] [client xxx.xxx.xxx.xxx:14019] AH00898: Error reading from remote server returned by /filesender/download1.php
[Tue May 14 12:09:15.715088 2019] [ssl:debug] [pid 5421] ssl_engine_io.c(992): [client xxx.xxx.xxx.xxx:14019] AH02001: Connection closed to child 32 with standard shutdown (server yyy.yyy.yyy.yyy:443)

Here is proxy vhost:

ServerName yyy.yyy.yyy.yyy:443
ErrorLog logs/filesender_ssl_error_log
TransferLog logs/filesender_ssl_access_log
LogLevel debug
ProxyPass / http://yyy.yyy.yyy.yyy/
ProxyPassReverse / http://yyy.yyy.yyy.yyy/
SSLEngine on
SSLProtocol +TLSv1.2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4:!DES-CBC-SHA:!EDH-RSA-DES-CBC-SHA:!AECDH-DES-CBC3-SHA:!AECDH-AES128-SHA:!AECDH-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:!3DES:!IDEA
SSLCertificateFile /etc/pki/tls/certs/yyy.yyy.yyy.yyy.cer
SSLCertificateKeyFile /etc/pki/tls/private/yyy.yyy.yyy.yyy.key
SSLCertificateChainFile /etc/pki/tls/certs/yyy.yyy.yyy.yyy.cer
CustomLog logs/filesender_ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

These are headers sent by backend server:

Date: Tue, 14 May 2019 10:37:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.3
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Tue, 14 May 2019 10:01:03 GMT
Content-Length: 5165363650
Content-Disposition: attachment; filename="yyy.7z"
Connection: close
Content-Type: application/octet-stream

With these headers I got error, if I remove Content-Length header I can
download file.

[Bug 63256] mod_ssl segmentation fault after 2.4.29
https://bz.apache.org/bugzilla/show_bug.cgi?id=63256

--- Comment #23 from Ruediger Pluem ---
(In reply to mark from comment #22)
> Could this patch have interfered with the SSLProxyMachineCertificateFile
> Directive?
>
> We are seeing errors like this, even though we are certain we have
> configured a client certificate for the proxying.
>

You mean with 2.4.39 containing the patch? What is your configuration?