SSL connection between Apache and Tomcat failing

2009-07-17 Thread Emsley, I (Iain)
I've got a website which uses Apache 2.2 as the front end with Tomcat
5.5.23 as the backend and am using mod_ssl and mod_proxy to link the
two together in Windows Server 2003. Normally there isn't an issue with
two servers serving the website but recently (and mainly, it appears,
with mobile browsers), I'm getting the following errors:

i Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: SSLv3 read finished A

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1756): OpenSSL:
Handshake: done

[Fri Jul 17 09:52:29 2009] [info] Connection: Client IP: 130.246.76.83,
Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read
5/5 bytes from BIO#7d0ad8 [mem: 4a3aaa8] (BIO dump follows)

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1750):
+---
--+

Dump details   .|

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1795):
+---
--+

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read
992/992 bytes from BIO#7d0ad8 [mem: 4a3aaad] (BIO dump follows)

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1750):
+---
--+

Dump details

 [Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1795):
+---
--+

[Fri Jul 17 09:52:29 2009] [info] Initial (No.1) HTTPS request received
for child 245 (server dev.jiscmail.ac.uk:443)

[Fri Jul 17 09:52:35 2009] [debug] ssl_engine_io.c(1828): OpenSSL: I/O
error, 5 bytes expected to read on BIO#73e708 [mem: 4a169e0]

[Fri Jul 17 09:52:35 2009] [info] [client 130.246.76.83] (OS 10060)A
connection attempt failed because the connected party did not properly
respond after a period of time, or established connection failed because
connected host has failed to respond.  : SSL input filter read failed.

[Fri Jul 17 09:52:35 2009] [debug] ssl_engine_kernel.c(1770): OpenSSL:
Write: SSL negotiation finished successfully


I'd be grateful for any pointers in getting to the root of this issue
(or ruling out mod_ssl issues).

Thanks,

Iain


-- 
Scanned by iCritical.
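
An added example, not part of the original thread: a small triage script for the mod_ssl log in the post above. It pairs each "SSL input filter read failed" entry with the preceding completed handshake, which separates a negotiation failure from a read that timed out after negotiation had already finished. The sample lines are taken from the post and unwrapped onto one line each; the function names are this example's own.

```python
import re
from datetime import datetime

# Apache 2.2 error-log prefix: [Fri Jul 17 09:52:29 2009] [level] message
LINE = re.compile(r"^\[(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\] \[(?P<level>\w+)\] (?P<msg>.*)$")
OS_ERR = re.compile(r"\(OS (\d+)\)")

# Lines from the log in the post, unwrapped onto one line each.
SAMPLE = """\
[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done
[Fri Jul 17 09:52:29 2009] [info] Connection: Client IP: 130.246.76.83, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
[Fri Jul 17 09:52:29 2009] [info] Initial (No.1) HTTPS request received for child 245 (server dev.jiscmail.ac.uk:443)
[Fri Jul 17 09:52:35 2009] [debug] ssl_engine_io.c(1828): OpenSSL: I/O error, 5 bytes expected to read on BIO#73e708 [mem: 4a169e0]
[Fri Jul 17 09:52:35 2009] [info] [client 130.246.76.83] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  : SSL input filter read failed.
"""

def parse(text):
    """Yield (timestamp, level, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["level"], m["msg"]

def read_failures(text):
    """Pair each 'SSL input filter read failed' with the last completed handshake."""
    findings, handshake, cipher = [], None, None
    for ts, _level, msg in parse(text):
        if "Handshake: done" in msg:
            handshake, cipher = ts, None
        elif msg.startswith("Connection: Client IP:"):
            cipher = msg.split("Cipher: ")[-1]
        elif "SSL input filter read failed" in msg:
            os_err = OS_ERR.search(msg)
            findings.append({
                # True means negotiation completed before the read failed
                "handshake_ok": handshake is not None,
                "idle_seconds": (ts - handshake).total_seconds() if handshake else None,
                # 10060 is WSAETIMEDOUT on Windows
                "os_error": int(os_err.group(1)) if os_err else None,
                "cipher": cipher,
            })
    return findings

if __name__ == "__main__":
    for finding in read_failures(SAMPLE):
        print(finding)
```

On the posted log this reports a completed TLSv1 handshake followed six seconds later by a timed-out read of the 5-byte TLS record header, so the entry records a stalled read on an established session rather than a failed negotiation.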



Re: SSL connection between Apache and Tomcat failing

2009-07-17 Thread Lou Picciano
Iain: 

Wow! Am I glad to hear from you! I've been wrestling with exactly this problem 
- error on: OpenSSL: read 5/5 bytes from BIO - for a few weeks now; was 
beginning to think I was losing my mind. (while we leave that possibility aside 
for the moment(!),) here's what's different about our environment: 

Apache/2.2.11 (Unix - Solaris SPARC) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 . 
We are using certificate authentication. Seeing this behavior under Firefox 
(Mac); haven't tried it using mobile browsers, though, presumably, you may be 
using a Mozilla-based mobile browser... We've recently upgraded to these 
current versions of Apache and OpenSSL, but the error behavior has not been 
impacted. The incessant prompting for certificate can be interrupted by setting 
Firefox's Advanced-Encryption-When a server requests my certificate-Select one 
automatically option. The above read error persists, however... 

The primary impact is - apparently - that the SSL session is constantly 
re-negotiated for GET of each page element; loading of a single page might 
generate 8-10 prompts for the certificate. We have fiddled with various 
settings for the Renegotiation buffer, including which buffer engine is used, 
its size, etc., all to no avail. Some of the settings result in Apache 
configuration errors, so I wonder if we're into an Apache - or mod_ssl - 'black 
hole' region. 

My quick research on this indicates that others have run into it, some have 
simply ignored it, but none have solved it. 

Hopefully we'll come up with something. Lou 

- Original Message - 
From: I Emsley (Iain) iain.ems...@stfc.ac.uk 
To: modssl-users@modssl.org 
Sent: Friday, July 17, 2009 8:56:23 AM GMT -05:00 US/Canada Eastern 
Subject: SSL connection between Apache and Tomcat failing 



