[users@httpd] httpd 2.2.3 as an SSL proxy with a client certificate fails on connect

Shai Yallin Mon, 18 Dec 2006 00:46:52 -0800

Hi all,

I'm running httpd 2.2.3 on win32 with openssl 0.9.8d as a reverse proxy server.
One of the things this sever needs to do is to act as a reverse proxy for 
applications that do not speak SSL, to SSL-only servers.


I have configured the following:

SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none
<VirtualHost 192.168.2.231:8443>
        DocumentRoot d:/WebServer/www
        ProxyRequests Off
        ProxyPreserveHost On
        RequestHeader set ClientProtocol HTTPS
        SSLProxyMachineCertificateFile 
d:/WebServer/apache2/conf/ssl/cellcom_cpm.cert
        SSLProxyEngine On
        ProxyPass /cpm/         https://192.118.30.12/
        ProxyPassReverse /cpm/  https://192.118.30.12/
</VirtualHost>

This worked for a few months, then suddenly started returning the following 
error and dying:
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass request body 
failed to 192.118.30.12:443 (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass request body 
failed to 192.118.30.12:443 (192.118.30.12) from 192.168.2.1 ()

I ran httpd in debug mode and got the following:

[Mon Dec 18 10:17:53 2006] [debug] mod_proxy_http.c(54): proxy: HTTP: 
canonicalising URL //192.118.30.12/cpm.wsdl
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1378): [client 192.168.2.1] 
proxy: https: found worker https://192.118.30.12/ for 
https://192.118.30.12/cpm.wsdl
[Mon Dec 18 10:17:53 2006] [debug] mod_proxy.c(756): Running scheme https 
handler (attempt 0)
[Mon Dec 18 10:17:53 2006] [debug] mod_proxy_http.c(1662): proxy: HTTP: serving 
URL https://192.118.30.12/cpm.wsdl
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1798): proxy: HTTPS: has 
acquired connection for (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1858): proxy: connecting 
https://192.118.30.12/cpm.wsdl to 192.118.30.12:443
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1951): proxy: connected 
/cpm.wsdl to 192.118.30.12:443
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(2045): proxy: HTTPS: fam 2 
socket created to connect to 192.118.30.12
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(2141): proxy: HTTPS: connection 
complete to 192.118.30.12:443 (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] Connection to child 
249 established (server israel-test.backbone.locationet.com:8443)
[Mon Dec 18 10:17:53 2006] [info] Seeding PRNG with 0 bytes of entropy
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1752): OpenSSL: 
Handshake: start
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: 
before/connect initialization
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: 
SSLv2/v3 write client hello A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 7/7 
bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 
2a 02                                ....*.           |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0007 - <SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 40/40 
bytes from BIO#ec6da0 [mem: f03147] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 00 26 03 01 
fa 44 46 43-f0 21 42 c5 5f 67 8b 95  .&...DFC.!B._g.. |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0010: 03 0d d9 c8 
dd 01 b1 19-52 76 3a 0f 39 1a c7 91  ........Rv:.9... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0020: 4c d1 ee 4c 
00 00 04                             L..L...          |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0040 - <SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: 
SSLv3 read server hello A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 
bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 11 
b1                                   .....            |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 
4529/4529 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
+-------------------------------------------------------------------------+

(snip BIO dump)

[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): Certificate 
Verification: depth: 2, subject: /CN=CelCaRoot, issuer: /CN=CelCaRoot
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): Certificate 
Verification: depth: 2, subject: /CN=CelCaRoot, issuer: /CN=CelCaRoot
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): Certificate 
Verification: depth: 1, subject: 
/DC=il/DC=co/DC=cellcom/DC=corp/DC=sdmz/CN=sdmzca, issuer: /CN=CelCaRoot
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190): Certificate 
Verification: depth: 0, subject: 
/C=IL/ST=Israel/L=Natania/O=Cellcom/OU=IT/CN=CPM-QA.cellcom.co.il, issuer: 
/DC=il/DC=co/DC=cellcom/DC=corp/DC=sdmz/CN=sdmzca
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: 
SSLv3 read server certificate A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 
bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 
08                                   .....            |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 8/8 
bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 0d 00 00 04 
01 01                                ......           |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0008 - <SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: 
SSLv3 read server certificate request A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 
bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 00 
04                                   .....            |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 4/4 
bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 0e            
                                   .                |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0004 - <SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753): 
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: 
SSLv3 read server done A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1526): Proxy client 
certificate callback: (israel-test.backbone.locationet.com:8443) entered
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1499): Proxy client 
certificate callback: (israel-test.backbone.locationet.com:8443) no acceptable 
CA list, sending /O=Cellcom/CN=Locationet
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: 
SSLv3 write client certificate A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: 
SSLv3 write client key exchange A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: 
SSLv3 write certificate verify A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: 
SSLv3 write change cipher spec A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: 
SSLv3 write finished A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: 
SSLv3 flush data
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1786): OpenSSL: I/O error, 5 
bytes expected to read on BIO#ec6da0 [mem: f03140]
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: 
error in SSLv3 read finished A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: 
error in SSLv3 read finished A
[Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] SSL Proxy connect 
failed
[Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] Connection closed to 
child 249 with abortive shutdown (server 
israel-test.backbone.locationet.com:8443)
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass request body 
failed to 192.118.30.12:443 (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass request body 
failed to 192.118.30.12:443 (192.118.30.12) from 192.168.2.1 ()

I can't seem to find any definite answer googling this error.

I'll be glad to have any lead on the subject.

Cheers,

Shai                     Yallin  
IT Manager &  Developer
LocatioNet  Systems Ltd.
Tel:         +972-9-8856451
Fax:       +972-9-8856452
Mobile: +972-54-4840868
 
"...we will be restoring normality just as soon as we are sure what is normal 
anyway."

[users@httpd] httpd 2.2.3 as an SSL proxy with a client certificate fails on connect

Reply via email to