Why do you use HTTPS in the backend? It looks like the backend system also
needs client certificate authentication; there may be something wrong
with your SSLProxyMachineCertificateFile. Try to send a wget request to
the remote server and use the SSLProxyMachineCertificateFile; does wget get
authorized at the remote system?
Regards
Shai Yallin wrote:
Hi all,
I'm running httpd 2.2.3 on win32 with openssl 0.9.8d as a reverse
proxy server.
One of the things this server needs to do is to act as a reverse proxy
for applications that do not speak SSL, to SSL-only servers.
I have configured the following:
SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none
<VirtualHost 192.168.2.231:8443>
DocumentRoot d:/WebServer/www
ProxyRequests Off
ProxyPreserveHost On
RequestHeader set ClientProtocol HTTPS
SSLProxyMachineCertificateFile d:/WebServer/apache2/conf/ssl/cellcom_cpm.cert
SSLProxyEngine On
ProxyPass /cpm/ https://192.118.30.12/
ProxyPassReverse /cpm/ https://192.118.30.12/
</VirtualHost>
This worked for a few months, then suddenly started returning the
following error and dying:
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass
request body failed to 192.118.30.12:443 (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass
request body failed to 192.118.30.12:443 (192.118.30.12) from
192.168.2.1 ()
I ran httpd in debug mode and got the following:
[Mon Dec 18 10:17:53 2006] [debug] mod_proxy_http.c(54): proxy: HTTP:
canonicalising URL //192.118.30.12/cpm.wsdl
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1378): [client
192.168.2.1] proxy: https: found worker https://192.118.30.12/ for
https://192.118.30.12/cpm.wsdl
[Mon Dec 18 10:17:53 2006] [debug] mod_proxy.c(756): Running scheme
https handler (attempt 0)
[Mon Dec 18 10:17:53 2006] [debug] mod_proxy_http.c(1662): proxy:
HTTP: serving URL https://192.118.30.12/cpm.wsdl
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1798): proxy: HTTPS:
has acquired connection for (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1858): proxy:
connecting https://192.118.30.12/cpm.wsdl to 192.118.30.12:443
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(1951): proxy:
connected /cpm.wsdl to 192.118.30.12:443
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(2045): proxy: HTTPS:
fam 2 socket created to connect to 192.118.30.12
[Mon Dec 18 10:17:53 2006] [debug] proxy_util.c(2141): proxy: HTTPS:
connection complete to 192.118.30.12:443 (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] Connection to
child 249 established (server israel-test.backbone.locationet.com:8443)
[Mon Dec 18 10:17:53 2006] [info] Seeding PRNG with 0 bytes of entropy
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1752): OpenSSL:
Handshake: start
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: before/connect initialization
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: SSLv2/v3 write client hello A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL:
read 7/7 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16
03 01 00 2a 02 ....*. |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0007 -
<SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL:
read 40/40 bytes from BIO#ec6da0 [mem: f03147] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 00
26 03 01 fa 44 46 43-f0 21 42 c5 5f 67 8b 95 .&...DFC.!B._g.. |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0010: 03
0d d9 c8 dd 01 b1 19-52 76 3a 0f 39 1a c7 91 ........Rv:.9... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0020: 4c
d1 ee 4c 00 00 04 L..L... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0040 -
<SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: SSLv3 read server hello A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL:
read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16
03 01 11 b1 ..... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL:
read 4529/4529 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
(snip BIO dump)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190):
Certificate Verification: depth: 2, subject: /CN=CelCaRoot, issuer:
/CN=CelCaRoot
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190):
Certificate Verification: depth: 2, subject: /CN=CelCaRoot, issuer:
/CN=CelCaRoot
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190):
Certificate Verification: depth: 1, subject:
/DC=il/DC=co/DC=cellcom/DC=corp/DC=sdmz/CN=sdmzca, issuer: /CN=CelCaRoot
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1190):
Certificate Verification: depth: 0, subject:
/C=IL/ST=Israel/L=Natania/O=Cellcom/OU=IT/CN=CPM-QA.cellcom.co.il,
issuer: /DC=il/DC=co/DC=cellcom/DC=corp/DC=sdmz/CN=sdmzca
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: SSLv3 read server certificate A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL:
read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16
03 01 00 08 ..... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL:
read 8/8 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 0d
00 00 04 01 01 ...... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0008 -
<SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: SSLv3 read server certificate request A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL:
read 5/5 bytes from BIO#ec6da0 [mem: f03140] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000: 16
03 01 00 04 ..... |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1775): OpenSSL:
read 4/4 bytes from BIO#ec6da0 [mem: f03145] (BIO dump follows)
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1747): | 0000:
0e . |
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1751): | 0004 -
<SPACES/NULS>
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: SSLv3 read server done A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1526): Proxy
client certificate callback:
(israel-test.backbone.locationet.com:8443) entered
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1499): Proxy
client certificate callback:
(israel-test.backbone.locationet.com:8443) no acceptable CA list,
sending /O=Cellcom/CN=Locationet
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: SSLv3 write client certificate A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: SSLv3 write client key exchange A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: SSLv3 write certificate verify A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: SSLv3 write change cipher spec A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: SSLv3 write finished A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1760): OpenSSL:
Loop: SSLv3 flush data
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_io.c(1786): OpenSSL: I/O
error, 5 bytes expected to read on BIO#ec6da0 [mem: f03140]
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1789): OpenSSL:
Exit: error in SSLv3 read finished A
[Mon Dec 18 10:17:53 2006] [debug] ssl_engine_kernel.c(1789): OpenSSL:
Exit: error in SSLv3 read finished A
[Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] SSL Proxy
connect failed
[Mon Dec 18 10:17:53 2006] [info] [client 192.118.30.12] Connection
closed to child 249 with abortive shutdown (server
israel-test.backbone.locationet.com:8443)
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass
request body failed to 192.118.30.12:443 (192.118.30.12)
[Mon Dec 18 10:17:53 2006] [error] (502)Unknown error: proxy: pass
request body failed to 192.118.30.12:443 (192.118.30.12) from
192.168.2.1 ()
I can't seem to find any definite answer googling this error.
I'll be glad to have any lead on the subject.
Cheers,
Shai Yallin
IT Manager & Developer
LocatioNet Systems Ltd.
Tel: +972-9-8856451
Fax: +972-9-8856452
Mobile: +972-54-4840868
"...we will be restoring normality just as soon as we are sure what is
normal anyway."
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
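Added example (not part of either message above, and not Apache project code): a small triage script that reads mod_ssl proxy debug lines like the ones quoted in this thread and reports whether the backend requested a client certificate, which certificate was sent, and in which handshake state the failure occurred. The sample input is rejoined from the quoted log with timestamps dropped; the function name `triage` and the verdict wording are assumptions made for this illustration.

```python
import re

# Constructed sample: lines rejoined from the debug log quoted above, timestamps dropped.
SAMPLE_LOG = """\
[debug] ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server certificate A
[debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server certificate request A
[debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read server done A
[debug] ssl_engine_kernel.c(1499): Proxy client certificate callback: (israel-test.backbone.locationet.com:8443) no acceptable CA list, sending /O=Cellcom/CN=Locationet
[debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write client certificate A
[debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
[debug] ssl_engine_io.c(1786): OpenSSL: I/O error, 5 bytes expected to read on BIO#ec6da0 [mem: f03140]
[debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read finished A
[info] [client 192.118.30.12] SSL Proxy connect failed
"""

STATE = re.compile(r"OpenSSL: (Loop|Exit): (?:error in )?(.+)$")
SENT = re.compile(r"Proxy client certificate callback: .*sending (.+)$")

def triage(log_text):
    """Summarise one proxy-side handshake from mod_ssl debug lines (hypothetical helper)."""
    r = {"cert_requested": False, "client_cert": None,
         "last_ok": None, "failed_in": None, "verdict": None}
    for line in log_text.splitlines():
        m = SENT.search(line)
        if m:                                  # subject of the certificate the proxy sent
            r["client_cert"] = m.group(1)
            continue
        m = STATE.search(line)
        if not m:
            continue
        kind, state = m.groups()
        if kind == "Loop":                     # a handshake step that completed
            r["last_ok"] = state
            if "certificate request" in state:
                r["cert_requested"] = True
        elif r["failed_in"] is None:           # first "Exit: error in ..." line
            r["failed_in"] = state
    if r["failed_in"] is None:
        r["verdict"] = "no handshake error logged"
    elif r["cert_requested"] and not r["client_cert"]:
        r["verdict"] = "backend requested a client certificate but none was sent"
    elif r["client_cert"] and "read finished" in r["failed_in"]:
        r["verdict"] = "backend closed the connection after the client certificate was sent"
    else:
        r["verdict"] = "handshake failed in " + r["failed_in"]
    return r

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
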