Sorry to hit this again, but I've made no headway short of setting NSSProxyCheckPeerCN off. Is this not reproducible? Is there another list I should be asking this on?
On Wed, Apr 8, 2015 at 2:40 PM, Jamie Johnson <jej2...@gmail.com> wrote:
> I am running httpd-2.4.12 and mod_nss-1.0.11 built from source and am running into an issue where I occasionally get an error where mod_nss throws the following exception
>
> SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
>
> What is strange is that the issue does not happen consistently, sometimes the error will occur after the first request, other times after the 5000th.
>
> Any thoughts about what could be causing this?
>
> The following is what I'm seeing in the log
>
> [Wed Apr 08 18:31:07.331041 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 established (server test.domain.com:443, client 10.81.1.91)
> [Wed Apr 08 18:31:07.412436 2015] [:info] [pid 17342:tid 47143550196032] Initial (No.1) HTTPS request received for child 0 (server test.domain.com:443)
> [Wed Apr 08 18:31:07.412499 2015] [authz_core:debug] [pid 17342:tid 47143550196032] mod_authz_core.c(835): [client 10.81.1.91:50727] AH01628: authorization result: granted (no directives)
> [Wed Apr 08 18:31:07.412654 2015] [proxy:debug] [pid 17342:tid 47143550196032] mod_proxy.c(1163): [client 10.81.1.91:50727] AH01143: Running scheme https handler (attempt 0)
> [Wed Apr 08 18:31:07.412669 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2140): AH00942: HTTPS: has acquired connection for (test.domain.com)
> [Wed Apr 08 18:31:07.412734 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2193): [client 10.81.1.91:50727] AH00944: connecting https://test.domain.com:8443/test/home.html to test.domain.com:8443
> [Wed Apr 08 18:31:07.412745 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2394): [client 10.81.1.91:50727] AH00947: connected /test/home.html to test.domain.com:8443
> [Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid 47143550196032] nss_engine_io.c(658): SSL connection destroyed without being closed
> [Wed Apr 08 18:31:07.412859 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2636): AH00951: HTTPS: backend socket is disconnected.
> [Wed Apr 08 18:31:07.412910 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2771): AH02824: HTTPS: connection established with 10.81.1.183:8443 (test.domain.com)
> [Wed Apr 08 18:31:07.412923 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2923): AH00962: HTTPS: connection complete to 10.81.1.183:8443 (test.domain.com)
> [Wed Apr 08 18:31:07.412928 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 established (server test.domain.com:443, client 10.81.1.183)
> [Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid 47143550196032] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
> [Wed Apr 08 18:31:07.424330 2015] [:info] [pid 17342:tid 47143550196032] SSL library error -12276 writing data
> [Wed Apr 08 18:31:07.424337 2015] [:info] [pid 17342:tid 47143550196032] SSL Library Error: -12276 Requested domain name does not match the server's certificate
> [Wed Apr 08 18:31:07.424344 2015] [proxy:error] [pid 17342:tid 47143550196032] (20014)Internal error: [client 10.81.1.91:50727] AH01084: pass request body failed to 10.81.1.183:8443 (test.domain.com)
> [Wed Apr 08 18:31:07.424352 2015] [proxy_http:error] [pid 17342:tid 47143550196032] [client 10.81.1.91:50727] AH01097: pass request body failed to 10.81.1.183:8443 (test.domain.com) from 10.81.1.91 ()
> [Wed Apr 08 18:31:07.424356 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2155): AH00943: HTTPS: has released connection for (test.domain.com)
> [Wed Apr 08 18:31:07.424385 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 closed (server test.domain.com:443, client 10.81.1.183)
> [Wed Apr 08 18:31:07.424394 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2864): [remote 10.81.1.183:8443] AH02642: proxy: connection shutdown
> [Wed Apr 08 18:31:07.424686 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 closed (server test.domain.com:443, client 10.81.1.91)
>
> My configuration is as follows for the virtual host
>
> <VirtualHost _default_:443>
> ErrorLog /var/log/httpd/error_log
> TransferLog /var/log/httpd/access_log
> LogLevel debug
> NSSEngine on
> NSSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
> NSSNickname "*.domain.com"
> NSSCertificateDatabase /etc/httpd/wildcard
> NSSVerifyClient optional
> NSSOptions +ExportCertData +StdEnvVars
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> NSSOptions +StdEnvVars
> </Files>
> <Directory "/var/www/cgi-bin">
> NSSOptions +StdEnvVars
> </Directory>
> ServerName test.domain.com
> NSSProxyEngine on
> NSSProxyProtocol TLSv1.0,TLSv1.1,TLSv1.2
> NSSProxyCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> ProxyRequests off
> ProxyPass /test https://test.domain.com:8443/test
> ProxyPassReverse /test https://test.domain.com:8443/test
> </VirtualHost>
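
An added triage example, not part of the original thread and not mod_nss or httpd code: for an intermittent failure like the one logged above, this Python sketch walks an error_log per pid:tid and, for each mod_nss peer-name failure, records which backend socket was in use and whether that request had just replaced a disconnected pooled socket. It assumes the log format shown in the excerpt and treats AH02824 as the marker of a newly opened backend socket, as it appears there; the output is a correlation to check, not a diagnosis.

```python
import re
from collections import defaultdict

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] "
                   r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$")
BACKEND = re.compile(r"AH02824: HTTPS: connection established with (\S+) \(([^)]*)\)")
FAILURE = "SSL Proxy: I don't have the name of the host"

# Entries for tid 47143550196032 are unwrapped from the excerpt above;
# the tid 47143550196999 request is constructed for contrast.
SAMPLE = """\
[Wed Apr 08 18:31:07.412669 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2140): AH00942: HTTPS: has acquired connection for (test.domain.com)
[Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid 47143550196032] nss_engine_io.c(658): SSL connection destroyed without being closed
[Wed Apr 08 18:31:07.412859 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2636): AH00951: HTTPS: backend socket is disconnected.
[Wed Apr 08 18:31:07.412910 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2771): AH02824: HTTPS: connection established with 10.81.1.183:8443 (test.domain.com)
[Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid 47143550196032] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
[Wed Apr 08 18:31:08.000100 2015] [proxy:debug] [pid 17342:tid 47143550196999] proxy_util.c(2140): AH00942: HTTPS: has acquired connection for (test.domain.com)
[Wed Apr 08 18:31:08.000900 2015] [proxy:debug] [pid 17342:tid 47143550196999] proxy_util.c(2155): AH00943: HTTPS: has released connection for (test.domain.com)
"""

def triage(log_text):
    """Return one record per mod_nss peer-name failure, with per-thread context."""
    state = defaultdict(dict)  # (pid, tid) -> events since the last AH00942 acquire
    failures = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # skip wrapped or foreign lines
        key, msg = (m["pid"], m["tid"]), m["msg"]
        ctx = state[key]
        if "AH00942" in msg:              # worker acquired a backend connection
            ctx.clear()
        elif "AH00951" in msg:            # pooled backend socket found disconnected
            ctx["stale_socket"] = True
        elif (b := BACKEND.search(msg)):  # new backend socket opened
            ctx["backend"], ctx["host"] = b.group(1), b.group(2)
        elif FAILURE in msg:
            failures.append({"ts": m["ts"], "pid": key[0], "tid": key[1],
                             "backend": ctx.get("backend"), "host": ctx.get("host"),
                             "new_socket": "backend" in ctx,
                             "stale_socket": ctx.get("stale_socket", False)})
    return failures

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```

Run against a full error_log, the share of failures with `new_socket` and `stale_socket` both true shows whether the error tracks reconnects after a dropped pooled connection or also occurs on reused sockets.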