| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Error during SSL Handshake with remote server | | |
| Product | Apache httpd-2 | Reporter | Allen Zhao <allen.zhao> |
| Component | mod_proxy | Assignee | Apache HTTPD Bugs Mailing List <bugs> |
| Status | RESOLVED LATER | | |
| Severity | normal | CC | sbhanwra18 |
| Priority | P2 | Keywords | MassUpdate |
| Version | 2.2.24 | | |
| Target Milestone | --- | | |
| Hardware | PC | | |
| OS | Linux | | |
Description
Allen Zhao
2013-06-26 20:20:10 UTC
I also built openssl from source, version 1.0.1e. I rebuilt apache with openssl 1.0.0d; it works. Any idea? Thx a lot.

Can you validate a connection to the backend server with openssl s_client between the two builds?

1.0.0d works fine. 1.0.1e: it doesn't read anything from stdin (e.g. entering an HTTP request). I got the same issue with 2.2.25/1.0.1e. 2.2.25/1.0.0d works fine.

This looks OpenSSL related.

```
bin/openssl s_client -host 172.23.199.200 -port 443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 321 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
```

Here is part of the output from 1.0.0d:

```
bin/openssl s_client -host 172.23.199.200 -port 443
CONNECTED(00000003)
depth=1 C = CA, ST = Ontario, L = Toronto, O = TELUS, OU = Application Infrastructure, CN = www.telus.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Toronto/O=TELUS/OU=Application Infrastructure/CN=telusmobility.tmi.telus.com
   i:/C=CA/ST=Ontario/L=Toronto/O=TELUS/OU=Application Infrastructure/CN=www.telus.com
 1 s:/C=CA/ST=Ontario/L=Toronto/O=TELUS/OU=Application Infrastructure/CN=www.telus.com
   i:/C=CA/ST=Ontario/L=Toronto/O=TELUS/OU=Application Infrastructure/CN=www.telus.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/C=CA/ST=Ontario/L=Toronto/O=TELUS/OU=Application Infrastructure/CN=telusmobility.tmi.telus.com
issuer=/C=CA/ST=Ontario/L=Toronto/O=TELUS/OU=Application Infrastructure/CN=www.telus.com
---
No client certificate CA names sent
---
SSL handshake has read 1824 bytes and written 392 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 7549FF55BA4A41504A7E0C5AC261BC44BEFAA5E9CBEF366D7213C9A0DF2147BD
    Session-ID-ctx:
    Master-Key: 2D0F124D2315E89C48F4DD3573B1985716C56C90C4D6D723CB35701C0F0EA31AF47C84D3B772EC6DCD669A3D008C0771
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1378238532
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
GET /
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
```

For 1.0.1e, if I add -ssl3, it works:

```
bin/openssl s_client -host 172.23.199.200 -port 443 -ssl3
CONNECTED(00000003)
depth=1 C = CA, ST = Ontario, L = Toronto, O = TELUS, OU = Application Infrastructure, CN = www.telus.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Toronto/O=TELUS/OU=Application Infrastructure/CN=telusmobility.tmi.telus.com
   i:/C=CA/ST=Ontario/L=Toronto/O=TELUS/OU=Application Infrastructure/CN=www.telus.com
 1 s:/C=CA/ST=Ontario/L=Toronto/O=TELUS/OU=Application Infrastructure/CN=www.telus.com
   i:/C=CA/ST=Ontario/L=Toronto/O=TELUS/OU=Application Infrastructure/CN=www.telus.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
```

This seems caused by TLSv1.2. I solved the problem by adding the following line to httpd.conf:

```
SSLProxyProtocol +SSLv2 +SSLv3 +TLSv1 +TLSv1.1
```

Thanks a lot,
Allen

Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.), we ask you to start by bringing your question to the User Support and Discussion mailing list; see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year.

If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with. Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.
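The diagnosis the reporter walked through (one `s_client` run per protocol version, then restricting `SSLProxyProtocol` to what the backend actually completes) as an added shell example; this is not code from the bug report or from httpd. It assumes an `openssl` binary on PATH for the live probe; the embedded transcripts are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the bug report or httpd. Classifies openssl
# s_client transcripts, probes a backend one protocol version at a time,
# and prints an SSLProxyProtocol line naming only the versions that worked.
# Assumes `openssl` on PATH for the live probe; the sample transcripts
# below are constructed from the lines quoted in the report.

# s_client reports a failed handshake as "Cipher is (NONE)"; an unknown
# flag prints usage with no "Cipher is" line at all, so both count as fail.
classify_handshake() {
    awk '/Cipher is / { seen = 1; if ($0 ~ /\(NONE\)/) none = 1 }
         END { r = (seen && !none) ? "ok" : "fail"; print r }'
}

# One protocol per run, printing "<s_client flag> <ok|fail>" per line.
# `echo |` closes stdin so s_client exits right after the handshake.
probe_protocols() {
    host=$1; port=$2
    for flag in -tls1_2 -tls1_1 -tls1 -ssl3; do
        res=$(echo | openssl s_client -connect "$host:$port" "$flag" 2>&1 \
              | classify_handshake)
        printf '%s %s\n' "$flag" "$res"
    done
}
# Turn probe output (stdin) into the httpd 2.2 mod_ssl proxy directive.
suggest_directive() {
    awk '$2 == "ok" {
             v = ""
             if ($1 == "-tls1_2") v = "TLSv1.2"
             else if ($1 == "-tls1_1") v = "TLSv1.1"
             else if ($1 == "-tls1") v = "TLSv1"
             else if ($1 == "-ssl3") v = "SSLv3"
             if (v != "") out = out " +" v
         }
         END { if (out == "") print "# backend completed no probed version"
               else print "SSLProxyProtocol" out }'
}

# Constructed samples: the 1.0.1e failure and the 1.0.0d success quoted above.
FAIL_SAMPLE='CONNECTED(00000003)
write:errno=104
SSL handshake has read 0 bytes and written 321 bytes
New, (NONE), Cipher is (NONE)'
OK_SAMPLE='SSL handshake has read 1824 bytes and written 392 bytes
New, TLSv1/SSLv3, Cipher is RC4-MD5'
printf '1.0.1e sample: %s\n' "$(printf '%s\n' "$FAIL_SAMPLE" | classify_handshake)"
printf '1.0.0d sample: %s\n' "$(printf '%s\n' "$OK_SAMPLE" | classify_handshake)"
# Live probe only when a host and port are given: sh probe.sh HOST PORT
if [ $# -eq 2 ]; then probe_protocols "$1" "$2" | suggest_directive; fi
```

Emitting only the versions the backend completed keeps the directive as narrow as the evidence supports; in the transcripts above the backend negotiated TLSv1, so the report's own workaround line enabled SSLv2 and SSLv3 without needing them.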