50332 – mod_proxy_http is not aware of SSL handshake failures

Bug 50332 - mod_proxy_http is not aware of SSL handshake failures

Summary: mod_proxy_http is not aware of SSL handshake failures

Status:	RESOLVED FIXED

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_proxy_http (show other bugs)
Version:	2.2.17
Hardware:	All All

Importance:	P2 enhancement (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:	ErrorMessage, FixedInTrunk, NeedsReleaseNote, PatchAvailable

Depends on:
Blocks:

Reported:	2010-11-24 17:27 UTC by Daniel Ruggeri
Modified:	2011-02-11 07:31 UTC (History)
CC List:	1 user (show)

Attachments
mod_ssl -> mod_proxy note via conn_rec (1.96 KB, application/octet-stream) 2010-11-24 17:27 UTC, Daniel Ruggeri	Details
Final (2.06 KB, patch) 2010-11-24 23:33 UTC, Daniel Ruggeri	Details \| Diff
Final trunk patch (2.11 KB, patch) 2010-11-24 23:33 UTC, Daniel Ruggeri	Details \| Diff
Added mod_proxy_http SSL error message (3.00 KB, application/octet-stream) 2010-11-25 09:55 UTC, Daniel Ruggeri	Details
Added mod_proxy_http SSL error message (trunk) (3.00 KB, patch) 2010-11-25 09:56 UTC, Daniel Ruggeri	Details \| Diff
Added mod_proxy_http SSL error message (2.2.x) (3.00 KB, patch) 2010-11-25 09:57 UTC, Daniel Ruggeri	Details \| Diff
Added mod_proxy_http SSL error message (trunk) (2.27 KB, patch) 2010-11-25 09:58 UTC, Daniel Ruggeri	Details \| Diff
2.2.x patch - using HTTP_INTERNAL_SERVER_ERROR (2.87 KB, patch) 2010-11-25 10:59 UTC, Daniel Ruggeri	Details \| Diff
trunk patch - using HTTP_INTERNAL_SERVER_ERROR (2.13 KB, patch) 2010-11-25 11:00 UTC, Daniel Ruggeri	Details \| Diff
2.2.x patch - using HTTP_INTERNAL_SERVER_ERROR (2.13 KB, patch) 2010-12-04 10:49 UTC, Daniel Ruggeri	Details \| Diff
Updated patch for 2.2.x based on r1039304 and r1053584. (2.26 KB, patch) 2010-12-29 04:52 UTC, Ruediger Pluem	Details \| Diff
Show Obsolete (9) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel Ruggeri 2010-11-24 17:27:16 UTC

Created attachment 26337 [details]
mod_ssl -> mod_proxy note via conn_rec

In the event an SSL handshake from the httpd proxy to a backend fails, mod_proxy is not aware until it attempts to pass the request.

To duplicate, simply stand up an openssl s_server like so:
/usr/local/openssl/bin/openssl s_server -cert /root/certs/ssl.crt -key /root/certs/ssl.key -www -accept 8001 -Verify 1
/usr/local/openssl/bin/openssl s_server -cert /root/certs/ssl.crt -key /root/certs/ssl.key -www -accept 8002

And set up a balancer like so:
<Proxy balancer://mycluster>
   BalancerMember https://127.0.0.1:8001
   BalancerMember https://127.0.0.1:8002
</Proxy>

ProxyPass /test/ balancer://mycluster/



You will find that all requests to /test will attempt to connect, but fail on the first member. Worse yet, since no request ever gets through, the balancer never considers the next member for usage.

The attached patch utilizes a note on the conn_rec for mod_proxy_httpd to recognize that a failure has occurred. If a failure has been found, it's too late for that request, but the worker used is put in error state.

I am investigating as to whether or not this is needed for 2.3.

Comment 1 Daniel Ruggeri 2010-11-24 23:33:37 UTC

Created attachment 26338 [details]
Final

Comment 2 Daniel Ruggeri 2010-11-24 23:33:58 UTC

Created attachment 26339 [details]
Final trunk patch

Comment 3 Daniel Ruggeri 2010-11-24 23:35:41 UTC

Patch to do the same on httpd-trunk is attached now.

Comment 4 Daniel Ruggeri 2010-11-25 09:55:35 UTC

Created attachment 26341 [details]
Added mod_proxy_http SSL error message

Comment 5 Daniel Ruggeri 2010-11-25 09:56:18 UTC

Created attachment 26342 [details]
Added mod_proxy_http SSL error message (trunk)

Comment 6 Daniel Ruggeri 2010-11-25 09:57:47 UTC

Created attachment 26343 [details]
Added mod_proxy_http SSL error message (2.2.x)

Obsoleted the wrong patch...

Comment 7 Daniel Ruggeri 2010-11-25 09:58:28 UTC

Created attachment 26344 [details]
Added mod_proxy_http SSL error message (trunk)

Uploaded the wrong patch

Comment 8 Daniel Ruggeri 2010-11-25 10:59:50 UTC

Created attachment 26345 [details]
2.2.x patch - using HTTP_INTERNAL_SERVER_ERROR

Comment 9 Daniel Ruggeri 2010-11-25 11:00:10 UTC

Created attachment 26346 [details]
trunk patch - using HTTP_INTERNAL_SERVER_ERROR

Comment 10 Ruediger Pluem 2010-11-26 05:35:50 UTC

Committed as r1039304.

Comment 11 Daniel Ruggeri 2010-12-04 10:49:28 UTC

Created attachment 26374 [details]
2.2.x patch - using HTTP_INTERNAL_SERVER_ERROR

Removed STATUS proposal from this patch - submitting to DEV list separately.

Comment 12 Ruediger Pluem 2010-12-29 04:52:26 UTC

Created attachment 26450 [details]
Updated patch for 2.2.x based on r1039304 and r1053584.

Comment 13 Ruediger Pluem 2011-02-11 07:31:21 UTC

Backported to 2.2.x as r1069773.