From jej2003 at gmail.com Tue Apr 21 16:02:03 2015
From: jej2003 at gmail.com (Jamie Johnson)
Date: Tue, 21 Apr 2015 12:02:03 -0400
Subject: [Mod_nss-list] mod_proxy and mod_nss - occasional "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."
Message-ID:

I am running httpd-2.4.12 and mod_nss-1.0.11 built from source and am running into an issue where I occasionally get an error where mod_nss throws the following exception:

SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.

What is strange is that the issue does not happen consistently: sometimes the error will occur after the first request, other times after the 5000th.

Any thoughts about what could be causing this?

The following is what I'm seeing in the log:

[Wed Apr 08 18:31:07.331041 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 established (server test.domain.com:443, client 10.81.1.91)
[Wed Apr 08 18:31:07.412436 2015] [:info] [pid 17342:tid 47143550196032] Initial (No.1) HTTPS request received for child 0 (server test.domain.com:443)
[Wed Apr 08 18:31:07.412499 2015] [authz_core:debug] [pid 17342:tid 47143550196032] mod_authz_core.c(835): [client 10.81.1.91:50727] AH01628: authorization result: granted (no directives)
[Wed Apr 08 18:31:07.412654 2015] [proxy:debug] [pid 17342:tid 47143550196032] mod_proxy.c(1163): [client 10.81.1.91:50727] AH01143: Running scheme https handler (attempt 0)
[Wed Apr 08 18:31:07.412669 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2140): AH00942: HTTPS: has acquired connection for (test.domain.com)
[Wed Apr 08 18:31:07.412734 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2193): [client 10.81.1.91:50727] AH00944: connecting https://test.domain.com:8443/test/home.html to test.domain.com:8443
[Wed Apr 08 18:31:07.412745 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2394): [client 10.81.1.91:50727] AH00947: connected /test/home.html to test.domain.com:8443
[Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid 47143550196032] nss_engine_io.c(658): SSL connection destroyed without being closed
[Wed Apr 08 18:31:07.412859 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2636): AH00951: HTTPS: backend socket is disconnected.
[Wed Apr 08 18:31:07.412910 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2771): AH02824: HTTPS: connection established with 10.81.1.183:8443 (test.domain.com)
[Wed Apr 08 18:31:07.412923 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2923): AH00962: HTTPS: connection complete to 10.81.1.183:8443 (test.domain.com)
[Wed Apr 08 18:31:07.412928 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 established (server test.domain.com:443, client 10.81.1.183)
[Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid 47143550196032] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
[Wed Apr 08 18:31:07.424330 2015] [:info] [pid 17342:tid 47143550196032] SSL library error -12276 writing data
[Wed Apr 08 18:31:07.424337 2015] [:info] [pid 17342:tid 47143550196032] SSL Library Error: -12276 Requested domain name does not match the server's certificate
[Wed Apr 08 18:31:07.424344 2015] [proxy:error] [pid 17342:tid 47143550196032] (20014)Internal error: [client 10.81.1.91:50727] AH01084: pass request body failed to 10.81.1.183:8443 (test.domain.com)
[Wed Apr 08 18:31:07.424352 2015] [proxy_http:error] [pid 17342:tid 47143550196032] [client 10.81.1.91:50727] AH01097: pass request body failed to 10.81.1.183:8443 (test.domain.com) from 10.81.1.91 ()
[Wed Apr 08 18:31:07.424356 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2155): AH00943: HTTPS: has released connection for (test.domain.com)
[Wed Apr 08 18:31:07.424385 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 closed (server test.domain.com:443, client 10.81.1.183)
[Wed Apr 08 18:31:07.424394 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2864): [remote 10.81.1.183:8443] AH02642: proxy: connection shutdown
[Wed Apr 08 18:31:07.424686 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 closed (server test.domain.com:443, client 10.81.1.91)

My configuration is as follows for the virtual host:

ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
LogLevel debug
NSSEngine on
NSSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSNickname "*.domain.com"
NSSCertificateDatabase /etc/httpd/wildcard
NSSVerifyClient optional
NSSOptions +ExportCertData +StdEnvVars

NSSOptions +StdEnvVars

NSSOptions +StdEnvVars

ServerName test.domain.com
NSSProxyEngine on
NSSProxyProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProxyCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ProxyRequests off
ProxyPass /test https://test.domain.com:8443/test
ProxyPassReverse /test https://test.domain.com:8443/test
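An intermittent failure like the one reported above is easier to pin down, and to alert on, if the error log is scanned mechanically rather than by eye. The Python script below is an added example and is not part of this thread, of mod_nss or of httpd. It parses Apache 2.4 error_log lines, records each mod_nss hostname-verification refusal ("SSL Proxy: I don't have the name of the host ...") together with the NSS -12276 code logged after it, notes which backend address the worker thread had just connected to, and flags whether a backend connection was torn down and reopened ("SSL connection destroyed without being closed", "backend socket is disconnected") earlier in the same proxied request on that thread, which is the sequence visible in the excerpt. The embedded sample lines are constructed, modelled on the excerpt; the correlation-by-thread rule is this example's own assumption, not something the thread states.

```python
import re
import sys
from collections import defaultdict

# Apache 2.4 error_log layout: [timestamp] [module:level] [pid P:tid T] message
# mod_nss logs with an empty module tag, e.g. "[:error]", so module may be "".
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)
# Backend address the worker used ("connection complete to 10.81.1.183:8443",
# "pass request body failed to 10.81.1.183:8443").
BACKEND_RE = re.compile(r"\bto ?(?P<backend>\d{1,3}(?:\.\d{1,3}){3}:\d+)")

# Message fragments taken from the log excerpt in the thread.
REQUEST_START = "AH00944: connecting"
REUSE_MARKERS = ("SSL connection destroyed without being closed",
                 "backend socket is disconnected")
REFUSAL = "SSL Proxy: I don't have the name of the host"
NSS_CODE = "SSL Library Error: -12276"


def parse_line(line):
    """Split one error_log line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"], rec["tid"] = int(rec["pid"]), int(rec["tid"])
    return rec


def analyse(lines):
    """One finding per hostname-verification refusal, correlated by worker
    thread with the backend address and with any teardown-and-reopen seen
    earlier in the same proxied request (assumption: one request per thread
    at a time, which is how the excerpt reads)."""
    reuse_seen = defaultdict(bool)   # tid -> reuse marker seen in this request
    backend = {}                     # tid -> last backend address on this thread
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        tid, msg = rec["tid"], rec["msg"]
        if REQUEST_START in msg:          # a new proxied request on this thread
            reuse_seen[tid] = False
        m = BACKEND_RE.search(msg)
        if m:
            backend[tid] = m.group("backend")
        if any(marker in msg for marker in REUSE_MARKERS):
            reuse_seen[tid] = True
        if msg.startswith(REFUSAL):
            findings.append({"ts": rec["ts"], "tid": tid,
                             "backend": backend.get(tid, "unknown"),
                             "preceded_by_reuse": reuse_seen[tid],
                             "nss_error": None})
        elif NSS_CODE in msg:
            # Attach the NSS error code to the refusal just logged on this thread.
            for f in reversed(findings):
                if f["tid"] == tid:
                    if f["nss_error"] is None:
                        f["nss_error"] = "-12276"
                    break
    return findings


def summarize(findings):
    """Per-backend counts: total refusals and how many followed a reopen."""
    counts = defaultdict(lambda: {"failures": 0, "after_reuse": 0})
    for f in findings:
        counts[f["backend"]]["failures"] += 1
        if f["preceded_by_reuse"]:
            counts[f["backend"]]["after_reuse"] += 1
    return dict(counts)


# Constructed sample, modelled on the excerpt: thread ...32 reopens the backend
# connection and is refused, thread ...33 succeeds, thread ...34 is refused
# without any reopen.
SAMPLE_LOG = """\
[Wed Apr 08 18:31:07.412734 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2193): [client 10.81.1.91:50727] AH00944: connecting https://test.domain.com:8443/test/home.html to test.domain.com:8443
[Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid 47143550196032] nss_engine_io.c(658): SSL connection destroyed without being closed
[Wed Apr 08 18:31:07.412859 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2636): AH00951: HTTPS: backend socket is disconnected.
[Wed Apr 08 18:31:07.412923 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2923): AH00962: HTTPS: connection complete to 10.81.1.183:8443 (test.domain.com)
[Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid 47143550196032] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
[Wed Apr 08 18:31:07.424337 2015] [:info] [pid 17342:tid 47143550196032] SSL Library Error: -12276 Requested domain name does not match the server's certificate
[Wed Apr 08 18:31:09.100000 2015] [proxy:debug] [pid 17342:tid 47143550196033] proxy_util.c(2193): [client 10.81.1.92:41002] AH00944: connecting https://test.domain.com:8443/test/home.html to test.domain.com:8443
[Wed Apr 08 18:31:09.100500 2015] [proxy:debug] [pid 17342:tid 47143550196033] proxy_util.c(2923): AH00962: HTTPS: connection complete to 10.81.1.183:8443 (test.domain.com)
[Wed Apr 08 18:31:12.000100 2015] [proxy:debug] [pid 17342:tid 47143550196034] proxy_util.c(2193): [client 10.81.1.93:41555] AH00944: connecting https://test.domain.com:8443/test/home.html to test.domain.com:8443
[Wed Apr 08 18:31:12.000900 2015] [proxy:debug] [pid 17342:tid 47143550196034] proxy_util.c(2923): AH00962: HTTPS: connection complete to 10.81.1.183:8443 (test.domain.com)
[Wed Apr 08 18:31:12.010000 2015] [:error] [pid 17342:tid 47143550196034] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
[Wed Apr 08 18:31:12.010100 2015] [:info] [pid 17342:tid 47143550196034] SSL Library Error: -12276 Requested domain name does not match the server's certificate
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            found = analyse(fh)
    else:
        found = analyse(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} tid={f['tid']} backend={f['backend']} "
              f"nss={f['nss_error']} after_reopen={f['preceded_by_reuse']}")
    print(summarize(found))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python nss_proxy_refusals.py /var/log/httpd/error_log` (with `LogLevel debug`, as in the configuration above, so the proxy_util and nss_engine_io lines are present); without an argument it runs over the constructed sample. A non-zero `after_reuse` share tells you whether the refusals cluster behind connection reopens, which is the question the thread's later replies raise.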
From jej2003 at gmail.com Wed Apr 29 11:31:21 2015
From: jej2003 at gmail.com (Jamie Johnson)
Date: Wed, 29 Apr 2015 11:31:21 +0000
Subject: [Mod_nss-list] mod_proxy and mod_nss - occasional "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."
In-Reply-To:
References:
Message-ID:

No thoughts on this? Can I provide more information to help?

On Tue, Apr 21, 2015, 12:02 PM Jamie Johnson wrote:
> I am running httpd-2.4.12 and mod_nss-1.0.11 built from source and am
> running into an issue where I occasionally get an error where mod_nss
> throws the following exception
>
> SSL Proxy: I don't have the name of the host we're supposed to connect to
> so I can't verify that we are connecting to who we think we should be.
> Giving up.
>
> What is strange is that the issue does not happen consistently, sometimes
> the error will occur after the first request, other times after the 5000th.
>
> Any thoughts about what could be causing this?

From rcritten at redhat.com Wed Apr 29 13:14:32 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Apr 2015 09:14:32 -0400
Subject: [Mod_nss-list] mod_proxy and mod_nss - occasional "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."
In-Reply-To:
References:
Message-ID: <5540D938.3090306@redhat.com>

Jamie Johnson wrote:
> No thoughts on this? Can I provide more information to help?
>
> On Tue, Apr 21, 2015, 12:02 PM Jamie Johnson wrote:
>
>     I am running httpd-2.4.12 and mod_nss-1.0.11 built from source and
>     am running into an issue where I occasionally get an error where
>     mod_nss throws the following exception
>
>     SSL Proxy: I don't have the name of the host we're supposed to
>     connect to so I can't verify that we are connecting to who we think
>     we should be. Giving up.
>
>     What is strange is that the issue does not happen consistently,
>     sometimes the error will occur after the first request, other times
>     after the 5000th.
>
>     Any thoughts about what could be causing this?

Sorry for the delay.

It looks like there have been changes in mod_proxy to support SNI. mod_nss doesn't support SNI currently (though a user has kindly contributed some patches). I'm not sure if this is related or it's just a red herring.

The key place where the hostname is probably set is this line:

proxy_util.c(2394): [client 10.81.1.91:50727] AH00947: connected /test/home.html to test.domain.com:8443

It is right before this line that the proxy determines if there is an SSL connection and sets the appropriate hostname.

Now for some reason the proxy already has an open connection, so it closes it and opens a new one. I'm not sure if this is related either.

When it fails, is it a one-off or do all subsequent requests fail as well?

rob

From jej2003 at gmail.com Wed Apr 29 14:51:38 2015
From: jej2003 at gmail.com (Jamie Johnson)
Date: Wed, 29 Apr 2015 14:51:38 +0000
Subject: [Mod_nss-list] mod_proxy and mod_nss - occasional "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."
In-Reply-To: <5540D938.3090306@redhat.com>
References: <5540D938.3090306@redhat.com>
Message-ID:

It's a one-off typically. If I refresh again, sometimes it works, sometimes it doesn't.

On Wed, Apr 29, 2015, 9:14 AM Rob Crittenden wrote:
> Jamie Johnson wrote:
> > No thoughts on this? Can I provide more information to help?
>
> Sorry for the delay.
>
> It looks like there have been changes in mod_proxy to support SNI.
> mod_nss doesn't support SNI currently (though a user has kindly
> contributed some patches). I'm not sure if this is related or it's just
> a red herring.
>
> The key place where the hostname is probably set is this line:
>
> proxy_util.c(2394): [client 10.81.1.91:50727] AH00947: connected
> /test/home.html to test.domain.com:8443
>
> It is right before this line that the proxy determines if there is an
> SSL connection and sets the appropriate hostname.
>
> Now for some reason the proxy already has an open connection so it
> closes it and opens a new one. I'm not sure if this is related either.
>
> When it fails is it a one-off or do all subsequent requests fail as well?
>
> rob

From rcritten at redhat.com Thu Apr 30 18:43:25 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Apr 2015 14:43:25 -0400
Subject: [Mod_nss-list] mod_proxy and mod_nss - occasional "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."
In-Reply-To:
References: <5540D938.3090306@redhat.com>
Message-ID: <554277CD.8040506@redhat.com>

Jamie Johnson wrote:
> It's a one off typically. If I refresh again sometimes it works,
> sometimes it doesn't.

Ok. I've opened a bug to track this,
https://bugzilla.redhat.com/show_bug.cgi?id=1217596

rob
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > > > > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 > > > > NSSNickname "*.domain.com > " > > > > NSSCertificateDatabase /etc/httpd/wildcard > > > > NSSVerifyClient optional > > > > NSSOptions +ExportCertData +StdEnvVars > > > > > > > > NSSOptions +StdEnvVars > > > > > > > > > > > > NSSOptions +StdEnvVars > > > > > > > > ServerName test.domain.com > > > > > NSSProxyEngine on > > > > NSSProxyProtocol TLSv1.0,TLSv1.1,TLSv1.2 > > > > NSSProxyCipherSuite > > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > > > > ProxyRequests off > > > > ProxyPass /test https://test.domain.com:8443/test > > > > ProxyPassReverse /test 
https://test.domain.com:8443/test > > > > > > Sorry for the delay. > > It looks like there have been changes in mod_proxy to support SNI. > mod_nss doesn't support SNI currently (though a user has kindly > contributed some patches). I'm not sure if this is related or it's just > a red herring. > > The key that the hostname is probably set is this line: > > proxy_util.c(2394): [client 10.81.1.91:50727 > ] AH00947: connected > /test/home.html to test.domain.com:8443 > > It is right before this line that the proxy determines if there is an > SSL connection and sets the appropriate hostname. > > Now for some reason the proxy already has an open connection so it > closes it and opens a new one. I'm not sure if this is related either. > > When it fails is it a one-off or do all subsequent requests fail as > well? > > rob >
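The security-relevant point in this thread is easy to miss under the log noise: the "Giving up" message is mod_nss failing closed. When the proxy hands it a backend connection without a hostname, it refuses to send the request rather than skip certificate name verification, and NSS reports -12276 (requested domain name does not match the server's certificate). Rob's hypothesis is that the failures coincide with the proxy tearing down a stale pooled backend connection and opening a new one mid-request. The script below is an added example written for this page, not code from httpd or mod_nss: it groups error_log lines per worker thread (pid:tid) into requests, using the AH01143 and AH00943 markers quoted in the thread as request start and end, and flags whether a backend reconnect and the hostname give-up occurred in the same request, so the correlation Rob suspects can be checked against a real debug log instead of by refreshing the browser. The sample log is constructed: request A is the failing sequence from the thread with unrelated lines omitted, while requests B and C (their timestamps, client ports and the second thread id) are invented successful requests for contrast. It assumes the httpd 2.4 error_log format at LogLevel debug shown in the thread and nothing else.

```python
import re
from collections import Counter

# Constructed sample in the httpd 2.4 error_log format (LogLevel debug) quoted
# in the thread. Request A is the failing sequence from the thread with
# unrelated lines omitted; requests B and C are constructed successful
# requests, B on A's worker thread and C on a second, interleaved thread.
SAMPLE_LOG = """\
[Wed Apr 08 18:31:07.412654 2015] [proxy:debug] [pid 17342:tid 47143550196032] mod_proxy.c(1163): [client 10.81.1.91:50727] AH01143: Running scheme https handler (attempt 0)
[Wed Apr 08 18:31:07.412669 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2140): AH00942: HTTPS: has acquired connection for (test.domain.com)
[Wed Apr 08 18:31:07.412734 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2193): [client 10.81.1.91:50727] AH00944: connecting https://test.domain.com:8443/test/home.html to test.domain.com:8443
[Wed Apr 08 18:31:07.412745 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2394): [client 10.81.1.91:50727] AH00947: connected /test/home.html to test.domain.com:8443
[Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid 47143550196032] nss_engine_io.c(658): SSL connection destroyed without being closed
[Wed Apr 08 18:31:07.412859 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2636): AH00951: HTTPS: backend socket is disconnected.
[Wed Apr 08 18:31:07.412910 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2771): AH02824: HTTPS: connection established with 10.81.1.183:8443 (test.domain.com)
[Wed Apr 08 18:31:07.412923 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2923): AH00962: HTTPS: connection complete to 10.81.1.183:8443 (test.domain.com)
[Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid 47143550196032] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
[Wed Apr 08 18:31:07.424337 2015] [:info] [pid 17342:tid 47143550196032] SSL Library Error: -12276 Requested domain name does not match the server's certificate
[Wed Apr 08 18:31:07.424344 2015] [proxy:error] [pid 17342:tid 47143550196032] (20014)Internal error: [client 10.81.1.91:50727] AH01084: pass request body failed to 10.81.1.183:8443 (test.domain.com)
[Wed Apr 08 18:31:07.424356 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2155): AH00943: HTTPS: has released connection for (test.domain.com)
[Wed Apr 08 18:31:09.100100 2015] [proxy:debug] [pid 17342:tid 47143550196032] mod_proxy.c(1163): [client 10.81.1.91:50731] AH01143: Running scheme https handler (attempt 0)
[Wed Apr 08 18:31:09.100150 2015] [proxy:debug] [pid 17342:tid 47143554398528] mod_proxy.c(1163): [client 10.81.1.92:40210] AH01143: Running scheme https handler (attempt 0)
[Wed Apr 08 18:31:09.100200 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2140): AH00942: HTTPS: has acquired connection for (test.domain.com)
[Wed Apr 08 18:31:09.100300 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2923): AH00962: HTTPS: connection complete to 10.81.1.183:8443 (test.domain.com)
[Wed Apr 08 18:31:09.100400 2015] [proxy:debug] [pid 17342:tid 47143554398528] proxy_util.c(2140): AH00942: HTTPS: has acquired connection for (test.domain.com)
[Wed Apr 08 18:31:09.101000 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2155): AH00943: HTTPS: has released connection for (test.domain.com)
[Wed Apr 08 18:31:09.101100 2015] [proxy:debug] [pid 17342:tid 47143554398528] proxy_util.c(2923): AH00962: HTTPS: connection complete to 10.81.1.183:8443 (test.domain.com)
[Wed Apr 08 18:31:09.101200 2015] [proxy:debug] [pid 17342:tid 47143554398528] proxy_util.c(2155): AH00943: HTTPS: has released connection for (test.domain.com)
"""

# httpd 2.4 error_log prefix: [timestamp] [module:level] [pid N:tid M] message.
# mod_nss logs with an empty module name ("[:error]"), so the module is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)
NSS_CODE_RE = re.compile(r"SSL Library Error: (-\d+)")

# Markers taken from the log lines quoted in the thread.
REQUEST_START = "AH01143: Running scheme https handler"
BACKEND_RECONNECT = ("SSL connection destroyed without being closed",
                     "AH00951: HTTPS: backend socket is disconnected")
HOSTNAME_GIVE_UP = "SSL Proxy: I don't have the name of the host"
REQUEST_END = "AH00943: HTTPS: has released connection"


def correlate(log_text):
    """Group debug lines per worker (pid:tid) into proxied requests and record,
    for each, whether the pooled backend connection was torn down and
    re-established mid-request and whether mod_nss then gave up because it had
    no hostname to verify the backend certificate against."""
    open_requests = {}  # (pid, tid) -> record of the request in flight
    finished = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an error_log line in the expected format
        key, msg = (m["pid"], m["tid"]), m["msg"]
        if REQUEST_START in msg:
            open_requests[key] = {
                "worker": f"{key[0]}:{key[1]}", "start": m["ts"],
                "reconnected": False, "hostname_give_up": False, "nss_error": None,
            }
            continue
        rec = open_requests.get(key)
        if rec is None:
            continue  # a worker whose request start lies outside the excerpt
        if any(mark in msg for mark in BACKEND_RECONNECT):
            rec["reconnected"] = True
        if HOSTNAME_GIVE_UP in msg:
            rec["hostname_give_up"] = True
        code = NSS_CODE_RE.search(msg)
        if code:
            rec["nss_error"] = int(code.group(1))
        if REQUEST_END in msg:
            finished.append(open_requests.pop(key))
    return finished


def summarize(records):
    """Count requests by (reconnected, hostname_give_up): if every give-up sits
    in the (True, True) cell and no reconnect succeeded, the reconnect path is
    where the hostname is being lost."""
    return Counter((r["reconnected"], r["hostname_give_up"]) for r in records)


if __name__ == "__main__":
    for (reconnected, gave_up), n in sorted(summarize(correlate(SAMPLE_LOG)).items()):
        print(f"reconnected={reconnected} hostname_give_up={gave_up}: {n} request(s)")
```

On the sample the failing request lands in the (reconnected, gave up) cell and the two constructed successes in (False, False). Run against a full debug log from an affected server, a non-empty (True, False) cell would weaken the reconnect hypothesis, while a (False, True) cell would show the hostname going missing on a plain first connection as well. Keep LogLevel debug only for the diagnosis: the proxy debug lines include client addresses and request paths, and the log grows quickly at 5000 requests.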