From jej2003 at gmail.com Fri May 1 10:56:41 2015
From: jej2003 at gmail.com (Jamie Johnson)
Date: Fri, 01 May 2015 10:56:41 +0000
Subject: [Mod_nss-list] mod_proxy and mod_nss - occasional "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up."
In-Reply-To: <554277CD.8040506@redhat.com>
References: <5540D938.3090306@redhat.com> <554277CD.8040506@redhat.com>
Message-ID:

Thanks

On Thu, Apr 30, 2015, 2:43 PM Rob Crittenden wrote:
> Jamie Johnson wrote:
> > It's a one-off typically. If I refresh again sometimes it works,
> > sometimes it doesn't.
>
> Ok. I've opened a bug to track this,
> https://bugzilla.redhat.com/show_bug.cgi?id=1217596
>
> rob
>
> > On Wed, Apr 29, 2015, 9:14 AM Rob Crittenden wrote:
> >
> > > Jamie Johnson wrote:
> > > > No thoughts on this? Can I provide more information to help?
> > > >
> > > > On Tue, Apr 21, 2015, 12:02 PM Jamie Johnson wrote:
> > > >
> > > > I am running httpd-2.4.12 and mod_nss-1.0.11 built from source and
> > > > am running into an issue where I occasionally get an error where
> > > > mod_nss throws the following exception
> > > >
> > > > SSL Proxy: I don't have the name of the host we're supposed to
> > > > connect to so I can't verify that we are connecting to who we think
> > > > we should be. Giving up.
> > > >
> > > > What is strange is that the issue does not happen consistently,
> > > > sometimes the error will occur after the first request, other times
> > > > after the 5000th.
> > > >
> > > > Any thoughts about what could be causing this?
> > > >
> > > > The following is what I'm seeing in the log
> > > >
> > > > [Wed Apr 08 18:31:07.331041 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 established (server test.domain.com:443, client 10.81.1.91)
> > > > [Wed Apr 08 18:31:07.412436 2015] [:info] [pid 17342:tid 47143550196032] Initial (No.1) HTTPS request received for child 0 (server test.domain.com:443)
> > > > [Wed Apr 08 18:31:07.412499 2015] [authz_core:debug] [pid 17342:tid 47143550196032] mod_authz_core.c(835): [client 10.81.1.91:50727] AH01628: authorization result: granted (no directives)
> > > > [Wed Apr 08 18:31:07.412654 2015] [proxy:debug] [pid 17342:tid 47143550196032] mod_proxy.c(1163): [client 10.81.1.91:50727] AH01143: Running scheme https handler (attempt 0)
> > > > [Wed Apr 08 18:31:07.412669 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2140): AH00942: HTTPS: has acquired connection for (test.domain.com)
> > > > [Wed Apr 08 18:31:07.412734 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2193): [client 10.81.1.91:50727] AH00944: connecting https://test.domain.com:8443/test/home.html to test.domain.com:8443
> > > > [Wed Apr 08 18:31:07.412745 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2394): [client 10.81.1.91:50727] AH00947: connected /test/home.html to test.domain.com:8443
> > > > [Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid 47143550196032] nss_engine_io.c(658): SSL connection destroyed without being closed
> > > > [Wed Apr 08 18:31:07.412859 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2636): AH00951: HTTPS: backend socket is disconnected.
> > > > [Wed Apr 08 18:31:07.412910 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2771): AH02824: HTTPS: connection established with 10.81.1.183:8443 (test.domain.com)
> > > > [Wed Apr 08 18:31:07.412923 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2923): AH00962: HTTPS: connection complete to 10.81.1.183:8443 (test.domain.com)
> > > > [Wed Apr 08 18:31:07.412928 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 established (server test.domain.com:443, client 10.81.1.183)
> > > > [Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid 47143550196032] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
> > > > [Wed Apr 08 18:31:07.424330 2015] [:info] [pid 17342:tid 47143550196032] SSL library error -12276 writing data
> > > > [Wed Apr 08 18:31:07.424337 2015] [:info] [pid 17342:tid 47143550196032] SSL Library Error: -12276 Requested domain name does not match the server's certificate
> > > > [Wed Apr 08 18:31:07.424344 2015] [proxy:error] [pid 17342:tid 47143550196032] (20014)Internal error: [client 10.81.1.91:50727] AH01084: pass request body failed to 10.81.1.183:8443 (test.domain.com)
> > > > [Wed Apr 08 18:31:07.424352 2015] [proxy_http:error] [pid 17342:tid 47143550196032] [client 10.81.1.91:50727] AH01097: pass request body failed to 10.81.1.183:8443 (test.domain.com) from 10.81.1.91 ()
> > > > [Wed Apr 08 18:31:07.424356 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2155): AH00943: HTTPS: has released connection for (test.domain.com)
> > > > [Wed Apr 08 18:31:07.424385 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 closed (server test.domain.com:443, client 10.81.1.183)
> > > > [Wed Apr 08 18:31:07.424394 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2864): [remote 10.81.1.183:8443] AH02642: proxy: connection shutdown
> > > > [Wed Apr 08 18:31:07.424686 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 closed (server test.domain.com:443, client 10.81.1.91)
> > > >
> > > > My configuration is as follows for the virtual host
> > > >
> > > > ErrorLog /var/log/httpd/error_log
> > > > TransferLog /var/log/httpd/access_log
> > > > LogLevel debug
> > > > NSSEngine on
> > > > NSSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> > > > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
> > > > NSSNickname "*.domain.com"
> > > > NSSCertificateDatabase /etc/httpd/wildcard
> > > > NSSVerifyClient optional
> > > > NSSOptions +ExportCertData +StdEnvVars
> > > >
> > > > NSSOptions +StdEnvVars
> > > >
> > > > NSSOptions +StdEnvVars
> > > >
> > > > ServerName test.domain.com
> > > > NSSProxyEngine on
> > > > NSSProxyProtocol TLSv1.0,TLSv1.1,TLSv1.2
> > > > NSSProxyCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> > > > ProxyRequests off
> > > > ProxyPass /test https://test.domain.com:8443/test
> > > > ProxyPassReverse /test https://test.domain.com:8443/test
> > >
> > > Sorry for the delay.
> > >
> > > It looks like there have been changes in mod_proxy to support SNI.
> > > mod_nss doesn't support SNI currently (though a user has kindly
> > > contributed some patches). I'm not sure if this is related or it's just
> > > a red herring.
> > >
> > > The key that the hostname is probably set is this line:
> > >
> > > proxy_util.c(2394): [client 10.81.1.91:50727] AH00947: connected /test/home.html to test.domain.com:8443
> > >
> > > It is right before this line that the proxy determines if there is an
> > > SSL connection and sets the appropriate hostname.
> > >
> > > Now for some reason the proxy already has an open connection so it
> > > closes it and opens a new one. I'm not sure if this is related either.
> > >
> > > When it fails is it a one-off or do all subsequent requests fail as
> > > well?
> > >
> > > rob
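As an added diagnostic (not from the thread or from mod_nss), a small Python parser that walks httpd error_log lines of the shape shown above, groups them by worker thread, and counts how often the hostname-verification failure follows the "SSL connection destroyed without being closed" teardown that Rob points at. The sample lines are trimmed from the thread's own log plus one constructed line for a second thread whose request went through cleanly.

```python
import re
from collections import defaultdict

# Log-line shape produced by httpd 2.4 at LogLevel debug, as shown in the thread.
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[[^:\]]*:\w+\] \[pid \d+:tid (?P<tid>\d+)\] (?P<msg>.*)$")
NEW_ATTEMPT = "AH00947: connected"  # proxy has picked the backend for this request
STALE_CONN = "SSL connection destroyed without being closed"
HOSTNAME_FAIL = "SSL Proxy: I don't have the name of the host"

# Constructed sample: the first three lines are trimmed from the thread's log, the
# last is a hypothetical second worker thread whose request went through cleanly.
SAMPLE = [
    "[Wed Apr 08 18:31:07.412745 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2394): [client 10.81.1.91:50727] AH00947: connected /test/home.html to test.domain.com:8443",
    "[Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid 47143550196032] nss_engine_io.c(658): SSL connection destroyed without being closed",
    "[Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid 47143550196032] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.",
    "[Wed Apr 08 18:31:08.000000 2015] [proxy:debug] [pid 17342:tid 47143550196099] proxy_util.c(2394): [client 10.81.1.91:50728] AH00947: connected /test/home.html to test.domain.com:8443",
]

def parse(line):
    """Split one error_log line into timestamp, thread id and message, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def correlate(lines):
    """Per worker thread, list each proxy attempt with flags for whether a stale
    SSL connection was torn down and whether hostname verification then failed."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        tid, msg = rec["tid"], rec["msg"]
        if NEW_ATTEMPT in msg:
            attempts[tid].append({"ts": rec["ts"], "stale": False, "failed": False})
        elif attempts[tid]:
            cur = attempts[tid][-1]  # later events belong to the latest attempt on this thread
            if STALE_CONN in msg:
                cur["stale"] = True
            elif HOSTNAME_FAIL in msg or "-12276" in msg:
                cur["failed"] = True
    return attempts

def summarize(lines):
    """Count attempts, failures, and failures that followed a stale-connection teardown."""
    flat = [a for v in correlate(lines).values() for a in v]
    failed = [a for a in flat if a["failed"]]
    return {"attempts": len(flat), "failed": len(failed),
            "failed_after_stale": sum(1 for a in failed if a["stale"])}
```

Running it over a full debug error_log shows whether every failure is paired with the stale-connection teardown, which is the correlation worth attaching to the bug report.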