From rcritten at redhat.com Wed Jan 2 18:16:46 2019
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 2 Jan 2019 13:16:46 -0500
Subject: [Mod_nss-list] Having problems with 1.0.18
In-Reply-To:
References:
Message-ID:

James Chamberlain wrote:
> Hello,
>
> I am testing out mod_nss 1.0.18 using the following combo: Server:
> Apache/2.4.20, Interface: mod_nss/1.0.18, Library: NSS/3.40.1
>
> The requests from clients are coming in via https and being reverse
> proxied to an http endpoint using mod_proxy.
>
> The response to the browser takes a long time, but eventually the
> following is returned:
>
>
> Bad Request
>
> Your browser sent a request that this server could not understand.
>
>
> Here is an excerpt from the httpd error log:
>
> [Mon Dec 17 15:58:13.927232 2018] [:info] [pid 24535:tid
> 140117113034496] SSL library error 0 writing data
>
> [Mon Dec 17 15:58:13.927274 2018] [:info] [pid 24535:tid
> 140117113034496] SSL Library Error: 0 Unknown
>
> [Mon Dec 17 15:58:13.927331 2018] [proxy:error] [pid 24535:tid
> 140117113034496] (20014)Internal error (specific information not
> available): [client 192.168.20.1:52182 ]
> AH01084: pass request body failed to 127.0.0.1:6400
> (127.0.0.1)
>
> [Mon Dec 17 15:58:13.927369 2018] [proxy_http:error] [pid 24535:tid
> 140117113034496] [client 192.168.20.1:52182 ]
> AH01097: pass request body failed to 127.0.0.1:6400
> (127.0.0.1) from 192.168.20.1 (testclient)
>
> [Mon Dec 17 15:58:13.927382 2018] [proxy:debug] [pid 24535:tid
> 140117113034496] proxy_util.c(2330): AH00943: HTTP: has released
> connection for (127.0.0.1)
>
> [Mon Dec 17 15:58:13.927398 2018] [:debug] [pid 24535:tid
> 140117113034496] nss_engine_io.c(666): SSL connection destroyed without
> being closed
>
>
> I'm not sure where to look for the problem. This all used to work just
> fine. Can anybody point me in the right direction?

The only major change in 1.0.18 is to fix an issue with reverse proxies
introduced in Apache 2.4.33. It would appear the change isn't backwards
compatible with 2.4.20 (I did it last April and don't remember if I did
any testing on older Apache releases).

So for now downgrading seems like the best bet. The only other changes
were some minor issues detected by clang-analyze.

I'm not sure it is worth the effort to try to detect the version of
Apache and register the proxy callbacks dynamically or not.

rob

From james.chamberlain at gmail.com Wed Jan 2 19:18:07 2019
From: james.chamberlain at gmail.com (James Chamberlain)
Date: Wed, 2 Jan 2019 14:18:07 -0500
Subject: [Mod_nss-list] Having problems with 1.0.18
In-Reply-To:
References:
Message-ID:

Turns out I had the wrong version in my previous message. It is actually
this:

Apache/2.4.37 (Unix) mod_nss/1.0.18 NSS/3.40.1 mod_jk/1.2.37 configured
-- resuming normal operations

For some reason the log shows the other version first, but I confirmed
that it is in fact 2.4.37.

Is there any additional logging or debugging that you think could help
in identifying what is going on?

Thank you,

- James

From rcritten at redhat.com Mon Jan 7 16:11:32 2019
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 7 Jan 2019 11:11:32 -0500
Subject: [Mod_nss-list] Having problems with 1.0.18
In-Reply-To:
References:
Message-ID: <61e9022a-2586-5a5b-86a2-c120c558151c@redhat.com>

James Chamberlain wrote:
> Turns out I had the wrong version in my previous message. It is actually
> this:
>
> Apache/2.4.37 (Unix) mod_nss/1.0.18 NSS/3.40.1 mod_jk/1.2.37 configured
> -- resuming normal operations
>
> For some reason the log shows the other version first, but I confirmed
> that it is in fact 2.4.37.
>
> Is there any additional logging or debugging that you think could help
> in identifying what is going on?

You might check the proxy log to see if it is being contacted at all. If
it is then a network trace may show TLS handshake errors. There are
TRACE log levels in Apache which might provide additional output in the
proxy module.

rob
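
The triage suggested in the last reply, as an added example that is not part of the thread or of mod_nss: it groups error-log entries by worker thread and reports threads that logged both a TLS-layer error and a proxy error. The sample is the excerpt quoted in the thread rejoined onto single lines; the function name triage and the regexes (which assume the error-log layout seen in that excerpt) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the excerpt quoted in the thread, one log entry per line.
SAMPLE_LOG = """\
[Mon Dec 17 15:58:13.927232 2018] [:info] [pid 24535:tid 140117113034496] SSL library error 0 writing data
[Mon Dec 17 15:58:13.927274 2018] [:info] [pid 24535:tid 140117113034496] SSL Library Error: 0 Unknown
[Mon Dec 17 15:58:13.927331 2018] [proxy:error] [pid 24535:tid 140117113034496] (20014)Internal error (specific information not available): [client 192.168.20.1:52182] AH01084: pass request body failed to 127.0.0.1:6400 (127.0.0.1)
[Mon Dec 17 15:58:13.927369 2018] [proxy_http:error] [pid 24535:tid 140117113034496] [client 192.168.20.1:52182] AH01097: pass request body failed to 127.0.0.1:6400 (127.0.0.1) from 192.168.20.1 (testclient)
[Mon Dec 17 15:58:13.927382 2018] [proxy:debug] [pid 24535:tid 140117113034496] proxy_util.c(2330): AH00943: HTTP: has released connection for (127.0.0.1)
[Mon Dec 17 15:58:13.927398 2018] [:debug] [pid 24535:tid 140117113034496] nss_engine_io.c(666): SSL connection destroyed without being closed
"""

# Assumed layout: [timestamp] [module:level] [pid N:tid N] message (module may be empty).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)
AH_RE = re.compile(r"\bAH\d{5}\b")
BACKEND_RE = re.compile(r"pass request body failed to (\S+)")
CLIENT_RE = re.compile(r"\[client ([0-9A-Fa-f.:]+)\s*\]")

def triage(log_text):
    """One finding per worker thread that logged a TLS-layer error and a proxy error."""
    threads = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            threads[(m["pid"], m["tid"])].append(m)
    findings = []
    for (pid, tid), events in threads.items():
        tls = [e for e in events if e["msg"].lower().startswith("ssl library error")]
        proxy = [e for e in events if e["module"].startswith("proxy") and e["level"] == "error"]
        if not (tls and proxy):
            continue  # only threads where both layers complained are of interest
        text = " ".join(e["msg"] for e in proxy)
        backend, client = BACKEND_RE.search(text), CLIENT_RE.search(text)
        findings.append({
            "pid": pid, "tid": tid, "first_tls_error": tls[0]["ts"],
            "codes": sorted(set(AH_RE.findall(text))),
            "backend": backend.group(1) if backend else None,
            "client": client.group(1) if client else None,
            # True when the TLS-layer error was logged before the first proxy error
            "tls_first": events.index(tls[0]) < events.index(proxy[0]),
        })
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Each finding names the client and backend involved, which tells you which connections to look for in the proxy log and in a network trace.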