It's a one off typically. If I refresh again sometimes it works, sometimes it doesn't. <div class="gmail_quote">On Wed, Apr 29, 2015, 9:14 AM Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Jamie Johnson wrote: > No thoughts on this? Can I provide more information to help? > > > On Tue, Apr 21, 2015, 12:02 PM Jamie Johnson <<a href="mailto:jej2003@gmail.com" target="_blank">jej2003@gmail.com</a> > <mailto:<a href="mailto:jej2003@gmail.com" target="_blank">jej2003@gmail.com</a>>> wrote: > > I am running httpd-2.4.12 and mod_nss-1.0.11 built from source and > am running into an issue where I occasionally get an error where > mod_nss throws the following exception > > SSL Proxy: I don't have the name of the host we're supposed to > connect to so I can't verify that we are connecting to who we think > we should be. Giving up. > > What is strange is that the issue does not happen consistently, > sometimes the error will occur after the first request, other times > after the 5000th. > > Any thoughts about what could be causing this? > > The following is what I'm seeing in the log > > [Wed Apr 08 18:31:07.331041 2015] [:info] [pid 17342:tid > 47143550196032] Connection to child 0 established > (server <a href="http://test.domain.com:443" target="_blank">test.domain.com:443</a> <<a href="http://test.domain.com:443/" target="_blank">http://test.domain.com:443/</a>>, client > 10.81.1.91) > [Wed Apr 08 18:31:07.412436 2015] [:info] [pid 17342:tid > 47143550196032] Initial (No.1) HTTPS request received for child 0 > (server <a href="http://test.domain.com:443" target="_blank">test.domain.com:443</a> <<a href="http://test.domain.com:443/" target="_blank">http://test.domain.com:443/</a>>) > [Wed Apr 08 18:31:07.412499 2015] [authz_core:debug] [pid 17342:tid > 47143550196032] mod_authz_core.c(835): [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a> > <<a href="http://10.81.1.91:50727/" target="_blank">http://10.81.1.91:50727/</a>>] AH01628: authorization result: granted > (no directives) > [Wed Apr 08 18:31:07.412654 2015] [proxy:debug] [pid 17342:tid > 47143550196032] mod_proxy.c(1163): [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a> > <<a href="http://10.81.1.91:50727/" target="_blank">http://10.81.1.91:50727/</a>>] AH01143: Running scheme https handler > (attempt 0) > [Wed Apr 08 18:31:07.412669 2015] [proxy:debug] [pid 17342:tid > 47143550196032] proxy_util.c(2140): AH00942: HTTPS: has acquired > connection for (<a href="http://test.domain.com" target="_blank">test.domain.com</a> <<a href="http://test.domain.com/" target="_blank">http://test.domain.com/</a>>) > [Wed Apr 08 18:31:07.412734 2015] [proxy:debug] [pid 17342:tid > 47143550196032] proxy_util.c(2193): [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a> > <<a href="http://10.81.1.91:50727/" target="_blank">http://10.81.1.91:50727/</a>>] AH00944: > connectinghttps://<a href="http://test.domain.com:8443/test/home.html" target="_blank">test.domain.com:8443/test/home.html</a> to <a href="http://test.domain.com:8443" target="_blank">test.domain.com:8443</a> > <<a href="http://test.domain.com:8443/" target="_blank">http://test.domain.com:8443/</a>> > [Wed Apr 08 18:31:07.412745 2015] [proxy:debug] [pid 17342:tid > 47143550196032] proxy_util.c(2394): [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a> > <<a href="http://10.81.1.91:50727/" target="_blank">http://10.81.1.91:50727/</a>>] AH00947: connected /test/home.html > <a href="http://totest.domain.com:8443" target="_blank">totest.domain.com:8443</a> <<a href="http://test.domain.com:8443/" target="_blank">http://test.domain.com:8443/</a>> > [Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid > 47143550196032] nss_engine_io.c(658): SSL connection destroyed > without being closed > [Wed Apr 08 18:31:07.412859 2015] [proxy:debug] [pid 17342:tid > 47143550196032] proxy_util.c(2636): AH00951: HTTPS: backend socket > is disconnected. > [Wed Apr 08 18:31:07.412910 2015] [proxy:debug] [pid 17342:tid > 47143550196032] proxy_util.c(2771): AH02824: HTTPS: connection > established with <a href="http://10.81.1.183:8443" target="_blank">10.81.1.183:8443</a> > <<a href="http://10.81.1.183:8443/" target="_blank">http://10.81.1.183:8443/</a>>(<a href="http://test.domain.com" target="_blank">test.domain.com</a> <<a href="http://test.domain.com/" target="_blank">http://test.domain.com/</a>>) > [Wed Apr 08 18:31:07.412923 2015] [proxy:debug] [pid 17342:tid > 47143550196032] proxy_util.c(2923): AH00962: HTTPS: connection > complete to <a href="http://10.81.1.183:8443" target="_blank">10.81.1.183:8443</a> > <<a href="http://10.81.1.183:8443/" target="_blank">http://10.81.1.183:8443/</a>>(<a href="http://test.domain.com" target="_blank">test.domain.com</a> <<a href="http://test.domain.com/" target="_blank">http://test.domain.com/</a>>) > [Wed Apr 08 18:31:07.412928 2015] [:info] [pid 17342:tid > 47143550196032] Connection to child 0 established > (server <a href="http://test.domain.com:443" target="_blank">test.domain.com:443</a> <<a href="http://test.domain.com:443/" target="_blank">http://test.domain.com:443/</a>>, client > 10.81.1.183) > [Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid > 47143550196032] SSL Proxy: I don't have the name of the host we're > supposed to connect to so I can't verify that we are connecting to > who we think we should be. Giving up. > [Wed Apr 08 18:31:07.424330 2015] [:info] [pid 17342:tid > 47143550196032] SSL library error -12276 writing data > [Wed Apr 08 18:31:07.424337 2015] [:info] [pid 17342:tid > 47143550196032] SSL Library Error: -12276 Requested domain name does > not match the server's certificate > [Wed Apr 08 18:31:07.424344 2015] [proxy:error] [pid 17342:tid > 47143550196032] (20014)Internal error: [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a> > <<a href="http://10.81.1.91:50727/" target="_blank">http://10.81.1.91:50727/</a>>] AH01084: pass request body failed > to10.81.1.183:8443 <<a href="http://10.81.1.183:8443/" target="_blank">http://10.81.1.183:8443/</a>> (<a href="http://test.domain.com" target="_blank">test.domain.com</a> > <<a href="http://test.domain.com/" target="_blank">http://test.domain.com/</a>>) > [Wed Apr 08 18:31:07.424352 2015] [proxy_http:error] [pid 17342:tid > 47143550196032] [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a> <<a href="http://10.81.1.91:50727/" target="_blank">http://10.81.1.91:50727/</a>>] > AH01097: pass request body failed to <a href="http://10.81.1.183:8443" target="_blank">10.81.1.183:8443</a> > <<a href="http://10.81.1.183:8443/" target="_blank">http://10.81.1.183:8443/</a>>(<a href="http://test.domain.com" target="_blank">test.domain.com</a> > <<a href="http://test.domain.com/" target="_blank">http://test.domain.com/</a>>) from 10.81.1.91 () > [Wed Apr 08 18:31:07.424356 2015] [proxy:debug] [pid 17342:tid > 47143550196032] proxy_util.c(2155): AH00943: HTTPS: has released > connection for (<a href="http://test.domain.com" target="_blank">test.domain.com</a> <<a href="http://test.domain.com/" target="_blank">http://test.domain.com/</a>>) > [Wed Apr 08 18:31:07.424385 2015] [:info] [pid 17342:tid > 47143550196032] Connection to child 0 closed > (server <a href="http://test.domain.com:443" target="_blank">test.domain.com:443</a> <<a href="http://test.domain.com:443/" target="_blank">http://test.domain.com:443/</a>>, client > 10.81.1.183) > [Wed Apr 08 18:31:07.424394 2015] [proxy:debug] [pid 17342:tid > 47143550196032] proxy_util.c(2864): [remote <a href="http://10.81.1.183:8443" target="_blank">10.81.1.183:8443</a> > <<a href="http://10.81.1.183:8443/" target="_blank">http://10.81.1.183:8443/</a>>] AH02642: proxy: connection shutdown > [Wed Apr 08 18:31:07.424686 2015] [:info] [pid 17342:tid > 47143550196032] Connection to child 0 closed > (server <a href="http://test.domain.com:443" target="_blank">test.domain.com:443</a> <<a href="http://test.domain.com:443/" target="_blank">http://test.domain.com:443/</a>>, client > 10.81.1.91) > > > My configuration is as follows for the virtual host > > <VirtualHost _default_:443> > > ErrorLog /var/log/httpd/error_log > > TransferLog /var/log/httpd/access_log > > LogLevel debug > > NSSEngine on > > NSSCipherSuite > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 > > NSSNickname "*.<a href="http://domain.com" target="_blank">domain.com</a> <<a href="http://domain.com/" target="_blank">http://domain.com/</a>>" > > NSSCertificateDatabase /etc/httpd/wildcard > > NSSVerifyClient optional > > NSSOptions +ExportCertData +StdEnvVars > > <Files ~ "\.(cgi|shtml|phtml|php3?)$"> > > NSSOptions +StdEnvVars > > </Files> > > <Directory "/var/www/cgi-bin"> > > NSSOptions +StdEnvVars > > </Directory> > > ServerName <a href="http://test.domain.com" target="_blank">test.domain.com</a> <<a href="http://test.domain.com/" target="_blank">http://test.domain.com/</a>> > > NSSProxyEngine on > > NSSProxyProtocol TLSv1.0,TLSv1.1,TLSv1.2 > > NSSProxyCipherSuite > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > > ProxyRequests off > > ProxyPass /test <a href="https://test.domain.com:8443/test" target="_blank">https://test.domain.com:8443/test</a> > > ProxyPassReverse /test <a href="https://test.domain.com:8443/test" target="_blank">https://test.domain.com:8443/test</a> > > </VirtualHost> Sorry for the delay. It looks like there have been changes in mod_proxy to support SNI. mod_nss doesn't support SNI currently (though a user has kindly contributed some patches). I'm not sure if this is related or it's just a red herring. The key that the hostname is probably set is this line: proxy_util.c(2394): [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a>] AH00947: connected /test/home.html to <a href="http://test.domain.com:8443" target="_blank">test.domain.com:8443</a> It is right before this line that the proxy determines if there is an SSL connection and sets the appropriate hostname. Now for some reason the proxy already has an open connection so it closes it and opens a new one. I'm not sure if this is related either. When it fails is it a one-off or do all subsequent requests fail as well? rob </blockquote></div>