<p dir="ltr">Thanks</p>
<br><div class="gmail_quote">On Thu, Apr 30, 2015, 2:43 PM Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Jamie Johnson wrote:<br>
> It's a one off typically. If I refresh again sometimes it works,<br>
> sometimes it doesn't.<br>
<br>
Ok. I've opened a bug to track this,<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1217596" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1217596</a><br>
<br>
rob<br>
<br>
><br>
><br>
> On Wed, Apr 29, 2015, 9:14 AM Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br>
><br>
> Jamie Johnson wrote:<br>
> > No thoughts on this? Can I provide more information to help?<br>
> ><br>
> ><br>
> > On Tue, Apr 21, 2015, 12:02 PM Jamie Johnson <<a href="mailto:jej2003@gmail.com" target="_blank">jej2003@gmail.com</a>> wrote:<br>
> ><br>
> > I am running httpd-2.4.12 and mod_nss-1.0.11 built from source and<br>
> > am running into an issue where I occasionally get an error where<br>
> > mod_nss throws the following exception<br>
> ><br>
> > SSL Proxy: I don't have the name of the host we're supposed to<br>
> > connect to so I can't verify that we are connecting to who we think<br>
> > we should be. Giving up.<br>
> ><br>
> > What is strange is that the issue does not happen consistently,<br>
> > sometimes the error will occur after the first request, other times<br>
> > after the 5000th.<br>
> ><br>
> > Any thoughts about what could be causing this?<br>
> ><br>
> > The following is what I'm seeing in the log<br>
> ><br>
> > [Wed Apr 08 18:31:07.331041 2015] [:info] [pid 17342:tid<br>
> > 47143550196032] Connection to child 0 established<br>
> > (server <a href="http://test.domain.com:443" target="_blank">test.domain.com:443</a>, client 10.81.1.91)<br>
> > [Wed Apr 08 18:31:07.412436 2015] [:info] [pid 17342:tid<br>
> > 47143550196032] Initial (No.1) HTTPS request received for child 0<br>
> > (server <a href="http://test.domain.com:443" target="_blank">test.domain.com:443</a>)<br>
> > [Wed Apr 08 18:31:07.412499 2015] [authz_core:debug] [pid 17342:tid<br>
> > 47143550196032] mod_authz_core.c(835): [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a>] AH01628: authorization result: granted<br>
> > (no directives)<br>
> > [Wed Apr 08 18:31:07.412654 2015] [proxy:debug] [pid 17342:tid<br>
> > 47143550196032] mod_proxy.c(1163): [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a>] AH01143: Running scheme https handler<br>
> > (attempt 0)<br>
> > [Wed Apr 08 18:31:07.412669 2015] [proxy:debug] [pid 17342:tid<br>
> > 47143550196032] proxy_util.c(2140): AH00942: HTTPS: has acquired<br>
> > connection for (<a href="http://test.domain.com" target="_blank">test.domain.com</a>)<br>
> > [Wed Apr 08 18:31:07.412734 2015] [proxy:debug] [pid 17342:tid<br>
> > 47143550196032] proxy_util.c(2193): [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a>] AH00944:<br>
> > connecting <a href="https://test.domain.com:8443/test/home.html" target="_blank">https://test.domain.com:8443/test/home.html</a> to <a href="http://test.domain.com:8443" target="_blank">test.domain.com:8443</a><br>
> > [Wed Apr 08 18:31:07.412745 2015] [proxy:debug] [pid 17342:tid<br>
> > 47143550196032] proxy_util.c(2394): [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a>] AH00947: connected /test/home.html<br>
> > to <a href="http://test.domain.com:8443" target="_blank">test.domain.com:8443</a><br>
> > [Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid<br>
> > 47143550196032] nss_engine_io.c(658): SSL connection destroyed<br>
> > without being closed<br>
> > [Wed Apr 08 18:31:07.412859 2015] [proxy:debug] [pid 17342:tid<br>
> > 47143550196032] proxy_util.c(2636): AH00951: HTTPS: backend socket<br>
> > is disconnected.<br>
> > [Wed Apr 08 18:31:07.412910 2015] [proxy:debug] [pid 17342:tid<br>
> > 47143550196032] proxy_util.c(2771): AH02824: HTTPS: connection<br>
> > established with <a href="http://10.81.1.183:8443" target="_blank">10.81.1.183:8443</a> (<a href="http://test.domain.com" target="_blank">test.domain.com</a>)<br>
> > [Wed Apr 08 18:31:07.412923 2015] [proxy:debug] [pid 17342:tid<br>
> > 47143550196032] proxy_util.c(2923): AH00962: HTTPS: connection<br>
> > complete to <a href="http://10.81.1.183:8443" target="_blank">10.81.1.183:8443</a> (<a href="http://test.domain.com" target="_blank">test.domain.com</a>)<br>
> > [Wed Apr 08 18:31:07.412928 2015] [:info] [pid 17342:tid<br>
> > 47143550196032] Connection to child 0 established<br>
> > (server <a href="http://test.domain.com:443" target="_blank">test.domain.com:443</a>, client 10.81.1.183)<br>
> > [Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid<br>
> > 47143550196032] SSL Proxy: I don't have the name of the host we're<br>
> > supposed to connect to so I can't verify that we are connecting to<br>
> > who we think we should be. Giving up.<br>
> > [Wed Apr 08 18:31:07.424330 2015] [:info] [pid 17342:tid<br>
> > 47143550196032] SSL library error -12276 writing data<br>
> > [Wed Apr 08 18:31:07.424337 2015] [:info] [pid 17342:tid<br>
> > 47143550196032] SSL Library Error: -12276 Requested domain name does<br>
> > not match the server's certificate<br>
> > [Wed Apr 08 18:31:07.424344 2015] [proxy:error] [pid 17342:tid<br>
> > 47143550196032] (20014)Internal error: [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a>] AH01084: pass request body failed<br>
> > to <a href="http://10.81.1.183:8443" target="_blank">10.81.1.183:8443</a> (<a href="http://test.domain.com" target="_blank">test.domain.com</a>)<br>
> > [Wed Apr 08 18:31:07.424352 2015] [proxy_http:error] [pid 17342:tid<br>
> > 47143550196032] [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a>]<br>
> > AH01097: pass request body failed to <a href="http://10.81.1.183:8443" target="_blank">10.81.1.183:8443</a> (<a href="http://test.domain.com" target="_blank">test.domain.com</a>) from 10.81.1.91 ()<br>
> > [Wed Apr 08 18:31:07.424356 2015] [proxy:debug] [pid 17342:tid<br>
> > 47143550196032] proxy_util.c(2155): AH00943: HTTPS: has released<br>
> > connection for (<a href="http://test.domain.com" target="_blank">test.domain.com</a>)<br>
> > [Wed Apr 08 18:31:07.424385 2015] [:info] [pid 17342:tid<br>
> > 47143550196032] Connection to child 0 closed<br>
> > (server <a href="http://test.domain.com:443" target="_blank">test.domain.com:443</a>, client 10.81.1.183)<br>
> > [Wed Apr 08 18:31:07.424394 2015] [proxy:debug] [pid 17342:tid<br>
> > 47143550196032] proxy_util.c(2864): [remote <a href="http://10.81.1.183:8443" target="_blank">10.81.1.183:8443</a>] AH02642: proxy: connection shutdown<br>
> > [Wed Apr 08 18:31:07.424686 2015] [:info] [pid 17342:tid<br>
> > 47143550196032] Connection to child 0 closed<br>
> > (server <a href="http://test.domain.com:443" target="_blank">test.domain.com:443</a>, client 10.81.1.91)<br>
> ><br>
> ><br>
> > My configuration is as follows for the virtual host<br>
> ><br>
> > <VirtualHost _default_:443><br>
> ><br>
> > ErrorLog /var/log/httpd/error_log<br>
> ><br>
> > TransferLog /var/log/httpd/access_log<br>
> ><br>
> > LogLevel debug<br>
> ><br>
> > NSSEngine on<br>
> ><br>
> > NSSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA<br>
> ><br>
> > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2<br>
> ><br>
> > NSSNickname "*.<a href="http://domain.com" target="_blank">domain.com</a>"<br>
> ><br>
> > NSSCertificateDatabase /etc/httpd/wildcard<br>
> ><br>
> > NSSVerifyClient optional<br>
> ><br>
> > NSSOptions +ExportCertData +StdEnvVars<br>
> ><br>
> > <Files ~ "\.(cgi|shtml|phtml|php3?)$"><br>
> ><br>
> > NSSOptions +StdEnvVars<br>
> ><br>
> > </Files><br>
> ><br>
> > <Directory "/var/www/cgi-bin"><br>
> ><br>
> > NSSOptions +StdEnvVars<br>
> ><br>
> > </Directory><br>
> ><br>
> > ServerName <a href="http://test.domain.com" target="_blank">test.domain.com</a><br>
> ><br>
> > NSSProxyEngine on<br>
> ><br>
> > NSSProxyProtocol TLSv1.0,TLSv1.1,TLSv1.2<br>
> ><br>
> > NSSProxyCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA<br>
> ><br>
> > ProxyRequests off<br>
> ><br>
> > ProxyPass /test <a href="https://test.domain.com:8443/test" target="_blank">https://test.domain.com:8443/test</a><br>
> ><br>
> > ProxyPassReverse /test <a href="https://test.domain.com:8443/test" target="_blank">https://test.domain.com:8443/test</a><br>
> ><br>
> > </VirtualHost><br>
><br>
> Sorry for the delay.<br>
><br>
> It looks like there have been changes in mod_proxy to support SNI.<br>
> mod_nss doesn't support SNI currently (though a user has kindly<br>
> contributed some patches). I'm not sure if this is related or it's just<br>
> a red herring.<br>
><br>
> The key that the hostname is probably set is this line:<br>
><br>
> proxy_util.c(2394): [client <a href="http://10.81.1.91:50727" target="_blank">10.81.1.91:50727</a>] AH00947: connected<br>
> /test/home.html to <a href="http://test.domain.com:8443" target="_blank">test.domain.com:8443</a><br>
><br>
> It is right before this line that the proxy determines if there is an<br>
> SSL connection and sets the appropriate hostname.<br>
><br>
> Now for some reason the proxy already has an open connection so it<br>
> closes it and opens a new one. I'm not sure if this is related either.<br>
><br>
> When it fails is it a one-off or do all subsequent requests fail as<br>
> well?<br>
><br>
> rob<br>
><br>
<br>
</blockquote></div>
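<p>As an added illustration, not code from the thread or from mod_nss: a small Python triage script for error_log excerpts like the one above. Per worker thread it counts proxied HTTPS attempts (AH01143), the "I don't have the name of the host" failures, and how many of those followed the "SSL connection destroyed without being closed" teardown Rob points at, so the intermittency can be quantified and correlated with backend connection reuse. The sample log is constructed from the thread's lines (mailer link residue removed) plus a made-up second, successful request.</p>

```python
import re
from collections import defaultdict

# Apache 2.4 error_log format: [timestamp] [module:level] [pid P:tid T] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^\]]*?):(?P<lvl>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)

# Markers taken from the thread's log excerpt.
ATTEMPT = "AH01143: Running scheme https handler"                  # new proxied HTTPS request
REUSE_TEARDOWN = "SSL connection destroyed without being closed"   # reused backend conn torn down
NO_HOSTNAME = "SSL Proxy: I don't have the name of the host"       # mod_nss gave up verifying

def parse(lines):
    """Yield dicts for lines matching the error_log format; skip everything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def triage(lines):
    """Per worker thread (pid:tid): proxied HTTPS attempts, hostname-verification
    failures, and failures that followed the reuse teardown within the same request."""
    state = defaultdict(lambda: {"attempts": 0, "failures": 0, "after_reuse": 0})
    pending = {}  # thread -> True once the teardown was seen in the current request
    for rec in parse(lines):
        key, msg = f"{rec['pid']}:{rec['tid']}", rec["msg"]
        if ATTEMPT in msg:
            state[key]["attempts"] += 1
            pending[key] = False          # new request: reset the per-request flag
        elif REUSE_TEARDOWN in msg:
            pending[key] = True
        elif NO_HOSTNAME in msg:
            state[key]["failures"] += 1
            if pending.get(key):
                state[key]["after_reuse"] += 1
    return dict(state)

# Constructed sample: the first three lines are from the thread (link residue removed);
# the second request at 18:31:09 is made up to show a request that completes normally.
SAMPLE_LOG = """\
[Wed Apr 08 18:31:07.412654 2015] [proxy:debug] [pid 17342:tid 47143550196032] mod_proxy.c(1163): [client 10.81.1.91:50727] AH01143: Running scheme https handler (attempt 0)
[Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid 47143550196032] nss_engine_io.c(658): SSL connection destroyed without being closed
[Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid 47143550196032] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
[Wed Apr 08 18:31:09.100000 2015] [proxy:debug] [pid 17342:tid 47143550196032] mod_proxy.c(1163): [client 10.81.1.91:50728] AH01143: Running scheme https handler (attempt 0)
[Wed Apr 08 18:31:09.100500 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2923): AH00962: HTTPS: connection complete to 10.81.1.183:8443 (test.domain.com)
"""
```

<p>Run <code>triage(open("/var/log/httpd/error_log").read().splitlines())</code> against a real log with <code>LogLevel debug</code> to see the failure rate per thread before and after changing the proxy configuration.</p>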