SSL connection between Apache and Tomcat failing


SSL connection between Apache and Tomcat failing

by Emsley, I (Iain)-2


I’ve got a website which uses Apache 2.2 as the front end with Tomcat 5.5.23 as the backend and am using mod_ssl and mod_proxy to link the two together in Windows Server 2003. Normally there isn’t an issue with two servers serving the website but recently (and mainly with, it appears, mobile browsers), I’m getting the following errors:

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read finished A

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done

[Fri Jul 17 09:52:29 2009] [info] Connection: Client IP: 130.246.76.83, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 5/5 bytes from BIO#7d0ad8 [mem: 4a3aaa8] (BIO dump follows)

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1750): +-------------------------------------------------------------------------+

Dump details .....

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1795): +-------------------------------------------------------------------------+

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 992/992 bytes from BIO#7d0ad8 [mem: 4a3aaad] (BIO dump follows)

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1750): +-------------------------------------------------------------------------+

Dump details

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1795): +-------------------------------------------------------------------------+

[Fri Jul 17 09:52:29 2009] [info] Initial (No.1) HTTPS request received for child 245 (server dev.jiscmail.ac.uk:443)

[Fri Jul 17 09:52:35 2009] [debug] ssl_engine_io.c(1828): OpenSSL: I/O error, 5 bytes expected to read on BIO#73e708 [mem: 4a169e0]

[Fri Jul 17 09:52:35 2009] [info] [client 130.246.76.83] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  : SSL input filter read failed.

[Fri Jul 17 09:52:35 2009] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully

 

I’d be grateful for any pointers in getting to the root of this issue (or ruling out mod_ssl issues).

Thanks,

Iain


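An added example, not part of the original thread or of mod_ssl: a triage of the log excerpt in the post above that checks whether the read failure came after the handshake, whether mod_ssl was waiting for a 5-byte TLS record header, and whether the failing BIO is the one that carried the request. The function name `triage`, its result keys, and the reading of a BIO address as a per-connection identifier are assumptions of this example.

```python
import re
from datetime import datetime

# Lines copied from the post above; the elided BIO dump rows are left out.
SAMPLE_LOG = """\
[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done
[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 5/5 bytes from BIO#7d0ad8 [mem: 4a3aaa8] (BIO dump follows)
[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 992/992 bytes from BIO#7d0ad8 [mem: 4a3aaad] (BIO dump follows)
[Fri Jul 17 09:52:29 2009] [info] Initial (No.1) HTTPS request received for child 245 (server dev.jiscmail.ac.uk:443)
[Fri Jul 17 09:52:35 2009] [debug] ssl_engine_io.c(1828): OpenSSL: I/O error, 5 bytes expected to read on BIO#73e708 [mem: 4a169e0]
[Fri Jul 17 09:52:35 2009] [info] [client 130.246.76.83] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  : SSL input filter read failed.
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\w+\] (?P<msg>.*)$")
READ_OK = re.compile(r"OpenSSL: read (\d+)/(\d+) bytes from BIO#(\w+)")
IO_ERR = re.compile(r"OpenSSL: I/O error, (\d+) bytes expected to read on BIO#(\w+)")
OS_ERR = re.compile(r"\(OS (\d+)\).*SSL input filter read failed")
TLS_RECORD_HEADER_LEN = 5  # type (1) + version (2) + length (2)

def triage(log_text):
    """Summarise where a mod_ssl read failure sits relative to the handshake."""
    out = {"handshake_done": None, "ok_bios": set(), "failed_bio": None,
           "waiting_for_record_header": False, "os_error": None, "gap_s": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # dump rows and blank lines carry no timestamp
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        msg = m["msg"]
        if "OpenSSL: Handshake: done" in msg:
            out["handshake_done"] = ts
        elif (r := READ_OK.search(msg)) and r[1] == r[2]:
            out["ok_bios"].add(r[3])  # complete read on this BIO
        elif e := IO_ERR.search(msg):
            out["failed_bio"] = e[2]
            out["waiting_for_record_header"] = int(e[1]) == TLS_RECORD_HEADER_LEN
        elif o := OS_ERR.search(msg):
            out["os_error"] = int(o[1])
            if out["handshake_done"]:
                out["gap_s"] = (ts - out["handshake_done"]).total_seconds()
    # Assumption: a BIO address identifies one connection's input BIO.
    out["same_connection"] = out["failed_bio"] in out["ok_bios"]
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the excerpt it reports a 6-second gap after a completed handshake, OS error 10060 (the Winsock timeout code), and a failing BIO different from the one that read the request, which is consistent with a separate idle connection timing out rather than a handshake failure.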



Re: SSL connection between Apache and Tomcat failing

by Lou Picciano

Iain:

Wow!  Am I glad to hear from you!  I've been wrestling with exactly this problem - error on: OpenSSL: read 5/5 bytes from BIO - for a few weeks now; was beginning to think I was losing my mind. (while we leave that possibility aside for the moment(!),) here's what's different about our environment:

Apache/2.2.11 (Unix - Solaris SPARC) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9.  We are using certificate authentication. Seeing this behavior under Firefox (Mac); haven't tried it using mobile browsers, though, presumably, you may be using a Mozilla-based mobile browser...  We've recently upgraded to these current versions of Apache and OpenSSL, but the error behavior has not been impacted.  The incessant prompting for certificate can be interrupted by setting Firefox's Advanced-Encryption-When a server requests my certificate-Select one automatically option.  The above read error persists, however...

The primary impact is - apparently - that the SSL session is constantly re-negotiated for GET of each page element; loading of a single page might generate 8-10 prompts for the certificate.  We have fiddled with various settings for the Renegotiation buffer, including which buffer engine is used, its size, etc., all to no avail.  Some of the settings result in Apache configuration errors, so I wonder if we're into an Apache - or mod_ssl - 'black hole' region.

My quick research on this indicates that others have run into it, some have simply ignored it, but none have solved it.

Hopefully we'll come up with something.     Lou

----- Original Message -----
From: "I Emsley (Iain)" <iain.emsley@...>
To: modssl-users@...
Sent: Friday, July 17, 2009 8:56:23 AM GMT -05:00 US/Canada Eastern
Subject: SSL connection between Apache and Tomcat failing

I’ve got a website which uses Apache 2.2 as the front end with Tomcat 5.5.23 as the backend and am using mod_ssl and mod_proxy to link the two together in Windows Server 2003. Normally there isn’t an issue with two servers serving the website but recently (and mainly with, it appears, mobile browsers), I’m getting the following errors:

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read finished A

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done

[Fri Jul 17 09:52:29 2009] [info] Connection: Client IP: 130.246.76.83, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 5/5 bytes from BIO



Please remove my email from the list

by Tan, Liao

Please remove my email from the list