SSL Reverse Proxy with Client Certificate is restarting
on 20.09.2002 10:38:19 by Lee Hoo Wah
Hi,
I have a problem using Apache/mod_ssl 2.0.39 as an SSL reverse proxy to
connect to an SSL Server.
|HTTP Client|-----http---->|Reverse Proxy|----https---->|Web Server|
There is a Client Certificate on the Reverse Proxy which must be presented
to the Web Server for authentication. But I see from the log files, after
the initial SSL handshaking, immediately after the "Proxy client certificate
callback: (xxx.xxx.xxx:80) found acceptable cert", the child process on the
Reverse Proxy just dies without any error in the log file. The child process
initialises itself all over again. My browser on the front end receives a
"Page not found" error.
I double checked my cert pathing using "openssl" and curl to go into the SSL
server and it works. So I think the certificate should be ok. Is there
anything else that I have left out?
I have also tested against both an IIS 5.0 and an Apache 2.0 web server. Both
return the same error.
Really appreciate any help that might come along. Thanks in advance.
regards,
Lee Hoo Wah
____________________________________________
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server hello A
[debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 2,
subject: /C=US/O=GTE Corporation/CN=GTE CyberTrust Root, issuer: /C=US/O=GTE
Corporation/CN=GTE CyberTrust Root
[debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 1,
subject: /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority, issuer: /C=US/O=GTE Corporation/CN=GTE CyberTrust
Root
[debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 0,
subject: /C=SG/ST=Singapore/L=Singapore/O=xxx/OU=xxx/CN=xxx, issuer:
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server
certificate A
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server
certificate request A
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server done A
[debug] ssl_engine_kernel.c(1620): Proxy client certificate callback:
(xxx.xxx.xxx:80) entered
[debug] ssl_engine_kernel.c(1593): Proxy client certificate callback:
(xxx.xxx.xxx:80) found acceptable cert, sending
/C=xx/O=xxx/OU=xxx/OU=xxx/SN=xxx/CN=xxxx
[notice] Parent: child process exited with status 3221225477 -- Restarting.
<<<<<< CHILD PROCESS DIES
[debug] mpm_winnt.c(562): Parent: Marked listeners as not inheritable.
[info] Init: Initializing OpenSSL library
_______________________________________
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
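An added example, not part of the original post or of mod_ssl: the exit status 3221225477 in the log above is 0xC0000005, the Windows NTSTATUS code for an access violation, meaning the child process crashed in native code. The Python below decodes such statuses from an error log and reports the last entry written before each crash, rejoining wrapped lines; the function names and the short NTSTATUS table are this example's own.

```python
import re

# NTSTATUS values that show up as exit statuses of crashed Windows processes.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
EXIT_RE = re.compile(r"child process exited with status (\d+)")
ENTRY_RE = re.compile(r"^\[(debug|info|notice|warn|error|crit|alert|emerg)\]")

# Sample input: tail of the log from the post above, line wrapping kept as posted.
SAMPLE_LOG = """\
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server done A
[debug] ssl_engine_kernel.c(1620): Proxy client certificate callback:
(xxx.xxx.xxx:80) entered
[debug] ssl_engine_kernel.c(1593): Proxy client certificate callback:
(xxx.xxx.xxx:80) found acceptable cert, sending
/C=xx/O=xxx/OU=xxx/OU=xxx/SN=xxx/CN=xxxx
[notice] Parent: child process exited with status 3221225477 -- Restarting.
[debug] mpm_winnt.c(562): Parent: Marked listeners as not inheritable.
"""

def decode_exit_status(status):
    """Return (hex string, NTSTATUS name or None, True if severity is 'error')."""
    status &= 0xFFFFFFFF
    is_error = (status >> 30) == 0b11  # top two bits of an NTSTATUS = severity
    return f"0x{status:08X}", NTSTATUS.get(status), is_error

def find_child_crashes(log_text):
    """Return one record per abnormal child exit with the entry logged before it."""
    crashes, last_entry = [], None
    for line in log_text.splitlines():
        if not ENTRY_RE.match(line):
            if last_entry is not None:
                last_entry += " " + line.strip()  # continuation of a wrapped entry
            continue
        m = EXIT_RE.search(line)
        if m:
            code, name, is_error = decode_exit_status(int(m.group(1)))
            if is_error:
                crashes.append({"code": code, "name": name, "last_entry": last_entry})
        last_entry = line
    return crashes

if __name__ == "__main__":
    for c in find_child_crashes(SAMPLE_LOG):
        print(c["code"], c["name"], "| last entry:", c["last_entry"])
```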
SSL Reverse Proxy with Client Certificate is dying
on 22.09.2002 04:33:13 by Lee Hoo Wah
Hi,
I have a problem using Apache/mod_ssl 2.0.40 as an SSL reverse proxy to
connect to an SSL Server.
|HTTP Client|-----http---->|Reverse Proxy|----https---->|Web Server|
There is a Client Certificate on the Reverse Proxy which must be presented
to the Web Server for authentication. But I see from the log files, after
the initial SSL handshaking, immediately after the "Proxy client certificate
callback: (xxx.xxx.xxx:80) found acceptable cert", the child process on the
Reverse Proxy just dies without any error in the log file. The child process
initialises itself all over again. My browser on the front end receives a
"Page not found" error.
I double checked my cert pathing using "openssl" and curl to go into the SSL
server and it works. So I think the certificate should be ok. Is there
anything else that I have left out?
I have also tested against both an IIS 5.0 and an Apache 2.0 web server. Both
return the same error.
Really appreciate any help that might come along. Thanks in advance.
regards,
Lee Hoo Wah
____________________________________________
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server hello A
[debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 2,
subject: /C=US/O=GTE Corporation/CN=GTE CyberTrust Root, issuer: /C=US/O=GTE
Corporation/CN=GTE CyberTrust Root
[debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 1,
subject: /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority, issuer: /C=US/O=GTE Corporation/CN=GTE CyberTrust
Root
[debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 0,
subject: /C=SG/ST=Singapore/L=Singapore/O=xxx/OU=xxx/CN=xxx, issuer:
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server
certificate A
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server
certificate request A
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server done A
[debug] ssl_engine_kernel.c(1620): Proxy client certificate callback:
(xxx.xxx.xxx:80) entered
[debug] ssl_engine_kernel.c(1593): Proxy client certificate callback:
(xxx.xxx.xxx:80) found acceptable cert, sending
/C=xx/O=xxx/OU=xxx/OU=xxx/SN=xxx/CN=xxxx
[notice] Parent: child process exited with status 3221225477 -- Restarting.
<<<<<< CHILD PROCESS DIES
[debug] mpm_winnt.c(562): Parent: Marked listeners as not inheritable.
[info] Init: Initializing OpenSSL library
_______________________________________
RE: SSL Reverse Proxy with Client Certificate is dying
on 22.09.2002 07:23:37 by Lee Hoo Wah
Hi all,
Apologies for duplicating this email again. I had some problems with my
mailbox and thought that the original email did not get through. I also
updated the version of the Apache version from 2.0.39 to 2.0.40 because I
tested both with the same results.
Regarding the question itself, I would really appreciate if somebody could
give some suggestions.
Thanks again.
regards,
Lee Hoo Wah