SSL reverse proxy using certificates to IIS server


on 23.10.2002 03:14:38 by Keith Sparacin

Has anyone gotten an Apache 2.0.43 SSL reverse proxy working to an IIS
backend server requiring certificate verification on the IIS server
side? I can reverse proxy Apache to an SSL Unix server and an SSL IIS
server (neither requiring certificates). I can also reverse proxy
Apache to an SSL Unix server requiring certificate verification. I
have not been able to get it working to an IIS server requiring
certificate verification. I have verified that the Apache
certificates are valid using openssl to retrieve web pages from the
IIS server:

openssl s_client -connect IIS-server:443 -cert user.crt -key
user.key -CAfile ca-bundle.crt
GET / HTTP/1.0
Originally when I tried the reverse proxy to the IIS server I would
get a segmentation fault in ssl_engine_kernel.c. For some reason
info->x_pkey was a NULL pointer. I modified the code shown below to
get around this:

$ diff ssl_engine_kernel.c{.ORIG,}
1606,1607c1606,1609
< *pkey = info->x_pkey->dec_pkey; \
< EVP_PKEY_reference_inc(*pkey)
---
> if (info->x_pkey != 0) { \
> *pkey = info->x_pkey->dec_pkey; \
> EVP_PKEY_reference_inc(*pkey); \
> }
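Review bot: the `if (info->x_pkey != 0)` guard avoids the NULL dereference, but when the key is missing it leaves `*pkey` untouched and returns silently, so the caller cannot tell that no private key was produced and continues into a handshake that is bound to fail later (which matches the "SSL error on reading data" seen afterwards). Consider logging the missing `x_pkey` and returning an error from this path rather than continuing without a key.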

Now when I use openssl to connect to the reverse proxy I get:

HTTP/1.1 502 Proxy Error
Date: Wed, 23 Oct 2002 01:00:39 GMT
Server: Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6g DAV/2
Content-Length: 453
Connection: close
Content-Type: text/html; charset=iso-8859-1

502 Proxy Error

Proxy Error

The proxy server received an invalid
response from an upstream server.

The proxy server could not handle the request GET /.

Reason: Error reading from remote server

Apache/2.0.43 Server at host Port 443


read:errno=0

The Apache error log shows:

[Tue Oct 22 17:31:19 2002] [info] Connection: Client IP: xxx.xxx.xxx.xxx,
Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[Tue Oct 22 17:31:19 2002] [error] SSL error on reading data
[Tue Oct 22 17:31:19 2002] [error] SSL Library Error: 336162922
error:1409706A:lib(20):func(151):reason(106)
[Tue Oct 22 17:31:19 2002] [error] [client xxx.xxx.xxx.xxx] proxy: error
reading status line from remote server IIS-server
[Tue Oct 22 17:31:19 2002] [error] [client xxx.xxx.xxx.xxx] proxy: Error
reading from remote server returned by /
[Tue Oct 22 17:31:19 2002] [debug] ssl_engine_kernel.c(1866): OpenSSL:
Write: SSL negotiation finished successfully
[Tue Oct 22 17:31:19 2002] [info] Connection to child 1 closed with
standard shutdown(server host:443, client xxx.xxx.xxx.xxx)
[Tue Oct 22 17:31:19 2002] [debug] ssl_engine_kernel.c(1866): OpenSSL:
Write: SSL negotiation finished successfully
[Tue Oct 22 17:31:19 2002] [info] Connection to child 1 closed with
standard shutdown(server host:443, client xxx.xxx.xxx.xxx)

I don't know enough about SSL to know what is going on. It looks like
the SSL_read() is failing but I do not know why. If I don't get
anywhere with this I'm thinking about trying the experimental code in
Apache 1.3.27 to see if I have any luck. Any input would be welcome.
Thanks.

Keith
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
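The "SSL Library Error: 336162922 error:1409706A:lib(20):func(151):reason(106)" line in the log above is OpenSSL's packed error code, which bundles a library number, a function number and a reason number into one 32-bit value. The following is an added example, not code from the original post or from mod_ssl, that unpacks such a code from log text so the decimal and hexadecimal forms can be checked against each other; the sample log lines are constructed from the ones quoted above, and only the library number 20 (libssl) is named, since the function and reason names depend on the OpenSSL version.

```python
import re

# OpenSSL packs an error code as (lib << 24) | (func << 12) | reason,
# which is exactly what "error:1409706A:lib(20):func(151):reason(106)" spells out.
ERR_LIB_SSL = 20  # OpenSSL's ERR_LIB_SSL: the error comes from libssl itself

# Constructed from the mod_ssl error log quoted in the post (line wrap removed).
SAMPLE_LOG = (
    "[Tue Oct 22 17:31:19 2002] [error] SSL error on reading data\n"
    "[Tue Oct 22 17:31:19 2002] [error] SSL Library Error: 336162922 "
    "error:1409706A:lib(20):func(151):reason(106)\n"
)

LOG_LINE_RE = re.compile(
    r"SSL Library Error: (?P<dec>\d+)\s+error:(?P<hex>[0-9A-Fa-f]{8}):"
    r"lib\((?P<lib>\d+)\):func\((?P<func>\d+)\):reason\((?P<reason>\d+)\)"
)


def unpack_err(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_ssl_errors(log_text):
    """Return one record per 'SSL Library Error' line, cross-checking the
    decimal code, the hex code and the lib/func/reason fields mod_ssl printed."""
    records = []
    for m in LOG_LINE_RE.finditer(log_text):
        code = int(m.group("hex"), 16)
        lib, func, reason = unpack_err(code)
        records.append({
            "hex": m.group("hex").upper(),
            "code": code,
            # True when the decimal value mod_ssl logged is the same packed code.
            "decimal_matches": int(m.group("dec")) == code,
            # True when the lib/func/reason fields agree with our own unpacking.
            "fields_match": (lib, func, reason)
                == tuple(int(m.group(k)) for k in ("lib", "func", "reason")),
            "lib": lib, "func": func, "reason": reason,
            "lib_name": "SSL" if lib == ERR_LIB_SSL else "unknown",
        })
    return records


if __name__ == "__main__":
    for r in parse_ssl_errors(SAMPLE_LOG):
        print(r)
```

To get the symbolic names for the function and reason numbers, run `openssl errstr 1409706A` against the same OpenSSL build that produced the log.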