R: SSL reverse proxy using certificates to IIS server
am 23.10.2002 11:01:33 von Claudio CampettoTry putting this line in the server config: The proxy server received an invalid
SSLProxyProtocol SSLv3
Hope this helps.
Claudio Campetto.
-----Messaggio originale-----
Da: Keith Sparacin [mailto:ksparacin@ti.com]
Inviato: mercoledì 23 ottobre 2002 3.15
A: modssl-users@modssl.org
Oggetto: SSL reverse proxy using certificates to IIS server
Has anyone gotten an Apache 2.0.43 SSL reverse proxy working to an IIS
backend server requiring certificate verification on the IIS server
side? I can reverse proxy Apache to an SSL Unix server and an SSL IIS
server (neither requiring certificates). I can also reverse proxy
Apache to an SSL Unix server requiring certificate verification. I
have not been able to get it working to an IIS server requiring
certificate verification. I have verified that the Apache
certificates are valid using openssl to retrieve web pages from the
IIS server:
openssl s_client -connect IIS-server:443 -cert user.crt -key
user.key -CAfile ca-bundle.crt
GET / HTTP/1.0
Originally when I tried the reverse proxy to the IIS server I would
get a segmentation fault in ssl_engine_kernel.c. For some reason
info->x_pkey was a NULL pointer. I modified the code shown below to
get around this:
$ diff ssl_engine_kernel.c{.ORIG,}
1606,1607c1606,1609
< *pkey = info->x_pkey->dec_pkey; \
< EVP_PKEY_reference_inc(*pkey)
---
> if (info->x_pkey != 0) { \
> *pkey = info->x_pkey->dec_pkey; \
> EVP_PKEY_reference_inc(*pkey); \
> }
Now when I use openssl to connect to the reverse proxy I get:
HTTP/1.1 502 Proxy Error
Date: Wed, 23 Oct 2002 01:00:39 GMT
Server: Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6g DAV/2
Content-Length: 453
Connection: close
Content-Type: text/html; charset=iso-8859-1
Proxy Error
response from an upstream server.
The proxy server could not handle the request
Reason: Error reading from remote server
Apache/2.0.43 Server at host Port 443
read:errno=0
The Apache error log shows:
[Tue Oct 22 17:31:19 2002] [info] Connection: Client IP: xxx.xxx.xxx.xxx,
Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[Tue Oct 22 17:31:19 2002] [error] SSL error on reading data
[Tue Oct 22 17:31:19 2002] [error] SSL Library Error: 336162922
error:1409706A:lib(20):func(151):reason(106)
[Tue Oct 22 17:31:19 2002] [error] [client xxx.xxx.xxx.xxx] proxy: error
reading status line from remote server IIS-server
[Tue Oct 22 17:31:19 2002] [error] [client xxx.xxx.xxx.xxx] proxy: Error
reading from remote server returned by /
[Tue Oct 22 17:31:19 2002] [debug] ssl_engine_kernel.c(1866): OpenSSL:
Write: SSL negotiation finished successfully
[Tue Oct 22 17:31:19 2002] [info] Connection to child 1 closed with
standard shutdown(server host:443, client xxx.xxx.xxx.xxx)
[Tue Oct 22 17:31:19 2002] [debug] ssl_engine_kernel.c(1866): OpenSSL:
Write: SSL negotiation finished successfully
[Tue Oct 22 17:31:19 2002] [info] Connection to child 1 closed with
standard shutdown(server host:443, client xxx.xxx.xxx.xxx)
I don't know enough about SSL to know what is going on. It looks like
the SSL_read() is failing but I do not know why. If I don't get
anywhere with this i'm thinking about trying the expermental code in
Apache 1.3.27 to see if I have any luck. Any input would be welcome.
Thanks.
Keith
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org