Problem with Reverse Proxy and Client authentication

on 25.03.2003 17:54:26 by IBM_fischers

Hello,

we want to set up a reverse proxy (http in, https to the backend IBM HTTP Server) with client authentication to the backend.
On Linux and WinNT 4 SP5 (with Apache 2.044 and OpenSSL 0.97) we are both getting segmentation faults or exits (see below). We checked the communication through openssl directly and it worked.

Anyone any hint? We are getting desperate. Thanks!

Our configuration:

SSLProxyEngine on
ProxyRequests On
ProxyVia On
SSLProxyMachineCertificateFile d:\apache\client_cert.pem
SSLProxyVerify optional_no_ca
SSLProxyVerifyDepth 10
SSLProxyCipherSuite ALL
ProxyPass /myapp https://backendserver/app
ProxyPassReverse /myapp/ https://backendserver/app/
....

Apache error_log from WinNT:
[Mon Mar 24 11:02:59 2003] [info] Server: Apache/2.0.44, Interface: mod_ssl/2.0.44, Library: OpenSSL/0.9.7a
....
[Mon Mar 24 11:24:49 2003] [debug] ssl_engine_kernel.c(1236): Certificate Verification: Verifiable Issuer is configured as optional, therefore we're accepting the certificate
[Mon Mar 24 11:24:49 2003] [debug] ssl_engine_kernel.c(1198): Certificate Verification: depth: 0, subject: /C=DE/ST=NRW/L=Duesseldorf/O=Westdeutsche Landesbank-Girozentrale-Duesseldorf/Muenster/OU=WestLB Systems GmbH/OU=Terms of use at www.verisign.com/rpa (c)00/CN=wpdirect.westlb.sko.de, issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
[Mon Mar 24 11:24:49 2003] [debug] ssl_engine_kernel.c(1236): Certificate Verification: Verifiable Issuer is configured as optional, therefore we're accepting the certificate
[Mon Mar 24 11:24:49 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Loop: SSLv3 read server certificate A
[Mon Mar 24 11:24:49 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Loop: SSLv3 read server certificate request A
[Mon Mar 24 11:24:49 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Loop: SSLv3 read server done A
[Mon Mar 24 11:24:49 2003] [debug] ssl_engine_kernel.c(1532): Proxy client certificate callback: (localhost:443) entered
[Mon Mar 24 11:24:49 2003] [debug] ssl_engine_kernel.c(1504): Proxy client certificate callback: (localhost:443) found acceptable cert, sending /C=DE/ST=NRW/L=Duesseldorf/O=WPS Bank AG/CN=MYCLIENT
[Mon Mar 24 11:24:51 2003] [notice] Parent: child process exited with status 3221225477 -- Restarting.



Kind regards
--
Steffen Fischer, I/T Architect
IBM Deutschland GmbH, Karl-Arnold-Platz 1a, D-40474 Duesseldorf
Tel: +49 (0) 211 476-2986 Fax: -2391 Mobile: +49 (0) 175 433 1187
email: steffen.fischer@de.ibm.com
project email: ibm_fischers@wpsbank.de
project phone: +49 (0) 211 826 - 74276

This message is confidential and may be privileged. It is
intended solely for the named addressee. If you are not the
intended recipient please inform us. Any unauthorised
dissemination, distribution or copying hereof is prohibited.
As we cannot guarantee the genuineness or completeness of
the information contained in this message, the statements
set forth above are not legally binding. In connection
therewith, we also refer to the governing regulations of
WestLB concerning signatory authority published in the
standard bank signature lists with regard to the legally
binding effect of statements made with the intent to
obligate WestLB.


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
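A defender-side check for the posture shown in this post, added here as an example that is not part of the thread or of mod_ssl: it audits the quoted proxy directives for backend-verification weaknesses (SSLProxyVerify optional_no_ca with no SSLProxyCACertificateFile), decodes the Windows exit status from the error_log, and validates the shape of an SSLProxyMachineCertificateFile. The sample config and log lines are copied from the post; the NTSTATUS table and the function names are the example's own assumptions.

```python
import re
# Sample inputs constructed from the thread: the posted proxy directives and
# the two error_log lines that matter for the diagnosis.
CONFIG = r"""
SSLProxyEngine on
SSLProxyMachineCertificateFile d:\apache\client_cert.pem
SSLProxyVerify optional_no_ca
SSLProxyVerifyDepth 10
SSLProxyCipherSuite ALL
"""
LOG = """
[Mon Mar 24 11:24:49 2003] [debug] ssl_engine_kernel.c(1236): Certificate Verification: Verifiable Issuer is configured as optional, therefore we're accepting the certificate
[Mon Mar 24 11:24:51 2003] [notice] Parent: child process exited with status 3221225477 -- Restarting.
"""
# Windows NTSTATUS values Apache's parent reports as a child's exit status (assumed table).
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION, i.e. a crash", 0xC00000FD: "STATUS_STACK_OVERFLOW"}

def audit_config(text):
    """Return findings about how the proxy verifies the HTTPS backend."""
    d = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            d[parts[0]] = parts[1].strip()
    findings = []
    verify = d.get("SSLProxyVerify", "none")          # mod_ssl default is none
    if verify != "require":
        findings.append(f"SSLProxyVerify {verify}: backend certificate is not enforced")
    if not ({"SSLProxyCACertificateFile", "SSLProxyCACertificatePath"} & set(d)):
        findings.append("no SSLProxyCACertificateFile/Path: no trust anchor for the backend")
    return findings

def audit_log(text):
    """Flag accepted-but-unverified backend certs and decode child exit codes."""
    findings = []
    for line in text.splitlines():
        if "configured as optional" in line and "accepting the certificate" in line:
            findings.append("backend certificate accepted without issuer verification")
        m = re.search(r"child process exited with status (\d+)", line)
        if m:
            code = int(m.group(1))
            findings.append(f"exit status {code} = 0x{code:08X}: {NTSTATUS.get(code, 'unknown')}")
    return findings

def machine_cert_file_ok(pem):
    """SSLProxyMachineCertificateFile needs cert plus *unencrypted* key in one PEM file."""
    has_cert = "-----BEGIN CERTIFICATE-----" in pem
    has_key = re.search(r"-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----", pem) is not None
    return has_cert and has_key and "ENCRYPTED" not in pem
```

The exit status 3221225477 is 0xC0000005, the Windows equivalent of the segmentation fault seen on Linux; the structural PEM check does not replace verifying that the key actually matches the certificate.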

Re: Problem with Reverse Proxy and Client authentication

on 27.03.2003 10:17:07 by Michael.Straessle

hi steffen


>ProxyPass /myapp https://backendserver/app
>ProxyPassReverse /myapp/ https://backendserver/app/

.....any specific reason for the missing trailing slashes in the ProxyPass
directive, or is this only a typo?

regards
michael

Reply: Re: Problem with Reverse Proxy and Client authentication

on 27.03.2003 10:36:11 by IBM_fischers

Hello Michael,

Yes, just a typo. The problem has been fixed in the meantime. ModSSL had trouble with the client certificate that OpenSSL generated. Patched by hand, it works now.



Kind regards
--
Steffen Fischer, I/T Architect

