SSL connection between Apache and Tomcat failing


on 17.07.2009 14:56:23 by iain.emsley


I've got a website which uses Apache 2.2 as the front end with Tomcat
5.5.23 as the backend and am using mod_ssl and mod_proxy to link the
two together in Windows Server 2003. Normally there isn't an issue with
two servers serving the website but recently (and mainly with, it
appears, mobile browsers), I'm getting the following errors:

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read finished A

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done

[Fri Jul 17 09:52:29 2009] [info] Connection: Client IP: 130.246.76.83, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 5/5 bytes from BIO#7d0ad8 [mem: 4a3aaa8] (BIO dump follows)

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1750): +-------------------------------------------------------------------------+

Dump details ..... |

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1795): +-------------------------------------------------------------------------+

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 992/992 bytes from BIO#7d0ad8 [mem: 4a3aaad] (BIO dump follows)

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1750): +-------------------------------------------------------------------------+

Dump details

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1795): +-------------------------------------------------------------------------+

[Fri Jul 17 09:52:29 2009] [info] Initial (No.1) HTTPS request received for child 245 (server dev.jiscmail.ac.uk:443)

[Fri Jul 17 09:52:35 2009] [debug] ssl_engine_io.c(1828): OpenSSL: I/O error, 5 bytes expected to read on BIO#73e708 [mem: 4a169e0]

[Fri Jul 17 09:52:35 2009] [info] [client 130.246.76.83] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : SSL input filter read failed.

[Fri Jul 17 09:52:35 2009] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully

I'd be grateful for any pointers in getting to the root of this issue
(or ruling out mod_ssl issues).

Thanks,

Iain


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
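
Added example, not part of the original thread: one way to read the debug log quoted in the first message is to group the mod_ssl read lines by BIO handle, which shows whether the "I/O error" entry belongs to the same BIO as the completed HTTPS request. The sample log is constructed from the lines quoted above (unwrapped); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: log lines quoted in the first message, unwrapped.
SAMPLE_LOG = """\
[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done
[Fri Jul 17 09:52:29 2009] [info] Connection: Client IP: 130.246.76.83, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 5/5 bytes from BIO#7d0ad8 [mem: 4a3aaa8] (BIO dump follows)
[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 992/992 bytes from BIO#7d0ad8 [mem: 4a3aaad] (BIO dump follows)
[Fri Jul 17 09:52:29 2009] [info] Initial (No.1) HTTPS request received for child 245 (server dev.jiscmail.ac.uk:443)
[Fri Jul 17 09:52:35 2009] [debug] ssl_engine_io.c(1828): OpenSSL: I/O error, 5 bytes expected to read on BIO#73e708 [mem: 4a169e0]
[Fri Jul 17 09:52:35 2009] [info] [client 130.246.76.83] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : SSL input filter read failed.
"""

# "[timestamp] [level] message" as written to the Apache 2.2 error log.
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
READ_OK = re.compile(r"OpenSSL: read (\d+)/(\d+) bytes from BIO#([0-9a-f]+)")
READ_ERR = re.compile(
    r"OpenSSL: I/O error, (\d+) bytes expected to read on BIO#([0-9a-f]+)")


def summarize_bios(log_text):
    """Return {bio_handle: {"bytes_read": int, "io_errors": [timestamps]}}."""
    bios = defaultdict(lambda: {"bytes_read": 0, "io_errors": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # dump borders and wrapped fragments carry no BIO info
        ok = READ_OK.search(m["msg"])
        err = READ_ERR.search(m["msg"])
        if ok:
            bios[ok.group(3)]["bytes_read"] += int(ok.group(1))
        elif err:
            bios[err.group(2)]["io_errors"].append(m["ts"])
    return dict(bios)


def errors_on_idle_bios(log_text):
    """BIO handles that logged a read error but never a successful read."""
    return sorted(bio for bio, stats in summarize_bios(log_text).items()
                  if stats["io_errors"] and stats["bytes_read"] == 0)


if __name__ == "__main__":
    for bio, stats in summarize_bios(SAMPLE_LOG).items():
        print(bio, stats)
    print("errors with no prior read:", errors_on_idle_bios(SAMPLE_LOG))
```

BIO handles are printed as memory addresses and can be reused by later connections, so compare them only within a short window of the log.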

Re: SSL connection between Apache and Tomcat failing

on 17.07.2009 16:13:51 by Lou Picciano


Iain:

Wow! Am I glad to hear from you! I've been wrestling with exactly this problem - error on: OpenSSL: read 5/5 bytes from BIO - for a few weeks now; was beginning to think I was losing my mind. (while we leave that possibility aside for the moment(!),) here's what's different about our environment:

Apache/2.2.11 (Unix - Solaris SPARC) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9. We are using certificate authentication. Seeing this behavior under Firefox (Mac); haven't tried it using mobile browsers, though, presumably, you may be using a Mozilla-based mobile browser... We've recently upgraded to these current versions of Apache and OpenSSL, but the error behavior has not been impacted. The incessant prompting for certificate can be interrupted by setting Firefox's Advanced-Encryption-When a server requests my certificate-Select one automatically option. The above read error persists, however...

The primary impact is - apparently - that the SSL session is constantly re-negotiated for GET of each page element; loading of a single page might generate 8-10 prompts for the certificate. We have fiddled with various settings for the Renegotiation buffer, including which buffer engine is used, its size, etc., all to no avail. Some of the settings result in Apache configuration errors, so I wonder if we're into an Apache - or mod_ssl - 'black hole' region.

My quick research on this indicates that others have run into it, some have simply ignored it, but none have solved it.

Hopefully we'll come up with something. Lou

----- Original Message -----
From: "I Emsley (Iain)"
To: modssl-users@modssl.org
Sent: Friday, July 17, 2009 8:56:23 AM GMT -05:00 US/Canada Eastern
Subject: SSL connection between Apache and Tomcat failing

I've got a website which uses Apache 2.2 as the front end with Tomcat 5.5.23 as the backend and am using mod_ssl and mod_proxy to link the two together in Windows Server 2003. Normally there isn't an issue with two servers serving the website but recently (and mainly with, it appears, mobile browsers), I'm getting the following errors:

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read finished A

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done

[Fri Jul 17 09:52:29 2009] [info] Connection: Client IP: 130.246.76.83, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 5/5 bytes from BIO


Please remove my email from the list

on 17.07.2009 16:15:20 by liao.tan


Please remove my email from the list