Apache HTTP 2.2.13 - SSL handshake issue

on 08.10.2009 13:45:20 by apauser

Dear All,

On my apache 2.2.13, SSL handshake sometimes fails/works.

1) The client connects to the server
2) The server prompts the client for authentication
3) The user is prompted to select its certificate and enter the password from its browser.

Using a sniffer, we can see that the request 3) is properly sent over the network but we do not see it in apache.

Investigating the LOG file, we found an error as follows for each occurrence of the issue:
[debug] ssl_engine_io.c(1958): OpenSSL: I/O error, 11 bytes expected to read on BIO#9ce76b0 [mem: 9d41d28]

- Is the error found in the LOG the reason of the error in SSL handshake?
- What is the reason for such error?

See below my virtual host config:
<VirtualHost _default_:443>
#   General setup for the virtual host
DocumentRoot "/usr/local/apache2/htdocs"
ServerName ausersrv
ServerAdmin ausersrv@ausersrv.net
ErrorLog "|/usr/local/apache2/bin/cronolog /usr/local/apache2/logs/error-%Y-%m-%d.log"
CustomLog "|/usr/local/apache2/bin/cronolog  /usr/local/apache2/logs/log-%Y%m%d.log" common

SSLEngine on

SSLCipherSuite AES128-SHA:DES-CBC3-SHA

SSLCertificateFile /usr/local/apache2/conf/ausersrv.cer

#   Server Private Key:

SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key

SSLCACertificateFile /usr/local/apache2/conf/ca.crt

SSLVerifyClient require

SSLOptions +ExportCertData +StdEnvVars
<Files ~ "\\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
KeepAliveTimeout 15
KeepAlive 5


ProxyPass / http://193.168.125.233/
ProxyPassReverse / http://193.168.125.233/

</VirtualHost>    

Regards,

Bernard.




Re: Apache HTTP 2.2.13 - SSL handshake issue

on 08.10.2009 14:13:32 by Toomas Aas

apauser@skynet.be wrote:

>
> On my apache 2.2.13, SSL handshake sometimes fails/works.
>

I don't know the answer to your problem, but see my yesterday's message
with subject "Firefox SSL handshake error after Apache upgrade". Would be
interesting to know, if you enable similar BrowserMatch directive, does the
issue go away? Maybe we're on to something here...

--
Toomas Aas

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: Apache HTTP 2.2.13 - SSL handshake issue

on 08.10.2009 14:38:53 by Bernard Fonze

Thanks for your help...

On another system, I have a similar problem even though the directive is set as follows:

BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
Downgrade-1.0 force-response-1.0

In addition, I am using MSIE and not firefox :-(




Bernard Fonze
Senior Analyst-Programmer
E-mail : BFonze@isabel.eu
Tel : +32 (0)2 545.14.75
Fax : +32

Isabel NV/S.A.
Keizerinlaan 13-15 Boulevard de l'Impératrice
1000 Brussels - Belgium
RPR Bruxelles / RPM Brussel: BE 0455 530 509
http://www.isabel.eu/ http://www.zoomit.eu/

Zoomit is a Registered Trademark of Isabel NV/S.A.
Disclaimer : http://www.isabel.eu/gps/en/disclaimer/mailing.php

