• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Apache Http Server : SSL Library Error: 336027803 error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO

 
Ranch Hand
Posts: 255
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

I am trying to setup reverse proxy for my internal business users for site validation when the external route is down. I am able to setup multiple routes with corresponding virtual hosts entries in httpd.conf for port 80 : anonymous user. Am afraid am stuck at SSL route and unable to make progress.

Configuration details:-

Apache version: Apache/2.2.29 (Unix) Linux Version: $ cat /etc/*-release Enterprise Linux Enterprise Linux Server release 5.8 (Carthage) Oracle Linux Server release 5.8 Red Hat Enterprise Linux Server release 5.8 (Tikanga)

When I try to access over SSL (*:443) I get empty response on all 3 browsers (IE/Chrome/Firefox). Below is the error log:-

3:16:06 2015] [notice] Digest: generating secret for digest authentication ...
[Wed Jul 08 23:16:06 2015] [notice] Digest: done
[Wed Jul 08 23:16:06 2015] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x21b6ff0 rmm=0x21b7048 for VHOST: stgwww.cos.agilent.com
[Wed Jul 08 23:16:06 2015] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x21b6ff0 rmm=0x21b7048 for VHOST: stgwww.cos.agilent.com
[Wed Jul 08 23:16:06 2015] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Wed Jul 08 23:16:06 2015] [info] LDAP: SSL support available
[Wed Jul 08 23:16:06 2015] [info] mod_unique_id: using ip addr 127.0.0.1
[Wed Jul 08 23:16:07 2015] [info] Init: Seeding PRNG with 144 bytes of entropy
[Wed Jul 08 23:16:07 2015] [info] Loading certificate & private key of SSL-aware server
[Wed Jul 08 23:16:07 2015] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Wed Jul 08 23:16:07 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Jul 08 23:16:07 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
[Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(272): for 511920 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
[Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(310): subcache_size = 15992
[Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 3208
[Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 12784
[Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(316): index_num = 133
[Wed Jul 08 23:16:07 2015] [info] Shared memory session cache initialised
[Wed Jul 08 23:16:07 2015] [info] Init: Initializing (virtual) servers for SSL
[Wed Jul 08 23:16:07 2015] [info] Configuring server for SSL protocol
[Wed Jul 08 23:16:07 2015] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
[Wed Jul 08 23:16:07 2015] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [HIGH:MEDIUM:!aNULL:!MD5]
[Wed Jul 08 23:16:07 2015] [debug] ssl_engine_init.c(843): Configuring server certificate chain (1 CA certificate)
[Wed Jul 08 23:16:07 2015] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
[Wed Jul 08 23:16:07 2015] [debug] ssl_engine_init.c(936): Configuring RSA server private key
[Wed Jul 08 23:16:07 2015] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Jul 08 23:16:07 2015] [info] mod_ssl/2.2.29 compiled against Server: Apache/2.2.29, Library: OpenSSL/0.9.8e-fips-rhel5
[Wed Jul 08 23:16:07 2015] [debug] proxy_util.c(1829): proxy: grabbed scoreboard slot 11 in child 6098 for worker proxy:reverse
[Wed Jul 08 23:16:07 2015] [debug] proxy_util.c(1945): proxy: initialized single connection worker 11 in child 6098 for (*)
---------
truncated for ease of reading
---------
[Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] Connection to child 0 established (server stgwww.cos.agilent.com:443)
[Wed Jul 08 23:19:02 2015] [info] Seeding PRNG with 144 bytes of entropy
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/accept initialization
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1939): OpenSSL: read 11/11 bytes from BIO#22341b0 [mem: 223b880] (BIO dump follows)
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1911): | 0000: 43 4f 4e 4e 45 43 54 20-73 74 67 CONNECT stg |
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
**[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] SSL library error 1 in handshake (server stgwww.cos.agilent.com:443)
[Wed Jul 08 23:19:02 2015] [info] SSL Library Error: 336027803 error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request speaking HTTP to HTTPS port!?
[Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] Connection closed to child 0 with abortive shutdown (server stgwww.cos.agilent.com:443)**
[Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] Connection to child 1 established (server stgwww.cos.agilent.com:443)
[Wed Jul 08 23:19:02 2015] [info] Seeding PRNG with 144 bytes of entropy
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/accept initialization
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1939): OpenSSL: read 11/11 bytes from BIO#22341b0 [mem: 223b880] (BIO dump follows)
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1911): | 0000: 43 4f 4e 4e 45 43 54 20-73 74 67 CONNECT stg |
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] SSL library error 1 in handshake (server stgwww.cos.agilent.com:443)
[Wed Jul 08 23:19:02 2015] [info] SSL Library Error: 336027803 error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request speaking HTTP to HTTPS port!?
[Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] Connection closed to child 1 with abortive shutdown (server stgwww.cos.agilent.com:443)
[Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] Connection to child 4 established (server stgwww.cos.agilent.com:443)
[Wed Jul 08 23:19:02 2015] [info] Seeding PRNG with 144 bytes of entropy
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/accept initialization
[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1939): OpenSSL: read 11/11 bytes from BIO#22341b0 [mem: 223b880] (BIO dump follows)

httpd-config.xml:-

#
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512


Listen 443
NameVirtualHost *:443

# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache2/logs/ssl_mutex"

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "/usr/local/apache2/htdocs"
ServerName xxxxx:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache2/logs/error_log"
TransferLog "/usr/local/apache2/logs/access_log"

# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Protocol support:
SSLProtocol all -SSLv2

# SSL Cipher Suite:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5


# Server Certificate:
SSLCertificateFile "/usr/local/apache2/conf/ssl.crt"

# Server Private Key:
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key"

# Server Certificate Chain:
SSLCertificateChainFile "/home/sandeep/sandeep.crt"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>


BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

# Per-Server Logging:
CustomLog "/usr/local/apache2/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

SSLProxyEngine on
SSLProxyVerify none

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ProxyPass / http://www.google.com
ProxyPassReverse / http://www.google.com
</VirtualHost>

Modules Enabled:-

LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule cache_module modules/mod_cache.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule dumpio_module modules/mod_dumpio.so
LoadModule echo_module modules/mod_echo.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule charset_lite_module modules/mod_charset_lite.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule log_forensic_module modules/mod_log_forensic.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule ident_module modules/mod_ident.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_lock_module modules/mod_dav_lock.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so

Please appreciate any help on this?

Thanks.
 
Saloon Keeper
Posts: 27764
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
When you use mod_proxy with Apache/Tomcat, Apache handles the SSL transport. The actual tunnel from Apache to Tomcat (via mod_proxy) is done in clear text, not encrypted.

Unless you're really paranoid or have set up a pretty questionable infrastructure, that's OK, since normally the Apache-to-Tomcat channel is either on the same machine (hence essentiall un-tappable) or at least behind the firewall, where the only security risk is from in-house snooping. Which a VPN can probably help with at the hardware level, it it's a concern.
 
Rithanya Laxmi
Ranch Hand
Posts: 255
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Tim,

I am not getting this ? are you telling the creation of self signed certificate might be a problem? how we can resolve this error ? Please clarify.

Thanks.
 
Tim Holloway
Saloon Keeper
Posts: 27764
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hmmm. I just looked closer. Are you really doing a REVERSE proxy here? Your ProxyPass is to an external site.

And it's google.com which has gotten all righteous about using SSL ever since the NSA scandal.

Your message was "ttps proxy request speaking HTTP to HTTPS port!? " and that sounds about right if you did a proxy forward to google.com and it wanted https.
 
Rithanya Laxmi
Ranch Hand
Posts: 255
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks Tim, are you telling we need to change the reverse proxy as below with https for 443 instead of http?

ProxyPass / https://www.google.com
ProxyPassReverse / https://www.google.com


where for virtual host 80 we will have "http":-

ProxyPass / http://www.google.com
ProxyPassReverse / http://www.google.com

Please clarify.
 
Tim Holloway
Saloon Keeper
Posts: 27764
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Have you tried it?

I'm not sure if Apache will automatically encrypt properly or not, but at least you'd be addressing https instead of http. So if that doesn't work, I'd recommend google. I did some research on this general area about 2 months ago, but my conclusion was that I didn't want to bother with back-end software-based encryption. However, if you're querying google, you don't have that option.
 
Wanna see my flashlight? How about this tiny ad?
a bit of art, as a gift, the permaculture playing cards
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic