https://bz.apache.org/bugzilla/show_bug.cgi?id=60441
Bug ID: 60441
Summary: SSL handshake failed
Product: Apache httpd-2
Version: 2.2.31
Hardware: PC
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: All
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
In our production system we have a custom-compiled version of Apache 2.2.31 on
a Debian machine with OpenSSL 1.0.1u.
Server version: Apache/2.2.31 (Unix)
Server built: Oct 31 2016 13:51:59
Server's Module Magic Number: 20051115:40
Server loaded: APR 1.5.2, APR-Util 1.5.4
Compiled using: APR 1.5.2, APR-Util 1.5.4
Architecture: 64-bit
Server MPM: Worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/opt/loadbalancer/apache"
-D SUEXEC_BIN="/opt/loadbalancer/apache/bin/suexec"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
Sometimes during high load we get an SSL handshake failure from the client.
I was able to reproduce the bug with Apache Benchmark. It always happens with a
concurrency level above 4 (ab -c 5 -n 2000 -p post.body).
Here is the tcpdump, which shows that this issue always happens after the
Change Cipher Spec.
12 0.001043 193.33.xxx.xxx 10.xxx.xxx.xxx TCP 68 10498→443 [SYN] Seq=0 Win=8192 Len=0 MSS=1420 WS=256 SACK_PERM=1
26 0.016894 193.xxx.xxx.xxx 10.xxx.xxx.xxx TCP 62 10498→443 [ACK] Seq=1 Ack=1 Win=66560 Len=0
35 0.020474 193.xxx.xxx.xxx 10.xxx.xxx.xxx TLSv1.2 573 Client Hello
49 0.042871 193.xxx.xxx.xxx 10.xxx.xxx.xxx TCP 62 10498→443 [ACK] Seq=518 Ack=2841 Win=66560 Len=0
50 0.043990 193.xxx.xxx.xxx 10.xxx.xxx.xxx TCP 62 10498→443 [ACK] Seq=518 Ack=4873 Win=66560 Len=0
54 0.045390 193.xxx.xxx.xxx 10.xxx.xxx.xxx TLSv1.2 182 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
89 0.091799 193.xxx.xxx.xxx 10.xxx.xxx.xxx TLSv1.2 412 Application Data
109 0.131868 193.xxx.xxx.xxx 10.xxx.xxx.xxx TCP 62 10498→443 [ACK] Seq=1000 Ack=5936 Win=65536 Len=0
110 0.132318 193.xxx.xxx.xxx 10.xxx.xxx.xxx TLSv1.2 87 Encrypted Alert
111 0.132563 193.xxx.xxx.xxx 10.xxx.xxx.xxx TCP 62 10498→443 [FIN, ACK] Seq=1031 Ack=5936 Win=65536 Len=0
I always get a "Content Type: Alert (21)" as the Encrypted Alert.
I'm not able to get any error message on Apache itself, so it could be a
problem in OpenSSL itself.