https://bz.apache.org/bugzilla/show_bug.cgi?id=66636
Bug ID: 66636
Summary: hc https handshake tls1.0 (expecting tls1.2)
Product: Apache httpd-2
Version: 2.4.55
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy_hcheck
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 38582
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38582&action=edit
tls v1.0 handshake capture
I am running Apache/2.4.41 on Ubuntu 20.04 (but have tried 2.4.55 on 23.10 with
the same result) and configured a load-balancer setup including a
health check via HTTPS, and experience a TLS handshake issue that is caused by
the fact that TLS <= 1.2 is used, which is less than the backend service
accepts. I expect that v1.2 is used considering the current security standards.
To my knowledge I cannot configure this.
My setup:
<VirtualHost 10.130.0.11:443>
ServerName host.example.com
DocumentRoot /var/www/html/
SSLEngine on
SSLProtocol ALL -SSLv3 -TLSv1 -TLSv1.1
SSLCertificateFile /etc/pki/org/cert.pem
SSLCertificateKeyFile /etc/pki/org/key.pem
SSLCertificateChainFile /etc/pki/org/chain.pem
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLCACertificateFile /etc/pki/org/ca.pem
SSLProxyEngine on
# no server cert check. for now..
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost Off
ProxyHCExpr ok234 {%{REQUEST_STATUS} =~ /^[234]/}
ProxyHCTemplate az_hcheck hcmethod=GET hcuri=/hcheck hcexpr=ok234 hcinterval=30
<Proxy balancer://backend>
balancerMember "https://backend-az1.example.com" route=az1 hctemplate=az_hcheck
# The following line is the hot standby
balancerMember "https://backend-az2.example.com" route=az2 status=+H
</Proxy>
Proxypass "/test" "balancer://backend/test"
ProxypassReverse "/test" "balancer://backend/test"
</VirtualHost>
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
headers_module (shared)
lbmethod_byrequests_module (shared)
mime_module (shared)
mpm_worker_module (shared)
negotiation_module (shared)
proxy_module (shared)
proxy_balancer_module (shared)
proxy_hcheck_module (shared)
proxy_http_module (shared)
reqtimeout_module (shared)
setenvif_module (shared)
slotmem_shm_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)
errorlog:
[2023-06-05 17:07:11.047547] [proxy_hcheck:trace3] [pid 6832:tid 139638129731264] host.example.com Checking balancer://ca-lca-pre worker: https://backend-az1.example.com [9] (7f00093f6328)
[2023-06-05 17:07:11.047903] [proxy:debug] [pid 6832:tid 139638129731264] host.example.com AH00924: worker https://backend-az1.example.com shared already initialized
[2023-06-05 17:07:11.048001] [proxy:debug] [pid 6832:tid 139638129731264] host.example.com AH00927: initializing worker https://backend-az1.example.com local
[2023-06-05 17:07:11.048110] [proxy:debug] [pid 6832:tid 139638129731264] host.example.com AH00930: initialized pool in child 6832 for (backend-az1.example.com:443) min=0 max=50 smax=50
[2023-06-05 17:07:11.048339] [proxy_hcheck:debug] [pid 6832:tid 139638129731264] host.example.com AH03248: Creating hc worker 7f00093f6328 for https://backend-az1.example.com:443
[2023-06-05 17:07:11.048396] [proxy:debug] [pid 6832:tid 139638129731264] host.example.com AH00925: initializing worker 7f00093f6328 shared
[2023-06-05 17:07:11.048460] [proxy:debug] [pid 6832:tid 139638129731264] host.example.com AH00927: initializing worker 7f00093f6328 local
[2023-06-05 17:07:11.048519] [proxy:debug] [pid 6832:tid 139638129731264] host.example.com AH00930: initialized pool in child 6832 for (backend-az1.example.com:443) min=0 max=50 smax=50
[2023-06-05 17:07:11.048562] [proxy_hcheck:debug] [pid 6832:tid 139638129731264] host.example.com AH03256: Health checking https://backend-az1.example.com
[2023-06-05 17:07:11.048604] [proxy:debug] [pid 6832:tid 139638129731264] host.example.com AH00942: HCOH: has acquired connection for (backend-az1.example.com:443)
[2023-06-05 17:07:11.048718] [proxy:trace2] [pid 6832:tid 139638129731264] host.example.com HCOH: fam 2 socket created to connect to backend-az1.example.com:443
[2023-06-05 17:07:11.061642] [proxy:debug] [pid 6832:tid 139638129731264] host.example.com AH02824: HCOH: connection established with ###.###.###.###:443 (backend-az1.example.com:443)
[2023-06-05 17:07:11.061850] [proxy:debug] [pid 6832:tid 139638129731264] host.example.com AH00962: HCOH: connection complete to ###.###.###.###:443 (backend-az1.example.com)
[2023-06-05 17:07:11.061909] [ssl:info] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com AH01964: Connection to child 0 established (server host.example.com:443)
[2023-06-05 17:07:11.062123] [ssl:trace2] [pid 6832:tid 139638129731264] host.example.com Proxy: Seeding PRNG with 656 bytes of entropy
[2023-06-05 17:07:11.062293] [proxy_hcheck:trace7] [pid 6832:tid 139638129731264] host.example.com GET /health HTTP/1.1\r\nHost: backend-az1.example.com:443\r\n\r\n
[2023-06-05 17:07:11.062354] [ssl:trace3] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com OpenSSL: Handshake: start
[2023-06-05 17:07:11.062447] [ssl:trace3] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com OpenSSL: Loop: before SSL initialization
[2023-06-05 17:07:11.062817] [ssl:trace6] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com bio_filter_out_write: 517 bytes
[2023-06-05 17:07:11.062912] [core:trace6] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com writev_nonblocking: 517/517
[2023-06-05 17:07:11.062948] [ssl:trace4] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com OpenSSL: write 517/517 bytes to BIO#7f0004009dc0 [mem: 7f0004018b90] (BIO dump follows)
[2023-06-05 17:07:11.062974] [ssl:trace7] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com +-------------------------------------------------------------------------+
[2023-06-05 17:07:11.063002] [ssl:trace7] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com | 0000: 16 03 01 02 00 01 00 01-fc 03 03 24 3a 16 75 97 ...........$:.u. |
..
[2023-06-05 17:07:11.063610] [ssl:trace7] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com | 0517 - <SPACES/NULS>
[2023-06-05 17:07:11.063637] [ssl:trace7] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com +-------------------------------------------------------------------------+
[2023-06-05 17:07:11.063666] [ssl:trace6] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com bio_filter_out_write: flush
[2023-06-05 17:07:11.063698] [ssl:trace3] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com OpenSSL: Loop: SSLv3/TLS write client hello
[2023-06-05 17:07:11.063729] [ssl:trace1] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com BUG: bio_filter_in_ctrl() should not be called with cmd=76
[2023-06-05 17:07:11.075260] [ssl:trace4] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com OpenSSL: I/O error, 5 bytes expected to read on BIO#7f0004009e90 [mem: 7f000400f8b3]
[2023-06-05 17:07:11.075384] [ssl:trace1] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com BUG: bio_filter_in_ctrl() should not be called with cmd=76
[2023-06-05 17:07:11.075419] [ssl:trace3] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com OpenSSL: Exit: error in SSLv3/TLS write client hello
[2023-06-05 17:07:11.075450] [ssl:info] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com AH02003: SSL Proxy connect failed
[2023-06-05 17:07:11.075481] [ssl:info] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com AH01998: Connection closed to child 0 with abortive shutdown (server host.example.com:443)
[2023-06-05 17:07:11.075554] [ssl:info] [pid 6832:tid 139638129731264] ###.###.###.###:443 host.example.com AH01997: SSL handshake failed: sending 502
[2023-06-05 17:07:11.075593] [proxy:debug] [pid 6832:tid 139638129731264] host.example.com AH00943: HCOH: has released connection for (backend-az1.example.com:443)
[2023-06-05 17:07:11.075651] [proxy_hcheck:debug] [pid 6832:tid 139638129731264] host.example.com AH03251: Health check GET11 Status (1) for 7f00093f6328.
[2023-06-05 17:07:11.075682] [proxy_hcheck:info] [pid 6832:tid 139638129731264] host.example.com AH03303: Health check DISABLING https://backend-az1.example.com
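Added example, not part of the bug report or of httpd: a small Python decoder for the first BIO dump line in the trace above. It reads the two version fields separately, the record-layer version in the 5-byte record header (the 03 01 right after the 0x16 content type) and the client_version inside the ClientHello body (the 03 03 after the 4-byte handshake header), and checks that the lengths add up to the 517 bytes mod_ssl reports writing. The input bytes are constructed from that dump line; everything after the first random bytes is omitted.

```python
# Added example: decode the leading bytes of the ClientHello that mod_ssl
# dumped in the trace log, and report both TLS version fields it carries.
import struct

# Constructed from the "0000:" dump line in the error log above.
DUMPED_CLIENT_HELLO = bytes.fromhex(
    "16 03 01 02 00"      # record header: type 0x16 handshake, version 3.1, length 512
    "01 00 01 fc"         # handshake header: type 1 ClientHello, length 508
    "03 03"               # client_version: 3.3 (TLS 1.2)
    "24 3a 16 75 97"      # first bytes of the 32-byte client random
)

TLS_VERSIONS = {
    (3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2", (3, 4): "TLSv1.3",
}

def version_name(major, minor):
    return TLS_VERSIONS.get((major, minor), f"unknown {major}.{minor}")

def parse_client_hello_prefix(data):
    """Return the version and length fields in a ClientHello's leading bytes.

    Only the record header (5 bytes), handshake header (4 bytes) and
    client_version (2 bytes) are decoded; the rest of the message is ignored.
    """
    if len(data) < 11:
        raise ValueError("need at least 11 bytes of the ClientHello")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16:
        raise ValueError(f"not a handshake record (content type {content_type:#x})")
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")   # 24-bit handshake length
    if hs_type != 0x01:
        raise ValueError(f"not a ClientHello (handshake type {hs_type:#x})")
    cv_major, cv_minor = data[9], data[10]
    return {
        "record_version": version_name(rec_major, rec_minor),
        "record_length": rec_len,            # bytes following the 5-byte record header
        "handshake_length": hs_len,          # bytes following the 4-byte handshake header
        "client_version": version_name(cv_major, cv_minor),
        "bytes_on_wire": 5 + rec_len,        # should match the 517 bytes mod_ssl wrote
    }

if __name__ == "__main__":
    for field, value in parse_client_hello_prefix(DUMPED_CLIENT_HELLO).items():
        print(f"{field:>17}: {value}")
```

The record header and the handshake body carry different version numbers, so a capture should be read at both layers before concluding which TLS version the health-check worker is offering.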