https://bz.apache.org/bugzilla/show_bug.cgi?id=68517

            Bug ID: 68517
           Summary: Getting AH00898: Error during SSL Handshake with
                    remote server while using apache as reverse proxy
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: All
          Assignee: bugs@httpd.apache.org
          Reporter: sbhanwr...@gmail.com
  Target Milestone: ---

We have installed Apache 2.4.58 in a new directory. We use the same settings and
SSL certificate wallets as Apache 2.4.57. However, we keep getting a 502 Bad
Gateway error in the newer Apache, while it works fine in Apache 2.4.57 on the
same server.


I tried the settings below as well, but no luck.

    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off

I have verified the proxyCA with curl; it works fine.

I struggled with this issue for a couple of weeks.

Thanks a lot,

The error log:

[Thu Jan 18 15:00:11.652886 2024] [proxy:error] [pid 8119:tid 140431891339008] (20014)Internal error (specific information not available): [client x.x.x.x.x.x.:40441] AH01084: pass request body failed to x.x.x.x.x.x.:443 (innoprosys.com)
[Thu Jan 18 15:00:11.652931 2024] [proxy:error] [pid 8119:tid 140431891339008] [client x.x.x.x.x.x.:40441] AH00898: Error during SSL Handshake with remote server returned by /xxx/xxx/xxx/api/
[Thu Jan 18 15:00:11.652934 2024] [proxy_http:error] [pid 8119:tid 140431891339008] [client x.x.x.x.x.x.:40441] AH01097: pass request body failed to x.x.x.x.x.x.:443 (xxxx.com) from x.x.x.x.x.x. ()

The SSL request log:

[18/Jan/2024:15:00:11 +0300] XXXXX TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /XXX/XXX/XXX/api/?key=TMS1LN9X4TZRP3MKGU0B HTTP/1.1" 273


The VH config:

Listen 5995

SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on

#   SSL Protocol support:
SSLProtocol all -SSLv3

SSLPassPhraseDialog  builtin

SSLSessionCache        "shmcb:/u01/apache/httpd-2.4.58/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:5995>

#   General setup for the virtual host
DocumentRoot "/u01/apache/httpd-2.4.58/htdocs"
ServerName xxxxx.xxx.com.sa:5995
ServerAdmin y...@example.com
ErrorLog "/u01/apache/httpd-2.4.58/logs/error_log"
TransferLog "/u01/apache/httpd-2.4.58/logs/access_log"

SSLEngine on

#   Server Certificate:
SSLCertificateFile "/u01/apache/httpd-2.4.58/nwc-config/certificates/server/xxx.xx.com.sa.pem"

#   Server Private Key:
SSLCertificateKeyFile "/u01/apache/httpd-2.4.58/nwc-config/certificates/server/xxxxx.xxx.com.sa_key1.key"

SSLCACertificatePath "/u01/apache/httpd-2.4.58/nwc-config/certificates/ca"

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/u01/apache/httpd-2.4.58/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   compact non-error SSL logfile on a virtual host basis.
CustomLog "/u01/apache/httpd-2.4.58/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

SSLProxyEngine On
SSLProxyProtocol all -SSLv3 -TLSv1.1
SSLProxyCACertificatePath "/u01/apache/httpd-2.4.58/nwc-config/certificates/ca"

ProxyRequests On
ProxyVia On
ProxyPreserveHost Off

<Location /xxx/xxx/xxx/api/>
    ProxyPass https://xxx.com/xxx/xxx/xxx/api/
    ProxyPassReverse https://xxxx.com/xxx/apis/xxx/api/
</Location>

</VirtualHost>


The compile settings:

./httpd -V
Server version: Apache/2.4.58 (Unix)
Server built:   Jan 15 2024 12:58:36
Server's Module Magic Number: 20120211:129
Server loaded:  APR 1.7.4, APR-UTIL 1.6.3, PCRE 8.45 2021-06-15
Compiled using: APR 1.7.4, APR-UTIL 1.6.3, PCRE 8.45 2021-06-15
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_PROC_PTHREAD_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/u01/apache/httpd-2.4.58"
 -D SUEXEC_BIN="/u01/apache/httpd-2.4.58/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

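Added diagnostic, not part of this report or of httpd itself: a POSIX shell script that replays the proxy-side handshake under the constraints the VH config above hands to mod_ssl (same CA directory, the SSLProxyCipherSuite list, SSLv3 and TLSv1.1 disabled, SNI set to the backend) and first checks that the SSLProxyCACertificatePath directory is hashed, which OpenSSL requires for directory lookups. The CA path and cipher list are copied from the reported config; the backend host name and the script file name are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report. Mimics what mod_ssl does with
# SSLProxyCACertificatePath, SSLProxyCipherSuite and SSLProxyProtocol from the
# VH config. CA_PATH and CIPHERS come from that config; BACKEND is a placeholder.
CA_PATH="${CA_PATH:-/u01/apache/httpd-2.4.58/nwc-config/certificates/ca}"
CIPHERS="HIGH:MEDIUM:!MD5:!RC4:!3DES"
BACKEND="${BACKEND:-backend.example.com}"   # stands in for the xxx.com upstream

# A CA *path* is consulted through OpenSSL's hashed lookup: the directory must
# contain <subject-hash>.<n> files or symlinks, as created by `openssl rehash`.
# Plain .pem files without hash links are not found, so the backend chain never
# verifies. Prints the number of hashed entries (0 is the thing to look for).
count_hashed_certs() {
    ls "$1" 2>/dev/null | grep -cE '^[0-9a-f]{8}\.[0-9]+$'
}

# Check a captured backend chain (PEM file) against CA_PATH, i.e. the chain
# verification mod_ssl performs when SSLProxyVerify is enabled.
verify_chain() {
    openssl verify -CApath "$CA_PATH" "$1"
}

# Handshake with the backend the way the proxy would: same CA directory, same
# cipher list, SSLv3 and TLSv1.1 disabled, SNI set to the backend host name.
# Prints negotiated protocol/cipher, any TLS alert, and the verify result.
probe_backend() {
    host="$1"; port="${2:-443}"
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -CApath "$CA_PATH" -cipher "$CIPHERS" -no_ssl3 -no_tls1_1 2>&1 \
      | grep -E 'Verify return code|^ *Protocol *:|^ *Cipher *:|alert'
}

main() {
    n=$(count_hashed_certs "$CA_PATH")
    echo "hashed CA entries in $CA_PATH: $n (0 means run: openssl rehash $CA_PATH)"
    probe_backend "$BACKEND" 443
}

# Run only when executed as proxy_tls_check.sh, so the functions can be sourced.
case "$0" in
    proxy_tls_check.sh|*/proxy_tls_check.sh) main ;;
esac
```

A TLS alert or a non-zero "Verify return code" here reproduces, outside httpd, the condition behind AH00898; a hashed-entry count of 0 means the CA directory is being ignored regardless of which CA files it holds.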