Has anyone gotten an Apache 2.0.43 SSL reverse proxy working to an IIS backend server requiring certificate verification on the IIS server side? I can reverse proxy Apache to an SSL Unix server and an SSL IIS server (neither requiring certificates). I can also reverse proxy Apache to an SSL Unix server requiring certificate verification. I have not been able to get it working to an IIS server requiring certificate verification. I have verified that the Apache certificates are valid using openssl to retrieve web pages from the IIS server:
openssl s_client -connect IIS-server:443 -cert user.crt -key user.key -CAfile ca-bundle.crt
GET / HTTP/1.0

<Web page content...>

Originally when I tried the reverse proxy to the IIS server I would get a segmentation fault in ssl_engine_kernel.c. For some reason info->x_pkey was a NULL pointer. I modified the code shown below to get around this:

$ diff ssl_engine_kernel.c{.ORIG,}
1606,1607c1606,1609
< *pkey = info->x_pkey->dec_pkey; \
< EVP_PKEY_reference_inc(*pkey)
---
> if (info->x_pkey != 0) { \
> *pkey = info->x_pkey->dec_pkey; \
> EVP_PKEY_reference_inc(*pkey); \
> }

Now when I use openssl to connect to the reverse proxy I get:

HTTP/1.1 502 Proxy Error
Date: Wed, 23 Oct 2002 01:00:39 GMT
Server: Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6g DAV/2
Content-Length: 453
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>502 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
<p>The proxy server received an invalid response from an upstream server.<br />
The proxy server could not handle the request <em><a href="/">GET /</a></em>.<p>
Reason: <strong>Error reading from remote server</strong></p></p>
<hr />
<address>Apache/2.0.43 Server at host Port 443</address>
</body></html>
read:errno=0

The Apache error log shows:

[Tue Oct 22 17:31:19 2002] [info] Connection: Client IP: xxx.xxx.xxx.xxx, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[Tue Oct 22 17:31:19 2002] [error] SSL error on reading data
[Tue Oct 22 17:31:19 2002] [error] SSL Library Error: 336162922 error:1409706A:lib(20):func(151):reason(106)
[Tue Oct 22 17:31:19 2002] [error] [client xxx.xxx.xxx.xxx] proxy: error reading status line from remote server IIS-server
[Tue Oct 22 17:31:19 2002] [error] [client xxx.xxx.xxx.xxx] proxy: Error reading from remote server returned by /
[Tue Oct 22 17:31:19 2002] [debug] ssl_engine_kernel.c(1866): OpenSSL: Write: SSL negotiation finished successfully
[Tue Oct 22 17:31:19 2002]
[info] Connection to child 1 closed with standard shutdown(server host:443, client xxx.xxx.xxx.xxx)
[Tue Oct 22 17:31:19 2002] [debug] ssl_engine_kernel.c(1866): OpenSSL: Write: SSL negotiation finished successfully
[Tue Oct 22 17:31:19 2002] [info] Connection to child 1 closed with standard shutdown(server host:443, client xxx.xxx.xxx.xxx)

I don't know enough about SSL to know what is going on. It looks like the SSL_read() is failing but I do not know why. If I don't get anywhere with this I'm thinking about trying the experimental code in Apache 1.3.27 to see if I have any luck. Any input would be welcome.

Thanks.
Keith

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
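Review bot: the NULL guard in the ssl_engine_kernel.c hunk (lines 1606-1609 of the patched file) stops the crash but leaves *pkey unassigned whenever info->x_pkey is NULL, so execution carries on as if a certificate had been supplied without any private key to go with it; that turns a hard failure into a silent one, and a handshake that then fails on the proxy side is exactly what you would expect from it. A NULL x_pkey most likely means the private key for the proxy's client certificate was never loaded alongside the certificate, so the right fix is for that branch to log the condition and return failure, and for the certificate/key file the proxy is configured with to be checked so it actually contains both the certificate and its key, rather than skipping the assignment and continuing.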