I use mod_proxy to reverse-proxy HTTPS connections. It runs fine
with Apache 2.0.43, but when I upgrade to 2.0.46, more than 50% of the
HTTPS connections fail; the httpd child process just dies.
2.0.44 and 2.0.45 have the same problem: their child process just dies in
more than 50% of HTTPS connections. I also tried upgrading OpenSSL
to the latest version, 0.9.7b, and recompiling Apache, but it doesn't help,
since maybe it is not OpenSSL's bug. This behaviour is reproducible on
another server; I tried it here with Red Hat 7.0 and Gentoo 1.4. Both of them
have the same problem with Apache 2.0.44, 2.0.45 and 2.0.46, no matter which
OpenSSL version, and have a stable connection with 2.0.43.
Here is my config:
NameVirtualHost xxx.5.131.41:443
SSLProxyEngine on
ServerName iniskp.mydomain.org
ProxyPass / https://iniskp.mydomain.org/
ProxyPassReverse / https://iniskp.mydomain.org/
LogLevel debug
SSLEngine on
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
And here is the error log when the connections failed:
.
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1462):
+-+
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(109): proxy: HTTP:
canonicalising URL //iniskp.mydomain.org/
[Fri Jun 13 18:18:52 2003] [debug] mod_proxy.c(459): Trying to run scheme_handler
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(1076): proxy: HTTP: serving URL
https://iniskp.mydomain.org/
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(221): proxy: HTTP connecting
https://iniskp.mydomain.org/ to iniskp.mydomain.org:443
[Fri Jun 13 18:18:52 2003] [debug] proxy_util.c(1203): proxy: HTTP: fam 2 socket
created to connect to iniskp.mydomain.org
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(370): proxy: socket is connected
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(404): proxy: connection complete
to xxx.5.67.95:443 (iniskp.mydomain.org)
[Fri Jun 13 18:18:52 2003] [info] Connection to child 3 established (server
iniskp.mydomain.org:443, client xxx.5.67.95)
[Fri Jun 13 18:18:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL:
Handshake: start
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop:
before/connect initialization
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop:
SSLv2/v3 write client hello A
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 0/7
bytes from BIO#8194ea0 [mem: 81a1c98] (BIO dump follows)
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1431):
+-+
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1462):
+-+
[Fri Jun 13 18:18:52 2003] [info] SSL Proxy connect failed
[Fri Jun 13 18:18:52 2003] [info] Connection to child 3 closed with abortive
shutdown(server iniskp.mydomain.org:443, client xxx.5.67.95)
.
And here is a successful connection right after the above connection:
.
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(109): proxy: HTTP:
canonicalising URL //iniskp.mydomain.org/
[Fri Jun 13 18:18:53 2003] [debug] mod_proxy.c(459): Trying to run scheme_handler
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(1076): proxy: HTTP: serving URL
https://iniskp.mydomain.org/
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(221): proxy: HTTP connecting
https://iniskp.mydomain.org/ to iniskp.mydomain.org:443
[Fri Jun 13 18:18:53 2003] [debug] proxy_util.c(1203): proxy: HTTP: fam 2 socket
created to connect to iniskp.mydomain.org
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(370): proxy: socket is connected
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(404): proxy: connection complete
to xxx.5.67.95:443 (iniskp.mydomain.org)
[Fri Jun 13 18:18:53 2003] [info] Connection to child 5 established (server
iniskp.mydomain.org:443, client xxx.5.67.95)
[Fri Jun 13 18:18:53 2003] [info] Seeding PRNG with 136 bytes of entropy
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL:
Handshake: start
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop:
before/connect initialization
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop:
SSLv2/v3 write client hello A
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 7/7
bytes from BIO#8194ea0 [mem: 81a3ca0] (BIO dump follows)
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1431):
+-+
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1456):
| : 16 03 01 03 68 02h. |
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1460):
| 0007 -
.
The difference is in "ssl