Dennis,

I get the same type of behavior connecting to Tomcat via AJP. This happens to me without SSL. I posted a note about it but I have not gotten any feedback yet. Please keep us updated on your progress, I will do the same.

George

On Fri, Oct 3, 2008 at 10:41 AM, Denis McCarthy <[EMAIL PROTECTED]> wrote:

> Hi,
> We have a java application that, as part of its authentication
> process, needs to examine the contents of a X509 certificate from the
> client. The application is also a financial based one and therefore
> needs to be run entirely over SSL. Our architecture consists of an
> httpd 2.2.3 front end and a jetty 6 app server. Jetty and apache talk
> using AJP (mod_proxy_ajp on the apache side). For most requests this
> seems to work fine. However, occasionally we get some *extremely*
> nasty behaviour from apache (it may be caused by jetty, but I'm not
> sure as yet). Anyway, we get the following type messages in our apache
> log:
>
> [Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand
> this error code: proxy: read response failed from 172.17.102.156:8009
> (172.17.102.156)
> [Fri Oct 03 14:26:43 2008] [error] (70007)The timeout specified has
> expired: ajp_ilink_receive() can't receive header
> [Fri Oct 03 14:26:43 2008] [error] ajp_read_header: ajp_ilink_receive
> failed
> [Fri Oct 03 14:26:43 2008] [error] (120006)APR does not understand
> this error code: proxy: read response failed from 172.17.102.156:8009
> (172.17.102.156)
> [Fri Oct 03 14:29:52 2008] [error] ajp_check_msg_header() got bad signature
> 4854
> [Fri Oct 03 14:29:52 2008] [error] ajp_ilink_receive() received bad header
> [Fri Oct 03 14:29:52 2008] [error] ajp_read_header: ajp_ilink_receive
> failed
> [Fri Oct 03 14:29:52 2008] [error] (120007)APR does not understand
> this error code: proxy: read response failed from (null)
> (172.17.102.156)
>
> Now, this seems to occur only for certain connection types: For
> example, it seems to often occur for connections from MSIE browsers,
> as well as on occasions when our java application server times out on
> requests (e.g. when our back end takes a very long time to come back
> with a response). I suspect these may be related, as I've read that
> MSIE browsers don't terminate SSL connections correctly.
>
> Anyway, when this occurs, the entire apache server seems to freeze up
> for several minutes.
>
> Here's the relevant apache config:
>
>
> Basic ssl config:
>
> LoadModule ssl_module modules/mod_ssl.so
>
> Listen 443
>
> # Some MIME-types for downloading Certificates and CRLs
> #
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
>
> # Pass Phrase Dialog:
> # Configure the pass phrase gathering process.
> # The filtering dialog program (`builtin' is a internal
> # terminal dialog) has to provide the pass phrase on stdout.
> SSLPassPhraseDialog builtin
>
> SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout 600
>
>
> SSLMutex pthread
>
> SSLRandomSeed startup file:/dev/urandom 256
> SSLRandomSeed connect builtin
>
>
> ServerAdmin [EMAIL PROTECTED]
>
> ServerName www.ourapp.com:443
>
> ProxyPreserveHost On
> ProxyPass /our-app ajp://172.17.102.156:8009/our-app
> ProxyPassReverse /our-app ajp://172.17.102.156:8009/our-app
>
>
> SSLEngine on
>
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /etc/httpd/certs/server.crt
>
> SSLCertificateKeyFile /etc/httpd/certs/server.key
>
> SSLCACertificateFile /etc/httpd/certs/ca.crt
>
> SSLVerifyClient require
>
> SSLVerifyDepth 1
>
> SSLOptions +StdEnvVars +ExportCertData +StrictRequire
>
> <IfModule setenvif_module>
>   BrowserMatch ".*MSIE.*" \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
> </IfModule>
>
>
> LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
>
>
> In case there's anyone familiar with jetty out there, my jetty AJP
> config is very simple
> <Configure id="Server" class="org.mortbay.jetty.Server">
>
>   <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
>   <!-- Add a AJP listener on port 8009 -->
>   <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
>   <Call name="addConnector">
>     <Arg>
>       <New class="org.mortbay.jetty.ajp.Ajp13SocketConnector">
>         <Set name="port">8009</Set>
>       </New>
>     </Arg>
>   </Call>
>
> </Configure>
>
> (The IP addresses etc. have been changed to protect the innocent)
>
> If anyone could give any pointers for a solution to this it'd be
> great, as the app in question is due to go live shortly, and we'll
> have to delay go-live until this issue is resolved.
> Thanks
> Denis
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> " from the digest: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
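
Added example, not part of the original thread and not code from httpd or Jetty: a small triage script for the mod_proxy_ajp error lines quoted in the message above. It assumes the hex digits after "bad signature" are the first two bytes httpd read where it expected an AJP13 packet prefix; the function names are hypothetical and the sample lines are copied from the message with the e-mail line wraps rejoined.

```python
import re
from collections import Counter

# Log lines copied from the message above, e-mail line wraps rejoined.
SAMPLE_LOG = """\
[Fri Oct 03 14:26:43 2008] [error] (70007)The timeout specified has expired: ajp_ilink_receive() can't receive header
[Fri Oct 03 14:26:43 2008] [error] ajp_read_header: ajp_ilink_receive failed
[Fri Oct 03 14:29:52 2008] [error] ajp_check_msg_header() got bad signature 4854
"""

# AJP13 prefixes: 0x1234 web server -> container, 0x4142 ("AB") container -> web server.
# Assumption: the hex digits logged are the first two bytes httpd read.
AJP_MAGIC = {b"\x12\x34": "server->container", b"AB": "container->server"}
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] (?P<msg>.*)$")
SIG_RE = re.compile(r"bad signature ([0-9a-fA-F]{4})\b")


def decode_signature(hex_sig):
    """Return (raw bytes, printable text, note) for a logged signature."""
    raw = bytes.fromhex(hex_sig)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
    if raw in AJP_MAGIC:
        note = "valid AJP13 prefix (" + AJP_MAGIC[raw] + ")"
    elif raw == b"HT":
        note = "ASCII 'HT': looks like plain-text HTTP, not an AJP packet"
    else:
        note = "not an AJP13 prefix: stream out of sync or not AJP"
    return raw, text, note


def triage(log_text):
    """Count AJP read timeouts and decode bad signatures in an error log."""
    counts, signatures = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "(70007)" in msg and "ajp_ilink_receive" in msg:
            counts["backend_timeout"] += 1
        sig = SIG_RE.search(msg)
        if sig:
            counts["bad_signature"] += 1
            signatures.append((m.group("ts"),) + decode_signature(sig.group(1)))
    return counts, signatures


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run over a full error log, the timestamps of decoded signatures can be compared with the preceding timeout entries to see whether bad headers follow a timed-out read on the same backend.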