Hi Eric.

On 19.02.2012 01:21, Eric Covener wrote:
> What about LogLevel debug
Attached are fresh error logs with LogLevel debug.
From the default and non-default vhost (the latter is where the actual site, as you can see Icinga, runs). For both cases split up in the 1st access (after I freshly started the browser) which worked and after the 2nd (some 10 minutes later) that failed then.

I stripped out all crypto material, if you'd need that please tell me, then I'll have to set up a fake-CA and certs.


> or the access log?
That one is small and particularly boring so I paste it here:
The LogFormat is:
"%{%x %X}t> %A:%p %h; %u %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_M_VERSION}x \"%{SSL_CLIENT_S_DN}x\" \"%{SSL_CLIENT_I_DN}x\" %{SSL_CLIENT_M_SERIAL}x; \"%r\" %s %>s; %I %O %D; \"%{Host}i\" \"%{Referer}i\" \"%{User-Agent}i\""

This is all from the non-default name based vhost... the default one's is empty.

1st access with success:
02/19/12 03:30:35> 129.187.131.227:443 91.8.45.224; /C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer SUCCESS 3 "/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer" "/C=DE/O=GermanGrid/CN=GridKa-CA" 3EC4; "GET /icinga/classic/images/interface/menu_blank.gif HTTP/1.1" 200 200; 538 426 459; "lcg-lrz-monitoring.grid.lrz.de" "https://lcg-lrz-monitoring.grid.lrz.de/icinga/classic/stylesheets/interface/menu.css"; "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2"
02/19/12 03:30:35> 129.187.131.227:443 91.8.45.224; /C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer SUCCESS 3 "/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer" "/C=DE/O=GermanGrid/CN=GridKa-CA" 3EC4; "GET /icinga/classic/images/interface/menu_less.gif HTTP/1.1" 200 200; 506 410 442; "lcg-lrz-monitoring.grid.lrz.de" "https://lcg-lrz-monitoring.grid.lrz.de/icinga/classic/menu.html"; "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2"

2nd access (after 10 minutes) with failure:
02/19/12 03:40:50> 129.187.131.227:443 91.8.45.224; - NONE - "-" "-" -; "GET /icinga/classic/ HTTP/1.1" 403 403; 1158 3564 548; "lcg-lrz-monitoring.grid.lrz.de" "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2"


So it seems a bit like this:

On the 1st access everything works.
Then something bad happens somewhere either in the browsers, or Apache, or perhaps there are even some OpenSSL contexts kept open?!

2nd access:
I get an error, that no SNI hostname would have been provided, but still, the output appears in the log file of the non-default name based vhost, strange isn't it?

And I have:
SSLStrictSNIVHostCheck on
so I'd expect to fail any access if no SNI hostname would have been provided.

The access log (still that one of the non-default name based vhost) shows the failed access... SSL client out seems to be lost ("NONE") which is also the reason why the fakeBasicAuth doesn't work anymore.

But why all this? (Again, happens with Firefox and Chromium)




> What's in a decrypted packet trace?
What exactly do you mean and how can I get this?


Thanks,
Chris.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
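
Added example, not part of the original message: a Python parser for the leading fields of the LogFormat quoted above that flags requests where a client which earlier verified with a certificate is later logged with SSL_CLIENT_VERIFY NONE and a final status of 403, the pattern seen in the two accesses. The function name and the sample lines (addresses, DNs, serial) are constructed for illustration.

```python
import re

# Leading fields of the LogFormat from the message, up to the final status (%>s).
# %u can contain spaces because FakeBasicAuth uses the subject DN as user name.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+)> (?P<local>\S+):(?P<port>\d+) (?P<client>\S+); '
    r'(?P<user>.*?) (?P<verify>NONE|SUCCESS|GENEROUS|FAILED:.*?) (?P<version>\S+) '
    r'"(?P<subject>[^"]*)" "(?P<issuer>[^"]*)" (?P<serial>\S+); '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<final_status>\d{3});'
)

# Constructed sample lines in the same format (not the poster's real data).
DN = "/C=XX/O=Example/CN=Example User"
TAIL = ' 500 400 450; "www.example.org" "-" "ExampleBrowser/1.0"'
SAMPLE_LOG = [
    '02/19/12 03:30:35> 192.0.2.10:443 198.51.100.7; ' + DN + ' SUCCESS 3 "'
    + DN + '" "/C=XX/O=Example/CN=Example-CA" 1A2B; '
    '"GET /icinga/classic/menu.html HTTP/1.1" 200 200;' + TAIL,
    '02/19/12 03:40:50> 192.0.2.10:443 198.51.100.7; - NONE - "-" "-" -; '
    '"GET /icinga/classic/ HTTP/1.1" 403 403;' + TAIL,
    # A client that never presented a certificate: a plain 403, not flagged.
    '02/19/12 03:41:02> 192.0.2.10:443 203.0.113.9; - NONE - "-" "-" -; '
    '"GET /icinga/classic/ HTTP/1.1" 403 403;' + TAIL,
]


def find_lost_client_auth(lines):
    """Return entries where a previously verified client is later logged
    with SSL_CLIENT_VERIFY=NONE and a final status of 403."""
    verified = {}  # client IP -> subject DN of its last verified request
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not follow the expected format
        entry = m.groupdict()
        if entry["verify"] == "SUCCESS":
            verified[entry["client"]] = entry["subject"]
        elif (entry["verify"] == "NONE" and entry["final_status"] == "403"
              and entry["client"] in verified):
            entry["previous_subject"] = verified[entry["client"]]
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for hit in find_lost_client_auth(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["request"], "was:", hit["previous_subject"])
```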
