We are having a rather strange problem with an Apache installation. Here is a short summary:
Currently I'm setting up Apache with HTTPS and server certificates. This is fairly easy and works straight out of the box – as expected. This is the configuration for this setup:
Listen 443
SSLEngine on
SSLCertificateFile "/progs/apache/ssl/example-site.no.pem"
SSLCertificateKeyFile "/progs/apache/ssl/example-site.no.key"
SSLCACertificateFile "/progs/apache/ssl/ca/example_root.pem"
SSLCADNRequestFile "/progs/apache/ssl/ca/example_intermediate.pem"
SSLVerifyClient none
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData
RequestHeader set ssl-ClientCert-Subject-CN "%{SSL_CLIENT_S_DN}s"
RewriteEngine On
ProxyPreserveHost On
ProxyRequests On
SSLProxyEngine On
...
<LocationMatch /secureStuff/$>
SSLVerifyClient require
Order deny,allow
Allow from All
</LocationMatch>
...
<Proxy balancer://exBalancer>
Header add Set-Cookie "EX_ROUTE=EB.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
BalancerMember http://10.0.0.1:7200 route=ee1 retry=300 flushpackets=off keepalive=on
BalancerMember http://10.0.0.2:7200 route=ee2 retry=300 flushpackets=off keepalive=on status=+H
ProxySet stickysession=EX_ROUTE scolonpathdelim=Off timeout=10 nofailover=off failonstatus=505 maxattempts=1 lbmethod=bybusyness
Order deny,allow
Allow from all
</Proxy>
RewriteCond %{REQUEST_URI} !^/index.html [NC]
RewriteRule ^/(.*)$ balancer://exBalancer/$1 [P,NC]
ProxyPassReverse / balancer://exBalancer/
Header edit Set-Cookie "(.*)" "$1;HttpsOnly"
...
So – everything works fine and as expected for all of the pages that are not part of the LocationMatch directive.
When requesting something that matches the LocationMatch directive, I'm asked for a certificate (because of the SSLVerifyClient require directive) – and I get all the correct certificates in my browser that are based on the root/intermediate chain. After choosing a certificate and clicking "OK", this is what pops up in the Apache logs:
[ssl:info] [pid 9530:tid 25] [client :43357] AH01998: Connection closed to child 86 with abortive shutdown (
[Thu Oct 11 09:27:36.221876 2012] [ssl:debug] [pid 9530:tid 25] ssl_engine_io.c(1171): (70014)End of file found: [client 10.235.128.55:45846] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
And this just spams the logs. What is happening here? I can see this configuration working on my local machine, but not on one of our servers. There are no configuration differences between the servers, only minor application-wise changes.
I've tried the following:
1) Removing CA certificate checking (works)
2) Adding a required CA certificate for the whole site (works)
3) Adding "SSLVerifyClient optional" (does not work)
4) ++
Server/Application Information
Local:
- OpenSSL v1.0.1x
- Apache 2.4.3
- Ubuntu
- MPM: event
- every configuration should be turned on
Failing server:
- OpenSSL 0.9.8e
- Apache 2.4.2
- SunOS
- MPM: worker
- every configuration should be turned on
Please let me know if more information is needed, I'll provide it instantly.
Brief summary:
- Running Apache 2.4
- Server certificates work just fine
- Client certificates for some /Locations do not work; it fails with errors
PS:
Could it be related to the OpenSSL version and the "renegotiation" stuff related to TLS/SSLv3?
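Added example (not part of the original question or the poster's configuration): a small Python triage script for Apache 2.4 error_log lines of the shape quoted above. It parses the timestamp, module, level, client and AHxxxxx code from each line, counts events per client and code, and flags clients that produce a burst of AH02007 "SSL handshake interrupted" events within a short window. A single AH02007 per client is normal (the user really did press Stop); a steady stream from the same client right after it was asked for a client certificate is what to look for when a per-Location SSLVerifyClient setup misbehaves. The log lines, thresholds and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of an Apache 2.4 error_log line as quoted in the question. Timestamp and
# "[client ip:port]" are optional so the truncated first line (no timestamp,
# empty client IP) still parses. The "prefix" group soaks up source-file and
# errno text such as "ssl_engine_io.c(1171): (70014)End of file found: ".
LOG_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\]\s+)?"
    r"\[(?P<module>[a-z0-9_]+):(?P<level>[a-z0-9]+)\]\s+"
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\]\s+"
    r"(?P<prefix>.*?)"
    r"(?:\[client (?P<ip>[^\]:]*):(?P<port>\d+)\]\s+)?"
    r"(?P<code>AH\d{5}):\s+(?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"

# Constructed sample log (not real server output): 10.235.128.55 gets four
# interrupted handshakes in 19 seconds, 10.235.128.77 gets one, and the last
# line has the truncated form shown in the question.
SAMPLE_LOG = """\
[Thu Oct 11 09:27:36.221876 2012] [ssl:debug] [pid 9530:tid 25] ssl_engine_io.c(1171): (70014)End of file found: [client 10.235.128.55:45846] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Oct 11 09:27:36.224101 2012] [ssl:info] [pid 9530:tid 25] [client 10.235.128.55:45846] AH01998: Connection closed to child 86 with abortive shutdown (server example-site.no:443)
[Thu Oct 11 09:27:41.100000 2012] [ssl:debug] [pid 9530:tid 25] ssl_engine_io.c(1171): (70014)End of file found: [client 10.235.128.55:45850] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Oct 11 09:27:41.102000 2012] [ssl:info] [pid 9530:tid 25] [client 10.235.128.55:45850] AH01998: Connection closed to child 87 with abortive shutdown (server example-site.no:443)
[Thu Oct 11 09:27:47.300000 2012] [ssl:debug] [pid 9530:tid 26] ssl_engine_io.c(1171): (70014)End of file found: [client 10.235.128.55:45853] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Oct 11 09:27:55.010000 2012] [ssl:debug] [pid 9530:tid 26] ssl_engine_io.c(1171): (70014)End of file found: [client 10.235.128.55:45860] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Oct 11 09:28:10.500000 2012] [ssl:debug] [pid 9530:tid 27] ssl_engine_io.c(1171): (70014)End of file found: [client 10.235.128.77:51002] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[ssl:info] [pid 9530:tid 25] [client :43357] AH01998: Connection closed to child 88 with abortive shutdown (server example-site.no:443)
"""


def parse_line(line):
    """Parse one error_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT) if m.group("ts") else None
    return {
        "ts": ts,
        "module": m.group("module"),
        "level": m.group("level"),
        "pid": int(m.group("pid")),
        "client": m.group("ip") or "unknown",   # empty IP in truncated lines
        "port": int(m.group("port")) if m.group("port") else None,
        "code": m.group("code"),
        "msg": m.group("msg"),
    }


def parse_log(text):
    """Parse all lines, silently skipping those that do not match the format."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events):
    """Count events per (client, AH code) pair."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["client"], ev["code"])] += 1
    return dict(counts)


def find_handshake_bursts(events, code="AH02007", threshold=3, window_seconds=60):
    """Flag clients with >= threshold events of `code` inside any sliding window.

    Events without a timestamp cannot be placed in a window and are ignored.
    """
    per_client = defaultdict(list)
    for ev in events:
        if ev["code"] == code and ev["ts"] is not None:
            per_client[ev["client"]].append(ev["ts"])
    bursts = []
    for client, stamps in per_client.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append({"client": client, "code": code,
                           "max_in_window": best, "window_seconds": window_seconds})
    return bursts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for (client, code), n in sorted(summarize(events).items()):
        print(f"{client:16} {code} x{n}")
    for burst in find_handshake_bursts(events):
        print("burst:", burst)
```

Run it against a real error_log with `parse_log(open(path).read())`; the burst threshold and window are the knobs to tune, and the "unknown" bucket tells you how many lines lost their client field (as the first line in the question did).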
Best Answer
It seems like there is a problem with the version of Apache compiled for the SunOS that we are using. This is explained here: http://svn.apache.org/viewvc?view=revision&revision=1373439
In addition to this, we just did an upgrade to OpenSSL 1.0.1c, which fixed some other issues.
To sum up: if you use SunOS and Apache 2.4.0, 2.4.1 or 2.4.2, then you have to upgrade to version 2.4.3, as the issue with SSL caching is solved there.
Resources:
http://svn.apache.org/viewvc?view=revision&revision=1373439
http://apache-http-server.18135.n6.nabble.com/DO-NOT-REPLY-Bug-53040-New-apache-2-4-1-Solaris-10-ssl-virtual-hosts-dies-after-idle-for-a-while-td4812609.html
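Added example (not part of the answer or of the Apache project): a Python audit helper that turns the answer's conclusion into a check you can run across a fleet. It parses the output of `httpd -v`, `openssl version` and `uname -s`, and reports a finding when the host matches the affected combination the answer names (Apache 2.4.0 to 2.4.2 built for SunOS), plus a note when OpenSSL is older than the 1.0.1c the answer reports upgrading to. The tool output strings are constructed to mirror the failing server in the question; on a real host you would feed the commands' actual output to the same functions.

```python
import re

HTTPD_VERSION_RE = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)")
OPENSSL_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Range stated in the answer: Apache 2.4.0, 2.4.1 and 2.4.2 compiled for SunOS
# are affected; 2.4.3 carries the fix (svn revision 1373439).
AFFECTED_OS = "SunOS"
FIRST_AFFECTED = (2, 4, 0)
FIRST_FIXED = (2, 4, 3)
# OpenSSL version the answer reports upgrading to.
OPENSSL_RECOMMENDED = (1, 0, 1, "c")

# Constructed tool output (not captured from a real host), matching the
# failing server described in the question.
FAILING_HTTPD_V = "Server version: Apache/2.4.2 (Unix)\nServer built:   Jan  1 2012 00:00:00\n"
FAILING_OPENSSL_V = "OpenSSL 0.9.8e 23 Feb 2007\n"
FAILING_UNAME_S = "SunOS\n"


def parse_httpd_version(text):
    """Return (major, minor, patch) from `httpd -v` output."""
    m = HTTPD_VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'Server version: Apache/x.y.z' line found")
    return tuple(int(x) for x in m.groups())


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letter) from `openssl version` output."""
    m = OPENSSL_VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'OpenSSL x.y.z' token found")
    major, minor, fix, patch = m.groups()
    return (int(major), int(minor), int(fix), patch)


def assess(os_name, httpd_version, openssl_version):
    """Return a list of findings; an empty list means nothing to do."""
    findings = []
    httpd_str = ".".join(str(x) for x in httpd_version)
    if os_name == AFFECTED_OS and FIRST_AFFECTED <= httpd_version < FIRST_FIXED:
        findings.append(
            f"Apache {httpd_str} on {os_name}: affected by the SSL caching bug "
            f"fixed in 2.4.3 (r1373439); upgrade to 2.4.3 or later."
        )
    if openssl_version < OPENSSL_RECOMMENDED:
        ssl_str = "%d.%d.%d%s" % openssl_version
        findings.append(
            f"OpenSSL {ssl_str}: older than 1.0.1c, the version the answer "
            f"reports upgrading to; consider upgrading alongside Apache."
        )
    return findings


def audit(httpd_v_output, openssl_version_output, uname_s_output):
    """Convenience wrapper: parse the three command outputs and assess them."""
    return assess(
        uname_s_output.strip(),
        parse_httpd_version(httpd_v_output),
        parse_openssl_version(openssl_version_output),
    )


if __name__ == "__main__":
    for line in audit(FAILING_HTTPD_V, FAILING_OPENSSL_V, FAILING_UNAME_S) or ["OK"]:
        print(line)
```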