mod_proxy: Error during SSL Handshake with remote server
Error during SSL Handshake with remote server (Stack Overflow, http://stackoverflow.com/questions/18872482/error-during-ssl-handshake-with-remote-server; asked Sep 18 '13 by user2791481; tags: apache, tomcat, ssl, reverse-proxy; 40 upvotes)

Question:

I have Apache2 (listening on 443) and a web app running on Tomcat7 (listening on 8443) on Ubuntu. I set apache2 as reverse proxy so that I access the web app through port 443 instead of 8443. Besides, I need to have SSL communication not only between browser and apache2 but also between apache2 and tomcat7, thus I set SSL on both apache2 and tomcat7. If I try to access the web app by directly contacting tomcat7, everything is fine. The problem is that when I try to access the tomcat's web app through apache2 (reverse proxy), the browser shows the error:

Proxy Error
The proxy server could not handle the request GET /web_app.
Reason: Error during SSL Handshake with remote server

Comments:

MK. (Sep 18 '13 at 12:55): Apache does not trust the certificate you have installed on the tomcat. Is it a self-signed cert? Or is it made by an in-house CA?

user2791481 (Sep 18 '13 at 12:58): It is self signed with this command: openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

MK. (Sep 18 '13 at 13:03): serverfault.com/questions/356678/… I think this is what you want: SSLProxyVerify none SSLProxyCheckPeerCN off

nathan.f77 (Jan 9 '14 at 0:22): Better to set SSLProxyCACertificateFile to your private CA certificate, instead of just turning off verification.

Answer (84 upvotes):

The comment by MK pointed me in the right direction. In the case of Apache 2.4 and up, there are different default
proxy:error AH00898: Error during SSL Handshake with remote server (Server Fault, http://serverfault.com/questions/538086/proxyerror-ah00898-error-during-ssl-handshake-with-remote-server; 8 upvotes)

Question:

I have a server that acts as a front-end for a cPanel mailserver in a network. The apache proxy on the front-end server ran for 152 days without fault, then suddenly I now get 500/502 errors when using it to access the webmail clients of the mailserver. The front-end server uses a signed SSL cert; the cPanel server is using a self-signed cert. Here is the error log output from the front-end server when it first started happening:

[Tue Sep 10 18:22:52.959291 2013] [proxy:error] [pid 19531] (502)Unknown error 502: [client 173.xx.xx.xx:9558] AH01084: pass request body failed to 184.xx.xx.xx:2096 (184.xx.xx.xx), referer: https://domain.com:2096/cpsess12385596/3rdparty/roundcube/?_task=mail&_refresh=1&_mbox=INBOX
[Tue Sep 10 18:22:52.959469 2013] [proxy:error] [pid 19531] [client 173.xx.xx.xx:9558] AH00898: Error during SSL Handshake with remote server returned by /cpsess12385596/3rdparty/roundcube/, referer: https://domain.com:2096/cpsess12385596/3rdparty/roundcube/?_task=mail&_refresh=1&_mbox=INBOX

The front-end server is an EC2 instance running Apache/2.4.6 (Amazon). My VirtualHost setup for the proxy on this server is as follows:

<VirtualHost *:2096>
    ServerName domain.com
    SSLEngine on
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLCertificateFile /x/x/x/domain.com.crt
    SSLCertificateKeyFile /x/x/x/domain.com.key
    SSLCACertificateFile /x/x/x/domain.com.cabundle
    ProxyPass / https://184.xx.xx.xx:2096/
    ProxyPassReverse / https://184.xx.xx.xx:2096/
    ProxyPassReverseCookieDomain 184.xx.xx.xx:2096 domain.com
    ProxyPassReverseCookiePath / /
    SetOutputFilter INFLATE;proxy-html;DEFLATE
    ProxyHTMLURLMap https://

Users getting HTTP 502 error accessing secure Web server via Access Gateway with TLS 1.2 enabled (NetIQ document 7015539, https://www.netiq.com/support/kb/doc.php?id=7015539)

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager Access Gateway Service running on RHEL 6.5
TLS 1.2 OpenSSL enabled on Access Gateway as per https://www.netiq.com/documentation/netiqaccessmanager4/enable_tls_nam40/data/enable_tls_nam40.html
Reverse Proxy -> Web Servers -> Web Server Trusted Root: Do not verify enabled

Situation

Access Manager 4.0 setup and working well. To improve security, all SSL/TLS transactions were set to use TLS 1.2. Both the NAM Identity Server and Access Gateway Server components were updated as per the above doc to enable TLS 1.2 (installed the additional apache package using the install_AG_Openssl101.sh script). After making the changes, all proxy services except one worked. Users accessing the problem secure Web server would get 502 errors, and the error_log file on the AG would report the following:

[error] (502)Unknown error 502: proxy: pass request body failed to 10.175.121.57:443 (10.175.121.57)
AMEVENTID#8: proxy: Error during SSL Handshake with remote server returned by

Tests were done adding a few SSL advanced options, but to no avail.
These options included:
- SSLProxyCheckPeerCN off
- SSLProxyProtocol +SSLv2 +SSLv3 +TLSv1 +TLSv1.1
- SSLProxyVerify none

LAN traces show that the AG would close the TCP connection after the Server Hello Done is returned from the secure web server.

Resolution

Modified the Advanced Options for this proxy service to include the following:

SSLProxyCipherSuite ALL:!EDH:!DHE:!ECDHE:!ECDH:!ADH:RC4+RSA:!EDH:+HIGH:+MEDIUM:+LOW:!SSLv2:!3DES:!DES:+EXP

Cause

The cipher sent back from the Web server is something Apache failed to handle correctly, hence the TCP FIN to close the connection with the Web server. By using the SSLProxyCipherSuite advanced option above, the list of supported ciphers the AG could negotiate was reduced. The Web server then responded with a cipher that the AG supported and the SSL handshake was able to complete successfully.

Note that this cipher string excludes every forward-secret (DHE/ECDHE) suite and admits RC4, LOW and export-grade (EXP) ciphers. It is a workaround for the handshake failure, not a hardened cipher policy: the list should be narrowed to the strongest suite the Web server actually accepts, confirmed with a client-side test against that server, rather than left this broad.
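The three threads above describe three distinct outbound-handshake failures behind the same AH00898 line: a backend certificate the proxy does not trust (the Stack Overflow self-signed Tomcat and the cPanel server), a peer name that does not match the certificate (what SSLProxyCheckPeerCN / SSLProxyCheckPeerName enforce), and a cipher list with no overlap (the NetIQ 502). The following is an added example, not code from any of the posts, from the Apache project or from NetIQ: it reproduces each failure offline with Go's crypto/tls, which performs the same class of checks mod_proxy's SSLProxy* directives govern, and runs the two fixes beside them (trusting a private CA versus disabling verification, and aligning the suite list). It assumes a backend name of tomcat.internal, a private CA and ECDSA suites of its own choosing, and the directive mapping in the comments is an analogy, since Go's knobs and Apache's are not one to one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

const backendName = "tomcat.internal" // assumed name; the posts only show IPs and "tomcat"

func must[T any](v T, err error) T { // every error here is a setup bug, so fail loudly
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a certificate for cn: self-signed when parent is nil (the
// "openssl x509 -req -signkey" case), otherwise signed by the private CA parent.
func issue(cn string, isCA bool, parent *tls.Certificate) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // peer-name checks match the SAN, not just the CN
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one TLS handshake over an in-memory pipe: backendCfg plays Tomcat/cPanel,
// proxyCfg plays mod_proxy's outbound side. Returns the proxy side's error (nil on success).
func handshake(backendCfg, proxyCfg *tls.Config) error {
	bConn, pConn := net.Pipe()
	defer func() { bConn.Close(); pConn.Close() }()
	srvDone := make(chan error, 1)
	go func() { srvDone <- tls.Server(bConn, backendCfg).Handshake() }()
	err := tls.Client(pConn, proxyCfg).Handshake()
	<-srvDone // the backend side always returns once an alert or Finished has crossed the pipe
	return err
}

// classify reduces a handshake error to the mod_proxy setting that governs it.
func classify(err error) string {
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "untrusted-issuer" // AH00898 with a self-signed cert: SSLProxyCACertificateFile
	case errors.As(err, new(x509.HostnameError)):
		return "name-mismatch" // what SSLProxyCheckPeerName / SSLProxyCheckPeerCN enforce
	case strings.Contains(err.Error(), "handshake failure"):
		return "cipher-mismatch" // no common suite: SSLProxyCipherSuite / SSLProxyProtocol
	}
	return "other: " + err.Error()
}

// Demo builds a private CA and a backend cert, then runs the handshake under each proxy-side setting.
func Demo() map[string]string {
	ca := issue("Internal Proxy CA", true, nil)
	backend := issue(backendName, false, ca)
	trust := x509.NewCertPool() // the file SSLProxyCACertificateFile would point at
	trust.AddCert(ca.Leaf)
	backendCfg := &tls.Config{
		Certificates: []tls.Certificate{*backend},
		MaxVersion:   tls.VersionTLS12, // suite lists are only negotiable from config before TLS 1.3
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
	}
	trusted := func(name string, suites ...uint16) *tls.Config {
		return &tls.Config{ServerName: name, RootCAs: trust, CipherSuites: suites}
	}
	out := map[string]string{}
	run := func(name string, proxyCfg *tls.Config) { out[name] = classify(handshake(backendCfg, proxyCfg)) }
	run("default-trust", &tls.Config{ServerName: backendName, RootCAs: x509.NewCertPool()}) // issuer not in trust store
	run("verify-none", &tls.Config{InsecureSkipVerify: true})                               // SSLProxyVerify none: nothing authenticated
	run("private-ca", trusted(backendName))                                                 // private CA trusted, name matches
	run("wrong-name", trusted("mail.example.com"))                                          // trusted issuer, wrong expected name
	run("cipher-clash", trusted(backendName, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256))  // NetIQ 502: no common suite
	run("cipher-aligned", trusted(backendName, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)) // after the SSLProxyCipherSuite fix
	return out
}

func main() { fmt.Println(Demo()) }
```

The "verify-none" row is the important one: it reports ok exactly like "private-ca", which is why SSLProxyVerify none / SSLProxyCheckPeerCN off makes the error disappear while leaving the proxy unable to tell Tomcat from anything else answering on that port. The "cipher-clash" row fails before any certificate is examined, which matches the NetIQ trace of a connection torn down right after the server's hello, and is why the CheckPeerCN/Verify options tried there could not help.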