Bug 338401
| Summary: | mod_nss does not work with mod_proxy | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Rob Crittenden <rcritten> |
| Component: | mod_nss | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.0 | CC: | bszoko, ckannan, geoffbeier, jorton, mkoci, sputhenp, syeghiay, tao |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-01-20 20:34:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Rob Crittenden
2007-10-18 17:12:38 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. mod_proxy uses several functions that are provided by mod_ssl to provide SSL support: ssl_proxy_enable, ssl_engine_disable, ssl_is_https and ssl_var_lookup. Without these functions mod_proxy does not work at all if mod_nss is used for SSL. This is because mod_proxy will call into these mod_ssl functions and mod_ssl will say "huh? I'm not providing SSL". So for example. If you set up Apache to use mod_nss for SSL and configure it as a reverse proxy: ProxyPass /testme http://localhost:8080/testme ProxyPassReverse /testme http://localhost:8080/testme then go to https://yourhost:8443/testme it will fail. The solution is for mod_nss to optionally register those functions. It can only do so if mod_ssl is not loaded. If mod_nss registers those functions then mod_proxy will work in the above configuration. To test this you need to be sure that mod_ssl is not loaded, either by renaming ssl.conf to ssl.conf.old or removing the mod_ssl package. Before upgrading the package, create /etc/httpd/conf.d/proxy.conf with these as the contents: ProxyPass / http://www.redhat.com/ ProxyPassReverse / http://www.redhat.com/ I tested with curl but you can use Firefox as well. By default mod_nss is configured to listen on port 8443. Point your client at https://yourhost.example.com:8443/ ala % curl -k https://yourhost.example.com:8443/ Prior to installing the new package the request will hang. After installing the updated mod_nss package you should receive the contents of the web site you are proxying for (www.redhat.com in this case). rob, my test has failed. [root@dhcp-126 conf.d]# cat proxy.conf ProxyPass / http://www.redhat.com/ ProxyPassReverse / http://www.redhat.com/ [root@dhcp-126 conf.d]# man curl [root@dhcp-126 conf.d]# curl -v -k https://localhost:8443/ * About to connect() to localhost port 8443 * Trying 127.0.0.1... connected * Connected to localhost (127.0.0.1) port 8443 * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSLv2, Client hello (1): SSLv3, TLS handshake, Server hello (2): SSLv3, TLS handshake, CERT (11): SSLv3, TLS handshake, Server finished (14): SSLv3, TLS handshake, Client key exchange (16): SSLv3, TLS change cipher, Client hello (1): SSLv3, TLS handshake, Finished (20): SSLv3, TLS change cipher, Client hello (1): SSLv3, TLS handshake, Finished (20): SSL connection using AES256-SHA * Server certificate: * subject: /C=US/O=example.com/CN=dhcp-126.sjc.redhat.com * start date: 2008-12-01 05:44:13 GMT * expire date: 2012-12-01 05:44:13 GMT * common name: dhcp-126.sjc.redhat.com (does not match 'localhost') * issuer: /C=US/O=example.com/CN=Certificate Shack * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. > GET / HTTP/1.1 > User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 > Host: localhost:8443 > Accept: */* > * Empty reply from server * Connection #0 to host localhost left intact curl: (52) Empty reply from server * Closing connection #0 * SSLv3, TLS alert, Client hello (1): [root@dhcp-126 conf.d]# curl -v -k https://dhcp-126.sjc.redhat.com:8443/ * About to connect() to dhcp-126.sjc.redhat.com port 8443 * Trying 10.14.54.126... connected * Connected to dhcp-126.sjc.redhat.com (10.14.54.126) port 8443 * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSLv2, Client hello (1): SSLv3, TLS handshake, Server hello (2): SSLv3, TLS handshake, CERT (11): SSLv3, TLS handshake, Server finished (14): SSLv3, TLS handshake, Client key exchange (16): SSLv3, TLS change cipher, Client hello (1): SSLv3, TLS handshake, Finished (20): SSLv3, TLS change cipher, Client hello (1): SSLv3, TLS handshake, Finished (20): SSL connection using AES256-SHA * Server certificate: * subject: /C=US/O=example.com/CN=dhcp-126.sjc.redhat.com * start date: 2008-12-01 05:44:13 GMT * expire date: 2012-12-01 05:44:13 GMT * common name: dhcp-126.sjc.redhat.com (matched) * issuer: /C=US/O=example.com/CN=Certificate Shack * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. > GET / HTTP/1.1 > User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 > Host: dhcp-126.sjc.redhat.com:8443 > Accept: */* > * Empty reply from server * Connection #0 to host dhcp-126.sjc.redhat.com left intact curl: (52) Empty reply from server * Closing connection #0 * SSLv3, TLS alert, Client hello (1): [root@dhcp-126 conf.d]# curl -v -k https://dhcp-126.sjc.redhat.com:8443/ * About to connect() to dhcp-126.sjc.redhat.com port 8443 * Trying 10.14.54.126... connected * Connected to dhcp-126.sjc.redhat.com (10.14.54.126) port 8443 * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSLv2, Client hello (1): SSLv3, TLS handshake, Server hello (2): SSLv3, TLS handshake, CERT (11): SSLv3, TLS handshake, Server finished (14): SSLv3, TLS handshake, Client key exchange (16): SSLv3, TLS change cipher, Client hello (1): SSLv3, TLS handshake, Finished (20): SSLv3, TLS change cipher, Client hello (1): SSLv3, TLS handshake, Finished (20): SSL connection using AES256-SHA * Server certificate: * subject: /C=US/O=example.com/CN=dhcp-126.sjc.redhat.com * start date: 2008-12-01 05:44:13 GMT * expire date: 2012-12-01 05:44:13 GMT * common name: dhcp-126.sjc.redhat.com (matched) * issuer: /C=US/O=example.com/CN=Certificate Shack * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. > GET / HTTP/1.1 > User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 > Host: dhcp-126.sjc.redhat.com:8443 > Accept: */* > * Empty reply from server * Connection #0 to host dhcp-126.sjc.redhat.com left intact curl: (52) Empty reply from server * Closing connection #0 * SSLv3, TLS alert, Client hello (1): [root@dhcp-126 conf.d]# rpm -q mod_nss mod_nss-1.0.3-6.el5 [root@dhcp-126 conf.d]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 5.3 Beta (Tikanga) error_log has [Mon Dec 01 04:10:03 2008] [notice] child pid 28252 exit signal Segmentation fault (11) I get the feeling that the httpd installed, httpd-2.2.3-19, is broken. I see that the build was deleted from brew. I updated to httpd-2.2.3-22 on the test system and that seems to have fixed it. Joe, what release of httpd will be targeted for 5.3? I installed rhel 5.3 beta fwiw. I can update and give it a shot again Rob - works ok with RHEL 5.3 - snapshot3 build. [root@dhcp-126 ~]# rpm -q mod_nss mod_nss-1.0.3-6.el5 [root@dhcp-126 ~]# rpm -q httpd httpd-2.2.3-22.el5 marking bug VERIFIED There were mod_proxy bugs in -19, yup. Anyone know where I can find the 2.2.3-22 build? Thanks (In reply to comment #17) > Anyone know where I can find the 2.2.3-22 build? > Thanks There are packages up at: http://people.redhat.com/jorton/Tikanga-httpd/ An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-0075.html Greetings, Thank you for your update. I created a ticket on our specific issue with mod_nss and mod_proxy. Service Request: 1881684 - [SEG] mod_nss fails with reverse proxy, mod_proxy This is the last comment in the above Request: 12-JAN-2009 13:55:29 Yates, Matthew T SEG has created a bugzilla for this issue and has aligned it with RHEL 5.4. The upstream patch was only against httpd 2.0 and with the extensive changes especially in the proxy code since 2.2 and the refactoring to allow for persistent proxy connections it is unclear how the previous change would now be implemented. So they are continuing to look into this and I will keep you updated. Regards, Matthew The ERRATA states the rpm from July is the functioning version. This is the version we have in place and it fails to function. Also I built the 5.3 beta with the httpd build listed above and the identical error is created there as well. Please feel free to view the request. Uncertain if my issue is directly related to this bug. My organization will be requesting a fix for version RHEL 5.2. Thanks |