Description of problem: Reported from mailing list I am running httpd-2.4.12 and mod_nss-1.0.11 built from source and am running into an issue where I occasionally get an error where mod_nss throws the following exception SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. What is strange is that the issue does not happen consistently, sometimes the error will occur after the first request, other times after the 5000th. Any thoughts about what could be causing this? The following is what I'm seeing in the log [Wed Apr 08 18:31:07.331041 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 established (server test.domain.com:443, client 10.81.1.91) [Wed Apr 08 18:31:07.412436 2015] [:info] [pid 17342:tid 47143550196032] Initial (No.1) HTTPS request received for child 0 (server test.domain.com:443) [Wed Apr 08 18:31:07.412499 2015] [authz_core:debug] [pid 17342:tid 47143550196032] mod_authz_core.c(835): [client 10.81.1.91:50727] AH01628: authorization result: granted (no directives) [Wed Apr 08 18:31:07.412654 2015] [proxy:debug] [pid 17342:tid 47143550196032] mod_proxy.c(1163): [client 10.81.1.91:50727] AH01143: Running scheme https handler (attempt 0) [Wed Apr 08 18:31:07.412669 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2140): AH00942: HTTPS: has acquired connection for (test.domain.com) [Wed Apr 08 18:31:07.412734 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2193): [client 10.81.1.91:50727] AH00944: connectinghttps://test.domain.com:8443/test/home.html to test.domain.com:8443 [Wed Apr 08 18:31:07.412745 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2394): [client 10.81.1.91:50727] AH00947: connected /test/home.html totest.domain.com:8443 [Wed Apr 08 18:31:07.412752 2015] [:debug] [pid 17342:tid 47143550196032] nss_engine_io.c(658): SSL connection destroyed without being closed [Wed Apr 08 18:31:07.412859 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2636): AH00951: HTTPS: backend socket is disconnected. [Wed Apr 08 18:31:07.412910 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2771): AH02824: HTTPS: connection established with 10.81.1.183:8443(test.domain.com) [Wed Apr 08 18:31:07.412923 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2923): AH00962: HTTPS: connection complete to 10.81.1.183:8443(test.domain.com) [Wed Apr 08 18:31:07.412928 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 established (server test.domain.com:443, client 10.81.1.183) [Wed Apr 08 18:31:07.424280 2015] [:error] [pid 17342:tid 47143550196032] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. [Wed Apr 08 18:31:07.424330 2015] [:info] [pid 17342:tid 47143550196032] SSL library error -12276 writing data [Wed Apr 08 18:31:07.424337 2015] [:info] [pid 17342:tid 47143550196032] SSL Library Error: -12276 Requested domain name does not match the server's certificate [Wed Apr 08 18:31:07.424344 2015] [proxy:error] [pid 17342:tid 47143550196032] (20014)Internal error: [client 10.81.1.91:50727] AH01084: pass request body failed to10.81.1.183:8443 (test.domain.com) [Wed Apr 08 18:31:07.424352 2015] [proxy_http:error] [pid 17342:tid 47143550196032] [client 10.81.1.91:50727] AH01097: pass request body failed to 10.81.1.183:8443(test.domain.com) from 10.81.1.91 () [Wed Apr 08 18:31:07.424356 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2155): AH00943: HTTPS: has released connection for (test.domain.com) [Wed Apr 08 18:31:07.424385 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 closed (server test.domain.com:443, client 10.81.1.183) [Wed Apr 08 18:31:07.424394 2015] [proxy:debug] [pid 17342:tid 47143550196032] proxy_util.c(2864): [remote 10.81.1.183:8443] AH02642: proxy: connection shutdown [Wed Apr 08 18:31:07.424686 2015] [:info] [pid 17342:tid 47143550196032] Connection to child 0 closed (server test.domain.com:443, client 10.81.1.91) My configuration is as follows for the virtual host <VirtualHost _default_:443> ErrorLog /var/log/httpd/error_log TransferLog /var/log/httpd/access_log LogLevel debug NSSEngine on NSSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 NSSNickname "*.domain.com" NSSCertificateDatabase /etc/httpd/wildcard NSSVerifyClient optional NSSOptions +ExportCertData +StdEnvVars <Files ~ "\.(cgi|shtml|phtml|php3?)$"> NSSOptions +StdEnvVars </Files> <Directory "/var/www/cgi-bin"> NSSOptions +StdEnvVars </Directory> ServerName test.domain.com NSSProxyEngine on NSSProxyProtocol TLSv1.0,TLSv1.1,TLSv1.2 NSSProxyCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ProxyRequests off ProxyPass /test https://test.domain.com:8443/test ProxyPassReverse /test https://test.domain.com:8443/test </VirtualHost> Version-Release number of selected component (if applicable): httpd-2.4.12 and mod_nss-1.0.11 How reproducible: intermittent
This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.