This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 338401 - mod_nss does not work with mod_proxy
mod_nss does not work with mod_proxy
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mod_nss (Show other bugs)
5.0
All Linux
medium Severity high
: rc
: ---
Assigned To: Rob Crittenden
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-18 13:12 EDT by Rob Crittenden
Modified: 2010-10-22 15:36 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 15:34:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Rob Crittenden 2007-10-18 13:12:38 EDT
It is not possible to use mod_nss with mod_proxy, even when proxying to an
unsecured host.

The reason is that mod_proxy uses some functions provided by mod_ssl to identify
the protocol, enable or disable the SSL engine and to retrieve SSL variables.
Comment 1 RHEL Product and Program Management 2008-06-04 18:48:17 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 Rob Crittenden 2008-07-16 16:00:11 EDT
mod_proxy uses several functions that are provided by mod_ssl to provide SSL
support: ssl_proxy_enable, ssl_engine_disable, ssl_is_https and ssl_var_lookup.

Without these functions mod_proxy does not work at all if mod_nss is used for
SSL. This is because mod_proxy will call into these mod_ssl functions and
mod_ssl will say "huh? I'm not providing SSL".

So for example. If you set up Apache to use mod_nss for SSL and configure it as
a reverse proxy:

ProxyPass /testme http://localhost:8080/testme
ProxyPassReverse /testme http://localhost:8080/testme

then go to https://yourhost:8443/testme it will fail.

The solution is for mod_nss to optionally register those functions. It can only
do so if mod_ssl is not loaded. If mod_nss registers those functions then
mod_proxy will work in the above configuration.
Comment 5 Rob Crittenden 2008-07-24 11:34:14 EDT
To test this you need to be sure that mod_ssl is not loaded, either by renaming
ssl.conf to ssl.conf.old or removing the mod_ssl package.

Before upgrading the package, create /etc/httpd/conf.d/proxy.conf with these as
the contents:

ProxyPass / http://www.redhat.com/
ProxyPassReverse / http://www.redhat.com/

I tested with curl but you can use Firefox as well. By default mod_nss is
configured to listen on port 8443. Point your client at
https://yourhost.example.com:8443/ ala

% curl -k https://yourhost.example.com:8443/

Prior to installing the new package the request will hang.

After installing the updated mod_nss package you should receive the contents of
the web site you are proxying for (www.redhat.com in this case).
Comment 9 Chandrasekar Kannan 2008-12-01 14:50:39 EST
rob, my test has failed.

[root@dhcp-126 conf.d]# cat proxy.conf 
ProxyPass / http://www.redhat.com/
ProxyPassReverse / http://www.redhat.com/

[root@dhcp-126 conf.d]# man curl
[root@dhcp-126 conf.d]# curl -v -k https://localhost:8443/
* About to connect() to localhost port 8443
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 8443
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using AES256-SHA
* Server certificate:
*        subject: /C=US/O=example.com/CN=dhcp-126.sjc.redhat.com
*        start date: 2008-12-01 05:44:13 GMT
*        expire date: 2012-12-01 05:44:13 GMT
*        common name: dhcp-126.sjc.redhat.com (does not match 'localhost')
*        issuer: /C=US/O=example.com/CN=Certificate Shack
* SSL certificate verify result: self signed certificate in certificate chain
(19), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5
OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: localhost:8443
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
[root@dhcp-126 conf.d]# curl -v -k https://dhcp-126.sjc.redhat.com:8443/
* About to connect() to dhcp-126.sjc.redhat.com port 8443
*   Trying 10.14.54.126... connected
* Connected to dhcp-126.sjc.redhat.com (10.14.54.126) port 8443
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using AES256-SHA
* Server certificate:
*        subject: /C=US/O=example.com/CN=dhcp-126.sjc.redhat.com
*        start date: 2008-12-01 05:44:13 GMT
*        expire date: 2012-12-01 05:44:13 GMT
*        common name: dhcp-126.sjc.redhat.com (matched)
*        issuer: /C=US/O=example.com/CN=Certificate Shack
* SSL certificate verify result: self signed certificate in certificate chain
(19), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5
OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: dhcp-126.sjc.redhat.com:8443
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host dhcp-126.sjc.redhat.com left intact
curl: (52) Empty reply from server
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
[root@dhcp-126 conf.d]# curl -v -k https://dhcp-126.sjc.redhat.com:8443/
* About to connect() to dhcp-126.sjc.redhat.com port 8443
*   Trying 10.14.54.126... connected
* Connected to dhcp-126.sjc.redhat.com (10.14.54.126) port 8443
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using AES256-SHA
* Server certificate:
*        subject: /C=US/O=example.com/CN=dhcp-126.sjc.redhat.com
*        start date: 2008-12-01 05:44:13 GMT
*        expire date: 2012-12-01 05:44:13 GMT
*        common name: dhcp-126.sjc.redhat.com (matched)
*        issuer: /C=US/O=example.com/CN=Certificate Shack
* SSL certificate verify result: self signed certificate in certificate chain
(19), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5
OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: dhcp-126.sjc.redhat.com:8443
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host dhcp-126.sjc.redhat.com left intact
curl: (52) Empty reply from server
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):


[root@dhcp-126 conf.d]# rpm -q mod_nss
mod_nss-1.0.3-6.el5
[root@dhcp-126 conf.d]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 5.3 Beta (Tikanga)
Comment 10 Chandrasekar Kannan 2008-12-01 15:11:27 EST
error_log has [Mon Dec 01 04:10:03 2008] [notice] child pid 28252 exit signal Segmentation fault (11)
Comment 12 Rob Crittenden 2008-12-01 18:08:45 EST
I get the feeling that the httpd installed, httpd-2.2.3-19, is broken. I see that the build was deleted from brew. I updated to httpd-2.2.3-22 on the test system and that seems to have fixed it.

Joe, what release of httpd will be targeted for 5.3?
Comment 13 Chandrasekar Kannan 2008-12-01 18:17:16 EST
I installed rhel 5.3 beta fwiw. I can update and give it a shot again
Comment 14 Chandrasekar Kannan 2008-12-02 00:51:21 EST
Rob - works ok with RHEL 5.3 - snapshot3 build. 

[root@dhcp-126 ~]# rpm -q mod_nss
mod_nss-1.0.3-6.el5
[root@dhcp-126 ~]# rpm -q httpd
httpd-2.2.3-22.el5


marking bug VERIFIED
Comment 15 Joe Orton 2008-12-02 04:09:39 EST
There were mod_proxy bugs in -19, yup.
Comment 17 bszoko 2008-12-17 10:26:34 EST
Anyone know where I can find the 2.2.3-22 build?
Thanks
Comment 18 Joe Orton 2008-12-18 07:16:09 EST
(In reply to comment #17)
> Anyone know where I can find the 2.2.3-22 build?
> Thanks

There are packages up at:

http://people.redhat.com/jorton/Tikanga-httpd/
Comment 19 errata-xmlrpc 2009-01-20 15:34:55 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0075.html
Comment 20 bszoko 2009-01-20 17:34:12 EST
Greetings,
   Thank you for your update.
I created a ticket on our specific issue with mod_nss and mod_proxy.

Service Request: 1881684 - [SEG] mod_nss fails with reverse proxy, mod_proxy

This is the last comment in the above Request:

12-JAN-2009 13:55:29 	Yates, Matthew T
SEG has created a bugzilla for this issue and has aligned it with RHEL 5.4.

The upstream patch was only against httpd 2.0 and with the extensive changes especially in the proxy code since 2.2 and the refactoring to allow for persistent proxy connections it is unclear how the previous change would now be implemented.  So they are continuing to look into this and I will keep you updated.

Regards,
Matthew 


The ERRATA states the rpm from July is the functioning version.
This is the version we have in place and it fails to function.
Also I built the 5.3 beta with the httpd build listed above and the identical error is created there as well.
Please feel free to view the request.
Uncertain if my issue is directly related to this bug.

My organization will be requesting a fix for version RHEL 5.2.

Thanks

Note You need to log in before you can comment on or make changes to this bug.