Description of problem:
mod_ssl is having a timeout issue; update httpd server to current version 2.2.11.
Version-Release number of selected component (if applicable):
2.2.3
How reproducible:
We are seeing a timeout error in the Apache debug log.
[Mon Feb 09 10:25:19 2009] [info] [client 12.38.132.137] (70007)The timeout specified has expired: SSL input filter read failed.
[Mon Feb 09 10:25:19 2009] [info] [client 12.38.132.137] (70007)The timeout specified has expired: SSL input filter read failed.
[Mon Feb 09 10:25:19 2009] [info] [client 12.38.132.137] (70007)The timeout specified has expired: SSL input filter read failed.
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
According to the Apache changelog, this has been fixed between version 2.2.3 and version 2.2.9. Especially in the version 2.2.8 release, Apache has addressed many mod_ssl related issues. Please update the httpd package to the current version. Thanks in advance.
Thanks for the report. Can you: 1) attach the complete mod_ssl configuration you are using (/etc/httpd/conf.d/ssl.conf), and 2) explain what effect these errors are having on your site, and how they are reproducible. This error message can legitimately occur when, for example, a user hits "abort" in a browser, or a connection times out. I'm not aware of any fixes to the mod_ssl I/O filters in 2.2.x which would be relevant to this type of error message.
1) I am attaching mod_ssl.conf with this ticket.
2) I am using mod_auth_cas to authenticate to the wind server (the wind server is based on CAS: http://www.columbia.edu/acis/rad/authmethods/wind/ ). While mod_auth_cas tries to authenticate, we get the above-mentioned error message. At this point, if I hit the url again I will get to the url and I will not have any issue for 30 minutes. Even if I clear cache and cookies I will still get through. After 30 minutes I will see the problem again. I will give you a run-through of my entire setup.
a) http://example.com ----> https://example.com/nagios/index.html; at this point mod_auth_cas takes over and sends the request to the wind login url.
b) https://wind_server/login; upon the user entering login information, the cas server redirects to the destination uri with a ticket.
c) mod_auth_cas redirects to the wind server validation url https://wind_server/validate.
d) At this point the wind server responds with yes or no.
e) If mod_auth_cas receives a "yes" response then it allows the user to go to the destination url.
Every 30 minutes, while processing steps "d" and "e", we are seeing the timeout error message. Please let me know if you need additional information.
Created attachment 331431: mod_ssl configuration
What problem is being seen by the browser/clients trying to use the server? You say: "While mod_auth_cas try to authenticate we get the above mentioned error message." Is this process taking place whilst the active SSL connection to the browser is left open, but inactive? The mod_ssl error indicates that a timeout occurred whilst reading from the browser. The default timeout is 120 seconds. Have you tried increasing that? Have you enabled KeepAlive in the main httpd configuration?
1) Browser sees the following error.
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Apache/2.2.3 Server at nagios.cc.columbia.edu Port 443
2) Keep Alive is On and timeout set to 300 seconds.
Created attachment 332431: apache configuration
Created attachment 332432: ssl error log
Adding ssl error log
So, all that's been demonstrated here is that mod_auth_cas is intermittently giving authentication errors. Why do you think that there is a mod_ssl or httpd bug here? The timeouts being logged may well be irrelevant.
Reading many mailing threads seems to suggest that the Apache Software Foundation has addressed this issue somewhere between 2.2.3 and 2.2.9. I am attaching a link to the Apache Software Foundation ticket: https://issues.apache.org/bugzilla/show_bug.cgi?id=31759 Also, here is a link to the complete changelog for Apache 2.2. If we look through the changelog we will see that many mod_ssl related issues have been addressed in release version 2.2.8: https://issues.apache.org/bugzilla/show_bug.cgi?id=31759
There are no mod_ssl fixes in 2.2.8. Upstream PR 31759 could not cause spurious 401 errors to be sent to the client, which is the symptom described here. I think it would be best if you contact Red Hat support to try to work through this issue: https://www.redhat.com/apps/support/
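One way to check whether the logged mod_ssl timeouts actually coincide with the 401 responses is to correlate the error log with the access log per client. This is an added example, not part of any comment in this report; the common-log-format access log, the sample log lines, the 60-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not the reporter's data); 192.0.2.x are documentation addresses.
ERROR_LOG = """\
[Mon Feb 09 10:25:19 2009] [info] [client 192.0.2.10] (70007)The timeout specified has expired: SSL input filter read failed.
[Mon Feb 09 10:55:40 2009] [info] [client 192.0.2.10] (70007)The timeout specified has expired: SSL input filter read failed.
[Mon Feb 09 11:02:00 2009] [info] [client 192.0.2.77] (70007)The timeout specified has expired: SSL input filter read failed.
"""
ACCESS_LOG = """\
192.0.2.10 - - [09/Feb/2009:10:25:21 -0500] "GET /nagios/index.html HTTP/1.1" 401 478
192.0.2.10 - - [09/Feb/2009:10:40:00 -0500] "GET /nagios/index.html HTTP/1.1" 200 5120
192.0.2.10 - - [09/Feb/2009:10:58:30 -0500] "GET /nagios/index.html HTTP/1.1" 401 478
"""

ERR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[info\] \[client (?P<ip>[^\]]+)\] "
                    r"\(70007\).*SSL input filter read failed")
ACC_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def parse_timeouts(text):
    """Return (client_ip, time) for each mod_ssl read-timeout line in an error log."""
    hits = []
    for line in text.splitlines():
        m = ERR_RE.match(line)
        if m:
            hits.append((m["ip"], datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")))
    return hits

def parse_401s(text):
    """Return (client_ip, time) for each 401 response in a common-format access log."""
    hits = []
    for line in text.splitlines():
        m = ACC_RE.match(line)
        if m and m["status"] == "401":
            # Assumption: both logs use the server's local time, so the offset is dropped.
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            hits.append((m["ip"], ts))
    return hits

def correlate(error_text, access_text, window=timedelta(seconds=60)):
    """Split 401s into those with and without a same-client timeout inside the window."""
    timeouts = parse_timeouts(error_text)
    matched, unmatched = [], []
    for ip, when in parse_401s(access_text):
        near = any(t_ip == ip and abs(when - t_ts) <= window for t_ip, t_ts in timeouts)
        (matched if near else unmatched).append((ip, when))
    return matched, unmatched

if __name__ == "__main__":
    matched, unmatched = correlate(ERROR_LOG, ACCESS_LOG)
    print(f"401s near a timeout: {len(matched)}, 401s with no timeout nearby: {len(unmatched)}")
```

A large share of 401s with no timeout nearby supports treating the timeout entries as unrelated noise; a consistent match points back at the SSL connection handling.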