We have an RHEL5 load balancer which balances apache httpd traffic between 3 backend servers (via the <Proxy balancer://balancername> and ProxyPass / balancer://balancername/ directives). This has package versions httpd-2.2.3-43.el5_5.3 and openssl-0.9.8e-12.el5_5.7.

This works well for most of the time, but it occasionally reports a lot of errors like the following:

[Thu Mar 17 08:31:47 2011] [error] (502)Unknown error 502: proxy: pass request body failed to 1.2.3.4:443 (1.2.3.4)
[Thu Mar 17 08:31:47 2011] [error] proxy: pass request body failed to 1.2.3.4:443 (1.2.3.4) from 5.6.7.8 ()

Sometimes it gets better by itself, in other cases the service continues to return such errors until we restart it.

With more logging turned on on a test server this looks like:

[Thu Mar 17 19:36:39 2011] [info] [client 1.2.3.4] SSL Proxy connect failed
[Thu Mar 17 19:36:39 2011] [info] SSL Library Error: 336142597 error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned
[Thu Mar 17 19:36:39 2011] [info] [client 1.2.3.4] Connection closed to child 0 with abortive shutdown (server 5.6.7.8:443)
[Thu Mar 17 19:36:39 2011] [error] (502)Unknown error 502: proxy: pass request body failed to 1.2.3.4:443 (1.2.3.4)
[Thu Mar 17 19:36:39 2011] [error] proxy: pass request body failed to 1.2.3.4:443 (1.2.3.4) from 5.6.7.8 ()
[Thu Mar 17 19:36:39 2011] [info] [client 5.6.7.8] Connection closed to child 14 with standard shutdown (server 5.6.7.8:443)

I think I am seeing openssl bug 1795 (eg. see http://marc.info/?t=122788276300003&r=1&w=2 ). This is fixed in later versions of openssl (the cvs commit is http://cvs.openssl.org/chngview?cn=17992 ). Could this fix be backported to the RHEL5 package please? The bug may also be in the RHEL6 openssl098e package.
Hello guys, is there a way to reproduce this bug other than trying to simulate the reported environment where it occurred? Could you please provide some steps to reproduce this bug and verify the potential patch other than code review? Thanks
Unfortunately I do not have any reproducer - it would have to be a multithreaded SSL client application that tries to connect to the server simultaneously with multiple threads.
My test system was apache running as an https load balancer in front of two apache https backends. I loaded the system by running 20-30 jobs which were repeatedly doing a wget (set to discard the page after retrieving it). The backends were running Blackboard software behind apache but as I was only ever fetching the front page that probably doesn't matter. When I was testing I got it to show these 502 outbursts 3 times that day. I then ran it over the weekend with the patch applied (but without the Blackboard software as I had broken it by filling up the database with log entries) without any further failures. We have also been running the patched openssl on our live system for a week now and not seen any repeat of these 502 outbursts.
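The load test just described, and the error_log lines quoted in the first comment, as an added example that is not part of the bug report and not code from the httpd or openssl projects: a POSIX shell harness that (a) drives a test balancer with N parallel wget loops that fetch one page and discard it, the way the reporter did, and (b) counts the proxy 502 and "wrong cipher returned" lines in an httpd error_log and groups the 502s per minute, so a short outburst stands out from a steady trickle. The URL, job count, duration and log path are assumptions, and the sample log at the bottom is constructed from the message formats quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumed names: the URL, the
# job count, the run duration and /var/log/httpd/error_log are placeholders.

# Count proxy 502 "pass request body failed" lines in an httpd error_log.
# Both forms quoted in the report contain this substring.
# Usage: count_proxy_502 /path/to/error_log
count_proxy_502() {
    grep -c 'proxy: pass request body failed' "$1" || true
}

# Count the SSL library error that preceded the 502s in the report.
count_ssl_wrong_cipher() {
    grep -c 'SSL3_GET_SERVER_HELLO:wrong cipher returned' "$1" || true
}

# Group the 502 lines per minute. The timestamp "[Thu Mar 17 19:36:39 2011]"
# is trimmed to "Thu Mar 17 19:36"; uniq -c prints "<count> <minute>".
outbursts_per_minute() {
    grep 'proxy: pass request body failed' "$1" \
      | sed 's/^\[\([^]]*\):[0-9][0-9] [0-9]*\].*/\1/' \
      | sort | uniq -c
}

# Drive the balancer the way the report did: JOBS background loops, each
# repeatedly fetching URL and discarding the body, for DURATION seconds.
# Usage: run_load https://balancer.example.test/ 20 600
run_load() {
    url=$1; jobs=$2; duration=$3
    i=0
    while [ "$i" -lt "$jobs" ]; do
        (
            end=$(( $(date +%s) + duration ))
            while [ "$(date +%s)" -lt "$end" ]; do
                # -O /dev/null discards the page after retrieving it.
                wget -q -O /dev/null "$url" || true
            done
        ) &
        i=$((i + 1))
    done
    wait
}

# Constructed sample log (not taken from the reporter's system) so the
# counting functions can be exercised offline.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Thu Mar 17 19:36:39 2011] [info] [client 1.2.3.4] SSL Proxy connect failed
[Thu Mar 17 19:36:39 2011] [info] SSL Library Error: 336142597 error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned
[Thu Mar 17 19:36:39 2011] [error] (502)Unknown error 502: proxy: pass request body failed to 1.2.3.4:443 (1.2.3.4)
[Thu Mar 17 19:36:39 2011] [error] proxy: pass request body failed to 1.2.3.4:443 (1.2.3.4) from 5.6.7.8 ()
[Thu Mar 17 19:37:02 2011] [error] proxy: pass request body failed to 1.2.3.4:443 (1.2.3.4) from 5.6.7.8 ()
[Thu Mar 17 19:40:10 2011] [notice] caught SIGTERM, shutting down
EOF

# "load URL JOBS SECONDS" runs the load generator against a test system;
# "scan LOGFILE" summarises a real error_log; no arguments scans the sample.
case "${1:-}" in
    load) run_load "${2:-https://balancer.example.test/}" "${3:-20}" "${4:-600}" ;;
    scan) outbursts_per_minute "${2:-/var/log/httpd/error_log}" ;;
    *)    outbursts_per_minute "$SAMPLE_LOG" ;;
esac
```

Run the scan against the test balancer's error_log while the load loops are going; a minute with a cluster of 502s that coincides with "SSL Proxy connect failed" and "wrong cipher returned" info lines is the pattern the report describes, and its absence over a long run is the check the reporter used to judge the patched package.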
It looks like I forgot to mention that the httpd load balancers were using the worker MPM, though I don't know if that is significant.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1010.html