J.Lance Wilkinson | 1 Dec 2010 05:37

Apache HTTPD 2.2.6 + mod_ssl 2.2.6 -- odd error...

My organization recently switched its SSL Certificate vendor and the new
supplier (COMODO) insists (reasonably) that we use 2048-bit Private and Public 
keys.

So I take a running Apache installation, HTTPD v2.2.6, with mod_ssl v2.2.6 and
openssl v0.9.8g running on Solaris 10, currently using a Thawte certificate, 
and upgrade it for the new vendor's certificates.

I implement the new certificates, reboot httpd, and both aspects where the new 
certificate is used in the server (mod_ssl and an additional module, mod_cosign 
from http://weblogin.org) seem to be working properly.  That is, mod_cosign 
works as expected providing single signon features, and mod_ssl appears to be 
encrypting properly.  Short of sniffing the wire to verify the data between 
browser and server, the little padlock icons are proudly displayed by the 
browser and page info displays confirm security by the vendor expected, dates 
expected, etc.

But my httpd log files present an unexpected error each and every time a
browser visits an SSL encrypted page (2 examples cited):

User interface error
unable to load Private Key
22188:error:0906A068:PEM routines:PEM_do_header:bad password read:/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401:

User interface error
unable to load Private Key
22439:error:0906A068:PEM routines:PEM_do_header:bad password read:/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401:


Sander Temme | 1 Dec 2010 07:26

Re: Apache HTTPD 2.2.6 + mod_ssl 2.2.6 -- odd error...


On Nov 30, 2010, at 8:37 PM, J.Lance Wilkinson wrote:

> But my httpd log files present an unexpected error each and every time a
> browser visits an SSL encrypted page (2 examples cited):

So there is no discernible negative impact on the client?

> User interface error
> unable to load Private Key
> 22439:error:0906A068:PEM routines:PEM_do_header:bad password
> read:/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401:
> 
> Any idea what these might be?

It's hard to guess what's going on here without a backtrace.  A cursory glance at the OpenSSL source suggests
that things FAIL when this error is triggered, so successful SSL connections seem unlikely under those
circumstances.  I would not be surprised if this should cause your server to fail to start.  

So the fact that it doesn't happen when the server starts (which is when we read the SSL private keys and
certificates from disk), and does not cause the connections to the browser to fail, suggests that this
does not have anything to do with mod_ssl.  

What other modules do you have that might be reading a private key from a PEM blob on every request?  

> I have already verified that the private key file is NOT password protected. I've also seen notations on
> both sites for Apache and mod_ssl:
> 
>        "Why does my 2048-bit private key not work?"
>        http://www.modssl.org/docs/2.8/ssl_faq.html
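
As an added example (not code from either poster), a small Python triage helper for the two things Sander's reply points at: decoding the fields of the OpenSSL error line quoted above, and checking whether a PEM key file actually carries the encryption header that makes PEM_do_header ask for a password. The log line and the PEM fragments are constructed samples; the PEM bodies are placeholders, not key material.

```python
import re

# OpenSSL error lines: "pid:error:CODE:library:function:reason:file:line:"
ERR_RE = re.compile(
    r"(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

# Constructed sample: the post's wrapped log line rejoined onto one line.
SAMPLE_LOG = (
    "22188:error:0906A068:PEM routines:PEM_do_header:bad password read:"
    "/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401:"
)
# Constructed PEM fragments; the bodies are placeholders, not key material.
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIEplaceholder\n"
    "-----END RSA PRIVATE KEY-----\n"
)

def parse_openssl_error(text):
    """Split an OpenSSL error line into fields and unpack the 8-hex-digit code
    (ERR_PACK layout: top byte library, next 12 bits function, low 12 bits reason)."""
    m = ERR_RE.search(text)
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {
        "pid": int(m.group("pid")),
        "library": m.group("lib"),
        "function": m.group("func"),
        "reason": m.group("reason"),
        "source": "%s:%s" % (m.group("file"), m.group("line")),
        "lib_num": code >> 24,             # 9 is ERR_LIB_PEM
        "func_num": (code >> 12) & 0xFFF,
        "reason_num": code & 0xFFF,
    }

def pem_key_is_encrypted(pem_text):
    """True if the key needs a passphrase: a legacy "Proc-Type: 4,ENCRYPTED"
    header in a PKCS#1 block, or a PKCS#8 "ENCRYPTED PRIVATE KEY" block.
    PEM_do_header only asks for (and can fail to read) a password when it sees
    the former, so a plain SSLCertificateKeyFile points at another caller."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return True
    return re.search(r"^Proc-Type:\s*4,ENCRYPTED", pem_text, re.M) is not None
```

Run `parse_openssl_error` over each error line in the httpd log and `pem_key_is_encrypted` over every key file any module is configured to load; a non-encrypted key paired with this error means the failing PEM read is coming from somewhere other than that file.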

King Holger (CI/AFP2 | 1 Dec 2010 08:12

"mod_proxy" | bundling | timeout | connection losses

Hi Apache2 professionals,

we identified the following problem when using "mod_proxy_ajp" in combination with a balancer
configuration (see detailed configuration below):
- multiple HTTP requests seem to use the SAME AJP "CHANNEL"
- when just ONE request exceeds the configured "ProxySet timeout" (see detailed config below),
the following error is displayed in the central Apache2 error log (exactly the timeout
interval after the long running request):
  [Mon Nov 29 17:17:11 2010] [error] (70007)The timeout specified has expired: ajp_ilink_receive() can't receive header
- when this log entry occurs, all connections running over the above AJP channel are cut - including
connections that run much shorter than the timeout interval specified. Possibly, Apache2
assumes the Apache Tomcat instance is not reachable anymore and switches from one Tomcat server to the other.
- all clients running over this AJP connection are lost and lose the connection to the server

Here is the long running request (duration is specified in microseconds):
10.35.32.123 - - [29/Nov/2010:17:12:11 +0100] "POST /xxx/Dispatcher HTTP/1.1" 500 538 "<request url>" "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729)" "JSESSIONID=80AC6DFF149E802C3AA8735996CE7AA0.rb-wcmstc1; "80AC6DFF149E802C3AA8735996CE7AA0.rb-wcmstc1" "-" 300456752

Here is the configuration snippet - including the timeout interval:
<Proxy balancer://fs4server>
    BalancerMember ajp://rb-wcmstc1.xx.xxxxx.xxx:8009 loadfactor=100 retry=10 route=rb-wcmstc1
    BalancerMember ajp://rb-wcmstc2.xx.xxxxx.xxx:8009 loadfactor=100 retry=10 route=rb-wcmstc2

    ProxySet stickysession=JSESSIONID|jsessionid
    ProxySet lbmethod=byrequests
    ProxySet scolonpathdelim=On

daytan379@tiscali.it | 1 Dec 2010 09:59

Apache 2.0 reverse proxy

I installed
Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7d DAV/2 on a
Solaris platform.

I want to configure my Apache as a reverse proxy.
I want to configure my reverse proxy as an https site. But to reach that
site, https must go through an http proxy.
I have configured

On 
SSLProxyEngine
ServerName myserver
ProxyPass / https://test:443/

ProxyPassReverse / https://test:443/
SSLProxyCACertificateFile # / etc 
/ apache / ssl.crt / cacerts.crt
* ProxyRemote http://10.10.10.10.:8080

But when I try to connect I receive in the Error log
[Wed Dec 01 09:51:40 2010] [notice] Digest: generating secret for digest authentication ...

[Wed Dec 01 09:51:40 2010] [notice] Digest: done
[Wed Dec 01 09:51:40 2010] [notice] Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7d DAV/2 configured -- resuming normal operations
[Wed Dec 01 09:51:52 2010] [error] (20014)Error string not specified yet: proxy: pass request body 

William A. Rowe Jr. | 1 Dec 2010 10:05

Re: CLOSE_WAIT management with apache2 and mod_python

On 11/25/2010 9:33 AM, Damiano Barboni wrote:
> 
> Since the resources utilization is high, I would like to manage the
> CLOSE_WAIT status and I would like to force the server process to end.

Ending the server process will have ENOEFFECT.  The network socket stack
in the OS entirely owns the CLOSE_WAIT socket to satisfy the configured
MTU, which you can muck with in your kernel/sockets configuration.

That isn't actually an httpd question at all.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe <at> httpd.apache.org
   "   from the digest: users-digest-unsubscribe <at> httpd.apache.org
For additional commands, e-mail: users-help <at> httpd.apache.org

William A. Rowe Jr. | 1 Dec 2010 10:08

Re: Call for translation

On 11/26/2010 3:50 PM, Rich Bowen wrote:
> 
> If you are able to translate into any language, please let us know. Either respond to this
> note, or, better yet, join the docs <at> httpd.apache.org mailing list (send a note to
> docs-subscribe <at> httpd.apache.org) and join the conversation there. You don't need to know
> how to program in C, and you don't even need to know how to use svn, or write HTML or XML,
> although these things are helpful, and if you participate for very long, you're sure to
> learn.

If you have extremely limited time, you can still participate by reviewing the
translations submitted by others.  Due to some prior total failures of seeking
review, even the "It Worked!" page in one language was meaningless drivel.

So please subscribe as Rich indicates and raise your hand when a translation is
offered in one of your primary languages which you would be willing to review.


Ben Short | 1 Dec 2010 11:04

Remove cookie from request

Hi,

Is it possible to remove a cookie from an incoming request before the
request is passed to a mod jk handler?

Regards

Ben Short


Igor Galić | 1 Dec 2010 13:01

Re: Remove cookie from request


----- "Ben Short" <ben <at> benshort.co.uk> wrote:

> Hi,
> 
> Is it possible to remove a cookie from an incoming request before the
> request is passed to a mod jk handler?

RequestHeader unset Cookie
Header unset Set-Cookie

See also:
http://httpd.apache.org/docs/current/mod/mod_headers.html#order
http://httpd.apache.org/docs/current/mod/mod_headers.html#early

> Regards
> 
> Ben Short

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic <at> brainsware.org
URL: http://brainsware.org/


pass request body failed

Hi,

We use Apache 2.2.16 as a reverse proxy on both UNIX and Windows environment (by use of mod_proxy). In both environments, we have trouble when uploading big files (size 10 MB, upload time from client to proxy approx. 40 sec.) to the proxied backend application in Internet. We already figured out that the problem only occurs when the upload time from client to proxy is long enough (i.e. if we upload the same file from Intranet, it takes only 10 sec. and then it works properly) and when the file is big enough (for 1 MB files it works properly). Furthermore, if we bypass the proxy and upload the same file directly to the backend application, it works properly also.

The Apache error log tells us the following:

APR does not understand this error code: proxy: pass request body failed to 127.0.0.1:50000 (localhost)

This message is clearly understandable; my question now is, how can we analyze what's going wrong here? Obviously, we're facing some kind of miscommunication between the proxy and the backend application. Are there any timing/sizing parameters we can change?

Thanks in advance for your good ideas!

Elmar

Igor Galić | 1 Dec 2010 13:14

Re: Apache 2.0 reverse proxy


----- daytan379 <at> tiscali.it wrote:

> I installed
> Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7d DAV/2 on a
> Solaris platform.
> 
> I want to configure my Apache as a reverse proxy.
> I want to configure my reverse proxy as an https site. But to reach that
> site, https must go through an http proxy.

This doesn't make *any* sense (to me).

> I have configured
> 
> On 
> SSLProxyEngine
> ServerName myserver
> ProxyPass / https://test:443/
> 
> ProxyPassReverse / https://test:443/

What 

> SSLProxyCACertificateFile # / etc 

is 

> / apache / ssl.crt / cacerts.crt

This?

> * ProxyRemote http://10.10.10.10.:8080

It looks broken, one way or the other. Please paste your
*real* configuration.
The only thing that I can read from it is that:
ProxyRemote takes two arguments, hence the error.

You shouldn't need ProxyRemote at all in your configuration.

Or am I misunderstanding your set-up?

 
> But when I try to connect I receive in the Error log
> [Wed Dec 01 09:51:40 2010] [notice] Digest: generating secret for digest authentication ...
> 
> [Wed Dec 01 09:51:40 2010] [notice] Digest: done
> [Wed Dec 01 09:51:40 2010] [notice] Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7d DAV/2 configured -- resuming normal operations
> [Wed Dec 01 09:51:52 2010] [error] (20014)Error string not specified yet: proxy: pass request body failed to 10.10.10.10:8080 (10.10.10.10)
> [Wed Dec 01 09:51:52 2010] [error] (20014)Error string not specified yet: proxy: pass request body failed to 10.10.10.10:8080 (10.10.10.10) from 10.10.13.11 ()
> 
> Any ideas?
> Thanks
> Giovanni

So long,
i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic <at> brainsware.org
URL: http://brainsware.org/
