
potential TLSv1.3 rproxy issue with openssl 1.1.1 and httpd 2.4.37?

Hey everyone,

   I have an apache http server (version 2.4.37) that is using SSL (version 1.1.1) to communicate to an F5 back-end through mod_proxy and mod_proxy_http.  

   The server is configured with an SSLProxyProtocol string that allows for TLSv1.3, and I am seeing an error that looks like the following:

[Thu Nov 01 20:00:27.687919 2018] [ssl:info] [pid 86604:tid 47699324180224] [remote PRIVATEIPREDACTED:443] AH01964: Connection to child 0 established (server PRIVATEDNSNAMEREDACTED:443)
[Thu Nov 01 20:00:27.687937 2018] [ssl:trace2] [pid 86604:tid 47699324180224] ssl_engine_rand.c(126): Proxy: Seeding PRNG with 144 bytes of entropy
[Thu Nov 01 20:00:27.687999 2018] [ssl:trace4] [pid 86604:tid 47699324180224] ssl_engine_io.c(1667): [remote PRIVATEIPREDACTED:443] coalesce: have 0 bytes, adding 675 more
[Thu Nov 01 20:00:27.688005 2018] [ssl:trace4] [pid 86604:tid 47699324180224] ssl_engine_io.c(1727): [remote PRIVATEIPREDACTED:443] coalesce: passing on 675 bytes
[Thu Nov 01 20:00:27.688009 2018] [ssl:trace3] [pid 86604:tid 47699324180224] ssl_engine_io.c(1239): [remote PRIVATEIPREDACTED:443] SNI extension for SSL Proxy request set to 'PRIVATEDNSNAMEREDACTED'
[Thu Nov 01 20:00:27.688014 2018] [ssl:trace3] [pid 86604:tid 47699324180224] ssl_engine_kernel.c(2191): [remote PRIVATEIPREDACTED:443] OpenSSL: Handshake: start
[Thu Nov 01 20:00:27.688043 2018] [ssl:trace3] [pid 86604:tid 47699324180224] ssl_engine_kernel.c(2200): [remote PRIVATEIPREDACTED:443] OpenSSL: Loop: before SSL initialization
[Thu Nov 01 20:00:27.688293 2018] [ssl:trace4] [pid 86604:tid 47699324180224] ssl_engine_io.c(2220): [remote PRIVATEIPREDACTED:443] OpenSSL: write 7/7 bytes to BIO#2b61fc008b80 [mem: 2b61fc027750] (BIO dump follows)
[Thu Nov 01 20:00:27.688299 2018] [ssl:trace7] [pid 86604:tid 47699324180224] ssl_engine_io.c(2143): [remote PRIVATEIPREDACTED:443] +-------------------------------------------------------------------------+
[Thu Nov 01 20:00:27.688302 2018] [ssl:trace7] [pid 86604:tid 47699324180224] ssl_engine_io.c(2181): [remote PRIVATEIPREDACTED:443] | 0000: 15 03 01 00 02 02 50                             ......P          |
[Thu Nov 01 20:00:27.688304 2018] [ssl:trace7] [pid 86604:tid 47699324180224] ssl_engine_io.c(2187): [remote PRIVATEIPREDACTED:443] +-------------------------------------------------------------------------+
[Thu Nov 01 20:00:27.688307 2018] [ssl:trace3] [pid 86604:tid 47699324180224] ssl_engine_kernel.c(22PRIVATEIPREDACTED[remote PRIVATEIPREDACTED:443] OpenSSL: Write: error
[Thu Nov 01 20:00:27.688311 2018] [ssl:trace3] [pid 86604:tid 47699324180224] ssl_engine_kernel.c(2229): [remote PRIVATEIPREDACTED:443] OpenSSL: Exit: error in error
[Thu Nov 01 20:00:27.688313 2018] [ssl:info] [pid 86604:tid 47699324180224] [remote PRIVATEIPREDACTED:443] AH02003: SSL Proxy connect failed
[Thu Nov 01 20:00:27.688335 2018] [ssl:info] [pid 86604:tid 47699324180224] SSL Library Error: error:14228044:SSL routines:construct_ca_names:internal error
[Thu Nov 01 20:00:27.688338 2018] [ssl:info] [pid 86604:tid 47699324180224] [remote PRIVATEIPREDACTED:443] AH01998: Connection closed to child 0 with abortive shutdown (server PRIVATEDNSNAMEREDACTED:443)
[Thu Nov 01 20:00:27.688353 2018] [ssl:info] [pid 86604:tid 47699324180224] [remote PRIVATEIPREDACTED:443] AH01997: SSL handshake failed: sending 502
[Thu Nov 01 20:00:27.688366 2018] [proxy_http:error] [pid 86604:tid 47699324180224] (PRIVATEIPREDACTED software caused connection abort: [client PRIVATEIPREDACTED:60171] AH01PRIVATEIPREDACTED error reading status line from remote server PRIVATEDNSNAMEREDACTED:443

   This is causing the back-end connection to fail.

   Narrowing the scope of the SSLProxyProtocol string to not allow for TLS 1.3 relieves the issue and allows proper communication to occur.

   Can anyone else confirm the issue?  If so, is there a bug report yet or would you like me to make one?

   If this is an issue with the release, I would mention that we also saw a different issue we had to patch ourselves in the Apache HTTP Server proxy SSL code between the releases of 2.4.29 and 2.4.33 (there were security fixes in this release, so not upgrading wasn't a great option); perhaps there could be some additional automated testing for the use case of an SSL-enabled proxy? Unless, of course, we find I am doing something stupid, at which point disregard that suggestion.

Dan Oliver
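The seven bytes in the BIO dump above are a complete TLS record, and decoding them ties the trace7 output to the library error logged two lines later. The script below is an added example written for this page; it is not code from the original message, from httpd or from OpenSSL. Its SAMPLE_LOG is constructed from three of the posted log lines, and its regular expressions assume mod_ssl's "| 0000: xx xx ..." dump-row layout and its "SSL Library Error: error:<code>:<lib>:<function>:<reason>" line as they appear above. It recovers the hex bytes from the dump rows, parses the record header (content type 0x15 = alert, legacy record version 3.1, length 2) and the alert body (level 2 = fatal, description 80 = internal_error per RFC 5246 / RFC 8446). internal_error is the alert OpenSSL emits when the failure is inside its own state machine rather than in anything the peer sent, which matches construct_ca_names failing; in this trace it is also the first and only record httpd writes to the backend before AH02003.

```python
"""Decode the TLS record that mod_ssl dumps at trace7 when a proxy handshake fails.

Added example; not part of the original message, httpd or OpenSSL.
Input: mod_ssl log text containing "| 0000: xx xx ..." BIO dump rows.
Output: one line per TLS record, with alert level/description resolved.
"""
import re

# Alert descriptions from RFC 5246 s7.2 and RFC 8446 s6; unknown codes are
# reported numerically rather than guessed.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled",
    100: "no_renegotiation", 109: "missing_extension",
    110: "unsupported_extension", 112: "unrecognized_name",
    113: "bad_certificate_status_response", 115: "unknown_psk_identity",
    116: "certificate_required", 120: "no_application_protocol",
}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# mod_ssl's BIO dump row: "| 0000: 15 03 01 ..." followed, after at least two
# spaces, by an ASCII column. Assumed format: bytes separated by a space, or
# by '-' after the eighth byte; the ASCII column never touches the hex chain.
DUMP_ROW = re.compile(r"\|\s*([0-9a-fA-F]{4}):((?:[ -][0-9a-fA-F]{2})+)")
# mod_ssl's "SSL Library Error: error:<code>:<lib>:<function>:<reason>" line.
SSL_LIB_ERR = re.compile(
    r"SSL Library Error: error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.*)")

# Constructed sample: the three log lines from the post that matter here,
# with pid/tid and timestamps dropped.
SAMPLE_LOG = """\
[ssl:trace4] [remote PRIVATEIPREDACTED:443] OpenSSL: write 7/7 bytes to BIO#2b61fc008b80 [mem: 2b61fc027750] (BIO dump follows)
[ssl:trace7] [remote PRIVATEIPREDACTED:443] | 0000: 15 03 01 00 02 02 50                             ......P          |
[ssl:info] SSL Library Error: error:14228044:SSL routines:construct_ca_names:internal error
"""


def bio_dump_bytes(log_text):
    """Recover the raw bytes from every BIO dump row, in log order."""
    data = bytearray()
    for row in DUMP_ROW.finditer(log_text):
        data.extend(bytes.fromhex(re.sub(r"[ -]", "", row.group(2))))
    return bytes(data)


def parse_records(data):
    """Split bytes into TLS records as (content_type, (major, minor), payload).

    A truncated record raises instead of being decoded as a partial dump.
    """
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype = data[pos]
        version = (data[pos + 1], data[pos + 2])
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) < length:
            raise ValueError(f"record at offset {pos} truncated: header says "
                             f"{length} bytes, {len(payload)} present")
        records.append((ctype, version, payload))
        pos += 5 + length
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} trailing bytes after last record")
    return records


def describe_alert(payload):
    """Return (level_name, description_name, description_code) for an alert body."""
    if len(payload) != 2:
        raise ValueError(f"alert body must be 2 bytes, got {len(payload)}")
    level = {1: "warning", 2: "fatal"}.get(payload[0], f"level({payload[0]})")
    return level, ALERT_DESCRIPTIONS.get(payload[1], f"unknown({payload[1]})"), payload[1]


def explain_dump(log_text):
    """One readable line per TLS record found in the dump rows of log_text."""
    lines = []
    for ctype, (major, minor), payload in parse_records(bio_dump_bytes(log_text)):
        name = CONTENT_TYPES.get(ctype, f"type({ctype})")
        ver = f"{major}.{minor}"  # record-layer legacy version, not the negotiated one
        if ctype == 21:
            level, desc, code = describe_alert(payload)
            lines.append(f"{name} record (legacy version {ver}): {level} {desc} ({code})")
        else:
            lines.append(f"{name} record (legacy version {ver}): {len(payload)} byte payload")
    return lines


def library_errors(log_text):
    """(code, function, reason) for each OpenSSL error line mod_ssl logged."""
    return [(m.group(1), m.group(3), m.group(4).strip())
            for m in SSL_LIB_ERR.finditer(log_text)]


if __name__ == "__main__":
    for line in explain_dump(SAMPLE_LOG):
        print(line)
    for code, func, reason in library_errors(SAMPLE_LOG):
        print(f"OpenSSL error {code} in {func}: {reason}")
```

Run as-is it prints the decoded alert and the (code, function, reason) tuple from the library error line; pointed at a larger LogLevel ssl:trace7 excerpt it walks every record in the dump rows, and it refuses a truncated record rather than silently decoding part of one.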