Apache Lounge Forum -> Apache
Topic: AH00898: Error during SSL Handshake with remote server
parivesh



Joined: 05 Jul 2019
Posts: 4
Location: India

Posted: Fri 05 Jul '19 11:00    Post subject: AH00898: Error during SSL Handshake with remote server

Hi, I upgraded Apache from 2.2 to 2.4.39. I am getting the below error:
[pid 1440:tid 420] AH00354: Child: Starting 64 worker threads.
[proxy:error] [pid 1440:tid 1100] (20014)Internal error (specific information not available): [client AH01084: pass request body failed to [::1]:8443 (mysite.com), referer: https://mysite2.com%2F
[proxy:error] [pid 1440:tid 1100] [client 10.10.10.10:56316] AH00898: Error during SSL Handshake with remote server returned by /, referer:

Code:

SSLEngine on
SSLProxyEngine On

SSLCertificateFile "C:/Program Files (x86)/Apache Software Foundation/mykey.crt"
SSLCertificateKeyFile "C:/Program Files (x86)/Apache Software Foundation/mykeyfile.key"
SSLProtocol all +TLSv1 +TLSv1.3

SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

ProxyRequests off
ProxyPass / "https://mysite.com:8443//abc/"
ProxyPassReverse / "https://mysite.com:8443//abc/"

Also I am not able to include https-ssl.conf; if I include it, the service does not start.
mraddi



Joined: 27 Jun 2016
Posts: 100
Location: Schömberg, Baden-Württemberg, Germany

Posted: Wed 10 Jul '19 22:29

Hello,

what is the information you see if you run "httpd.exe -t" (= test your Apache's config) and "httpd.exe -S" (display interesting settings including vhosts) WITH included https-ssl.conf?

In addition I'm not sure what you want to achieve. Do you want to have your Apache running on port 443 and proxying all requests to another webserver running on https://mysite.com:8443/abc/ ? Is a certificate for client authentication needed when accessing the webserver running on port 8443? Which ciphers/TLS-versions are allowed on the backend?

Best regards
Matthias
parivesh



Joined: 05 Jul 2019
Posts: 4
Location: India

Posted: Wed 24 Jul '19 11:30

Hi mraddi,
please find the details below:

Code:

C:\Apache24\bin>httpd.exe -t
Syntax OK

C:\Apache24\bin>httpd.exe -s
httpd.exe: illegal option -- s
Usage: httpd.exe [-D name] [-d directory] [-f file]
[-C "directive"] [-c "directive"]
[-w] [-k start|restart|stop|shutdown] [-n service_name]
[-k install|config|uninstall] [-n service_name]
[-v] [-V] [-h] [-l] [-L] [-t] [-T] [-S] [-X]
Options:
-D name : define a name for use in <IfDefine name> directives
-d directory : specify an alternate initial ServerRoot
-f file : specify an alternate ServerConfigFile
-C "directive" : process directive before reading config files
-c "directive" : process directive after reading config files
-n name : set service name and use its ServerConfigFile and ServerRoot
-k start : tell Apache to start
-k restart : tell running Apache to do a graceful restart
-k stop|shutdown : tell running Apache to shutdown
-k install : install an Apache service
-k config : change startup Options of an Apache service
-k uninstall : uninstall an Apache service
-w : hold open the console window on error
-e level : show startup errors of level (see LogLevel)
-E file : log startup errors to file
-v : show version number
-V : show compile settings
-h : list available command line options (this page)
-l : list compiled in modules
-L : list available configuration directives
-t -D DUMP_VHOSTS : show parsed vhost settings
-t -D DUMP_RUN_CFG : show parsed run settings
-S : a synonym for -t -D DUMP_VHOSTS -D DUMP_RUN_CFG
-t -D DUMP_MODULES : show all loaded modules
-M : a synonym for -t -D DUMP_MODULES
-t -D DUMP_INCLUDES: show all included configuration files
-t : run syntax check for config files
-T : start without DocumentRoot(s) check
-X : debug mode (only one worker, do not detach)

Yes, Apache is running on port 443 and the other webserver is on port 8443.
TLS versions: TLS 1.0, TLS 1.1 and TLS 1.2 are enabled.

With Apache 2.2 it was working fine, but after the upgrade it is not working.
mraddi



Joined: 27 Jun 2016
Posts: 100
Location: Schömberg, Baden-Württemberg, Germany

Posted: Wed 24 Jul '19 11:36

Hello,

please use "httpd.exe -S" with an uppercase S (when https-ssl.conf is included in your config) to get information about the configured virtual hosts.

Best regards
Matthias
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6684
Location: Germany, Next to Hamburg

Posted: Wed 24 Jul '19 16:16

You may try

Code:

SetEnv proxy-sendchunked


From https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#request-bodies
parivesh



Joined: 05 Jul 2019
Posts: 4
Location: India

Posted: Thu 25 Jul '19 13:02

Hi, please find the output below:

Code:

C:\Apache24\bin>httpd.exe -S
VirtualHost configuration:
[::1]:443 Hostname (C:/Apache24/conf/httpd.conf:553)
IP:443 Hostname (C:/Apache24/conf/httpd.conf:553)
*:80 Hostname (C:/Apache24/conf/httpd.conf:548)
ServerRoot: "C:/Apache24"
Main DocumentRoot: "C:/Apache24/htdocs"
Main ErrorLog: "C:/Apache24/logs/error.log"
Mutex default: dir="C:/Apache24/logs/" mechanism=default
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "C:/Apache24/logs/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: SRVROOT=c:/Apache24


But when I remove the "#" in front of the Include httpd-ssl.conf line, the Apache service will not start.
parivesh



Joined: 05 Jul 2019
Posts: 4
Location: India

Posted: Thu 25 Jul '19 14:10

Also I found one difference while starting the server.

In Apache 2.2, when I start the service it shows

Apache/2.2.11 (Win32) mod_jk/1.2.28 mod_ssl/2.2.11 OpenSSL/0.9.8i

But in Apache 2.4.39 mod_ssl is missing:

Apache/2.4.39 (Win32) mod_jk/1.2.46 OpenSSL/1.1.1c
mraddi



Joined: 27 Jun 2016
Posts: 100
Location: Schömberg, Baden-Württemberg, Germany

Posted: Sat 27 Jul '19 20:31

The missing mod_ssl is no hint that SSL is not configured within your Apache's config. On my Apache 2.4 mod_ssl is enabled but not visible in Apache's Server-Signature.

You may check with
apachectl -M (if you are running Linux)
or
httpd.exe -M (if you are running Windows)
which modules are enabled.
If "ssl_module" is not listed you have to enable it.
On Linux a
sudo a2enmod ssl && sudo service apache2 restart
might be sufficient.
On Windows please check that there is no # in front of this line
LoadModule ssl_module modules/mod_ssl.so
to have the mod_ssl-module enabled. A restart of the Apache-service is needed here, too.


Looking again at your original post: why have you configured this within your Apache's config?
SSLProtocol all +TLSv1 +TLSv1.3
According to Apache's documentation https://httpd.apache.org/docs/2.4/mod/mod_ssl.html "all" already includes TLSv1.
From security's point of view I would prefer
SSLProtocol -all +TLSv1.2 +TLSv1.3

For narrowing down the error please first remove the proxy-stuff from your config and try to access a file locally available to your Apache running at :443 using your browser. This is for checking if your Apache is serving requests with https on :443.
If this is working fine, check if you can access your backend webserver running at :8443 with your browser. This is for checking if your backend webserver is able to serve https requests on port 8443.
If this is working, too, re-enable the proxy-config and try to dump the traffic between your Apache and the backend-webserver. Do you see any interesting packets within the SSL-handshake (you may analyze it with Wireshark) that give you a hint that both parties do not find a cipher that is supported on both ends or that a certificate is not trusted?
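The SSLProtocol point raised in the post above, as an added example that is not part of the thread or of the Apache project: a small Python re-implementation of the keyword rules documented for mod_ssl (a bare keyword selects exactly that protocol, "+" adds and "-" removes, "all" is every protocol the OpenSSL build supports), so that "all +TLSv1 +TLSv1.3" and "-all +TLSv1.2 +TLSv1.3" can be compared without restarting httpd. It assumes an OpenSSL 1.1.1 build without SSLv3; adjust ALL_PROTOCOLS for another build. One caveat for the error in this thread: SSLProtocol restricts what browsers may negotiate with Apache on :443, whereas the handshake that AH00898 reports is the one Apache opens towards the backend on :8443, which is governed by SSLProxyProtocol (default "all -SSLv3" in 2.4) and SSLProxyCipherSuite, so the same review belongs on those directives as well.

```python
"""Work out which protocol versions an Apache mod_ssl ``SSLProtocol`` or
``SSLProxyProtocol`` argument string actually enables.

Added example, not code from the forum thread or from the Apache project.
It re-implements the directive semantics described in the mod_ssl
documentation so the two lines discussed in the thread can be compared
offline:

  * a bare keyword (``TLSv1.2``) selects exactly that protocol,
  * ``+`` adds and ``-`` removes a protocol from the running set,
  * ``all`` stands for every protocol the OpenSSL build supports.

Assumption (not from the page): the build is OpenSSL 1.1.1 with SSLv3
disabled, so ``all`` is TLSv1 through TLSv1.3; edit ``ALL_PROTOCOLS`` for
another build.
"""
from __future__ import annotations

# Protocols an OpenSSL 1.1.1 build without SSLv3 can enable (assumption).
ALL_PROTOCOLS: frozenset[str] = frozenset({"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"})
# Keywords mod_ssl accepts; SSLv3 is a valid name even when the build
# cannot enable it, so selecting it simply enables nothing.
KNOWN_KEYWORDS: frozenset[str] = ALL_PROTOCOLS | {"SSLv3"}
# Versions deprecated by RFC 8996 that a hardened config should not enable.
DEPRECATED: frozenset[str] = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})

_CANONICAL = {name.lower(): name for name in KNOWN_KEYWORDS}


def effective_protocols(directive: str) -> set[str]:
    """Return the protocol set enabled by ``directive``.

    ``directive`` is the text after the directive name, for example
    ``"all +TLSv1 +TLSv1.3"``. Keywords are case-insensitive, as in mod_ssl;
    an unknown keyword raises ValueError, mirroring the startup error httpd
    reports for an illegal protocol name.
    """
    enabled: set[str] = set()
    for token in directive.split():
        if token[0] in "+-":
            action, word = token[0], token[1:]
        else:
            action, word = "=", token
        key = word.lower()
        if key == "all":
            selected = set(ALL_PROTOCOLS)
        elif key in _CANONICAL:
            # Intersect with the build's protocols: SSLv3 stays disabled.
            selected = {_CANONICAL[key]} & ALL_PROTOCOLS
        else:
            raise ValueError(f"SSLProtocol: Illegal protocol '{word}'")
        if action == "+":
            enabled |= selected
        elif action == "-":
            enabled -= selected
        else:
            # A bare keyword replaces whatever has been accumulated so far.
            enabled = selected
    return enabled


def deprecated_enabled(directive: str) -> list[str]:
    """Deprecated protocol versions the directive still leaves switched on."""
    return sorted(effective_protocols(directive) & DEPRECATED)


def redundant_tokens(directive: str) -> list[str]:
    """``+`` tokens whose removal does not change the effective set."""
    tokens = directive.split()
    full = effective_protocols(directive)
    redundant = []
    for index, token in enumerate(tokens):
        if not token.startswith("+"):
            continue
        trimmed = " ".join(tokens[:index] + tokens[index + 1:])
        if effective_protocols(trimmed) == full:
            redundant.append(token)
    return redundant


def review(directive: str) -> dict[str, object]:
    """Summarise one directive for a config review."""
    return {
        "directive": directive,
        "enabled": sorted(effective_protocols(directive)),
        "deprecated": deprecated_enabled(directive),
        "redundant": redundant_tokens(directive),
    }


if __name__ == "__main__":
    # The line from the original post next to the hardened replacement
    # suggested later in the thread.
    for line in ("all +TLSv1 +TLSv1.3", "-all +TLSv1.2 +TLSv1.3"):
        print(review(line))
```

Running the script reports that both "+" tokens in the original line are redundant (the set is already "all") and that TLSv1 and TLSv1.1 remain enabled, while the suggested "-all +TLSv1.2 +TLSv1.3" enables exactly TLSv1.2 and TLSv1.3 with nothing deprecated left on.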

