« Previous Next »

• 02-02-2009, 1:13 PM

  JohnRobertson Joined on 02-02-2009, 12:54 PM Posts 8

  SSL handshake problems with Apache Reply Contact Please help folks !  I have configured a serverfarm server and added httpport and httpsport details for an Oracle HTTP server (basically Apache rebadged).  SSL offloading is disabled and I've added URL rewrite rules to pass on in the clear and when {HTTPS} is on as directed elsewhere. Connections in the clear work fine but when I try https I'm getting a 502. In the apache ssl error log I see SSL call to NZ function nzos_Handshake failed with error 29014  I have IIS server certificates in place to handle client to IIS connections and the OAS has seperate SSL certificates meant to handle the IIS to OAS connection but I suspect I'm missing a step in getting IIS to accept these ? Thanks,

  Tags: Application Request RoutingApplication Request Routing webfarm port http https

• 02-02-2009, 1:23 PM

  In reply to

  wonyoo Joined on 12-15-2007, 6:46 PM Posts 125	Re: SSL handshake problems with Apache Reply Contact A few questions.  1) Are you using an RC release of ARR?  If so, you shouldn't need to manually rewrite the URL rewrite rules.  Which release (either CTP1 or RC) are you using? 2) Could you provide the URL rewrite section of the applicationHost.config?  Thanks
  	Tags: Application Request Routing

• 02-02-2009, 1:42 PM

  In reply to

  JohnRobertson Joined on 02-02-2009, 12:54 PM Posts 8

  Re: SSL handshake problems with Apache Reply Contact 1) I believe it's the RC release - ARR_x86_RC.EXE file dated 3/12/2008 2) <rewrite>             <globalRules>                 <clear />                 <rule name="ARR_anzenOASFarm_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">                     <match url="*" />                     <conditions>                         <add input="{HTTPS}" pattern="on" />                     </conditions>                     <action type="Rewrite" url="https://anzenOASFarm/{R:0}" />                 </rule>                 <rule name="ARR_anzenOASFarm_loadbalance" patternSyntax="Wildcard" stopProcessing="true">                     <match url="*" />                     <action type="Rewrite" url="http://anzenOASFarm/{R:0}" />                 </rule>             </globalRules>         </rewrite>  Thanks for the quick follow up .....

• 02-02-2009, 2:19 PM

  In reply to

  Mike Ayling Joined on 06-27-2006, 1:39 PM Posts 50	Re: SSL handshake problems with Apache Reply Contact I've seen this issue if the certificate on the target server (in this case, "anzenOASFarm") isn't issued to the matching name. In other words, if the certificate on your apache server isn't issued to "anzenOASFarm" then you will get a 502. -Mike

• 02-02-2009, 2:28 PM

  In reply to

  Mike Ayling Joined on 06-27-2006, 1:39 PM Posts 50	Re: SSL handshake problems with Apache Reply Contact I should have been more explicit in my reply... In the case I described, I see that behavior when no server farm is defined to match the rewrite rule.

• 02-03-2009, 6:50 AM

  In reply to

  JohnRobertson Joined on 02-02-2009, 12:54 PM Posts 8

  Re: SSL handshake problems with Apache Reply Contact Thanks for the suggestion Mike, I gave it a try against our system test environment but I'm still getting 502 !  Details have changed since my previous posts as it's a differant env-                 <rule name="ARR_www.osso.ste.rbsgrp.mde_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">                     <match url="*" />                     <conditions logicalGrouping="MatchAll">                         <add input="{HTTPS}" pattern="on" />                     </conditions>                     <action type="Rewrite" url="https://www.osso.ste.rbsgrp.mde/{R:0}" />                 </rule>                 <rule name="ARR_www.osso.ste.rbsgrp.mde_loadbalance" patternSyntax="Wildcard" stopProcessing="true">                     <match url="*" />                     <conditions logicalGrouping="MatchAll" />                     <action type="Rewrite" url="http://www.osso.ste.rbsgrp.mde/{R:0}" />                 </rule>           <webFarm name="www.osso.ste.rbsgrp.mde" enabled="true">             <server address="anztssoa" enabled="true">                 <applicationRequestRouting httpPort="8001" httpsPort="8002" />             </server>             <server address="anztssob" enabled="false">                 <applicationRequestRouting httpPort="8011" httpsPort="8012" />             </server>         </webFarm> If I miss out IIS and go directly to AIX on port 8002 from internet explorer I'm OK and can see certificate for site www.osso.ste.rbsgrp.mde. If I go via IIS it's 502 time again with Apache logging - [Tue Feb  3 11:41:43 2009] [error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29014 (server www.osso.ste.rbsgrp.mde:443, client 11.153.106.55) [Tue Feb  3 11:41:43 2009] [error] mod_ossl: Unknown error [Tue Feb  3 11:41:43 2009] [error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 28864 (server www.osso.ste.rbsgrp.mde:443, client 11.153.106.55) [Tue Feb  3 11:41:43 2009] [error] mod_ossl: SSL IO error [Hint: the client stop the connection unexpectedly] While IIS is logging - #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken 2009-02-03 11:41:43 W3SVC6 MLAUANZEN01 11.153.106.143 GET / X-ARR-LOG-ID=936c5cb5-d42c-43d8-a27a-6f0352411679 443 - 11.152.62.60 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) - - www.osso.ste.rbsgrp.mde 502 3 12175 1664 372 109 I'm trying to set this up as a proof of concept that ARR will do a job for us by loadbalancing SSL Apache instances so any suggestions would be greatly appreciated. Finally, I'm wondering if anybody could suggest a friendly debug tool ? I'm a bit scared of Wireshark ! John,

  Tags: Application Request RoutingApplication Request Routing webfarm port http https

• 02-03-2009, 10:47 AM

  In reply to

  Mike Ayling Joined on 06-27-2006, 1:39 PM Posts 50

  Re: SSL handshake problems with Apache Reply Contact Right, basically what I can tell is this... When ARR makes the "child" https request, whether it be to a defined server/node in an ARR web farm or a direct proxy request to a server not defined in the ARR webfarms collection ,the request will result in a 502 if the defined server address does not match the certificate. I think my initial posts may have been a bit confusing. If you were to go back to your original configuration, where the ARR farm name was "anzenOASFarm" and then add only one server with address "www.osso.ste.rbsgrp.mde" (make sure dns resolves to one of the target nodes, or modify the hosts file on the ARR server), then the request should succeed without error. I realize this is less than ideal as you then only have 1 server in the ARR farm, but unfortunately that seems to be the current behavior. -Mike

• 02-03-2009, 11:44 AM

  In reply to

  JohnRobertson Joined on 02-02-2009, 12:54 PM Posts 8

  Re: SSL handshake problems with Apache Reply Contact I gave that a try Mike but the 502 won't go away -                  <rule name="ARR_ServerSTEname_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">                     <match url="*" />                     <conditions logicalGrouping="MatchAll">                         <add input="{HTTPS}" pattern="on" />                     </conditions>                     <action type="Rewrite" url="https://ServerSTEname/{R:0}" />                 </rule>                 <rule name="ARR_ServerSTEname_loadbalance" patternSyntax="Wildcard" stopProcessing="true">                     <match url="*" />                     <conditions logicalGrouping="MatchAll" />                     <action type="Rewrite" url="http://ServerSTEname/{R:0}" />                 </rule>         <webFarm name="ServerSTEname" enabled="true">             <server address="www.osso.ste.rbsgrp.mde" enabled="true">                 <applicationRequestRouting httpPort="8001" httpsPort="8002" />             </server>         </webFarm>   I'm almost glad that wasn't the issue because it would have been telling me that ARR could do SSL or load balancing but not both ! Any other idea's ?

• 02-03-2009, 11:50 AM

  In reply to

  JohnRobertson Joined on 02-02-2009, 12:54 PM Posts 8	Re: SSL handshake problems with Apache Reply Contact Here's what I see in my failed request log - ModuleName ApplicationRequestRouting Notification 128 HttpStatus 502 HttpReason Bad Gateway HttpSubStatus 3 ErrorCode 2147954575 ConfigExceptionInfo  Notification EXECUTE_REQUEST_HANDLER Although I'm not sure that gives any new or helpfull information ....

• 02-03-2009, 12:52 PM

  In reply to

  anilr Joined on 05-23-2006, 10:13 PM Redmond, WA Posts 2,343

  Re: SSL handshake problems with Apache Reply Contact The RC build of ARR expects the certificate name from the end server to contain the server name rather than the site name - this issue is fixed in RTW.  The workaround for this would be to either install a certificate matching the server-name or not use SSL between ARR and the content server. Anil Ruia Senior Software Design Engineer IIS Core Server

• 02-03-2009, 1:05 PM

  In reply to

  Mike Ayling Joined on 06-27-2006, 1:39 PM Posts 50

  Re: SSL handshake problems with Apache Reply Contact Will this behavior be configurable in RTW? It would be nice to have a config attribute for ARR to ignore certificate errors, whether they are mis-matched names or expired certificates. Maybe something like this to map cleanly to WinHttpRequestOption_SslErrorIgnoreFlags if that's what you guys are using:  <attribute name="sslErrorIgnoreFlags" type="flags" defaultValue="None" >     <flag name="None" value="0"/>     <flag name="UnknownCertAuthorityOrRoot" value="1"/>     <flag name="WrongUsage" value="2"/>     <flag name="InvalidCommonName" value="4"/>     <flag name="CertificateExpired" value="8"/> </attribute>

• 02-04-2009, 11:10 AM

  In reply to

  JohnRobertson Joined on 02-02-2009, 12:54 PM Posts 8

  Re: SSL handshake problems with Apache Reply Contact Thanks for the update Anil, I only have one AIX server for my proof of concept environment with several OAS instances listening on different ports.  I also have requirements that the solution supports - ·                      Virtual hosting ·                      Load balancing ·                      Secure Sockets Layer (SSL) for all HTTP traffic ·                      Session persistence If I understand your response correctly then the current RC build of ARR does not support both Virtual hosting and SSL at the same time.  Would I be right in assuming that RTW = Release To World (ie formally supported product) ? If so, would you care to give informal, indicative timescales for RTW ?  I have a formal request for this information going through the proper channels and it is the response from that which we will use to inform our design decision but I'd be interested in your view.  My project is slated to go live Oct 09 but we have many long test cycles to go through before then ! Thanks,

• 02-04-2009, 1:36 PM

  In reply to

  anilr Joined on 05-23-2006, 10:13 PM Redmond, WA Posts 2,343

  Re: SSL handshake problems with Apache Reply Contact We are not going to make it configurable for RTW, just ignore mismatched names in the case where server name does not match hostname - also, I am just curious why you are doing SSL between ARR and the content server (and thus doubling the cost of SSL on the ARR server and adding cost of SSL on the content server) - I would assume that ARR and the content server would be in the same trust boundary. Also, RTW for ARR is imminent, definitely within a month, probably less. Anil Ruia Senior Software Design Engineer IIS Core Server

• 02-04-2009, 4:45 PM

  In reply to

  Mike Ayling Joined on 06-27-2006, 1:39 PM Posts 50

  Re: SSL handshake problems with Apache Reply Contact That's not necessarily a valid assumption... It may be desirable to make various independent and external services available within a single domain name. ARR's ability to reverse proxy makes that possible. An example might be a third party ecommerce application which is only available via https: https://www.mydomain.com/store (IIS7 + ARR) => https://www.thirdpartyecomm.com/stores/123456 (external brandX web server) Anyway, for what it's worth maybe add it to your backlog as a feature request for more fine-grained control of the proxy behavior when dealing with SSL errors. thanks -Mike

• 02-10-2009, 11:11 AM

  In reply to

  JohnRobertson Joined on 02-02-2009, 12:54 PM Posts 8

  Re: SSL handshake problems with Apache Reply Contact Chaps, I've tried it out with SSL Certificates on OAS server which matched both the full and short physical server name but the 502's still won't go away ! In an attempt to get to the root of the problem I'm avoiding ARR and now using a simple URL rewrite rule with the short certificate on OAS - <globalRules>                 <clear />                 <rule name="ARR_anzenOASFarm_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">                     <match url="*" />                     <conditions logicalGrouping="MatchAll">                         <add input="{HTTPS}" pattern="on" />                     </conditions>                     <action type="Rewrite" url="https://frcmde38ka:7002/{R:0}" />                 </rule> When I go to https://frcmde38ka:7002 from IE on the IIS box I don't get any SSL warnings and can see a trusted certificate issued to frcmde38ka.  Using the MMC certificates snap-in I can see that the issuing authority is in Trusted Root Certification Authorities \ Certificates. Now go through IIS rewrite rule and client gets a 502 with this written to the IIS log - #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken 2009-02-10 15:53:04 W3SVC6 MLAUANZEN01 11.153.106.143 GET / X-ARR-LOG-ID=6166a547-5a3b-4cbf-9b67-c7f93e519ee5 443 - 11.152.62.60 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) - - FRCMDE38KA:7002 502 3 12175 1664 372 468 Do I need the certificate issued to in uppercase ?  Any other ideas ?  Should I post a seperate topic in the URL rewrite forum ? Thanks in advance .....

  Tags: Application Request Routing