I am trying to create a virtual host proxying to an application hosted on OpenShift with a really nasty URL. When I try to do this I find the following error in the log file:
AH01997: SSL handshake failed: sending 502
and in the browser the following is shown:
Proxy Error
The proxy server could not handle the request GET /.
Reason: Error during SSL Handshake with remote server
At first I thought this had something to do with the cipher, but I do not think so now. So I must admit that I am really not sure what the root cause can be.
Apache info
Server version: Apache/2.4.38 (Win64)
Server built: Jan 17 2019 19:32:38
Apache config
<VirtualHost *:443>
    # Front side: TLS from the browser to this vhost
    SSLEngine on
    SSLCertificateFile ${cert_file}
    SSLCertificateKeyFile ${cert_key}
    DocumentRoot "${SRVROOT}/htdocs/mattermost/443"
    ServerName mattermost.mycorp.com
    ServerAlias mattermost.mycorp.com
    LogLevel trace6
    ErrorLog d:/logs/prod/prod_error_443_mattermost.mycorp.com.log
    CustomLog d:/logs/prod/prod_access_443_mattermost.mycorp.com.log mycorpdirect env=!forwarded
    CustomLog d:/logs/prod/prod_access_443_mattermost.mycorp.com.log mycorpproxy env=forwarded

    # Back side: TLS from this vhost to the OpenShift route.
    # Certificate verification of the backend is switched off entirely.
    # (The posted config listed SSLProxyCheckPeerCN Off twice; the duplicate is dropped here.)
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off
    SSLProxyProtocol -all +TLSv1.2
    SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia On
    #RewriteEngine on
    #RewriteRule ^(/.*) https://mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com/ [P]
    ProxyPass / https://mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com/
    ProxyPassReverse / https://mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com/
</VirtualHost>
Apache error log
[Thu May 09 15:05:02.694205 2019] [ssl:info] [pid 5668:tid 1836] [remote yy.yy.yy.yy:443] AH02003: SSL Proxy connect failed
[Thu May 09 15:05:02.694205 2019] [ssl:info] [pid 5668:tid 1836] [remote yy.yy.yy.yy:443] AH01998: Connection closed to child 0 with abortive shutdown (server mattermost.mycorp.com:443)
[Thu May 09 15:05:02.694205 2019] [ssl:info] [pid 5668:tid 1836] [remote yy.yy.yy.yy:443] AH01997: SSL handshake failed: sending 502
[Thu May 09 15:05:02.694205 2019] [proxy:error] [pid 5668:tid 1836] (20014)Internal error (specific information not available): [client yyy.yy.y.yyy:65148] AH01084: pass request body failed to yy.yy.yy.yy:443 (mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com), referer: https://mattermost.mycorp.com/
[Thu May 09 15:05:02.694205 2019] [proxy:error] [pid 5668:tid 1836] [client yyy.yy.y.yyy:65148] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://mattermost.mycorp.com/
[Thu May 09 15:05:02.694205 2019] [proxy_http:error] [pid 5668:tid 1836] [client yyy.yy.y.yyy:65148] AH01097: pass request body failed to yy.yy.yy.yy:443 (mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com) from yyy.yy.y.yyy (), referer: https://mattermost.mycorp.com/
OpenSSL s_client output
Not all of it, but the most important parts with reference to my vhost config: TLSv1.2 and the cipher suite.
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
I also verified that Apache has the suite:
openssl.exe ciphers "TLSv1.2"
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
.....
Everything from openssl:
CONNECTED(00000134)
---
Certificate chain
0 s:CN = *.cloudappsk2.11913.2016.dcs.mycorp.com
i:CN = openshift-signer@1552839230
1 s:CN = openshift-signer@1552839230
i:CN = openshift-signer@1552839230
2 s:CN = openshift-signer@1552839230
i:CN = openshift-signer@1552839230
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN = *.cloudappsk2.11913.2016.dcs.mycorp.com
issuer=CN = openshift-signer@1552839230
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3089 bytes and written 480 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: FB52D3CDAC5F480496BC3E0F98973AE6C13632C8E861EC19884297167067D019
Session-ID-ctx:
Master-Key: 69EF2D7DE36E00753847C99431478828A7E1F55E756E0D282472AB251F85E43404C1940175C2BD0B12EE2537CD7FB148
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1557334640
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed
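The posted vhost reaches the backend over TLS but never authenticates it: SSLProxyVerify none with both peer-name checks off accepts whatever certificate is presented. The s_client output also shows why simply switching to SSLProxyVerify require would fail on its own: the chain ends in the self-signed openshift-signer@1552839230 certificate (verify return code 19), which is not in any default trust store. The fragment below is an added example, not part of the question and not the poster's configuration. It keeps the posted backend-TLS directives as commented-out lines next to a hardened version that pins the cluster signer. Assumptions that are not in the post: the signer certificate has been exported from the chain (for example with openssl s_client -showcerts) and saved as ${SRVROOT}/conf/ssl/openshift-signer.pem, and the remark about which hostname mod_ssl uses for SNI and the peer-name check when ProxyPreserveHost is On describes httpd 2.4 behaviour that should be confirmed on the build in use.

```apache
# Added example; not the poster's vhost and not OpenShift documentation.
# Assumption (not from the post): the self-signed "openshift-signer@1552839230"
# certificate from the s_client chain is saved as
# ${SRVROOT}/conf/ssl/openshift-signer.pem (PEM format).
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile ${cert_file}
    SSLCertificateKeyFile ${cert_key}
    ServerName mattermost.mycorp.com
    ErrorLog d:/logs/prod/prod_error_443_mattermost.mycorp.com.log

    SSLProxyEngine on
    SSLProxyProtocol -all +TLSv1.2
    SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

    # Weak, as posted: the backend is encrypted to but never authenticated.
    # Any host answering at the backend address with any certificate is accepted.
    #SSLProxyVerify none
    #SSLProxyCheckPeerCN Off
    #SSLProxyCheckPeerName Off

    # Hardened: trust exactly the cluster signer at the top of the chain and
    # require the backend leaf to chain to it. Depth 1 is enough because the
    # leaf is issued directly by the signer, as the s_client chain shows.
    SSLProxyCACertificateFile ${SRVROOT}/conf/ssl/openshift-signer.pem
    SSLProxyVerify require
    SSLProxyVerifyDepth 1

    # Compare the certificate's SAN/CN against the backend hostname. The leaf is
    # CN=*.cloudappsk2.11913.2016.dcs.mycorp.com, and a one-label wildcard covers
    # mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com exactly.
    # SSLProxyCheckPeerCN is only consulted when SSLProxyCheckPeerName is off,
    # so it is not needed here.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Off: the ProxyPass hostname is then what mod_ssl sends as SNI and checks the
    # certificate name against. With On, httpd 2.4 hands the incoming Host header
    # (mattermost.mycorp.com) to mod_ssl for that purpose, a name the backend's
    # wildcard certificate does not cover (confirm on your build). The original
    # host still reaches the backend in X-Forwarded-Host, which mod_proxy_http
    # adds by default.
    ProxyPreserveHost Off
    ProxyRequests Off
    ProxyVia On

    ProxyPass / https://mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com/
    ProxyPassReverse / https://mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com/
</VirtualHost>
```

Before reloading, check the pin outside Apache: openssl verify -CAfile openshift-signer.pem backend-leaf.pem (the leaf saved from the same -showcerts run) should print OK, and httpd.exe -t validates the syntax. If the handshake to the backend still fails with the hardened settings, the cause lies in the TLS negotiation itself rather than in verification, and the trace6 error log of the proxy connection is the place to look.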