https reverse proxy and mod_nss may fail with error "don't have the name of the host we're supposed to connect to"


Environment

  • Red Hat Enterprise Linux 5
  • Apache, mod_proxy, mod_nss
    httpd-2.2.3-45
    mod_nss-1.0.8-3

Issue

Updating mod_nss from mod_nss-1.0.3-8.el5 to mod_nss-1.0.8-3.el5 or mod_nss-1.0.8-4.el5 may result in errors for all HTTP virtual hosts that use mod_proxy to reverse-proxy to an HTTPS backend, with mod_nss providing the SSL support.
The Apache errors look like this:

==> /var/log/httpd/error_log <==
[Sat Jul 09 01:46:11 2011] [error] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
[Sat Jul 09 01:46:11 2011] [error] (20014)Internal error: proxy: pass request body failed to 74.125.226.68:443 (encrypted.google.com)
[Sat Jul 09 01:46:11 2011] [error] proxy: pass request body failed to 74.125.226.68:443 (encrypted.google.com) from 10.14.5.23 ()
==> /var/log/httpd/access_log <==
10.14.5.23 - - [09/Jul/2011:01:46:11 -0700] "GET / HTTP/1.1" 400 304

Resolution

Apply the patch described in Bugzilla number 00692868, or contact Red Hat Support for the patch.

Root Cause

The reverse proxy patch in mod_nss must be updated to use c_remote_host instead of proxy-request-hostname.

Diagnostic Steps

Have a RHEL 5 test system with Apache, mod_proxy and mod_nss-1.0.3-8, configured for SSL, for example:

certutil -L -d /etc/httpd/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
alpha                                                        u,pu,u

certutil -K -d /etc/httpd/alias
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services                  "
< 0> rsa      f067fbb75b8c800efa80e159c297e6eca5a70ff4   NSS Certificate DB:cacert
< 1> rsa      ae17674e86813f1b51009783c7020c01a44a6d64   NSS Certificate DB:alpha
< 2> rsa      69f4d3f0d2bf88ecec9a1acd7be6415658c31d37   NSS Certificate DB:Server-Cert

ls -l /etc/httpd/modules/mod_proxy.so
-rwxr-xr-x 1 root root 76984 Apr 15 04:03 /etc/httpd/modules/mod_proxy.so

Do not use mod_ssl; use mod_nss instead. Comment out the wildcard include (which would also pull in ssl.conf) and include only nss.conf:

vi /etc/httpd/conf/httpd.conf
# Include conf.d/*.conf
Include conf.d/nss.conf

Leaving mod_ssl loaded alongside mod_nss may produce other errors, such as:

==> /var/log/httpd/error_log <==
[Sat Jul 09 01:26:18 2011] [error] [client 74.125.226.76] SSL Proxy requested for ca1.example.com:8443 but not enabled [Hint: SSLProxyEngine]
[Sat Jul 09 01:26:18 2011] [error] proxy: HTTPS: failed to enable ssl support for 74.125.226.76:443 (encrypted.google.com)
==> /var/log/httpd/access_log <==
10.14.5.23 - - [09/Jul/2011:01:26:18 -0700] "GET / HTTP/1.1" 500 612

Add the NSS proxy configuration at the end of nss.conf:

vi /etc/httpd/conf.d/nss.conf
...
# testms bz 692868
ProxyPass / https://encrypted.google.com:443/
ProxyPassReverse / https://encrypted.google.com:443/
NSSEnforceValidCerts on
NSSProxyEngine on
NSSProxyCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
# end testms bz 692868

Restart Apache:

/etc/init.d/httpd start

And test:

elinks -dump https://10.14.5.23:8443/
                                  Bad Request
   Your browser sent a request that this server could not understand.
    Apache/2.2.3 (Red Hat) Server at 10.14.5.23 Port 8443
==> /var/log/httpd/error_log <==
[Sat Jul 09 01:46:11 2011] [error] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
[Sat Jul 09 01:46:11 2011] [error] (20014)Internal error: proxy: pass request body failed to 74.125.226.68:443 (encrypted.google.com)
[Sat Jul 09 01:46:11 2011] [error] proxy: pass request body failed to 74.125.226.68:443 (encrypted.google.com) from 10.14.5.23 ()
==> /var/log/httpd/access_log <==
10.14.5.23 - - [09/Jul/2011:01:46:11 -0700] "GET / HTTP/1.1" 400 304

Applying the Bugzilla 692868 patch (installing the patched mod_nss-1.0.8-5 package) gives the following result:

/etc/init.d/httpd stop
rpm -e mod_nss-1.0.3-8.el5
rpm -i ~/mod_nss-1.0.8-5.x86_64.rpm

httpd-2.2.3-45.el5_6.1
mod_nss-1.0.8-5

/etc/init.d/httpd start
lsof -i :8443
elinks -dump https://10.14.5.23:8443/
   [1]
   _____________________
                                        [2]iGoogle | [3]Settings | [4]Sign in
                            Go to [5]classic Google.

          ...snip...

==> /var/log/httpd/access_log <==
10.14.5.23 - - [09/Jul/2011:04:58:19 -0700] "GET / HTTP/1.1" 200 10220

The file /etc/httpd/conf.d/nss.conf used for this test looked like this:

LoadModule nss_module modules/libmodnss.so
Listen 8443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
NSSPassPhraseDialog  builtin
NSSPassPhraseHelper /usr/sbin/nss_pcache
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
NSSRandomSeed startup builtin
NSSRenegotiation off
NSSRequireSafeNegotiation off
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
LogLevel warn
NSSEngine on
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
    NSSOptions +StdEnvVars
    NSSOptions +StdEnvVars
ProxyPass / https://encrypted.google.com:443/
ProxyPassReverse / https://encrypted.google.com:443/
NSSEnforceValidCerts on
NSSProxyEngine on
NSSProxyCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
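As an added example (not part of this Red Hat solution), the following POSIX shell script turns the diagnostic steps above into repeatable checks: it classifies an httpd error_log by the two error signatures shown in this article (the mod_nss hostname failure, and the mod_ssl/mod_nss mix-up) and verifies that an nss.conf carries the ProxyPass and NSSProxyEngine directives from the test configuration. The log lines and configuration fragments it writes under a temporary directory are constructed sample data copied from this article, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat solution: classify an httpd error_log by the
# two mod_nss proxy error signatures this article shows, and check that nss.conf
# carries the proxy directives from the article's test configuration.
# Function names are this example's own; the sample files below are constructed.

# Exact text of the mod_nss failure fixed by the Bugzilla 692868 patch.
NSS_PROXY_SIG="SSL Proxy: I don't have the name of the host we're supposed to connect to"
# Text of the error seen when mod_ssl's ssl.conf is still loaded next to mod_nss.
SSL_MIX_SIG="but not enabled [Hint: SSLProxyEngine]"

# count_nss_proxy_errors LOGFILE: number of log lines carrying the hostname failure.
count_nss_proxy_errors() {
    grep -cF -- "$NSS_PROXY_SIG" "$1" || :   # grep -c prints 0 but exits 1 on no match
}

# count_ssl_mix_errors LOGFILE: number of lines from the mod_ssl/mod_nss mix-up.
count_ssl_mix_errors() {
    grep -cF -- "$SSL_MIX_SIG" "$1" || :
}

# classify_log LOGFILE: print one word for what the log shows.
#   nss-hostname : the mod_nss bug in this article (install the patched mod_nss)
#   ssl-mixed    : mod_ssl and mod_nss both active (include only conf.d/nss.conf)
#   clean        : neither signature present
classify_log() {
    if [ "$(count_nss_proxy_errors "$1")" -gt 0 ]; then
        echo nss-hostname
    elif [ "$(count_ssl_mix_errors "$1")" -gt 0 ]; then
        echo ssl-mixed
    else
        echo clean
    fi
}

# check_nss_proxy_conf NSSCONF: return 0 when the file has a ProxyPass to an https://
# backend and NSSProxyEngine on (the two directives the test configuration relies on);
# otherwise report each missing directive and return 1.
check_nss_proxy_conf() {
    conf="$1"
    rc=0
    grep -Eq '^[[:space:]]*ProxyPass[[:space:]]+[^[:space:]]+[[:space:]]+https://' "$conf" \
        || { echo "missing: ProxyPass to an https:// backend"; rc=1; }
    grep -Eq '^[[:space:]]*NSSProxyEngine[[:space:]]+[Oo][Nn][[:space:]]*$' "$conf" \
        || { echo "missing: NSSProxyEngine on"; rc=1; }
    return $rc
}

# Constructed sample data (log lines taken from this article) in a temporary directory.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/error_log_bug" <<'EOF'
[Sat Jul 09 01:46:11 2011] [error] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
[Sat Jul 09 01:46:11 2011] [error] (20014)Internal error: proxy: pass request body failed to 74.125.226.68:443 (encrypted.google.com)
EOF
cat > "$TMPD/error_log_mixed" <<'EOF'
[Sat Jul 09 01:26:18 2011] [error] [client 74.125.226.76] SSL Proxy requested for ca1.example.com:8443 but not enabled [Hint: SSLProxyEngine]
[Sat Jul 09 01:26:18 2011] [error] proxy: HTTPS: failed to enable ssl support for 74.125.226.76:443 (encrypted.google.com)
EOF
cat > "$TMPD/error_log_ok" <<'EOF'
[Sat Jul 09 04:58:19 2011] [notice] constructed sample line with no proxy error
EOF
cat > "$TMPD/nss_good.conf" <<'EOF'
ProxyPass / https://encrypted.google.com:443/
ProxyPassReverse / https://encrypted.google.com:443/
NSSEnforceValidCerts on
NSSProxyEngine on
EOF
cat > "$TMPD/nss_bad.conf" <<'EOF'
ProxyPass / https://encrypted.google.com:443/
ProxyPassReverse / https://encrypted.google.com:443/
EOF

# Stand-alone run: classify each sample log and check both configurations.
for f in error_log_bug error_log_mixed error_log_ok; do
    echo "$f: $(classify_log "$TMPD/$f")"
done
check_nss_proxy_conf "$TMPD/nss_good.conf" && echo "nss_good.conf: proxy directives present"
check_nss_proxy_conf "$TMPD/nss_bad.conf" || echo "nss_bad.conf: add the directives listed above"
```

On a real system, point classify_log at /var/log/httpd/error_log and check_nss_proxy_conf at /etc/httpd/conf.d/nss.conf; an "nss-hostname" result on a host still running mod_nss-1.0.8-3 or -4 is the condition this solution describes.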

Comments

See Red Hat Bugzilla 692868 - https (with mod_nss) fails with reverse proxy when using with mod_proxy
and Apache Bug 36468
and https://www.redhat.com/archives/mod_nss-list/2010-May/msg00003.html

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.