How to make Apache httpd proxy to backend https service use TLSv1.2 instead of TLSv1

MichaelKarpel
January 5, 2023
211 views
1 vote
2 Answers

ssl.conf:

SSLEngine on
SSLProxyEngine On
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

someproxy.conf:

ProxyPass /x https://x:8443
ProxyPassReverse /x https://x:8443
AllowCONNECT 8443

When issuing request via proxy:
curl -k -v -XGET https://localhost/x/y

Getting in the log:

[Thu Jan 05 12:31:40.599913 2023] [proxy_http:error] [pid 14] (103)Software caused connection abort: [client 172.18.0.1:59228] AH01102: error reading status line from remote server x:8443
[Thu Jan 05 12:31:40.599951 2023] [proxy:error] [pid 14] [client 172.18.0.1:59228] AH00898: Error reading from remote server returned by /x/y
172.18.0.1 - - [05/Jan/2023:12:31:40 +0000] "GET /x/y HTTP/1.1" 502 461 "-" "curl/7.68.0" 837 4435

And looking at wireshark packets:

1470438 8882.445761230  172.18.0.13 172.18.0.15 TLSv1   280 Client Hello

Expecting to get TLSv1.2 handshake and not TLSv1 handshake request…
Any suggestions? Some configuration issue?

docker, Centos7, httpd 2.4.6, mod_ssl 2.4.6, openssl 1.0.2k

Tried limiting SSLProxyProtocol to only TLSv1.2 – no change
Tried modifying openssl.cnf to MinProtocol = TLSv1.2 – no change, probably did something wrong…
Tried lowering minimal protocol on backend to TLSv1 – works but not a valid solution…

Answers

Chosen as BEST ANSWER
- MichaelKarpel
- January 12, 2023 at 11:37 am
- 0 votes
0
For now implemented an ugly workaround...

starting nginx inside httpd container
```
server {
listen      8080;
server_name api-https-bridge;

location /x/ {
    resolver 127.0.0.11 valid=30s;
    proxy_pass                    https://x:8443/;

    proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    proxy_ssl_ciphers             HIGH:!aNULL:!MD5;

    proxy_ssl_trusted_certificate /etc/ssl/server-ca.crt;
    proxy_ssl_verify        on;
    proxy_ssl_verify_depth  2;

    proxy_ssl_session_reuse on;
}
```
and updated the httpd proxy config
```
ProxyPass /x http://localhost:8080/x
```
works but adds another proxy hop and not completely stable (nginx runs as background process not monitored for failures and so on...)

If someone have a better idea, i'll gladly try it :-)

(Edit)

- ADarwin
- January 5, 2023 at 3:04 pm
- 0 votes
0
```
[Thu Jan 05 12:31:40.599913 2023] [proxy_http:error] [pid 14] (103)Software caused connection abort: [client 172.18.0.1:59228] AH01102: error reading status line from remote server x:8443
```
This error is due to a race condition that happens in some situations where the connection is reused. As the mod_http documentation states, it is

caused by the race condition that the backend server closed the pooled connection after the connection check by the proxy and before data sent by the proxy reached the backend

and can be prevented by setting proxy-initial-not-pooled in httpd.conf.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.