parivesh
Joined: 05 Jul 2019 Posts: 4 Location: India
Posted: Fri 05 Jul '19 11:00 Post subject: AH00898: Error during SSL Handshake with remote server
Hi, I upgraded Apache from 2.2 to 2.4.39. I am getting the below error:
[pid 1440:tid 420] AH00354: Child: Starting 64 worker threads.
[proxy:error] [pid 1440:tid 1100] (20014)Internal error (specific information not available): [client AH01084: pass request body failed to [::1]:8443 (mysite.com), referer: https://mysite2.com%2F
[proxy:error] [pid 1440:tid 1100] [client 10.10.10.10:56316] AH00898: Error during SSL Handshake with remote server returned by /, referer:
SSLEngine on
SSLProxyEngine On
SSLCertificateFile "C:/Program Files (x86)/Apache Software Foundation/mykey.crt"
SSLCertificateKeyFile "C:/Program Files (x86)/Apache Software Foundation/mykeyfile.key"
SSLProtocol all +TLSv1 +TLSv1.3
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyRequests off
ProxyPass / "https://mysite.com:8443//abc/"
ProxyPassReverse / "https://mysite.com:8443//abc/"
Also, I am not able to include https-ssl.conf; if I include it, the service does not start.
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Wed 10 Jul '19 22:29 Post subject:
Hello,
What information do you see if you run "httpd.exe -t" (= test your Apache's config) and "httpd.exe -S" (display interesting settings including vhosts) WITH https-ssl.conf included?
In addition, I'm not sure what you want to achieve. Do you want to have your Apache running on port 443 and proxying all requests to another webserver running on https://mysite.com:8443/abc/? Is a certificate for client authentication needed when accessing the webserver running on port 8443? Which ciphers/TLS versions are allowed on the backend?
Best regards
Matthias
parivesh
Joined: 05 Jul 2019 Posts: 4 Location: India
Posted: Wed 24 Jul '19 11:30 Post subject:
Hi mraddi,
please find the details below:
C:\Apache24\bin>httpd.exe -t
Syntax OK
C:\Apache24\bin>httpd.exe -s
httpd.exe: illegal option -- s
Usage: httpd.exe [-D name] [-d directory] [-f file]
[-C "directive"] [-c "directive"]
[-w] [-k start|restart|stop|shutdown] [-n service_name]
[-k install|config|uninstall] [-n service_name]
[-v] [-V] [-h] [-l] [-L] [-t] [-T] [-S] [-X]
Options:
-D name : define a name for use in <IfDefine name> directives
-d directory : specify an alternate initial ServerRoot
-f file : specify an alternate ServerConfigFile
-C "directive" : process directive before reading config files
-c "directive" : process directive after reading config files
-n name : set service name and use its ServerConfigFile and ServerRoot
-k start : tell Apache to start
-k restart : tell running Apache to do a graceful restart
-k stop|shutdown : tell running Apache to shutdown
-k install : install an Apache service
-k config : change startup Options of an Apache service
-k uninstall : uninstall an Apache service
-w : hold open the console window on error
-e level : show startup errors of level (see LogLevel)
-E file : log startup errors to file
-v : show version number
-V : show compile settings
-h : list available command line options (this page)
-l : list compiled in modules
-L : list available configuration directives
-t -D DUMP_VHOSTS : show parsed vhost settings
-t -D DUMP_RUN_CFG : show parsed run settings
-S : a synonym for -t -D DUMP_VHOSTS -D DUMP_RUN_CFG
-t -D DUMP_MODULES : show all loaded modules
-M : a synonym for -t -D DUMP_MODULES
-t -D DUMP_INCLUDES: show all included configuration files
-t : run syntax check for config files
-T : start without DocumentRoot(s) check
-X : debug mode (only one worker, do not detach)
Yes, Apache is running on port 443 and the other webserver is on port 8443.
TLS versions: TLS 1.0, TLS 1.1, TLS 1.2 are enabled.
With Apache 2.2 it was working fine, but after the upgrade it is not working.
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Wed 24 Jul '19 11:36 Post subject:
Hello,
please use "httpd.exe -S" with an uppercase S (when https-ssl.conf is included in your config) to get information about the configured virtual hosts.
Best regards
Matthias
parivesh
Joined: 05 Jul 2019 Posts: 4 Location: India
Posted: Thu 25 Jul '19 13:02 Post subject:
Hi, please find the output below:
C:\Apache24\bin>httpd.exe -S
VirtualHost configuration:
[::1]:443 Hostname (C:/Apache24/conf/httpd.conf:553)
IP:443 Hostname (C:/Apache24/conf/httpd.conf:553)
*:80 Hostname (C:/Apache24/conf/httpd.conf:548)
ServerRoot: "C:/Apache24"
Main DocumentRoot: "C:/Apache24/htdocs"
Main ErrorLog: "C:/Apache24/logs/error.log"
Mutex default: dir="C:/Apache24/logs/" mechanism=default
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "C:/Apache24/logs/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: SRVROOT=c:/Apache24
But when I remove the "#" from the include of httpd-ssl.conf, the Apache service will not start.
parivesh
Joined: 05 Jul 2019 Posts: 4 Location: India
Posted: Thu 25 Jul '19 14:10 Post subject:
I also found one difference while starting the server.
In Apache 2.2, when I start the service it shows
Apache/2.2.11 (Win32) mod_jk/1.2.28 mod_ssl/2.2.11 OpenSSL/0.9.8i
But in Apache 2.4.39 mod_ssl is missing:
Apache/2.4.39 (Win32) mod_jk/1.2.46 OpenSSL/1.1.1c
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Sat 27 Jul '19 20:31 Post subject:
The missing mod_ssl is no hint that SSL is not configured within your Apache's config. On my Apache 2.4 mod_ssl is enabled but not visible in the Apache's Server-Signature.
You may check with
apachectl -M (if you are running Linux)
or
httpd.exe -M (if you are running Windows)
which modules are enabled.
If "ssl_module" is not listed you have to enable it.
On Linux a
sudo a2enmod ssl && sudo service apache2 restart
might be sufficient.
On Windows please check that there is no # in front of this line
LoadModule ssl_module modules/mod_ssl.so
to have the mod_ssl-module enabled. A restart of the Apache-service is needed here, too.
Looking again at your original post: why have you configured this within your Apache's config?
SSLProtocol all +TLSv1 +TLSv1.3
According to Apache's documentation https://httpd.apache.org/docs/2.4/mod/mod_ssl.html "all" already includes TLSv1.
From security's point of view I would prefer
SSLProtocol -all +TLSv1.2 +TLSv1.3
For narrowing down the error please first remove the proxy-stuff from your config and try to access a file locally available to your Apache running at :443 using your browser. This is for checking if your Apache is serving requests with https on :443.
If this is working fine, check if you can access your backend webserver running at :8443 with your browser. This is for checking if your backend webserver is able to serve https requests on port 8443.
If this is working, too, re-enable the proxy config and try to dump the traffic between your Apache and the backend webserver. Do you see any interesting packets within the SSL handshake (you may analyze it with Wireshark) that give you a hint that both parties do not find a cipher that is supported on both ends, or that a certificate is not trusted?
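The point above about "all" already including TLSv1 can be checked by evaluating an SSLProtocol line the way mod_ssl parses its tokens. The following Python is an added example written for this page, not code from the thread or from the Apache project; it assumes the 2.4 token set from the mod_ssl documentation and models "all" as SSLv3 through TLSv1.3.

```python
# Added example: evaluate an Apache 2.4 SSLProtocol directive the way
# mod_ssl does, to see which protocol versions a given line really enables.
# Assumption: "all" expands to every version below (SSLv2 is gone in 2.4).

# Protocols mod_ssl 2.4 knows, weakest first.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Versions current guidance treats as acceptable to keep enabled.
MODERN = {"TLSv1.2", "TLSv1.3"}
# Directive tokens are case-insensitive; map them back to canonical names.
CANONICAL = {p.lower(): p for p in PROTOCOLS}


def effective_protocols(directive):
    """Return the set of protocols enabled by one SSLProtocol line.

    Tokens are read left to right: '+' adds, '-' removes, and a token with
    no prefix replaces the whole set. 'all' expands to every supported
    version. Unknown tokens raise, as the config parser would reject them.
    """
    words = directive.split()
    if words and words[0].lower() == "sslprotocol":
        words = words[1:]  # allow the full config line or just its arguments
    enabled = set()
    for word in words:
        action = word[0] if word[0] in "+-" else "="
        name = word.lstrip("+-").lower()
        if name == "all":
            selected = set(PROTOCOLS)
        elif name in CANONICAL:
            selected = {CANONICAL[name]}
        else:
            raise ValueError(f"unknown SSLProtocol token: {word}")
        if action == "+":
            enabled |= selected
        elif action == "-":
            enabled -= selected
        else:
            enabled = set(selected)
    return enabled


def legacy_protocols(directive):
    """Protocols the line leaves enabled that fall below TLSv1.2, weakest first."""
    enabled = effective_protocols(directive)
    return [p for p in PROTOCOLS if p in enabled and p not in MODERN]


if __name__ == "__main__":
    for line in ("SSLProtocol all +TLSv1 +TLSv1.3",      # line from the original post
                 "SSLProtocol -all +TLSv1.2 +TLSv1.3"):  # the suggested replacement
        print(f"{line:40} -> legacy still enabled: {legacy_protocols(line)}")
```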