My application is a very simple https-only apache (2.4.43) server with
mod_ssl (openssl 1.1.1g) in Linux (crux distribution 3.5).
Using log levels up to trace8, I am unable to get anything useful past
[...] [ssl:info] [...] [...] AH01964: Connection to child 64 established
The browser-client eventually times out with a "connected to ..." status
in the meantime. The openssl s_client utility supports the hypothesis
that the ServerHello preparation and/or transmission is blocked somehow
in the mod_ssl logic:
and then nothing ... until I stop the httpd, then openssl s_client exits
after reporting an un-initialized SSL connection:
read from 0x969df0 [0x96f3d0] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF))
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 307 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
That's it for the difficulty I face. I am quite familiar with the TLS
concepts, I did not encounter any configuration where the mod_ssl logic
would complain about something wrong or noticeable in the ClientHello
message. I mean the suspected mod_ssl "freeze" is the systematic outcome
irrespective of the typical SSL/TLS configuration variants. E.g. same
symptoms irrespective of enabling port 80/http with Require all denied
or granted, or moving the CA certificate from SSLCertificateFile to
Except for one [ssl:warn] which I cleared with an SSLSessionCache
[...] [ssl:warn] [...] AH01873: Init: Session Cache is not configured
(knowing what breaks the limited success may be useful for troubleshooting).
I include below (a) the apache configuration file (comment lines
removed), (b) a portion of the apache log, and build-time configuration
for (c) apache and (d) openssl.
My next step is to look at the mod_ssl source code, starting where the
AH01964 log message is emitted.
Obviously any hint would be very much appreciated. If I solve the issue,
I should report to the mailing list for the record.
It appears that you're trying to use a custom openssl installation
to build your httpd, but at a casual glance, I haven't seen anything
that would actually make your httpd use that openssl installation.
Make sure that only the correct openssl headers are included during the
build, and that the LD_LIBRARY_PATH, LD_RUN_PATH or preferably
DT_RUNPATH or DT_RPATH are set so that the matching libraries are
loaded and used (typically using -Wl,-R,/<path>). Also, make sure that
no other modules or libraries are - possibly indirectly - linked against other
versions of openssl and load those during runtime. Use ldd against all
binaries involved to make sure.
If you want to dig deeper, I'd recommend re-compiling with debug info (-g),
running with mpm_prefork for simplicity, attaching one httpd process that's
stuck in the ssl handshake and getting a full backtrace (bt full).
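A scripted form of the ldd check described in the reply, added here as an example and not something posted in the thread: it runs ldd over httpd and its modules and flags the case where libssl or libcrypto resolves to more than one file. The /usr/local/apache2 paths and the sample ldd lines are assumptions/constructed.

```shell
#!/bin/sh
# Parse ldd-style output on stdin; print each distinct libssl/libcrypto
# path seen and exit 1 if either library resolves to more than one file
# (i.e. httpd and a module would load different OpenSSL builds at runtime).
check_ssl_libs() {
    awk '
        /libssl\.so|libcrypto\.so/ {
            lib = $1; sub(/\.so.*/, "", lib)          # "libssl" or "libcrypto"
            path = $3                                 # "name => /path (0x..)"
            if (path == "" || path == "not") path = "UNRESOLVED"
            if (!((lib, path) in seen)) {
                seen[lib, path] = 1; count[lib]++
                print lib " -> " path
            }
        }
        END {
            bad = 0
            for (l in count)
                if (count[l] > 1) {
                    print "CONFLICT: " l " resolves to " count[l] " different files"
                    bad = 1
                }
            exit bad
        }'
}

# Run ldd against the httpd binary and every loadable module (paths assumed
# for a /usr/local/apache2 layout; adjust for your install) and check them
# together, since a module linked against a second OpenSSL is exactly the
# mixed-library case the reply warns about.
audit_httpd() {
    for f in /usr/local/apache2/bin/httpd /usr/local/apache2/modules/*.so; do
        [ -f "$f" ] && ldd "$f" 2>/dev/null
    done | check_ssl_libs
}

# Constructed ldd output: httpd resolves to a custom OpenSSL, a module to the
# distribution one. Two paths per library -> conflict, exit status 1.
SAMPLE_MIXED='    libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f01)
    libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f02)
    libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f03)
    libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f04)'

# Constructed consistent output: every binary uses the same OpenSSL files.
SAMPLE_CLEAN='    libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f01)
    libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f02)
    libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f05)'

printf '%s\n' "$SAMPLE_MIXED" | check_ssl_libs || echo "mixed OpenSSL libraries detected"
```

On a real host run audit_httpd instead of the samples; any CONFLICT line means the -Wl,-R / DT_RUNPATH fix from the reply is still needed somewhere.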