Apache AH01997: SSL handshake failed: sending 502

I am trying to create a virtual host that proxies to an application hosted on OpenShift, whose URL is pretty awful. When I try this I find the following error in the log file

AH01997:SSL 握手失败:发送 502

The browser shows the following

Proxy Error. The proxy server could not handle the request GET /. Reason: Error during SSL Handshake with remote server

I initially thought this was cipher-related, but... I no longer think so. So I have to admit I am really not sure what the root cause is.

Apache information

Server version: Apache/2.4.38 (Win64)
Server built:   Jan 17 2019 19:32:38

Apache configuration

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile      ${cert_file}
SSLCertificateKeyFile   ${cert_key}

DocumentRoot "${SRVROOT}/htdocs/mattermost/443"

ServerName mattermost.mycorp.com
ServerAlias mattermost.mycorp.com

LogLevel trace6
ErrorLog d:/logs/prod/prod_error_443_mattermost.mycorp.com.log
CustomLog d:/logs/prod/prod_access_443_mattermost.mycorp.com.log mycorpdirect env=!forwarded
CustomLog d:/logs/prod/prod_access_443_mattermost.mycorp.com.log mycorpproxy env=forwarded


# Backend TLS. Peer verification is fully disabled here (SSLProxyVerify none,
# SSLProxyCheckPeerCN/Name Off): that sidesteps the self-signed OpenShift
# chain while debugging, but it also means the proxy never authenticates
# the backend, so do not leave it like this in production.
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyProtocol -all +TLSv1.2
SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

# With ProxyPreserveHost On the incoming Host header (mattermost.mycorp.com)
# is forwarded to the backend instead of the hostname from the ProxyPass target.
ProxyPreserveHost On
ProxyRequests Off
ProxyVia On

#RewriteEngine on
#RewriteRule ^(/.*)  https://mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com/ [P]
ProxyPass / https://mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com/

ProxyPassReverse / https://mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com/
</VirtualHost>

Apache error log

[Thu May 09 15:05:02.694205 2019] [ssl:info] [pid 5668:tid 1836] [remote yy.yy.yy.yy:443] AH02003: SSL Proxy connect failed
[Thu May 09 15:05:02.694205 2019] [ssl:info] [pid 5668:tid 1836] [remote yy.yy.yy.yy:443] AH01998: Connection closed to child 0 with abortive shutdown (server mattermost.mycorp.com:443)
[Thu May 09 15:05:02.694205 2019] [ssl:info] [pid 5668:tid 1836] [remote yy.yy.yy.yy:443] AH01997: SSL handshake failed: sending 502
[Thu May 09 15:05:02.694205 2019] [proxy:error] [pid 5668:tid 1836] (20014)Internal error (specific information not available): [client yyy.yy.y.yyy:65148] AH01084: pass request body failed to yy.yy.yy.yy:443 (mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com), referer: https://mattermost.mycorp.com/
[Thu May 09 15:05:02.694205 2019] [proxy:error] [pid 5668:tid 1836] [client yyy.yy.y.yyy:65148] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://mattermost.mycorp.com/
[Thu May 09 15:05:02.694205 2019] [proxy_http:error] [pid 5668:tid 1836] [client yyy.yy.y.yyy:65148] AH01097: pass request body failed to yy.yy.yy.yy:443 (mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com) from yyy.yy.y.yyy (), referer: https://mattermost.mycorp.com/

OpenSSL s_client output

Not all of it, but the most important bits with reference to my vhost config: TLSv1.2 and the cipher suite

SSL-Session:
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES256-GCM-SHA384

Also verified that Apache has that suite

openssl.exe ciphers "TLSv1.2"

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
.....

Full output from openssl

CONNECTED(00000134)
---
Certificate chain
 0 s:CN = *.cloudappsk2.11913.2016.dcs.mycorp.com
   i:CN = openshift-signer@1552839230
 1 s:CN = openshift-signer@1552839230
   i:CN = openshift-signer@1552839230
 2 s:CN = openshift-signer@1552839230
   i:CN = openshift-signer@1552839230
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN = *.cloudappsk2.11913.2016.dcs.mycorp.com
issuer=CN = openshift-signer@1552839230
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3089 bytes and written 480 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: FB52D3CDAC5F480496BC3E0F98973AE6C13632C8E861EC19884297167067D019
Session-ID-ctx:
Master-Key: 69EF2D7DE36E00753847C99431478828A7E1F55E756E0D282472AB251F85E43404C1940175C2BD0B12EE2537CD7FB148
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1557334640
Timeout   : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed
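One check worth running before digging into cipher suites: the s_client test above talked to the backend with a single SNI name, while mod_proxy, with ProxyPreserveHost On, offers the backend the incoming Host header (mattermost.mycorp.com) as the SNI name rather than the route hostname in the ProxyPass target. OpenShift's router selects routes by SNI, so a handshake that succeeds under one name and is aborted under another would explain AH02003/AH01997 without any cipher mismatch. The script below is an added example written for this page, not code from the original post or from Apache or OpenShift; it probes the backend under three SNI variants and summarises each handshake, and its parser is exercised offline against a constructed sample taken from the s_client output posted above. It assumes a POSIX shell with `openssl` on the PATH (on the poster's Windows box that means running it from a Git Bash or similar shell), that `openssl s_client` accepts `-servername` and, for OpenSSL 1.1.1 or later, `-noservername`, and that the hostnames are placeholders copied from the posted config.

```shell
#!/bin/sh
# Added diagnostic (not part of the original post): probe the backend the way
# mod_proxy does, under different SNI names, and summarise each handshake.
# ASSUMPTIONS: BACKEND_HOST/BACKEND_PORT/VHOST_NAME are placeholders copied from
# the posted config; `openssl s_client` supports -servername and (OpenSSL >= 1.1.1)
# -noservername. Live probing needs network access and runs only with RUN_PROBE=1.

BACKEND_HOST="mattermost-kalypso.cloudappsk2.11913.2016.dcs.mycorp.com"
BACKEND_PORT=443
VHOST_NAME="mattermost.mycorp.com"   # what ProxyPreserveHost On makes mod_proxy send as SNI

# parse_handshake: read `openssl s_client` output on stdin and print one line,
# "protocol=<p> cipher=<c> verify=<code>", or "handshake-failed" when no cipher
# was negotiated (s_client prints "Cipher : 0000" or "(NONE)" in that case).
parse_handshake() {
    awk '
        /^ *Protocol *:/        { proto = $NF }
        /^ *Cipher *:/          { cipher = $NF }
        /^Verify return code:/  { code = $4 }
        END {
            if (proto == "" || cipher == "" || cipher == "0000" || cipher == "(NONE)") {
                print "handshake-failed"
                exit
            }
            printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, code
        }'
}

# probe_backend SNI: open a TLS 1.2 connection to the backend offering the given
# SNI name (empty string = no SNI at all) and summarise the result.
probe_backend() {
    sni="$1"
    if [ -n "$sni" ]; then
        sni_opt="-servername $sni"
    else
        sni_opt="-noservername"
    fi
    # Send a minimal request so the router answers instead of timing out (the
    # posted output shows a 408 when s_client sends nothing).
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "${sni:-$BACKEND_HOST}" |
        openssl s_client -connect "$BACKEND_HOST:$BACKEND_PORT" -tls1_2 $sni_opt 2>&1 |
        parse_handshake
}

# Constructed sample: the relevant lines of the s_client output from the post,
# embedded here so the parser can be exercised without network access.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 19 (self signed certificate in certificate chain)'

# summarise_sample: parse the constructed sample above (offline path).
summarise_sample() {
    printf '%s\n' "$SAMPLE_OK" | parse_handshake
}

if [ "${RUN_PROBE:-0}" = 1 ]; then
    # Compare the route hostname (what the posted s_client run used), the public
    # vhost name (what ProxyPreserveHost On sends), and no SNI at all.
    for name in "$BACKEND_HOST" "$VHOST_NAME" ""; do
        printf 'SNI=%-60s %s\n' "${name:-<none>}" "$(probe_backend "$name")"
    done
else
    summarise_sample
fi
```

Run it with `RUN_PROBE=1 sh probe.sh` from a host that can reach the backend. If the route hostname negotiates a cipher but the vhost name or the no-SNI probe reports `handshake-failed`, the proxy is being rejected for the name it presents, and the fix is on the SNI side (for example turning ProxyPreserveHost off, or making the names match) rather than in SSLProxyCipherSuite. If all three succeed, the cipher and protocol pinning in the vhost is the next thing to compare against the summary lines.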
