24,923
社区成员
发帖
与我相关
我的任务
分享求助 http2.4.27 加载ssl模块问题
环境:
http2.4.27
php5.6.30
opensll 1.0.2l
ppc-linux-gcc 嵌入式设备
描述:
a.未加载ssl模块 http请求可以响应
b.加载ssl模块 不做重定向或者重写 http请求可以响应 https请求可以响应
c加载ssl模块 做了http 跳转https 响应了http请求,但是浏览器无法收到 301跳转消息包
通过分析代码 http已经处理生成了301消息报文,但是apr_socket阻塞住无法发出;
http-ssl.conf
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
#General setup for the virtual host
DocumentRoot "/mnt/apps/apache/htdocs"
ServerName 10.20.1.139:443
ServerAdmin qqzgh@163.com
ErrorLog "/mnt/apps/apache/logs/error_log"
TransferLog "/mnt/apps/apache/logs/access_log"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/mnt/apps/apache/conf/server.crt"
SSLCertificateKeyFile "/mnt/apps/apache/conf/server.key"
#SSLCertificateChainFile "/mnt/apps/apache/conf/server-ca.crt"
#SSLCACertificatePath "D:/Program Files/Apache2/conf/ssl.crt"
#SSLCACertificateFile "/mnt/apps/apache/conf/ssl.crt/ca-bundle.crt"
#SSLCARevocationPath "D:/Program Files/Apache2/conf/ssl.crl"
#SSLCARevocationFile "D:/Program Files/Apache2/conf/ssl.crl/ca-bundle.crl"
#SSLVerifyClient require
#SSLVerifyDepth 10
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/mnt/apps/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/mnt/apps/apache/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SetEnv nokeepalive ssl-unclean-shutdown
</VirtualHost>
http.conf 重定向相关部分
SetEnv nokeepalive force-response-1.0
<VirtualHost *:80>
ServerName 10.20.1.237
Redirect permanent / https://10.20.1.151/
</VirtualHost>
http2.4.27
php5.6.30
opensll 1.0.2l
ppc-linux-gcc 嵌入式设备
描述:
a.未加载ssl模块 http请求可以响应
b.加载ssl模块 不做重定向或者重写 http请求可以响应 https请求可以响应
c加载ssl模块 做了http 跳转https 响应了http请求,但是浏览器无法收到 301跳转消息包
通过分析代码 http已经处理生成了301消息报文,但是apr_socket阻塞住无法发出;
http-ssl.conf
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
#General setup for the virtual host
DocumentRoot "/mnt/apps/apache/htdocs"
ServerName 10.20.1.139:443
ServerAdmin qqzgh@163.com
ErrorLog "/mnt/apps/apache/logs/error_log"
TransferLog "/mnt/apps/apache/logs/access_log"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/mnt/apps/apache/conf/server.crt"
SSLCertificateKeyFile "/mnt/apps/apache/conf/server.key"
#SSLCertificateChainFile "/mnt/apps/apache/conf/server-ca.crt"
#SSLCACertificatePath "D:/Program Files/Apache2/conf/ssl.crt"
#SSLCACertificateFile "/mnt/apps/apache/conf/ssl.crt/ca-bundle.crt"
#SSLCARevocationPath "D:/Program Files/Apache2/conf/ssl.crl"
#SSLCARevocationFile "D:/Program Files/Apache2/conf/ssl.crl/ca-bundle.crl"
#SSLVerifyClient require
#SSLVerifyDepth 10
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/mnt/apps/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/mnt/apps/apache/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SetEnv nokeepalive ssl-unclean-shutdown
</VirtualHost>
http.conf 重定向相关部分
SetEnv nokeepalive force-response-1.0
<VirtualHost *:80>
ServerName 10.20.1.237
Redirect permanent / https://10.20.1.151/
</VirtualHost>
...全文
请发表友善的回复…
发表回复
Zerocao99 2017-09-22
- 打赏
- 举报
GDB堆栈:
(gdb) bt
#0 0x0ffa6434 in __read_nocancel () from /lib/libpthread.so.0
#1 0x0fde0f7c in apr_socket_recv (sock=0x101fb1f0,
buf=0x10204cd8 "GET /info.php HTTP/1.1\r\nHost: 10.20.1.237\r\nConnection: k eep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/5 37.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36\r\nUpgra"...,
len=0xbff063fc) at network_io/unix/sendrecv.c:81
#2 0x0fec2b04 in socket_bucket_read (a=0x101ff630, str=0xbff063f8,
len=0xbff063fc, block=<value optimized out>)
at buckets/apr_buckets_socket.c:36
#3 0x10048068 in ap_core_input_filter (f=0x101fb5f8, b=0x101fb738,
mode=AP_MODE_SPECULATIVE, block=APR_NONBLOCK_READ, readbytes=1)
at core_filters.c:235
#4 0x1002d094 in ap_get_brigade (next=0x200, bb=0x10204cd8, mode=8000,
block=APR_BLOCK_READ, readbytes=4) at util_filter.c:553
#5 0x0dee7114 in reqtimeout_filter (f=0x101fb678, bb=0x101fb738,
mode=AP_MODE_SPECULATIVE, block=APR_NONBLOCK_READ, readbytes=1)
at mod_reqtimeout.c:244
#6 0x1002d094 in ap_get_brigade (next=0x200, bb=0x10204cd8, mode=8000,
block=APR_BLOCK_READ, readbytes=4) at util_filter.c:553
#7 0x10065f74 in ap_check_pipeline (c=0x101fb390, bb=0x101fb738,
max_blank_lines=10) at http_request.c:245
#8 0x10066360 in ap_process_request_after_handler (r=0x10206d10)
at http_request.c:386
---Type <return> to continue, or q <return> to quit---
#9 0x10066c14 in ap_process_request (r=0x200) at http_request.c:483
#10 0x100624a0 in ap_process_http_connection (c=0x101fb390) at http_core.c:210
#11 0x10058684 in ap_run_process_connection (c=0x101fb390) at connection.c:42
#12 0x1006d498 in child_main (child_num_arg=<value optimized out>,
child_bucket=<value optimized out>) at prefork.c:612
#13 0x1006d7d0 in make_child (s=0x100f4f58, slot=0, bucket=0) at prefork.c:649
#14 0x1006e50c in prefork_run (_pconf=<value optimized out>, plog=0x100f89b8,
s=0x100f4f58) at prefork.c:863
#15 0x1002b084 in ap_run_mpm (pconf=0x100d00a8, plog=0x100f89b8, s=0x100f4f58)
at mpm_common.c:94
#16 0x1002302c in main (argc=2, argv=0xbff06b14) at main.c:792
Zerocao99 2017-09-22
- 打赏
- 举报
log:
TLSv1.2)
[Fri Sep 22 09:32:07.371995 2017] [ssl:trace1] [pid 1133871366160] ssl_engine_init.c(849): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:!aNULL:!eNULL:!EXP]
[Fri Sep 22 09:32:07.373785 2017] [ssl:debug] [pid 1133871366160] ssl_engine_init.c(445): AH01893: Configuring TLS extension handling
[Fri Sep 22 09:32:07.388115 2017] [ssl:trace3] [pid 90] ssl_util_ssl.c(432): [10.20.1.139:443] modssl_X509_match_name: expecting name '10.20.1.139', NOT matched by ID 'hydra'
[Fri Sep 22 09:32:07.389746 2017] [ssl:debug] [pid 0] ssl_util_ssl.c(443): AH02412: [10.20.1.139:443] Cert does not match for name '10.20.1.139' [subject: emailAddress=qqzgh@163.com,CN=hydra,O=hzvc,L=Hangzhou,ST=hzvc,C=CN / issuer: emailAddress=qqzgh@163.com,CN=hydra,O=hzvc,L=Hangzhou,ST=hzvc,C=CN / serial: 8FD3E2E4D8372305 / notbefore: Sep 15 02:00:02 2017 GMT / notafter: Sep 15 02:00:02 2018 GMT]
[Fri Sep 22 09:32:07.390058 2017] [ssl:warn] [pid 7456396864241496933] AH01909: 10.20.1.139:443:0 server certificate does NOT include an ID which matches the server name
[Fri Sep 22 09:32:07.390325 2017] [ssl:info] [pid 7456396864241496933] AH02568: Certificate and private key 10.20.1.139:443:0 configured from /mnt/apps/apache/conf/server.crt and /mnt/apps/apache/conf/server.key
[Fri Sep 22 09:32:07.392770 2017] [ssl:info] [pid 0] AH01876: mod_ssl/2.4.27 compiled against Server: Apache/2.4.27, Library: OpenSSL/1.0.2a
[Fri Sep 22 09:32:08.385797 2017] [ssl:trace2] [pid 3201214604] ssl_engine_rand.c(126): Init: Seeding PRNG with 136 bytes of entropy
[Fri Sep 22 09:32:08.387266 2017] [ssl:warn] [pid -4697630152266350451] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Sep 22 09:32:08.387573 2017] [ssl:info] [pid 3544412350750654464] AH01887: Init: Initializing (virtual) servers for SSL
[Fri Sep 22 09:32:08.387904 2017] [ssl:info] [pid 4294967296000000] AH01914: Configuring server 10.20.1.139:443 for SSL protocol
[Fri Sep 22 09:32:08.388176 2017] [ssl:trace3] [pid 1133871366160] ssl_engine_init.c(542): Creating new SSL context (protocols: TLSv1, TLSv1.1, TLSv1.2)
[Fri Sep 22 09:32:08.395138 2017] [ssl:trace1] [pid 1133871366160] ssl_engine_init.c(849): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:!aNULL:!eNULL:!EXP]
[Fri Sep 22 09:32:08.397076 2017] [ssl:debug] [pid 1133871366160] ssl_engine_init.c(445): AH01893: Configuring TLS extension handling
[Fri Sep 22 09:32:08.411751 2017] [ssl:trace3] [pid 90] ssl_util_ssl.c(432): [10.20.1.139:443] modssl_X509_match_name: expecting name '10.20.1.139', NOT matched by ID 'hydra'
[Fri Sep 22 09:32:08.413204 2017] [ssl:debug] [pid 0] ssl_util_ssl.c(443): AH02412: [10.20.1.139:443] Cert does not match for name '10.20.1.139' [subject: emailAddress=qqzgh@163.com,CN=hydra,O=hzvc,L=Hangzhou,ST=hzvc,C=CN / issuer: emailAddress=qqzgh@163.com,CN=hydra,O=hzvc,L=Hangzhou,ST=hzvc,C=CN / serial: 8FD3E2E4D8372305 / notbefore: Sep 15 02:00:02 2017 GMT / notafter: Sep 15 02:00:02 2018 GMT]
[Fri Sep 22 09:32:08.413512 2017] [ssl:warn] [pid 7456396864241496933] AH01909: 10.20.1.139:443:0 server certificate does NOT include an ID which matches the server name
[Fri Sep 22 09:32:08.413773 2017] [ssl:info] [pid 7456396864241496933] AH02568: Certificate and private key 10.20.1.139:443:0 configured from /mnt/apps/apache/conf/server.crt and /mnt/apps/apache/conf/server.key
[Fri Sep 22 09:32:08.416402 2017] [ssl:info] [pid 3544412350750654464] AH01876: mod_ssl/2.4.27 compiled against Server: Apache/2.4.27, Library: OpenSSL/1.0.2a
[Fri Sep 22 09:32:08.433744 2017] [core:trace4] [pid 3269209339458390404] mpm_common.c(533): mpm child 0 (gen 446744/slot 1263183600) (null)
[Fri Sep 22 09:32:08.447623 2017] [core:trace4] [pid 3269209339458390404] mpm_common.c(533): mpm child 4294967296 (gen 446744/slot 1263183600) (null)
[Fri Sep 22 09:32:08.451565 2017] [core:trace4] [pid 3269209339458390404] mpm_common.c(533): mpm child 8589934592 (gen 446744/slot 1263183600) (null)
[Fri Sep 22 09:32:08.483722 2017] [core:trace4] [pid 3269209339458390404] mpm_common.c(533): mpm child 12884901888 (gen 446744/slot 1263183600) (null)
[Fri Sep 22 09:32:08.487852 2017] [core:trace4] [pid 3269209339458390404] mpm_common.c(533): mpm child 17179869184 (gen 446744/slot 1263183600) (null)
[Fri Sep 22 09:32:08.488208 2017] [mpm_prefork:notice] [pid -4697630097525527985] AH00163: Apache/2.4.27 (Unix) PHP/5.6.30 OpenSSL/1.0.2l configured -- resuming normal operations
[Fri Sep 22 09:32:08.488471 2017] [mpm_prefork:info] [pid -4697630097525527985] AH00164: Server built: Sep 21 2017 14:46:56
[Fri Sep 22 09:32:08.489481 2017] [core:notice] [pid -5264766341591597056] AH00094: Command line: '/mnt/apps/apache/bin/httpd'
[Fri Sep 22 09:32:08.489802 2017] [core:debug] [pid -4697666158070945403] log.c(1546): AH02639: Using SO_REUSEPORT: no (1)
[Fri Sep 22 09:32:08.490356 2017] [mpm_prefork:debug] [pid 3216930504704000] prefork.c(916): AH00165: Accept mutex: sysvsem (default: sysvsem)
[Fri Sep 22 09:32:15.305618 2017] [core:trace5] [pid 4048800054630066405] protocol.c(645): [client 10.20.1.131:51596] Request received from client: GET / HTTP/1.1
[Fri Sep 22 09:32:15.308027 2017] [http:trace4] [pid 1420861080862720] http_request.c(420): [client 10.20.1.131:51596] Headers received from client:
[Fri Sep 22 09:32:15.308357 2017] [http:trace4] [pid 1420861080914316] http_request.c(424): [client 10.20.1.131:51596] Host: 10.20.1.139
[Fri Sep 22 09:32:15.308623 2017] [http:trace4] [pid 1420861080914316] http_request.c(424): [client 10.20.1.131:51596] Connection: keep-alive
[Fri Sep 22 09:32:15.308872 2017] [http:trace4] [pid 1420861080914316] http_request.c(424): [client 10.20.1.131:51596] Upgrade-Insecure-Requests: 1
[Fri Sep 22 09:32:15.309127 2017] [http:trace4] [pid 1420861080914316] http_request.c(424): [client 10.20.1.131:51596] User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
[Fri Sep 22 09:32:15.309390 2017] [http:trace4] [pid 1420861080914316] http_request.c(424): [client 10.20.1.131:51596] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
[Fri Sep 22 09:32:15.309654 2017] [http:trace4] [pid 1420861080914316] http_request.c(424): [client 10.20.1.131:51596] Accept-Encoding: gzip, deflate
[Fri Sep 22 09:32:15.309909 2017] [http:trace4] [pid 1420861080914316] http_request.c(424): [client 10.20.1.131:51596] Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
[Fri Sep 22 09:32:15.311079 2017] [core:trace3] [pid -5264766341591597056] request.c(119): [client 10.20.1.131:51596] auth phase 'translate' gave status 301: /
[Fri Sep 22 09:32:15.312896 2017] [http:trace3] [pid -4697667995223195648] http_filters.c(1128): [client 10.20.1.131:51596] Response sent with status 301, headers:
[Fri Sep 22 09:32:15.313225 2017] [http:trace5] [pid -4697667995223144052] http_filters.c(1135): [client 10.20.1.131:51596] Date: Fri, 22 Sep 2017 01:32:15 GMT
[Fri Sep 22 09:32:15.313497 2017] [http:trace5] [pid -4697667995223144052] http_filters.c(1138): [client 10.20.1.131:51596] Server: Apache/2.4.27 (Unix) PHP/5.6.30 OpenSSL/1.0.2l
[Fri Sep 22 09:32:15.313830 2017] [http:trace4] [pid 7597103252248146478] http_filters.c(957): [client 10.20.1.131:51596] Location: https://10.20.1.139/
[Fri Sep 22 09:32:15.314121 2017] [http:trace4] [pid 7597103251707709836] http_filters.c(957): [client 10.20.1.131:51596] Content-Length: 228
[Fri Sep 22 09:32:15.314387 2017] [http:trace4] [pid 7597103251707709836] http_filters.c(957): [client 10.20.1.131:51596] Keep-Alive: timeout=5, max=100
[Fri Sep 22 09:32:15.314652 2017] [http:trace4] [pid 7597103251707709836] http_filters.c(957): [client 10.20.1.131:51596] Connection: Keep-Alive
[Fri Sep 22 09:32:15.315253 2017] [http:trace4] [pid 7597103251707709836] http_filters.c(957): [client 10.20.1.131:51596] Content-Type: text/html; charset=iso-8859-1
[Fri Sep 22 09:32:15.503399 2017] [core:trace4] [pid 4294967296] mpm_common.c(533): mpm child 21474836480 (gen 446744/slot 1263183600) (null)
[Fri Sep 22 09:32:16.509297 2017] [core:trace4] [pid 4294967296] mpm_common.c(533): mpm child 25769803776 (gen 446744/slot 1263183600) (null)
[Fri Sep 22 09:32:16.513846 2017] [core:trace4] [pid 4294967296] mpm_common.c(533): mpm child 30064771072 (gen 446744/slot 1263183600) (null)
[Fri Sep 22 09:32:30.931405 2017] [core:trace6] [pid 0] core_filters.c(525): [client 10.20.1.131:51597] core_output_filter: flushing because of FLUSH bucket
[Fri Sep 22 09:32:38.498919 2017] [core:trace6] [pid -5264766341591545460] core_filters.c(525): [client 10.20.1.131:51596] core_output_filter: flushing because of FLUSH bucket
[Fri Sep 22 09:32:38.501226 2017] [core:trace6] [pid 1420861082782352] core_filters.c(525): [client 10.20.1.131:51596] core_output_filter: flushing because of FLUSH bucket
