
I have a problem with one of my virtual hosts. My config: a reverse proxy with CentOS 7 + Apache 2.4 and a backend with Microsoft IIS 6.0.

When I do a curl from the proxy to the virtualhost (curl -k https://blabla.com/) I get a proxy error:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
The proxy server could not handle the request <em><a href="/">GET&nbsp;/</a></em>.<p>
Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
</body></html>

When I look at the packets it is what I get:

1) Client sends [SYN] to server.
2) Server sends [SYN,ACK] to client.
3) Client sends [ACK] to server.
4) Client sends the message “Client Hello” to the server.
5) Server sends its public key with the message “Server Hello, Certificate, Server Hello Done”
6) Client sends its public key with the message “Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message”
7) Server sends encrypted handshake message with the message “Change Cipher Spec, Encrypted Handshake Message”
8) Client sends [FIN,ACK]
9) Server sends RST

The cipher the server wants to use is tls_rsa_with_3des_ede_cbc_sha.

I do not have access to the backend server.

But when I do the same but from the proxy to the real IP of the backend (e.g. curl -k https://10.0.0.1/), it works perfectly. It is just when passing by the proxy that it does not work.

Do you know what is going wrong?

Julien Nyczak
  • What was logged in apache's log? – Michael Hampton Aug 28 '18 at 20:19
  • [proxy:error] [pid 22332] (502)Unknown error 502: [client 200.1.1.1:35868] AH01084: pass request body failed to 10.0.0.1:443 (10.0.0.1) [Tue Aug 28 17:05:44.834597 2018] [proxy:error] [pid 22332] [client 200.1.1.1:35868] AH00898: Error during SSL Handshake with remote server returned by / [Tue Aug 28 17:05:44.834605 2018] [proxy_http:error] [pid 22332] [client 200.1.1.1:35868] AH01097: pass request body failed to 10.0.0.1:443 (10.0.0.1) from 200.1.1.1 () – Julien Nyczak Aug 28 '18 at 20:27
  • That really doesn't say much, unfortunately. But I would _guess_ that Apache's TLS library (OpenSSL?) is not configured to use such obsolete ciphers that IIS seems to want. – Michael Hampton Aug 28 '18 at 20:30
  • The thing is that I have another virtual host with the same backend type, and there it works fine with the same cipher :/ – Julien Nyczak Aug 28 '18 at 20:33
  • You should post your Apache configuration. There are other things that may cause this problem. [Example](https://serverfault.com/q/538086/126632) – Michael Hampton Aug 28 '18 at 20:35
  • Thanks a lot mate! My config was just missing this line: SSLProxyCheckPeerExpire off. Now it works! – Julien Nyczak Aug 28 '18 at 20:51
  • If that fixed the problem, you can post your own answer and accept it. BTW, such a cipher is vulnerable, and IIS 6 (really?) is end of life for years. Work out a plan to get rid of such, instead of keeping the bombs. – Lex Li Aug 28 '18 at 20:56
  • OK! The thing is that it is a client of mine for whom I did a favor upgrading his WAF. The backends are administered by them :) I already told them they are kind of outdated... – Julien Nyczak Aug 28 '18 at 21:01
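The proxy-side configuration behind the fix in the comments, as an added example rather than the asker's own config: the vhost name, certificate paths and the backend address 10.0.0.1 are placeholders taken from the question, and the CA file path is an assumption.

```apache
# Added example, not the asker's configuration. blabla.com, the certificate
# paths and the backend 10.0.0.1 are placeholders from the question.
<VirtualHost *:443>
    ServerName blabla.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/blabla.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/blabla.com.key

    # Terminate TLS here and open a separate TLS session to the IIS backend.
    SSLProxyEngine on

    # --- Workaround that resolved the thread ---
    # mod_ssl checks the backend certificate's validity period even when
    # SSLProxyVerify is left at its default of "none". An expired backend
    # certificate therefore fails the proxied handshake (AH00898) while
    # "curl -k", which skips every check, still succeeds. Turning the check
    # off makes the proxy accept the expired certificate.
    SSLProxyCheckPeerExpire off

    # --- Preferred configuration once the backend certificate is renewed ---
    # Keep the expiry check, trust only the CA that issued the backend
    # certificate and require a valid chain, so the proxy will not talk to
    # an impostor that answers on the internal network.
    # SSLProxyCheckPeerExpire   on
    # SSLProxyVerify            require
    # SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.pem   # assumed path
    # SSLProxyCheckPeerName compares the certificate against the host in
    # ProxyPass, so proxy to a hostname the certificate actually carries
    # before enabling it.

    # The backend only offers TLS_RSA_WITH_3DES_EDE_CBC_SHA (see the
    # question); the handshake also fails if SSLProxyCipherSuite excludes it.

    ProxyPass        / https://10.0.0.1/
    ProxyPassReverse / https://10.0.0.1/
</VirtualHost>
```

With the workaround in place, the proxy no longer rejects an expired backend certificate, so the expiry of that certificate should be tracked separately until the backend is renewed.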
