FAQ
I'm an IIS admin and new to the list. I've done the best I can with
mod_ssl documentation, google, etc, and can't find anyone else who's even
experienced my problem, much less found a solution. That, of course, makes
me wonder whether I'm even understanding it correctly, but I see it plain
as day in my Wireshark traces.

I've got a race condition with a slow IIS server. The IIS server
successfully TLS connects to my Apache server, and sends an encrypted
request. The Apache server responds successfully, and the IIS server is
usually happy and done. 5 seconds later, a TLS Rec Layer-1 Encrypted Alert
is transmitted by the Apache server and the TLS conversation is
terminated. Every now and again, though, the negotiation is complicated by
the IIS server when it submits a second or third encrypted request through
the existing, open TLS channel. 999 times in 1000 all these negotiations
are flawless.

1 time in 1000 the slow IIS server takes exactly 5 seconds to decide to
send an additional encrypted request (TLS Application Data). When this
happens, the encrypted request crosses the TLS Rec Layer-1 Encrypted Alert
on the wire, resulting in "The underlying connection was closed: The
connection was closed unexpectedly."

I don't see any directive in mod_ssl that allows me to extend that 5
second conversation timeout. What am I overlooking? I'm able to modify the
SSLSessionCacheTimeout directive, but that has no impact on the 5 second
timeout around any particular conversation.

Has anyone else seen this kind of behavior?


  • Eric Covener at Feb 17, 2012 at 8:04 pm

    On Fri, Feb 17, 2012 at 3:02 PM, wrote:
    > 5 seconds later, a TLS Rec Layer-1 Encrypted Alert

    Is your base Apache KeepaliveTimeout 5 seconds and this alert is just
    a close_notify?

    ---------------------------------------------------------------------
    The official User-To-User support forum of the Apache HTTP Server Project.
    See <URL:http://httpd.apache.org/userslist.html> for more info.
    To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
    " from the digest: users-digest-unsubscribe@httpd.apache.org
    For additional commands, e-mail: users-help@httpd.apache.org
  • Kmknox at Feb 17, 2012 at 8:16 pm

    Eric Covener wrote on 02/17/2012 03:04:29 PM:
    > On Fri, Feb 17, 2012 at 3:02 PM, wrote:
    > > 5 seconds later, a TLS Rec Layer-1 Encrypted Alert
    >
    > Is your base Apache KeepaliveTimeout 5 seconds and this alert is just
    > a close_notify?

    We've not explicitly defined any of the keepalive settings, so they should
    default to 15 seconds, not 5, right?

    I see where I might be able to force accurate ssl shutdowns, which may
    help. If the channel is left open until .NET explicitly acks its closure,
    this could end my issue. This assumes .NET would follow the shutdown
    handshake protocols, but it might be worth a try.
  • Eric Covener at Feb 17, 2012 at 8:20 pm

    On Fri, Feb 17, 2012 at 3:15 PM, wrote:
    > Eric Covener <covener@gmail.com> wrote on 02/17/2012 03:04:29 PM:
    > > On Fri, Feb 17, 2012 at 3:02 PM, wrote:
    > > > 5 seconds later, a TLS Rec Layer-1 Encrypted Alert
    > >
    > > Is your base Apache KeepaliveTimeout 5 seconds and this alert is just
    > > a close_notify?
    >
    > We've not explicitly defined any of the keepalive settings, so they should
    > default to 15 seconds, not 5, right?

    5 seconds in 2.2 manual and 2.2 code:

    --
    Eric Covener
    covener@gmail.com

  • Kmknox at Feb 17, 2012 at 8:35 pm

    Eric Covener wrote on 02/17/2012 03:20:18 PM:
    > On Fri, Feb 17, 2012 at 3:15 PM, wrote:
    > > Eric Covener <covener@gmail.com> wrote on 02/17/2012 03:04:29 PM:
    > > > On Fri, Feb 17, 2012 at 3:02 PM, wrote:
    > > > > 5 seconds later, a TLS Rec Layer-1 Encrypted Alert
    > > >
    > > > Is your base Apache KeepaliveTimeout 5 seconds and this alert is just
    > > > a close_notify?
    > >
    > > We've not explicitly defined any of the keepalive settings, so they should
    > > default to 15 seconds, not 5, right?
    >
    > 5 seconds in 2.2 manual and 2.2 code:

    Oops. I see it now. Thanks for the correction.
  • Kmknox at Feb 17, 2012 at 9:31 pm

    Eric Covener <covener@gmail.com> wrote on 02/17/2012 03:20:18 PM:
    > On Fri, Feb 17, 2012 at 3:15 PM, wrote:
    > > Eric Covener <covener@gmail.com> wrote on 02/17/2012 03:04:29 PM:
    > > > On Fri, Feb 17, 2012 at 3:02 PM, wrote:
    > > > > 5 seconds later, a TLS Rec Layer-1 Encrypted Alert
    > > >
    > > > Is your base Apache KeepaliveTimeout 5 seconds and this alert is just
    > > > a close_notify?
    > >
    > > We've not explicitly defined any of the keepalive settings, so they should
    > > default to 15 seconds, not 5, right?
    >
    > 5 seconds in 2.2 manual and 2.2 code:

    Oops. I see it now. Thanks for the correction.

    Thank you, Eric. Modifying the keepalive directly modified the
    transmission of the encrypted alert. It was indeed a keepalive terminator.
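The race the thread diagnoses (server sends a close_notify alert when KeepAliveTimeout expires while the client is sending another request on the same TLS connection) can be confirmed from a trace by classifying TLS record headers and comparing timestamps. The script below is an added example, not code from the thread or from httpd; the record list, the `c2s`/`s2c` direction labels and the timings are constructed to mirror the reported capture, and the detection rule (client ApplicationData after a server Alert, or at least the idle limit after the last server response) is an assumption about what the trace should show.

```python
"""Classify TLS records from a (constructed) capture and flag the keep-alive race."""
import struct

# TLS record-layer content types (RFC 5246); payloads stay opaque because they are encrypted.
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

def parse_record(raw: bytes) -> dict:
    """Parse the 5-byte TLS record header: type, version, and payload length."""
    if len(raw) < 5:
        raise ValueError("short record")
    ctype, major, minor, length = struct.unpack("!BBBH", raw[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if len(raw) - 5 != length:
        raise ValueError("record length does not match header")
    return {"type": CONTENT_TYPES[ctype], "version": (major, minor), "length": length}

def find_keepalive_race(records, keepalive_timeout=5.0):
    """Return (time, description) findings for one TLS connection.

    records: iterable of (t_seconds, direction, raw_record); direction is 'c2s' or 's2c'.
    Flags client ApplicationData sent after the server's Alert (connection already
    closed) or at/after keepalive_timeout seconds of idle time since the last server
    response (the request will cross the server's close_notify on the wire).
    """
    findings, last_server_data, server_closed_at = [], None, None
    for t, direction, raw in records:
        rec = parse_record(raw)
        if direction == "s2c":
            if rec["type"] == "ApplicationData":
                last_server_data = t
            elif rec["type"] == "Alert":
                server_closed_at = t
        elif rec["type"] == "ApplicationData":
            if server_closed_at is not None:
                findings.append((t, "client request after server alert: connection already closed"))
            elif last_server_data is not None and t - last_server_data >= keepalive_timeout:
                findings.append((t, "client request at keep-alive idle limit; races server close_notify"))
    return findings

def rec(ctype: int, payload: bytes) -> bytes:
    """Build a TLS 1.0 record with the given content type (constructed test data)."""
    return struct.pack("!BBBH", ctype, 3, 1, len(payload)) + payload

# Constructed trace: request, response, then the alert at the 5 s idle limit crossing a new request.
CAPTURE = [
    (0.000, "c2s", rec(23, b"\x00" * 64)),
    (0.010, "s2c", rec(23, b"\x00" * 512)),
    (5.010, "s2c", rec(21, b"\x00" * 26)),
    (5.011, "c2s", rec(23, b"\x00" * 64)),
]
```

Raising KeepAliveTimeout (or having the client not reuse idle connections past the server's limit) removes the finding for the same trace, which is the check the thread's resolution implies.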
