Saturday, October 23, 2010

Fun with SSL

I am working on a project where mutual authentication with SSL has to be done between an Apache mod_proxy and some proxy server at a third party.

I personally did not design or build the system, and after doing an upgrade of httpd one of the instances did not restart when I told it to. It went down and said SSL is already loaded ... fail.

The idea of this server is to listen on tcp/443 and, based on the URI, redirect to a virtual host running on a specific port. These virtual hosts do some mod_rewrite magic, inject the SSL certificate and then connect to the third party. According to the project manager this can only be done with mod_proxy and no other proxy would allow you to do this.

I tried to restart the other virtual hosts and they went down and up without any problems. So it was just the httpd listening on port 443 that was not coming up.

Since Google is your friend when you get an error message that basically just tells you "sorry, SSL is already in use", I looked at a couple of forum posts, and it was pretty clear immediately that it had something to do with the httpd.conf file.

In the httpd.conf file there was an Include directive to load all .conf files from a conf.d directory. So, analyzing them one by one, I figured out that one of them contained the instructions to load mod_ssl.so, and of course there was the mod_ssl configuration file, which loads mod_ssl.so as well.

Once I commented out the lines in the other file everything was back up and running.
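
The file-by-file search described above can be automated. The following is an added example, not part of the original post: it follows `Include` directives from httpd.conf and reports every module that is loaded from more than one place. The function names, file names and sample configuration are constructed for illustration, and `<IfModule>` blocks are not evaluated.

```python
import glob, os, re, tempfile
from collections import defaultdict
LOAD_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.I)
INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.I)

def find_load_modules(conf, server_root, seen=None, found=None):
    """Follow Include directives from conf; map module name -> [(file, line)]."""
    seen = set() if seen is None else seen
    found = defaultdict(list) if found is None else found
    conf = os.path.realpath(conf)
    if conf in seen:  # guard against include loops
        return found
    seen.add(conf)
    with open(conf, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            load, inc = LOAD_RE.match(line), INCLUDE_RE.match(line)
            if load:  # commented-out lines start with '#' and never match
                found[load.group(1)].append((conf, lineno))
            elif inc:
                pattern = inc.group(1).strip('"')
                if not os.path.isabs(pattern):  # relative to ServerRoot
                    pattern = os.path.join(server_root, pattern)
                for child in sorted(glob.glob(pattern)):
                    if os.path.isfile(child):
                        find_load_modules(child, server_root, seen, found)
    return found

def duplicate_modules(conf, server_root):
    mods = find_load_modules(conf, server_root)
    return {name: locs for name, locs in mods.items() if len(locs) > 1}

def build_sample_tree():
    """Constructed sample layout (not the real server's files)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "conf.d"))
    files = {
        "httpd.conf": "Listen 443\nInclude conf.d/*.conf\n",
        "conf.d/ssl.conf": "LoadModule ssl_module modules/mod_ssl.so\n",
        "conf.d/proxy.conf": "LoadModule ssl_module modules/mod_ssl.so\n"
                             "#LoadModule proxy_module modules/mod_proxy.so\n",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    print(duplicate_modules(os.path.join(root, "httpd.conf"), root))
```

On a real server, pass the path to the instance's httpd.conf and its ServerRoot instead of the sample tree.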
