Re,
And here is my Adito SSL configuration (I don't remember if it is by default):
Could you try with these parameters (apache and adito) to see if this is an SSL problem?
Nicolas
Nicolas,
I have tried to modify the configuration on the Apache end to no avail. What is the exact location of the file containing the ssl.supportedCiphers parameter?
thx,
juniorc
Hi,
In $ADITO_HOME/adito/conf/webserver.properties or in the web interface (in server configuration I think).
Nicolas
Nicolas,
interesting development …
I have tested the ciphers and protocols parameter both by editing the webserver.properties file directly and via the server/ssl tab. In both cases Adito fails to start. For consistency's sake, I have replicated - failing - the issue on three different VMs running different distributions and combinations of Apache/OpenSSL … have to try Debian yet.
juniorc
Nicolas,
thank you again for your help. I finally got it to work rebuilding the mod_proxy_connect.so on Apache 2.2.16.
I am now building a VM for those that might want to take advantage of it.
juniorc
Hi - I have been trying to implement a proof of concept of this approach using Apache 2.2.25.0 on Windows 7. I got so far everything to work up until the point where the Agent attempts the CONNECT to establish the connection between client and server. The error message I am getting is the same as above ("javax.net.ssl.SSLException: Unsupported record version Unknown-84.84").
You mentioned rebuilding the mod_proxy_connect for Apache - did that fix the problem? If so, how? How did you rebuild mod_proxy_connect?
Thanks!
Anonymous - 2011-07-05
Hi Juniorc, I'd like to get a copy of your VM if that is OK?
Anonymous - 2011-07-06
I still haven't got my reverse proxy to allow the adito agent to work, I think everything is right, I patched mod_proxy_connect but I'm not sure if I did it right. Does anyone have it pre-compiled? I'm running Apache 2.2.14 on an Ubuntu 10.04 server.
This is the error that appears in the agent log -
12:37:08,569 INFO com.maverick.http.ConnectMethod - HTTP CONNECT localhost:8,443 returned
12:37:08,569 INFO com.maverick.http.ConnectMethod - Date: Wed, 06 Jul 2011 11:37:08 GMT
12:37:08,569 INFO com.maverick.http.ConnectMethod - Vary: Accept-Encoding
12:37:08,570 INFO com.maverick.http.ConnectMethod - Content-Length: 219
12:37:08,570 INFO com.maverick.http.ConnectMethod - Keep-Alive: timeout=15, max=100
12:37:08,570 INFO com.maverick.http.ConnectMethod - Connection: Keep-Alive
12:37:08,570 INFO com.maverick.http.ConnectMethod - Content-Type: text/html; charset=iso-8859-1
12:37:08,583 INFO com.adito.agent.client.Agent - An unexpected IO error has occured.
java.io.IOException: Proxy returned HTTP status code 403
at com.maverick.http.HttpConnection.reconnect(HttpConnection.java:126)
at com.maverick.http.HttpConnection.<init>(HttpConnection.java:68)
at com.maverick.http.HttpConnectionManager.getConnection(HttpConnectionManager.java:72)
at com.maverick.http.HttpClient.execute(HttpClient.java:512)
at com.adito.agent.client.Agent.connectAgent(Agent.java:917)
at com.adito.agent.client.Agent.connect(Agent.java:638)
at com.adito.agent.client.Agent.initMain(Agent.java:1673)
at com.adito.agent.client.Agent.main(Agent.java:1410)
12:37:08,591 INFO com.adito.agent.client.Agent - Agent will now exit.
I'm not sure why there is a comma in the port number, I've checked and I haven't put a comma in anywhere in the config.
Anonymous - 2011-07-06
Hmm, seems I just needed "AllowCONNECT 8443" in my apache configuration.
Hi,
I'm trying to configure OpenVPN ALS behind an apache reverse proxy as well.
The configuration:
One VM host with 2 VMs, 1 for apache reverse proxy, 1 for OpenVPN ALS.
Client connects to OpenVPN ALS through reverse proxy.
OpenVPN ALS patch installed.
Everything works until agent tries to establish http CONNECT. The following errors are seen.
agent.log (client/applet)
13:36:07,385 INFO com.maverick.ssl.SSLTransportJCE - SSL handshake complete using protocol TLSv1 with cipher TLS_RSA_WITH_AES_128_CBC_SHA
13:36:07,385 INFO com.maverick.http.HttpClient - Executing method CONNECT on connection
13:36:07,385 DEBUG com.maverick.http.HttpRequest - CONNECT <vmhost>:834 HTTP/1.0
Connection: Keep-Alive
Host: <vmhost>:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
13:36:07,535 DEBUG com.maverick.http.HttpResponse - Received start line: HTTP/1.1 302 Moved Temporarily
/var/log/apache2/ssl_access.log
10.1.25.78 - - "CONNECT <VMhost>:834 HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2"
/var/log/apache2/error.log
(104)Connection reset by peer: SSL input filter read failed.
(32)Broken pipe: core_output_filter: writing data to the network
Connection closed to child 6 with standard shutdown (server isdp-uap1.mimos.my:443)
~
adito/logs/adito.log
06-03-2012 13:36:10 DEBUG HttpConnection - REQUEST:
CONNECT / HTTP/1.1
Host: <VMhost>:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/2
============
Any help would be great.. Thanks!
UPDATE
The following works out of the box without need for any workaround.
user@localhost:~# lsb_release -a
No LSB modules are available.
Distributor ID:Ubuntu
Description:Ubuntu 12.04.4 LTS
Release:12.04
Codename:precise
user@localhost:~# openssl version
OpenSSL 1.0.1 14 Mar 2012
user@localhost:~# apachectl -version
Server version: Apache/2.2.22 (Ubuntu)
Server built: Jul 12 2013 13:37:15
Cheers,
Thanks for the info - I'll be trying that out this weekend! Thanks!!!
Thanks a lot for Nicolas' instruction and patch. I finally got it to work, though I don't use Apache in the end due to the issues with client certificate authentication (the agent doesn't work with client certificate authentication).
Here I'm sharing my experience and hope it can help those who are still looking for a solution:
1. If ProxyRequests is off or is absent:
   java.io.IOException: Proxy returned HTTP status code 302
2. If ProxyPreserveHost is off or is absent:
   java.net.ConnectException: Connection refused: connect
3. If the profile with reverse proxy is not selected when logging in:
   agent cannot start and no CONNECT request is sent out
4. If there is no patch for mod_proxy_connect.so:
   javax.net.ssl.SSLException: Unsupported record version Unknown-84.84
5. If client certificate authentication is configured at apache:
   java.io.IOException: Received fatal alert: handshake_failure
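As an added example (not part of the thread or of Adito/OpenVPN ALS), a small Python triage that scans an agent.log for the error strings listed above and reports the cause the posters attributed to each. The names `triage`, `CAUSES` and `NO_CONNECT` are hypothetical, and the 403 entry comes from the earlier "AllowCONNECT 8443" reply.

```python
import re

# Symptom -> cause pairs as reported by posters in this thread (not an official list).
CAUSES = [
    ("Proxy returned HTTP status code 403",
     'CONNECT refused by the proxy; one poster fixed it with "AllowCONNECT 8443"'),
    ("Proxy returned HTTP status code 302", "ProxyRequests is off or absent"),
    ("ConnectException: Connection refused", "ProxyPreserveHost is off or absent"),
    ("Unsupported record version", "mod_proxy_connect.so is not patched"),
    ("fatal alert: handshake_failure",
     "client certificate authentication is configured at Apache"),
]
NO_CONNECT = ("no CONNECT request logged; the reverse-proxy profile may not "
              "have been selected at login")

# Matches both forms seen in the thread: "HTTP CONNECT host:port returned"
# and "CONNECT host:port HTTP/1.0". The port may be logged as "8,443".
CONNECT_RE = re.compile(r"\bCONNECT\s+(\S+):(\d[\d,]*)")

def triage(log_text):
    """Return the CONNECT target (host, port) and the matching causes."""
    target, findings = None, []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m and target is None:
            # Drop the comma the agent log shows inside the port number.
            target = (m.group(1), int(m.group(2).replace(",", "")))
        for needle, cause in CAUSES:
            if needle in line and cause not in findings:
                findings.append(cause)
    if target is None:
        findings.append(NO_CONNECT)
    return {"target": target, "findings": findings}

# Two lines taken from the agent log quoted in the thread.
SAMPLE_403 = """\
12:37:08,569 INFO com.maverick.http.ConnectMethod - HTTP CONNECT localhost:8,443 returned
java.io.IOException: Proxy returned HTTP status code 403
"""
# Constructed sample (host name is a placeholder): CONNECT followed by the SSL error.
SAMPLE_UNPATCHED = """\
13:36:07,385 DEBUG com.maverick.http.HttpRequest - CONNECT vpn.example.test:8443 HTTP/1.0
javax.net.ssl.SSLException: Unsupported record version Unknown-84.84
"""

if __name__ == "__main__":
    for sample in (SAMPLE_403, SAMPLE_UNPATCHED):
        print(triage(sample))
```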
By the way, I succeeded in making mutual authentication work with ADITO by using clientcert. The link below provides some general instructions, but 2 important steps/instructions are missing.
Drop a message if anybody is interested in this approach.
http://comments.gmane.org/gmane.comp.networking.adito.devel/288