WebObjects, SSL, Apache 2.2, FreeBSD problems

I still didn’t have time to investigate this deeply, but here goes anyway, as I didn’t find the answer to this anywhere.

I had the problem described in the Apache 2.2 adaptor: SSL fails on FreeBSD amd64 thread in the WebObjects-Deploy mailing list. As the thread suggests, the problem is not related to 64 bits at all, but with a problem related to the SSL client certificate becoming corrupted somewhere between an SSL request entering apache and leaving to the selected WebObjects application instance.

The thread suggests a little hack in the Wonder’s Adaptor code to ignore the SSL client certificate stuff, but I found that to be a little too dirty. So I dug this as much as time allowed.

I found the adaptor will forward all the SSL http headers it has to the application. This allows the application to analyse the SSL information (like the certificates themselves, the certificate information, etc) if, for some reason, that’s needed. However, the SSL client certificate information is becoming corrupted, and screws up the request, making it invalid. As the application will not reply to what it believes to be an invalid http request, the adaptor thinks the application is non-responsive, and considers it invalid for some minutes. That’s why the user starts to get the infamous “No instance available” message.

I still don’t know if this is an Apache, mod_ssl, WO Adaptor or whatever bug. But I know how to work around it, avoiding this error. As the problem is related to providing the SSL information to the adaptor, I chose to simply block it. This can be done in the Apache configuration. Just add this to the right context (usually the SSL virtual host configuration block):


SSLOptions -FakeBasicAuth -ExportCertData -StrictRequire -StdEnvVars

This will hide all the SSL information from the adaptor, avoiding the error. I’ll try to dig this a little more if I have some free time and update this post.

One thought on “WebObjects, SSL, Apache 2.2, FreeBSD problems

  1. Mukesh M

    Thanks for posting this. I am not using any virtual hosts and my app is not setup to use SSL. However we do use a third party web agent for singe sign on and it does use SSL. I have added the following in Apache httpd.conf but am not sure if this is working as I am still seeing the ‘No Instance available’ messages regularly.

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLOptions -FakeBasicAuth -ExportCertData -StrictRequire -StdEnvVars

    Do you know if there is a way to determine if the ssl information is/is not being sent to the adaptor?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>