[ic] mod_interchange, openssl, and mozilla not mixing well

interchange-users@interchange.redhat.com
Fri Feb 22 16:58:01 2002


I'm reporting a problem with a workaround that has hit at least one
other person in the past (archive message below).  Just in case others
have (or will) hit it, I'm posting the bug description here.

###  Environment:  ###

Red Hat 7.2, P-III 1.2, SCSI (dedicated server)
Apache/1.3.22 
mod_ssl/2.8.5 
OpenSSL/0.9.6b

+ IC 4.8.3 using mod_interchange

###  Problem:  ###

Mozilla (all versions, tested 0.9.8 and nightly 2/21/02) browsers only
get first 7,937 bytes when using mod_interchange, but work perfectly
when using a regular cgi-bin link.

Apache error_log:
[Fri Feb 22 13:26:51 2002] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Fri Feb 22 13:26:51 2002] [error] OpenSSL: error:1409F07F:lib(20):func(159):reason(127)
[Fri Feb 22 13:26:51 2002] [error] access to /ds/test_ssl.html failed for 63.145.198.45, reason: error while sending response

(No Interchange error log)

###  Work-around:  ###

Use the cgi-bin link instead of mod_interchange.  

I hope that helps someone.  If anyone is using the above combination of
software and it is working with Mozilla, I would love to hear about it.
I'm happy with the workaround, but perhaps an enterprising someone will
find the druthers to fix it.  :-)

+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Dan Browning, Sr. Tech Consultant
| Kavod Technologies, 1498 SE Tech Center Pl Ste 170
| Vancouver, WA 98683  <dan.browning@kavod.com>
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If today is the first day of the rest of your life, what the hell was
yesterday?

(Posted by Scott Moat)

http://interchange.redhat.com/pipermail/interchange-users/2001-May/008034.html

> I am having a weird problem.  I upgraded everything (interchange, linux,
> apache, etc.) and set up mod-interchange.  But the check out button
> doesn't work on some systems (like mine).  It will work sometimes and it
> will always work when I use open link in new window.  It appears like it
> tries a few times and then comes up I have tried this on a few other
> systems with IE and most of those will actually get to the checkout page
> and then get a different error.  All of them that I have tried that have
> problems are either behind a firewall or my system is on through a proxy
> server.  Any thoughts?  This is the error in the ssl-error.log:
> 
> [Sun May 13 20:19:59 2001] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
> [Sun May 13 20:19:59 2001] [error] OpenSSL: error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry
> [Sun May 13 20:19:59 2001] [error] access to /store/process.html failed for 192.168.0.16, reason: error while sending response
> [Sun May 13 20:19:59 2001] [error] (104)Connection reset by peer: access to /store/process.html failed for 192.168.0.16, reason: error sending headers to client
> 
> It was suggested before that I may not have the ssl virtual server set up
> properly.  I think it is but I am not 100% sure.
> 
> I saw this from Mike in an email message answering this question but I
> unfortunately need it to be laid out a little clearer.  I have my own
> certificate.  If I need to do the 3 steps, how do I do them?  I am still a
> newbie at all this.
> 
> Thanks,
> 
> Scott
> 
> 
> I have been dealing with this one for four years and I am still
> waiting... 8-)
> 
> As far as I can tell, the problem is the splitting of the domains.
> There are situations with proxy servers, cookies, and such that cannot
> be dealt with to my knowledge.
> 
> The best I have been able to come up with is:
> 
>     1. Use "WideOpen Yes" (catalog.cfg) to ignore the host-qualification.
>     Accompany this with "SessionExpire 20 minutes" to make security
>     better.
>     2. Use GET method on the basket form for transitioning to
>     checkout.
>     3. Use the "Mall Yes" (minivend.cfg) directive to cover the case
>     where people get cookies from more than one store on your servers.
> 
> What really solves it is getting an SSL cert and keeping everything
> in the same domain. I strongly recommend this to my clients, telling
> them they will easily eat up the cost in consulting time and lost
> business. Trying to save $125 by not buying a cert is a very false
> economy.
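
Added example, not part of the original post or the archived message: the 2002 log prints the OpenSSL error as `lib(20):func(159):reason(127)` while the 2001 log prints `SSL routines:SSL3_WRITE_PENDING:bad write retry`, and both carry the packed code 1409F07F. The Python sketch below unpacks that code using the pre-3.0 OpenSSL layout (8-bit library, 12-bit function, 12-bit reason) and groups the failed requests by numeric fields, so the two reports show up as the same failure. The sample log is constructed from the lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: error_log lines from both reports above, unwrapped.
SAMPLE_LOG = """\
[Fri Feb 22 13:26:51 2002] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Fri Feb 22 13:26:51 2002] [error] OpenSSL: error:1409F07F:lib(20):func(159):reason(127)
[Fri Feb 22 13:26:51 2002] [error] access to /ds/test_ssl.html failed for 63.145.198.45, reason: error while sending response
[Sun May 13 20:19:59 2001] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Sun May 13 20:19:59 2001] [error] OpenSSL: error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry
[Sun May 13 20:19:59 2001] [error] access to /store/process.html failed for 192.168.0.16, reason: error while sending response
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] (?P<msg>.*)$")
OPENSSL = re.compile(r"^OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):(?P<text>.*)$")
ACCESS = re.compile(r"^access to (?P<uri>\S+) failed for (?P<client>[^,]+),")

def unpack(code_hex):
    """Split a packed pre-3.0 OpenSSL error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def ssl_write_failures(log_text):
    """Pair each OpenSSL error line with the failed request logged after it."""
    events, pending = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ossl = OPENSSL.match(m["msg"])
        acc = ACCESS.match(m["msg"])
        if ossl:
            pending = {"ts": m["ts"], "code": ossl["code"].upper(),
                       "fields": unpack(ossl["code"]), "text": ossl["text"]}
        elif acc and pending and pending["ts"] == m["ts"]:
            pending.update(uri=acc["uri"], client=acc["client"])
            events.append(pending)
            pending = None
    return events

def group_by_code(events):
    """Group by numeric fields so named and unnamed renderings match."""
    groups = {}
    for ev in events:
        groups.setdefault(ev["fields"], []).append(ev)
    return groups

if __name__ == "__main__":
    for fields, evs in group_by_code(ssl_write_failures(SAMPLE_LOG)).items():
        print(fields, [(e["client"], e["uri"], e["text"]) for e in evs])
```

The unnamed `lib(..):func(..):reason(..)` form is what OpenSSL prints when its error strings have not been loaded, which is why grouping on the text alone would treat these as two different errors.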