From nobody Thu Nov  3 17:37:54 2022
X-Original-To: freebsd-questions@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4N39vV2pkZz4hVm3
	for <freebsd-questions@mlmmj.nyi.freebsd.org>; Thu,  3 Nov 2022 17:37:58 +0000 (UTC)
	(envelope-from johnl@iecc.com)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "gal.iecc.com", Issuer "Let's Encrypt Authority X3" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4N39vT02W3z3xWy
	for <freebsd-questions@freebsd.org>; Thu,  3 Nov 2022 17:37:56 +0000 (UTC)
	(envelope-from johnl@iecc.com)
Received: (qmail 21785 invoked from network); 3 Nov 2022 17:37:56 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:subject:mime-version:content-type:content-transfer-encoding:cleverness; s=5517.6363fc74.k2211; bh=hRnWnX5n23du+VYNdMF1Vn125AgqxTW9LA8HtOwU2OQ=; b=lLV3lLLiMWUWGrNYlG5yNfCZDgK+Ia/g49wroOg3KDNZS30hh59KUcfqR65XIGOsMkEG9ZJ7yBtUoPK5ko2wdIhNKKhA2geOThpVM1k+O79Qr3pNtdT6Kh7os6SCZtIIj93DgTPFAk3KSwAaCCFkFINxmBeU5WezFtFmjAompaoiUsdEZaSwPcXtepbnVsZksfW91bCMWrrZqVl3p3ZzQekXL7uGK0xv/2p7icQNA0S4wBZS0kpWM6H/EQxZ2Sy48rj/aMPZmuTs/5P+bpn2l0aTkC9iKTB67IsabzMaga0ZBwemzvaYL3jIlG6QftkC2YMeiWbJcwkpO3YEQM/Vuw==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170])
  by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170])
 with ESMTPS (TLS1.3 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 03 Nov 2022 17:37:55 -0000
Received: by ary.qy (Postfix, from userid 501)
	id 2946D4E0281E; Thu,  3 Nov 2022 13:37:54 -0400 (EDT)
Date: 3 Nov 2022 13:37:54 -0400
Message-Id: <20221103173755.2946D4E0281E@ary.qy>
From: "John Levine" <johnl@iecc.com>
To: freebsd-questions@freebsd.org
Subject: Strange apache problem
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
List-Id: User questions <freebsd-questions.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
List-Help: <mailto:questions+help@freebsd.org>
List-Post: <mailto:questions@freebsd.org>
List-Subscribe: <mailto:questions+subscribe@freebsd.org>
List-Unsubscribe: <mailto:questions+unsubscribe@freebsd.org>
Sender: owner-freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
X-Rspamd-Queue-Id: 4N39vT02W3z3xWy
X-Spamd-Bar: -----
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=iecc.com header.s=5517.6363fc74.k2211 header.b=lLV3lLLi;
	dmarc=pass (policy=none) header.from=iecc.com;
	spf=pass (mx1.freebsd.org: domain of johnl@iecc.com designates 2001:470:1f07:1126:0:43:6f73:7461 as permitted sender) smtp.mailfrom=johnl@iecc.com
X-Spamd-Result: default: False [-5.40 / 15.00];
	DWL_DNSWL_LOW(-1.00)[iecc.com:dkim];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-1.00)[-1.000];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	DMARC_POLICY_ALLOW(-0.50)[iecc.com,none];
	RCVD_DKIM_ARC_DNSWL_MED(-0.50)[];
	MV_CASE(0.50)[];
	RCVD_IN_DNSWL_MED(-0.40)[2001:470:1f07:1126:0:43:6f73:7461:from,2001:470:1f07:1126:0:78:696d:6170:received];
	R_SPF_ALLOW(-0.20)[+ip6:2001:470:1f07:1126::/64];
	R_DKIM_ALLOW(-0.20)[iecc.com:s=5517.6363fc74.k2211];
	MIME_GOOD(-0.10)[text/plain];
	ARC_NA(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-questions@freebsd.org];
	MIME_TRACE(0.00)[0:+];
	DKIM_TRACE(0.00)[iecc.com:+];
	HAS_ORG_HEADER(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	FROM_HAS_DN(0.00)[];
	RCVD_COUNT_THREE(0.00)[3];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	RCPT_COUNT_ONE(0.00)[1];
	TO_DN_NONE(0.00)[];
	ASN(0.00)[asn:6939, ipnet:2001:470::/32, country:US]
X-ThisMailContainsUnwantedMimeParts: N

I'm running apache 2.4 on FreeBSD 13.1-RELEASE.  Packages are up to date,
haven't installed kernel patches yet.

Starting about a week ago, sometimes the web server sort of ignores incoming
https connections.  The client connects, then nothing happens and the client
times out.  If I restart the web server, the client reports that the connection
is reset.  I see this from different clients on different machines connecting
from different networks, so it's not just one dodgy browser.

What is strange is if I retry the same web page from the same client a
few minutes later, it often works. The command line gnutls-cli usually
hangs, while LibreSSL 2.8.3 s_client works (that's the version of
openssl that comes with MacOS.)

I have tried rebuilding apache from source, no difference.  When I say it works
later from the same client, literally nothing has changed other than that I tried
later.  The server has been up for 165 days and this only started about a week ago.

Any suggestions keeping in mind that sometimes it works and sometimes
it doesn't with no pattern I can see? I'm baffled.

R's,
John