Apache2 fails to start with some specific SSLCipherSuite config
I have no idea what you are trying to do with these cipher suites
SSLCipherSuite NULL-MD5
SSLCipherSuite NULL-SHA
SSLCipherSuite EXP-DES-CBC-SHA
because these are horribly insecure. Please consult https://mozilla.github.io/server-side-tls/ssl-config-generator/ for a useful and secure configuration.
Also the following error messages indicate that your certificate and/or private key is not in the correct format:
[error] SSL Library Error: 151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
If the extension for the file is an indicator of the format this might be related to this setting here, because it looks like you are using the (binary) DER format instead of the required (textual) PEM format:
SSLCertificateFile /var/www/ssl/webserver_cert.der
Everything was working fine before the Apache and OpenSSL update.
I doubt this. Maybe it was working, but I doubt it was working fine. Maybe you just did not realize before how insecure your configuration was.
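As an added example (not part of the question or answer above), a small Python script that reproduces both failure modes locally: it tells PEM from DER by looking for the "-----BEGIN" marker that PEM_read_bio complains about, converts a DER blob to PEM, and asks the local OpenSSL which ciphers survive once the "!aNULL:!eNULL:!EXP:" prefix visible in the debug log line of the question is applied in front of the configured SSLCipherSuite value. The DER sample is constructed and is not a real certificate; the function names are mine.

```python
import base64
import ssl
import textwrap

# Constructed sample: a few bytes shaped like a DER SEQUENCE header, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("30820005020103020100")

# Prefix that mod_ssl is seen adding in the debug line from the question:
# "Configuring permitted SSL ciphers [!aNULL:!eNULL:!EXP:NULL-SHA]"
MOD_SSL_PREFIX = "!aNULL:!eNULL:!EXP:"


def is_pem(data: bytes) -> bool:
    """PEM_read_bio reports 'no start line' when no '-----BEGIN' marker exists,
    which is what a binary DER file handed to SSLCertificateFile looks like."""
    return b"-----BEGIN " in data


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes as PEM: base64 body in 64-column lines between BEGIN/END markers."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, used to confirm the conversion is lossless."""
    body = [line for line in pem.splitlines() if line and not line.startswith("-----")]
    return base64.b64decode("".join(body))


def permitted_ciphers(ssl_cipher_suite: str) -> list:
    """Cipher names the local OpenSSL keeps after the mod_ssl prefix is applied,
    or an empty list where Apache would log 'no cipher match'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(MOD_SSL_PREFIX + ssl_cipher_suite)
    except ssl.SSLError:  # raised when SSL_CTX_set_cipher_list finds no cipher match
        return []
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("DER sample is PEM:", is_pem(SAMPLE_DER))
    print(der_to_pem(SAMPLE_DER), end="")
    for suite in ("NULL-SHA", "EXP-DES-CBC-SHA", "HIGH"):
        names = permitted_ciphers(suite)
        print(f"{suite:16} -> {', '.join(names[:3]) or 'no cipher match'}")
```

Because "!eNULL" and "!EXP" remove those classes permanently, NULL-SHA and EXP-DES-CBC-SHA can never match again, regardless of what the OpenSSL build itself supports.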
Ihnash
Updated on September 18, 2022
Comments
-
Ihnash over 1 year
I have a xxx-ssl.conf config in
/etc/apache2/sites-available/
with the following SSL options in it:
SSLEngine on
SSLCertificateFile /var/www/ssl/webserver_cert.der
SSLCertificateKeyFile /var/www/ssl/webserver.key
SSLCipherSuite NULL-SHA
The key files and cert files are in place. The virtual host (xxx-ssl.conf) is enabled with a2ensite command. The Apache server is reloaded. Unfortunately it fails to start - error log shows the following:
[debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [!aNULL:!eNULL:!EXP:NULL-SHA]
[error] Unable to configure permitted SSL ciphers
[error] SSL Library Error: 151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[error] SSL Library Error: 151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[error] SSL Library Error: 336646329 error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
In other config files I have the following ciphers as well:
SSLCipherSuite NULL-MD5
SSLCipherSuite NULL-SHA
SSLCipherSuite EXP-DES-CBC-SHA
and they don't work either. However I do have some working configuration (like
SSLCipherSuite DES-CBC-SHA
). Moreover, when I try to run
openssl ciphers -s
I get the following error:
Error in cipher list 3073530056:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1312:
Everything was working fine before the Apache and OpenSSL update.
I work on Ubuntu 12.04 LTS.
Apache:
Server version: Apache/2.2.22 (Ubuntu) Server built: Jul 15 2016 15:32:38
OpenSSL:
OpenSSL 1.0.1 14 Mar 2012
Could anyone please guide me through the process of finding out, what is going on? Thanks!
-
Steffen Ullrich over 7 years
It must be
openssl ciphers -s '....your cipher suite...'
and not just
openssl ciphers -s
Otherwise it will show the error you see.
-
Ihnash over 7 years
Thanks for your response. I understand that these cipher suites are insecure but I really need them for internal purposes. These are required by the test environment and are used locally. And this configuration did work before the update... maybe it was insecure, but it did not make Apache crash on start.
-
Steffen Ullrich over 7 years
@Ihnash: I think you need to show more than just selected parts of the config. Especially you need to show the parts which relate to the error messages. Also, it is not clear what you had before the upgrade and if the upgrade changed parts of the configuration. It might just be that you have used insecure features which are now disabled. The use of the broken EXP cipher suite you have might be just one such example.