Apache2 fails to start with some specific SSLCipherSuite config

5,479

I have no idea what you are trying to do with these cipher suites

SSLCipherSuite NULL-MD5
SSLCipherSuite NULL-SHA
SSLCipherSuite EXP-DES-CBC-SHA

because these are horribly insecure. Please consult https://mozilla.github.io/server-side-tls/ssl-config-generator/ for a useful and secure configuration.

Also, the following error messages indicate that your certificate and/or private key is not in the correct format:

[error] SSL Library Error: 151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?

If the extension for the file is an indicator of the format, this might be related to this setting here, because it looks like you are using the (binary) DER format instead of the required (textual) PEM format:

SSLCertificateFile    /var/www/ssl/webserver_cert.der  

Everything was working fine before the Apache and OpenSSL update.

I doubt this. Maybe it was working, but I doubt it was working fine. Maybe you just did not realize before how insecure your configuration was.

Author: Ihnash

Updated on September 18, 2022
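An added example, not code from the answer above nor from Apache or OpenSSL: a small Python model of how OpenSSL evaluates a cipher string, run over the strings from this question. The debug line in the question shows Apache prepending `!aNULL:!eNULL:!EXP:` to SSLCipherSuite, and `!` in an OpenSSL cipher string deletes ciphers permanently, so `NULL-SHA`, `NULL-MD5` and `EXP-DES-CBC-SHA` resolve to an empty list (OpenSSL's "no cipher match") while `DES-CBC-SHA` survives, which is exactly what the question reports; `cert_format` classifies a certificate file as PEM or DER, the distinction behind the "no start line" error. The cipher table is a constructed subset, and `APACHE_PREFIX`, `resolve`, `apache_effective` and `cert_format` are names chosen for this example.

```python
# Constructed, abbreviated subset of the OpenSSL cipher table: name -> aliases
# it matches (eNULL = no encryption, EXP = export grade, aNULL = no auth).
CIPHERS = {
    "NULL-MD5":        {"RSA", "eNULL", "MD5", "SSLv3"},
    "NULL-SHA":        {"RSA", "eNULL", "SHA1", "SSLv3"},
    "EXP-DES-CBC-SHA": {"RSA", "DES", "EXP", "SHA1", "SSLv3", "LOW"},
    "DES-CBC-SHA":     {"RSA", "DES", "SHA1", "SSLv3", "LOW"},
    "AES128-SHA":      {"RSA", "AES", "SHA1", "TLSv1", "HIGH"},
    "ECDHE-RSA-AES128-GCM-SHA256": {"ECDHE", "RSA", "AESGCM", "SHA256", "HIGH"},
}

APACHE_PREFIX = "!aNULL:!eNULL:!EXP:"  # prepended by Apache, per the question's debug line

def matches(token, name):
    """A token selects a cipher by exact name or by every '+'-joined alias."""
    if token in ("ALL", name):
        return True
    return all(part in CIPHERS[name] for part in token.split("+"))

def resolve(cipher_string):
    """Model of OpenSSL cipher-string evaluation. Operators: none = add,
    '!' = delete permanently (cannot be re-added), '-' = delete (may be
    re-added later), '+' = move matching ciphers to the end."""
    selected, killed = [], set()
    for token in cipher_string.split(":"):
        op, tok = (token[0], token[1:]) if token[:1] in ("!", "-", "+") else ("", token)
        hits = [n for n in CIPHERS if matches(tok, n)]
        if op == "!":
            killed.update(hits)
            selected = [n for n in selected if n not in hits]
        elif op == "-":
            selected = [n for n in selected if n not in hits]
        elif op == "+":
            selected = [n for n in selected if n not in hits] + [n for n in selected if n in hits]
        else:
            selected += [n for n in hits if n not in killed and n not in selected]
    return selected

def apache_effective(suite):
    """Ciphers Apache would enable for an SSLCipherSuite value; empty = 'no cipher match'."""
    return resolve(APACHE_PREFIX + suite)

def cert_format(data):
    """PEM starts with a '-----BEGIN' line, DER with ASN.1 SEQUENCE tag 0x30."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"
```

Feeding a DER file to SSLCertificateFile produces the "no start line" error because PEM_read_bio looks for that BEGIN line; converting the file to PEM is the fix the answer points at.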

Comments

  • Ihnash over 1 year

    I have an xxx-ssl.conf config in /etc/apache2/sites-available/ with the following SSL options in it:

    SSLEngine on  
    SSLCertificateFile    /var/www/ssl/webserver_cert.der  
    SSLCertificateKeyFile /var/www/ssl/webserver.key  
    SSLCipherSuite NULL-SHA  
    

    The key files and cert files are in place. The virtual host (xxx-ssl.conf) is enabled with the a2ensite command. The Apache server is reloaded. Unfortunately it fails to start - the error log shows the following:

    [debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [!aNULL:!eNULL:!EXP:NULL-SHA]
    [error] Unable to configure permitted SSL ciphers
    [error] SSL Library Error: 151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [error] SSL Library Error: 151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [error] SSL Library Error: 336646329 error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
    

    In other config files I have the following ciphers as well:

    SSLCipherSuite NULL-MD5
    SSLCipherSuite NULL-SHA
    SSLCipherSuite EXP-DES-CBC-SHA
    

    and they don't work either. However, I do have some working configuration (like SSLCipherSuite DES-CBC-SHA).

    Moreover, when I try to run openssl ciphers -s I get the following error:

    Error in cipher list
    3073530056:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1312:
    

    Everything was working fine before the Apache and OpenSSL update.

    I work on Ubuntu 12.04 LTS.

    Apache:

    Server version: Apache/2.2.22 (Ubuntu)
    Server built:   Jul 15 2016 15:32:38
    

    OpenSSL:

    OpenSSL 1.0.1 14 Mar 2012
    

    Could anyone please guide me through the process of finding out what is going on? Thanks!

    • Steffen Ullrich over 7 years
      It must be openssl ciphers -s '....your cipher suite...' and not just openssl ciphers -s. Otherwise it will show the error you see.
  • Ihnash over 7 years
    Thanks for your response. I understand that these cipher suites are insecure but I really need them for internal purposes. These are required by the test environment and are used locally. And this configuration did work before the update... maybe it was insecure, but it did not make Apache crash on start.
  • Steffen Ullrich over 7 years
    @Ihnash: I think you need to show more than just selected parts of the config. Especially you need to show the parts which relate to the error messages. Also, it is not clear what you had before the upgrade and if the upgrade changed parts of the configuration. It might just be that you have used insecure features which are now disabled. The use of the broken EXP cipher suite you have might be just one such example.