openssl giving me errors and apache is not working with https


As can be seen from the comments above, the immediate problem was that my service wasn't running under HTTPS, just HTTP. openssl s_client could therefore not connect to it, as there wasn't any SSL to handshake on.

The underlying problem was in my apache configuration. Apache 2.2's NameVirtualHost directive does not support an argument; I have changed NameVirtualHost manage.xxx to NameVirtualHost *:80 and it all works fine.

Author: user95711

Updated on September 18, 2022

Comments

  • user95711
    user95711 over 1 year

    I try to configure apache-tomcat with ssl, but find some issues

    [root@manage conf]# openssl s_client -state -debug -connect 10.104.1.38:443 -key server.key -cert server.crt 
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    write to 0x80f1e98 [0x811d5e8] (121 bytes => 121 (0x79))
    0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
    0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
    0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
    0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
    0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
    0050 - 00 00 03 02 00 80 00 00-ff 0a 86 af 23 f2 2f a1   ............#./.
    0060 - 4b 2d 9b f3 a9 d9 0e 1b-34 4d 0c e4 1a 06 b6 25   K-......4M.....%
    0070 - 76 04 de bd 6f 50 86 a1-9f                        v...oP...
    SSL_connect:SSLv2/v3 write client hello A
    read from 0x80f1e98 [0x8122b48] (7 bytes => 7 (0x7))
    0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
    SSL_connect:error in SSLv2/v3 read server hello A
    23995:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:
    

    here's my apache config

    [root@manage extra]# cat httpd-ssl.conf 
    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    SSLPassPhraseDialog  builtin
    SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout  300
    SSLMutex  "file:/usr/local/apache/logs/ssl_mutex"
    
    <VirtualHost _default_:443>
    ErrorLog "/usr/local/tomcat/logs/error_log"
    TransferLog "/usr/local/tomcat/logs/access_log"
    
            SSLEngine on
            SSLProtocol +SSLv3 +TLSv1
            SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:
    
            ServerName          manage.xyz
            DocumentRoot        /usr/local/tomcat/webapps/xyz
            ServerAdmin         [email protected]
            Alias /backup "/var/backupdata/"
            Alias /logbackup "/var/logbackupdata/"
            Alias /autologbackupdata "/var/autologbackupdata/"
            Alias /client "/usr/local/xxxx/clientfiles/"
            Alias /syshealth "/usr/local/tomcat/webapps/xyz/syshealth/"
            Alias /connection "/tmp"
            Alias /cacheimages "/var/cacherrdimages"
            Alias /xyz/images "/usr/local/xxxx/images/"
            Alias /images "/usr/local/xxxx/images/"
            Alias /javaplugin "/usr/local/xxxx/javaplugin/"
            Alias /bandwidthgraph "/var/bandwidthgraphs"
            Alias /usergraph "/var/bandwidthgraphs/userimage"
    
            JkMount /xyz/servlet/* ajp13
            JkMount /xyz/*.jsp ajp13
    
    SSLCertificateFile "/usr/local/apache/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    
    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/apache/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    </VirtualHost>
    

    The error_log output

    [Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] Connection to child 2 established (server manage.xyz:443)
    [Tue Aug 05 13:44:03 2014] [info] Seeding PRNG with 136 bytes of entropy
    [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start
    [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/accept initialization
    [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1939): OpenSSL: read 7/11 bytes from BIO#8136940 [mem: 813dfc0] (BIO dump follows)
    [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
    [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1911): | 0000: 15 03 01 00 02 01                                ......           |
    [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1915): | 0007 - <SPACES/NULS>
    [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
    [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1950): OpenSSL: I/O error, 4 bytes expected to read on BIO#8136940 [mem: 813dfc7]
    [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read client hello A
    [Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
    [Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] Connection closed to child 2 with abortive shutdown (server manage.xyz:443)
    [Tue Aug 05 13:45:37 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01
    

    and here's the relevant output when I try without the -key and -cert options:

    [root@manage extra]# openssl s_client -state -debug -connect 10.104.1.38:443
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    write to 0x80f0da0 [0x811c4f8] (121 bytes => 121 (0x79))
    0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
    0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
    0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
    0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
    0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
    0050 - 00 00 03 02 00 80 00 00-ff 10 44 3f 7f e0 41 4d   ..........D?..AM
    0060 - fd 08 dd 10 5b bb f7 10-c6 ec cd 59 b8 ff 55 db   ....[......Y..U.
    0070 - 70 cd 97 8d af 9d 2a 65-2a                        p.....*e*
    SSL_connect:SSLv2/v3 write client hello A
    read from 0x80f0da0 [0x8121a58] (7 bytes => 7 (0x7))
    0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
    SSL_connect:error in SSLv2/v3 read server hello A
    32453:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:
    

    apache logs for the same time :

    [Tue Aug 05 14:23:49 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01
    

    access_log

    10.104.1.38 - - [05/Aug/2014:14:23:49 -0400] "\x80w\x01\x03\x01" 501 217
    

    Below are the logs when I restart my Httpd service. No error found I guess.

    ==> error_log <==
    [Tue Aug 05 14:36:44 2014] [info] removed PID file /var/run/httpd.pid (pid=18411)
    [Tue Aug 05 14:36:44 2014] [notice] caught SIGTERM, shutting down
    [Tue Aug 05 14:37:09 2014] [info] Init: Seeding PRNG with 136 bytes of entropy
    [Tue Aug 05 14:37:09 2014] [info] Loading certificate & private key of SSL-aware server
    [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
    [Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
    [Tue Aug 05 14:37:09 2014] [info] Init: Initializing (virtual) servers for SSL
    [Tue Aug 05 14:37:09 2014] [info] Configuring server for SSL protocol
    [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
    [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:]
    [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
    [Tue Aug 05 14:37:09 2014] [warn] RSA server certificate CommonName (CN) `jat' does NOT match server name!?
    [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(936): Configuring RSA server private key
    [Tue Aug 05 14:37:09 2014] [info] mod_ssl/2.2.27 compiled against Server: Apache/2.2.27, Library: OpenSSL/0.9.8e-fips-rhel5
    [Tue Aug 05 14:37:09 2014] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/apache/logs/jk-runtime-status
    [Tue Aug 05 14:37:09 2014] [info] Init: Seeding PRNG with 136 bytes of entropy
    [Tue Aug 05 14:37:09 2014] [info] Loading certificate & private key of SSL-aware server
    [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
    [Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
    [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
    [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(272): for 511952 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
    [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
    [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
    [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(310): subcache_size = 15996
    [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 2144
    [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13852
    [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(316): index_num = 133
    [Tue Aug 05 14:37:09 2014] [info] Shared memory session cache initialised
    [Tue Aug 05 14:37:09 2014] [info] Init: Initializing (virtual) servers for SSL
    [Tue Aug 05 14:37:09 2014] [info] Configuring server for SSL protocol
    [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
    [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:]
    [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
    [Tue Aug 05 14:37:09 2014] [warn] RSA server certificate CommonName (CN) `jat' does NOT match server name!?
    [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(936): Configuring RSA server private key
    [Tue Aug 05 14:37:09 2014] [info] mod_ssl/2.2.27 compiled against Server: Apache/2.2.27, Library: OpenSSL/0.9.8e-fips-rhel5
    [Tue Aug 05 14:37:09 2014] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/apache/logs/jk-runtime-status
    [Tue Aug 05 14:37:09 2014] [notice] Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.40 configured -- resuming normal operations
    [Tue Aug 05 14:37:09 2014] [info] Server built: Jun 14 2014 05:04:12
    [Tue Aug 05 14:37:09 2014] [debug] prefork.c(1023): AcceptMutex: sysvsem (default: sysvsem)
    
    • MadHatter
      MadHatter over 9 years
      Is there any particular reason why you're testing a connection to the server using its own key and certificate (or so I infer from the filenames)? Do you get any better results from a simple openssl s_client -state -debug -connect 10.104.1.38:443?
    • MadHatter
      MadHatter over 9 years
      with this, I found the same result - er, sorry, what? Do you mean that you got the same result with the command I typed, and if so, could we see that command and the resulting apache logs?
    • user95711
      user95711 over 9 years
      See, I have attached the logs in the question.
    • MadHatter
      MadHatter over 9 years
      I get exactly the same output from both server and client when I try to connect to a non-SSL service with openssl s_client. At the moment, I'm very suspicious that, for whatever reason, SSL is not being enabled on that apache listener. Could you do a service httpd restart (or OS/distro equivalent) and see if apache logs any problems with the key/certificate files at restart time?
    • user95711
      user95711 over 9 years
      [root@manage conf]# telnet 10.104.1.38 443
      Trying 10.104.1.38...
      Connected to 10.104.1.38.
      Escape character is '^]'.
      get /
      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
      <html><head>
      <title>501 Method Not Implemented</title>
      </head><body>
      <h1>Method Not Implemented</h1>
      <p>get to /index.html not supported.<br />
      </p>
      </body></html>
      Connection closed by foreign host.
    • user95711
      user95711 over 9 years
      See, telnet also gives me text output; ideally it should not happen.
    • MadHatter
      MadHatter over 9 years
      Never mind ideally, it should not happen at all. I don't know what to make of the error RSA server certificate CommonName (CN) 'jat' does NOT match server name!? though I don't like the look of it, but the long and the short of it is that you don't have SSL enabled on this particular port and address. Is there any occurrence of a port-443-related statement anywhere else in the configs that might be overriding the config you've shown?
    • user95711
      user95711 over 9 years
      RSA server certificate CommonName (CN) 'jat' does NOT match server name! I have resolved this warning. And I could not find any statement related to 443 in any of the conf files.
    • MadHatter
      MadHatter over 9 years
      To be honest, I'm no apache expert. We've shown that the problem is definitely that apache isn't doing SSL on that address and port. If I were you I'd now start stripping out all extraneous statements from the config, to see if I could get apache to start serving a single static document via HTTPS; all you really need is SSLEngine On, a key and certificate file, and a DocumentRoot to serve the file from. If you do that and you get SSL, then you can start adding your other config back to see what breaks it. Other than that, I don't have much to suggest; sorry.
    • user95711
      user95711 over 9 years
      I have used "NameVirtualHost manage.xxx" for domain support, changed it with "NameVirtualHost *:80" and it works fine. thanks for the replies...
    • MadHatter
      MadHatter over 9 years
      One of us should write that up, so you can accept it as an answer and put this question to bed. It is very bad form to leave a question permanently unanswered on SF! Would you like to write it up, or should I?
    • MadHatter
      MadHatter over 9 years
      OK, you wrote it up (I've tried to improve it a bit), thank you. In about two days the site should let you accept that answer, by clicking the tick outline next to it. Once you've done that, your obligations are fulfilled! Thanks.
  • MastaJeet
    MastaJeet over 9 years
    For posterity: "\x80w\x01\x03\x01" == client attempting to use SSL/TLS when the server isn't configured to do so.
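As an added example (not code from the question or from any commenter), the Python below decodes the 121-byte SSLv2-compatible ClientHello from the s_client hex dump above (the bytes apache logged as "\x80w\x01\x03\x01") and classifies what the server sent back, which is the distinction MastaJeet's note draws: a plaintext HTML reply means there is no TLS listener on the port, not a broken handshake. The sample bytes are re-typed from the dump in the thread; the function names are assumptions of this example.

```python
import struct

# Constructed from the s_client hex dump in the question: the 121-byte
# SSLv2-compatible ClientHello that apache logged as "\x80w\x01\x03\x01".
CLIENT_HELLO = bytes.fromhex(
    "80770103 01004e00 00002000 00390000 38000035 00001600 00130000 0a0700c0"
    "00003300 00320000 2f030080 00000500 00040100 80000015 00001200 00090600"
    "40000014 00001100 00080000 06040080 00000302 00800000 ff0a86af 23f22fa1"
    "4b2d9bf3 a9d90e1b 344d0ce4 1a06b625 7604debd 6f5086a1 9f"
)
SERVER_REPLY = b"<!DOCTY"  # the 7 bytes s_client read back from port 443

def parse_sslv2_compat_hello(data):
    """Decode the SSLv2 record framing OpenSSL 0.9.8 uses for its first
    ClientHello. Returns None if data is not such a record, else a dict."""
    if len(data) < 11 or not data[0] & 0x80:
        return None
    record_len = ((data[0] & 0x7F) << 8) | data[1]   # 2-byte header, high bit set
    msg_type = data[2]                                 # 1 == CLIENT-HELLO
    version = (data[3], data[4])                       # highest version offered
    spec_len, sid_len, chal_len = struct.unpack_from(">HHH", data, 5)
    if msg_type != 1 or record_len != 9 + spec_len + sid_len + chal_len:
        return None
    body = data[11:11 + spec_len]
    specs = [body[i:i + 3] for i in range(0, spec_len, 3)]
    return {
        "record_len": record_len,
        "version": version,
        "cipher_specs": len(specs),
        # SSLv3/TLS suites are carried as 00 xx yy; anything else is SSLv2-only
        "sslv2_only_ciphers": sum(1 for s in specs if s[0] != 0),
        "challenge_len": chal_len,
    }

def classify_reply(data):
    """What did the server send back? Tells 'no TLS on this port' apart
    from a genuine handshake failure."""
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 3:
        return "tls_record"          # TLS alert or handshake record
    if data and data[0] & 0x80:
        return "sslv2_record"
    try:
        data.decode("ascii")
        return "plaintext"           # e.g. an HTTP error page, as in the thread
    except UnicodeDecodeError:
        return "unknown"

if __name__ == "__main__":
    print(parse_sslv2_compat_hello(CLIENT_HELLO), classify_reply(SERVER_REPLY))
```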