openssl giving me errors and apache is not working with https
As can be seen from the comments above, the immediate problem was that my service wasn't running under HTTPS, just HTTP. openssl s_client could therefore not connect to it, as there wasn't any SSL to handshake on.
The underlying problem was in my apache configuration. Apache 2.2's NameVirtualHost directive does not support an argument; I have changed NameVirtualHost manage.xxx to NameVirtualHost *:80 and it all works fine.
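As an added illustration (not code from this answer or the thread), the script below decodes the two fragments the question's logs show: the five bytes Apache logged as an invalid request method, and the seven bytes s_client read back. The function names and the sample byte literals are mine.

```python
# Added example, not code from the Server Fault thread: decode the bytes the
# two sides exchanged to show why the handshake failed. Apache logged the
# request line "\x80w\x01\x03\x01" as an invalid HTTP method; those are the
# first bytes of the SSLv2-compatible ClientHello that OpenSSL 0.9.8's
# s_client sends. s_client in turn read back "<!DOCTY", the start of Apache's
# plaintext 501 error page, where a ServerHello record should have been.

# Sample bytes transcribed from the question's logs (constructed literals).
APACHE_SAW = b"\x80w\x01\x03\x01"   # what the non-SSL listener saw as a "method"
OPENSSL_SAW = b"<!DOCTY"            # the 7 bytes s_client read from the server


def parse_sslv2_client_hello(data: bytes) -> dict:
    """Decode the 2-byte SSLv2 record header plus the hello's type/version.

    Bit 7 of byte 0 set means a 2-byte header; the remaining 15 bits are the
    record length, which excludes the header itself.
    """
    if len(data) < 5 or not data[0] & 0x80:
        raise ValueError("not an SSLv2 record with a 2-byte header")
    length = ((data[0] & 0x7F) << 8) | data[1]
    return {
        "record_length": length,        # 0x77 = 119 bytes of body
        "total_bytes": length + 2,      # 121, matching s_client's "121 bytes" write
        "msg_type": data[2],            # 0x01 = CLIENT-HELLO
        "version": (data[3], data[4]),  # (3, 1) = TLS 1.0 is the highest offered
    }


def classify_server_reply(first_bytes: bytes) -> str:
    """Name the kind of listener that answered, from the first bytes it sent.

    A TLS/SSLv3 record starts with a content type (0x14..0x17) followed by a
    0x03 major-version byte; a reply that starts with printable text is a
    plaintext protocol, which is what a listener without SSLEngine produces.
    """
    if len(first_bytes) >= 3 and first_bytes[0] in (0x14, 0x15, 0x16, 0x17) \
            and first_bytes[1] == 0x03:
        return {0x15: "tls-alert", 0x16: "tls-handshake"}.get(first_bytes[0], "tls-record")
    if first_bytes.startswith(b"HTTP/") or first_bytes.lstrip().startswith(b"<"):
        return "plaintext-http"
    return "unknown"


if __name__ == "__main__":
    hello = parse_sslv2_client_hello(APACHE_SAW)
    print(f"client sent SSLv2-style hello: {hello}")
    print(f"server answered with: {classify_server_reply(OPENSSL_SAW)}")
```

The same classification applied to the "15 03 01 00 02 01" bytes in the error_log identifies that localhost connection as a TLS alert record rather than a ClientHello.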
Author: user95711
Updated on September 18, 2022
Comments
-
user95711 over 1 year
I am trying to configure apache-tomcat with SSL, but I am running into some issues:
[root@manage conf]# openssl s_client -state -debug -connect 10.104.1.38:443 -key server.key -cert server.crt
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80f1e98 [0x811d5e8] (121 bytes => 121 (0x79))
0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 00 00-ff 0a 86 af 23 f2 2f a1   ............#./.
0060 - 4b 2d 9b f3 a9 d9 0e 1b-34 4d 0c e4 1a 06 b6 25   K-......4M.....%
0070 - 76 04 de bd 6f 50 86 a1-9f                        v...oP...
SSL_connect:SSLv2/v3 write client hello A
read from 0x80f1e98 [0x8122b48] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
23995:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:
here's my apache config
[root@manage extra]# cat httpd-ssl.conf
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
<VirtualHost _default_:443>
ErrorLog "/usr/local/tomcat/logs/error_log"
TransferLog "/usr/local/tomcat/logs/access_log"
SSLEngine on
SSLProtocol +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:
ServerName manage.xyz
DocumentRoot /usr/local/tomcat/webapps/xyz
ServerAdmin [email protected]
Alias /backup "/var/backupdata/"
Alias /logbackup "/var/logbackupdata/"
Alias /autologbackupdata "/var/autologbackupdata/"
Alias /client "/usr/local/xxxx/clientfiles/"
Alias /syshealth "/usr/local/tomcat/webapps/xyz/syshealth/"
Alias /connection "/tmp"
Alias /cacheimages "/var/cacherrdimages"
Alias /xyz/images "/usr/local/xxxx/images/"
Alias /images "/usr/local/xxxx/images/"
Alias /javaplugin "/usr/local/xxxx/javaplugin/"
Alias /bandwidthgraph "/var/bandwidthgraphs"
Alias /usergraph "/var/bandwidthgraphs/userimage"
JkMount /xyz/servlet/* ajp13
JkMount /xyz/*.jsp ajp13
SSLCertificateFile "/usr/local/apache/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog "/usr/local/apache/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
The error_log output
[Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] Connection to child 2 established (server manage.xyz:443)
[Tue Aug 05 13:44:03 2014] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/accept initialization
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1939): OpenSSL: read 7/11 bytes from BIO#8136940 [mem: 813dfc0] (BIO dump follows)
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1911): | 0000: 15 03 01 00 02 01                                ......           |
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1915): | 0007 - <SPACES/NULS>
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1950): OpenSSL: I/O error, 4 bytes expected to read on BIO#8136940 [mem: 813dfc7]
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] Connection closed to child 2 with abortive shutdown (server manage.xyz:443)
[Tue Aug 05 13:45:37 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01
and here's the relevant output when I try without the -key and -cert options:
[root@manage extra]# openssl s_client -state -debug -connect 10.104.1.38:443
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80f0da0 [0x811c4f8] (121 bytes => 121 (0x79))
0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 00 00-ff 10 44 3f 7f e0 41 4d   ..........D?..AM
0060 - fd 08 dd 10 5b bb f7 10-c6 ec cd 59 b8 ff 55 db   ....[......Y..U.
0070 - 70 cd 97 8d af 9d 2a 65-2a                        p.....*e*
SSL_connect:SSLv2/v3 write client hello A
read from 0x80f0da0 [0x8121a58] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
32453:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:
apache logs for the same time:
[Tue Aug 05 14:23:49 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01
access_log:
10.104.1.38 - - [05/Aug/2014:14:23:49 -0400] "\x80w\x01\x03\x01" 501 217
Below are the logs when I restart my httpd service. No error found, I guess.
==> error_log <==
[Tue Aug 05 14:36:44 2014] [info] removed PID file /var/run/httpd.pid (pid=18411)
[Tue Aug 05 14:36:44 2014] [notice] caught SIGTERM, shutting down
[Tue Aug 05 14:37:09 2014] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 14:37:09 2014] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 05 14:37:09 2014] [info] Configuring server for SSL protocol
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:]
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
[Tue Aug 05 14:37:09 2014] [warn] RSA server certificate CommonName (CN) `jat' does NOT match server name!?
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(936): Configuring RSA server private key
[Tue Aug 05 14:37:09 2014] [info] mod_ssl/2.2.27 compiled against Server: Apache/2.2.27, Library: OpenSSL/0.9.8e-fips-rhel5
[Tue Aug 05 14:37:09 2014] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/apache/logs/jk-runtime-status
[Tue Aug 05 14:37:09 2014] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 14:37:09 2014] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(272): for 511952 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(310): subcache_size = 15996
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 2144
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13852
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(316): index_num = 133
[Tue Aug 05 14:37:09 2014] [info] Shared memory session cache initialised
[Tue Aug 05 14:37:09 2014] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 05 14:37:09 2014] [info] Configuring server for SSL protocol
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:]
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
[Tue Aug 05 14:37:09 2014] [warn] RSA server certificate CommonName (CN) `jat' does NOT match server name!?
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(936): Configuring RSA server private key
[Tue Aug 05 14:37:09 2014] [info] mod_ssl/2.2.27 compiled against Server: Apache/2.2.27, Library: OpenSSL/0.9.8e-fips-rhel5
[Tue Aug 05 14:37:09 2014] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/apache/logs/jk-runtime-status
[Tue Aug 05 14:37:09 2014] [notice] Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.40 configured -- resuming normal operations
[Tue Aug 05 14:37:09 2014] [info] Server built: Jun 14 2014 05:04:12
[Tue Aug 05 14:37:09 2014] [debug] prefork.c(1023): AcceptMutex: sysvsem (default: sysvsem)
-
MadHatter over 9 years
Is there any particular reason why you're testing a connection to the server using its own key and certificate (or so I infer from the filenames)? Do you get any better results from a simple openssl s_client -state -debug -connect 10.104.1.38:443 ?
-
MadHatter over 9 years
with this, I found the same result - er, sorry, what? Do you mean that you got the same result with the command I typed, and if so, could we see that command and the resulting apache logs?
-
user95711 over 9 years
See, I have attached logs in Question.
-
MadHatter over 9 years
I get exactly the same output from both server and client when I try to connect to a non-SSL service with openssl s_client. At the moment, I'm very suspicious that, for whatever reason, SSL is not being enabled on that apache listener. Could you do a service httpd restart (or OS/distro equivalent) and see if apache logs any problems with the key/certificate files at restart time?
-
user95711 over 9 years
[root@manage conf]# telnet 10.104.1.38 443
Trying 10.104.1.38...
Connected to 10.104.1.38.
Escape character is '^]'.
get /
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>get to /index.html not supported.<br />
</p>
</body></html>
Connection closed by foreign host.
-
user95711 over 9 years
See, telnet also gives me text output; it should not happen ideally.
-
MadHatter over 9 years
Never mind ideally, it should not happen at all. I don't know what to make of the error RSA server certificate CommonName (CN) 'jat' does NOT match server name!? though I don't like the look of it, but the long and the short of it is that you don't have SSL enabled on this particular port and address. Is there any occurrence of a port-443-related statement anywhere else in the configs that might be overriding the config you've shown?
-
user95711 over 9 years
RSA server certificate CommonName (CN) 'jat' does NOT match server name!
I have resolved this warning. And I could not find any statement related to 443 in all conf files.
-
MadHatter over 9 years
To be honest, I'm no apache expert. We've shown that the problem is definitely that apache isn't doing SSL on that address and port. If I were you I'd now start stripping out all extraneous statements from the config, to see if I could get apache to start serving a single static document via HTTPS; all you really need is SSLEngine On, a key and certificate file, and a DocumentRoot to serve the file from. If you do that and you get SSL, then you can start adding your other config back to see what breaks it. Other than that, I don't have much to suggest; sorry.
-
user95711 over 9 years
I have used "NameVirtualHost manage.xxx" for domain support, changed it with "NameVirtualHost *:80" and it works fine. thanks for the replies...
-
MadHatter over 9 years
One of us should write that up, so you can accept it as an answer and put this question to bed. It is very bad form to leave a question permanently unanswered on SF! Would you like to write it up, or should I?
-
MadHatter over 9 years
OK, you wrote it up (I've tried to improve it a bit), thank you. In about two days the site should let you accept that answer, by clicking the tick outline next to it. Once you've done that, your obligations are fulfilled! Thanks.
-
MastaJeet over 9 years
For posterity: "\x80w\x01\x03\x01" == client attempting to use SSL/TLS when the server isn't configured to do so.