
I am trying to configure Apache with Tomcat over SSL, but I'm running into some issues.

[root@manage conf]# openssl s_client -state -debug -connect 10.104.1.38:443 -key server.key -cert server.crt 
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80f1e98 [0x811d5e8] (121 bytes => 121 (0x79))
0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 00 00-ff 0a 86 af 23 f2 2f a1   ............#./.
0060 - 4b 2d 9b f3 a9 d9 0e 1b-34 4d 0c e4 1a 06 b6 25   K-......4M.....%
0070 - 76 04 de bd 6f 50 86 a1-9f                        v...oP...
SSL_connect:SSLv2/v3 write client hello A
read from 0x80f1e98 [0x8122b48] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
23995:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

Here's my Apache config:

[root@manage extra]# cat httpd-ssl.conf 
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLMutex  "file:/usr/local/apache/logs/ssl_mutex"

<VirtualHost _default_:443>
    ErrorLog "/usr/local/tomcat/logs/error_log"
    TransferLog "/usr/local/tomcat/logs/access_log"

    SSLEngine on
    SSLProtocol +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:

    ServerName          manage.xyz
    DocumentRoot        /usr/local/tomcat/webapps/xyz
    ServerAdmin         bugs@xxxx.com
    Alias /backup "/var/backupdata/"
    Alias /logbackup "/var/logbackupdata/"
    Alias /autologbackupdata "/var/autologbackupdata/"
    Alias /client "/usr/local/xxxx/clientfiles/"
    Alias /syshealth "/usr/local/tomcat/webapps/xyz/syshealth/"
    Alias /connection "/tmp"
    Alias /cacheimages "/var/cacherrdimages"
    Alias /xyz/images "/usr/local/xxxx/images/"
    Alias /images "/usr/local/xxxx/images/"
    Alias /javaplugin "/usr/local/xxxx/javaplugin/"
    Alias /bandwidthgraph "/var/bandwidthgraphs"
    Alias /usergraph "/var/bandwidthgraphs/userimage"

    JkMount /xyz/servlet/* ajp13
    JkMount /xyz/*.jsp ajp13

    SSLCertificateFile "/usr/local/apache/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/apache/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

The error_log output:

[Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] Connection to child 2 established (server manage.xyz:443)
[Tue Aug 05 13:44:03 2014] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/accept initialization
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1939): OpenSSL: read 7/11 bytes from BIO#8136940 [mem: 813dfc0] (BIO dump follows)
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1911): | 0000: 15 03 01 00 02 01                                ......           |
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1915): | 0007 - <SPACES/NULS>
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1950): OpenSSL: I/O error, 4 bytes expected to read on BIO#8136940 [mem: 813dfc7]
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] Connection closed to child 2 with abortive shutdown (server manage.xyz:443)
[Tue Aug 05 13:45:37 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01

and here's the relevant output when I try without the -key and -cert options:

[root@manage extra]# openssl s_client -state -debug -connect 10.104.1.38:443
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80f0da0 [0x811c4f8] (121 bytes => 121 (0x79))
0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 00 00-ff 10 44 3f 7f e0 41 4d   ..........D?..AM
0060 - fd 08 dd 10 5b bb f7 10-c6 ec cd 59 b8 ff 55 db   ....[......Y..U.
0070 - 70 cd 97 8d af 9d 2a 65-2a                        p.....*e*
SSL_connect:SSLv2/v3 write client hello A
read from 0x80f0da0 [0x8121a58] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
32453:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

Apache logs for the same time:

[Tue Aug 05 14:23:49 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01

access_log:

10.104.1.38 - - [05/Aug/2014:14:23:49 -0400] "\x80w\x01\x03\x01" 501 217

Below are the logs when I restart my httpd service. No error found, I guess.

==> error_log <==
[Tue Aug 05 14:36:44 2014] [info] removed PID file /var/run/httpd.pid (pid=18411)
[Tue Aug 05 14:36:44 2014] [notice] caught SIGTERM, shutting down
[Tue Aug 05 14:37:09 2014] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 14:37:09 2014] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 05 14:37:09 2014] [info] Configuring server for SSL protocol
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:]
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
[Tue Aug 05 14:37:09 2014] [warn] RSA server certificate CommonName (CN) `jat' does NOT match server name!?
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(936): Configuring RSA server private key
[Tue Aug 05 14:37:09 2014] [info] mod_ssl/2.2.27 compiled against Server: Apache/2.2.27, Library: OpenSSL/0.9.8e-fips-rhel5
[Tue Aug 05 14:37:09 2014] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/apache/logs/jk-runtime-status
[Tue Aug 05 14:37:09 2014] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 14:37:09 2014] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(272): for 511952 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(310): subcache_size = 15996
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 2144
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13852
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(316): index_num = 133
[Tue Aug 05 14:37:09 2014] [info] Shared memory session cache initialised
[Tue Aug 05 14:37:09 2014] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 05 14:37:09 2014] [info] Configuring server for SSL protocol
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:]
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
[Tue Aug 05 14:37:09 2014] [warn] RSA server certificate CommonName (CN) `jat' does NOT match server name!?
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(936): Configuring RSA server private key
[Tue Aug 05 14:37:09 2014] [info] mod_ssl/2.2.27 compiled against Server: Apache/2.2.27, Library: OpenSSL/0.9.8e-fips-rhel5
[Tue Aug 05 14:37:09 2014] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/apache/logs/jk-runtime-status
[Tue Aug 05 14:37:09 2014] [notice] Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.40 configured -- resuming normal operations
[Tue Aug 05 14:37:09 2014] [info] Server built: Jun 14 2014 05:04:12
[Tue Aug 05 14:37:09 2014] [debug] prefork.c(1023): AcceptMutex: sysvsem (default: sysvsem)
user95711
  • Is there any particular reason why you're testing a connection to the server using its own key and certificate (or so I infer from the filenames)? Do you get any better results from a simple `openssl s_client -state -debug -connect 10.104.1.38:443`? – MadHatter Aug 05 '14 at 08:31
  • With this, I found the same result. Actually I am trying to configure apache(2.)-tomcat over HTTPS. With HTTP it works fine, but in HTTPS the browser gives an error like "Error code: ERR_SSL_PROTOCOL_ERROR" in Chrome and "Error code: ssl_error_rx_record_too_long" in Mozilla. – user95711 Aug 05 '14 at 08:44
  • *with this, I found the same result* - er, sorry, what? Do you mean that you got the same result with the command I typed, and if so, could we see that command and the resulting apache logs? – MadHatter Aug 05 '14 at 08:47
  • See,I have attached logs in Question. – user95711 Aug 05 '14 at 08:52
  • I get exactly the same output from both server and client when I try to connect to a non-SSL service with `openssl s_client`. At the moment, I'm very suspicious that, for whatever reason, SSL is not being enabled on that apache listener. Could you do a `service httpd restart` (or OS/distro equivalent) and see if apache logs any problems with the key/certificate files at restart time? – MadHatter Aug 05 '14 at 08:57
  • I could not find any error at restart time, just stuck on where it goes wrong. Without HTTPS it all works fine. – user95711 Aug 05 '14 at 09:07
  • `[root@manage conf]# telnet 10.104.1.38 443` / `Trying 10.104.1.38...` / `Connected to 10.104.1.38.` / `Escape character is '^]'.` / `get /` / `501 Method Not Implemented` / `Method Not Implemented` / `get to /index.html not supported.` / `Connection closed by foreign host.` – user95711 Aug 05 '14 at 09:08
  • See, telnet also gives me text output; it should not happen, ideally. – user95711 Aug 05 '14 at 09:09
  • Never mind ideally, it should not happen **at all**. I don't know what to make of the error `RSA server certificate CommonName (CN) 'jat' does NOT match server name!?` though I don't like the look of it, but the long and the short of it is that you don't have SSL enabled on this particular port and address. Is there any occurrence of a port-443-related statement anywhere else in the configs that might be overriding the config you've shown? – MadHatter Aug 05 '14 at 09:13
  • `RSA server certificate CommonName (CN) 'jat' does NOT match server name!` I have resolved this warning. And I could not find any statement related to 443 in all conf files. – user95711 Aug 05 '14 at 09:28
  • To be honest, I'm no apache expert. We've shown that the problem is definitely that apache isn't doing SSL on that address and port. If I were you I'd now start stripping out all extraneous statements from the config, to see if I could get apache to start serving a single static document via HTTPS; all you really need is `SSLEngine On`, a key and certificate file, and a `DocumentRoot` to serve the file from. If you do that and you get SSL, then you can start adding your other config back to see what breaks it. Other than that, I don't have much to suggest; sorry. – MadHatter Aug 05 '14 at 09:44
  • I had used `NameVirtualHost manage.xxx` for domain support; I changed it to `NameVirtualHost *:80` and it works fine. Thanks for the replies... – user95711 Aug 05 '14 at 12:03
  • One of us should write that up, so you can accept it as an answer and put this question to bed. It is very bad form to leave a question permanently unanswered on SF! Would you like to write it up, or should I? – MadHatter Aug 05 '14 at 12:40
  • OK, you wrote it up (I've tried to improve it a bit), thank you. In about two days the site should let you accept that answer, by clicking the tick outline next to it. Once you've done that, your obligations are fulfilled! Thanks. – MadHatter Aug 06 '14 at 08:11
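
The bytes in the traces above tell the whole story on their own, so here is a small decoder for them, as an added example that is not part of the original question or answer. The 121-byte ClientHello is copied verbatim from the `openssl s_client` dump in the question (it is the SSLv2-compatible hello that OpenSSL 0.9.8 sends first); `parse_v2_client_hello` splits it into its fields, `apache_escaped_method` reproduces the "method" token Apache printed in `Invalid method in request \x80w\x01\x03\x01`, and `classify_server_response` tells a TLS record apart from the plaintext `<!DOCTY` that came back. The `probe` helper is the same check against a live host; the helper names are this example's own.

```python
import socket
import struct

# The 121-byte ClientHello written by openssl s_client in the question's trace,
# copied from its hex dump. Bytes 0-10 are the SSLv2-style header, then
# 26 three-byte cipher specs, then the 32-byte random challenge.
SAMPLE_V2_HELLO = bytes.fromhex(
    "80770103 01004e00 00002000 00390000"
    "38000035 00001600 00130000 0a0700c0"
    "00003300 00320000 2f030080 00000500"
    "00040100 80000015 00001200 00090600"
    "40000014 00001100 00080000 06040080"
    "00000302 00800000 ff0a86af 23f22fa1"
    "4b2d9bf3 a9d90e1b 344d0ce4 1a06b625"
    "7604debd 6f5086a1 9f"
)


def parse_v2_client_hello(data: bytes) -> dict:
    """Decode an SSLv2-format CLIENT-HELLO (2-byte header, msg type 0x01).
    Raises ValueError for anything that is not one."""
    if len(data) < 11 or not (data[0] & 0x80):
        raise ValueError("not an SSLv2 record with a 2-byte header")
    record_length = ((data[0] & 0x7F) << 8) | data[1]   # 0x0077 == 119 bytes follow
    if len(data) < 2 + record_length:
        raise ValueError("truncated record")
    if data[2] != 0x01:
        raise ValueError("message type 0x%02x is not CLIENT-HELLO" % data[2])
    major, minor, spec_len, sid_len, chal_len = struct.unpack("!BBHHH", data[3:11])
    body = data[11:2 + record_length]
    if spec_len % 3 or len(body) != spec_len + sid_len + chal_len:
        raise ValueError("length fields do not add up to the record length")
    specs = [body[i:i + 3] for i in range(0, spec_len, 3)]
    # A cipher spec whose first byte is 0x00 carries a 2-byte SSLv3/TLS suite id
    # (00 00 39 -> 0x0039); a nonzero first byte is an SSLv2-only cipher.
    tls_suites = [(s[1] << 8) | s[2] for s in specs if s[0] == 0]
    return {
        "record_length": record_length,
        "version": (major, minor),            # (3, 1) == TLS 1.0
        "cipher_specs": specs,
        "tls_suites": tls_suites,
        "session_id": body[spec_len:spec_len + sid_len],
        "challenge": body[spec_len + sid_len:spec_len + sid_len + chal_len],
    }


def apache_escaped_method(request: bytes) -> str:
    """Reproduce the token Apache logs in 'Invalid method in request ...': the
    request line is a C string, so the "method" ends at the first NUL or
    whitespace, and non-printable bytes are written as \\xNN."""
    token = bytearray()
    for b in request:
        if b in b"\x00 \t\r\n":
            break
        token.append(b)
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in token)


def classify_server_response(first_bytes: bytes) -> str:
    """Name what a port-443 listener answered with, from the first bytes read."""
    if not first_bytes:
        return "nothing: connection closed"
    b0 = first_bytes[0]
    if b0 in (0x15, 0x16) and len(first_bytes) >= 3 and first_bytes[1] == 0x03:
        kind = "alert" if b0 == 0x15 else "handshake"
        return "TLS %s record (version %d.%d)" % (kind, first_bytes[1], first_bytes[2])
    if (b0 & 0x80) and len(first_bytes) >= 3 and first_bytes[2] == 0x04:
        return "SSLv2 SERVER-HELLO"
    if first_bytes.startswith(b"HTTP/") or first_bytes.lstrip().startswith(b"<"):
        return "plaintext HTTP: the listener is not doing SSL/TLS at all"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the sample ClientHello to a live host and classify the reply
    (network helper; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(SAMPLE_V2_HELLO)
        try:
            return classify_server_response(sock.recv(16))
        except socket.timeout:
            return "timeout: nothing read"


if __name__ == "__main__":
    hello = parse_v2_client_hello(SAMPLE_V2_HELLO)
    print("offered version %d.%d, %d cipher specs (%d usable by TLS), challenge %d bytes"
          % (hello["version"] + (len(hello["cipher_specs"]),
                                 len(hello["tls_suites"]), len(hello["challenge"]))))
    print("Apache logged it as method:", apache_escaped_method(SAMPLE_V2_HELLO))
    print("server answered:", classify_server_response(b"<!DOCTY"))
```

The two things worth noticing: the record length byte 0x77 is the ASCII `w` that makes the logged method read `\x80w\x01\x03\x01`, and the token stops after five bytes because offset 5 is a NUL. Anything that answers such a hello with `<` or `HTTP/` is speaking HTTP on the SSL port, which is exactly the symptom Chrome reports as ERR_SSL_PROTOCOL_ERROR and Firefox as ssl_error_rx_record_too_long.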

1 Answer


As can be seen from the comments above, the immediate problem was that my service wasn't running under HTTPS, just HTTP. openssl s_client could therefore not connect to it, as there wasn't any SSL to handshake on.

The underlying problem was in my Apache configuration. Apache 2.2's NameVirtualHost directive does not support an argument; I changed `NameVirtualHost manage.xxx` to `NameVirtualHost *:80` and it all works fine.

MadHatter
user95711
    For posterity: "\x80w\x01\x03\x01" == client attempting to use SSL/TLS when the server isn't configured to do so. – Mark Wagner Aug 06 '14 at 02:40
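
The layout the comments converge on, as an added example rather than the poster's own files: the `NameVirtualHost` is given an explicit port so the port-80 name-based vhost no longer claims connections on 443, and the SSL vhost keeps its own `_default_:443` block. Hostname and paths are placeholders taken from the question; the `SSLProtocol`, `SSLCipherSuite` and `SSLHonorCipherOrder` lines are this example's hardening of the original `+SSLv3` and `+LOW:+SSLv2:+EXP` settings (mod_ssl 2.2 syntax), not something the thread discussed.

```apache
# httpd.conf
# Before: a bare hostname with no port. The port-80 name-based vhost for this
# address then answers port 443 as plain HTTP, which is what produced
# "Invalid method in request \x80w\x01\x03\x01" in error_log.
#NameVirtualHost manage.example

# After: name-based matching is scoped to port 80 only.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName   manage.example
    DocumentRoot "/usr/local/tomcat/webapps/xyz"
</VirtualHost>

# httpd-ssl.conf
Listen 443
<VirtualHost _default_:443>
    ServerName   manage.example
    DocumentRoot "/usr/local/tomcat/webapps/xyz"

    SSLEngine on
    SSLCertificateFile    "/usr/local/apache/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache/conf/server.key"

    # Hardened replacement for "+SSLv3 +TLSv1" and the +LOW/+EXP/+SSLv2 cipher
    # list in the question (example settings, not from the thread).
    SSLProtocol         all -SSLv2 -SSLv3
    SSLCipherSuite      HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    JkMount /xyz/servlet/* ajp13
    JkMount /xyz/*.jsp     ajp13
</VirtualHost>
```

Two checks confirm the fix before touching a browser: `apachectl -S` prints the parsed virtual-host table, so the `_default_:443` entry should appear as its own server rather than under a name-based group for the address, and `openssl s_client -connect 10.104.1.38:443` should now print a `SSL-Session:` block (protocol and cipher) instead of `unknown protocol`. If the certificate CN still does not match `ServerName`, mod_ssl logs the `CommonName (CN) ... does NOT match server name` warning seen in the restart log; that warning alone does not disable SSL, but browsers will reject the name mismatch.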