We have an Apache web server which is configured to use SNI with GnuTLS. Everything works and the server delivers the correct cert to clients.

Except when connecting directly from the Apache host.

# curl -v https://example.com

* About to connect() to example.com port 443 (#0)
*   Trying xxx.xxx.xxx.xxx...
* connected
* Connected to example.com (xxx.xxx.xxx.xxx) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
    CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

The same command line works when executed from another computer.

After some testing I found out that the problem happens when source IP and destination IP are the same.

# curl -v --interface 127.0.0.1 https://example.com works perfectly and the TLS handshake succeeds.

The server has two interfaces configured. As long as the interface IP does not match the IP of the resolved hostname, everything works.

For now I was able to do a workaround for the problem but cannot figure out what is causing this behaviour.

~# lsb_release -si -sr
Debian
7.8

~# apache2 -v
Server version: Apache/2.2.22 (Debian)
Server built:   Dec 23 2014 22:48:29

~# gnutls-cli -v
gnutls-cli (GnuTLS) 2.12.20
Packaged by Debian (2.12.20-8+deb7u3)

~# host example.com
example.com has address xxx.xxx.xxx.xxx


~# ifconfig |grep inet -B1
eth0       Link encap:Ethernet  HWaddr 00:aa:bb:cc:dd:ee
          inet addr:yyy.yyy.yyy.yyy Bcast:yyy.yyy.yyy.zzz Mask:255.255.255.248
--
eth1       Link encap:Ethernet  HWaddr 00:aa:bb:cc:dd:ef
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.zzz.zzz  Mask:255.255.0.0
--
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

~# cat ports.conf
Listen xxx.xxx.xxx.xxx:443
Listen yyy.yyy.yyy.yyy:443
Listen xxx.xxx.xxx.xxx:80
Listen yyy.yyy.yyy.yyy:80
NameVirtualHost xxx.xxx.xxx.xxx:443
NameVirtualHost yyy.yyy.yyy.yyy:443
NameVirtualHost xxx.xxx.xxx.xxx:80
NameVirtualHost yyy.yyy.yyy.yyy:80

~# cat sites-enabled/example.com.conf
<VirtualHost xxx.xxx.xxx.xxx:80>
        DocumentRoot "/var/www/com.example"
        ServerName example.com
        Redirect permanent / https://example.com/
        ErrorLog ${APACHE_LOG_DIR}/example.com.error.log
        CustomLog ${APACHE_LOG_DIR}/example.com.access.log combined
        <Directory "/var/www/com.example">
                allow from all
                Options +Indexes
        </Directory>
</VirtualHost>

<VirtualHost xxx.xxx.xxx.xxx:443>
        GnuTLSEnable on
        GnuTLSSessionTickets on
        GnuTLSPriorities SECURE128:-VERS-SSL3.0:+COMP-DEFLATE
        DocumentRoot "/var/www/com.example"
        ServerName example.com
        ErrorLog ${APACHE_LOG_DIR}/example.com.error.log
        CustomLog ${APACHE_LOG_DIR}/example.com.access.log combined
        GnuTLSCertificateFile /etc/ssl/certs/example.com.pem
        GnuTLSKeyFile /etc/ssl/private/example.com.key
        <Directory "/var/www/com.example">
                allow from all
                Options +Indexes
        </Directory>
</VirtualHost>
Merl
    Do you have a _really good reason_ for using GnuTLS? – Michael Hampton Jul 02 '15 at 16:11
  • OpenSSL did not work in our setup and right now we don't have the time to get it to work. Besides, the question is not whether it is a good idea to use GnuTLS or not. – Merl Jul 03 '15 at 08:21
  • OpenSSL works fine out of the box. GnuTLS also should, though you may not be quite as secure. I saw your ssllabs.com report. And after that I'd go back to OpenSSL... If you're having problems with both of them, then something else is probably going on that you haven't told us about. – Michael Hampton Jul 03 '15 at 15:35
  • If OpenSSL _would_ work out of the box we would use it. One VHOST works, two work, maybe three work, four -> apache crashes. But this is a completely different problem and we don't have the time to fix that now. I believed that I could ask questions here and get answers to the question, and that discussions about which tool is the better one are not popular here. GnuTLS – as you said – works out of the box and thus we stay with it for now. Thus I would like to get back to the question: why does it not deliver the SSL cert if src == dst ip? And please give constructive answers. – Merl Jul 03 '15 at 16:02
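A small diagnostic for the failure in the question, added here as example code (not from the original post, Apache or mod_gnutls): it binds to a chosen source address the way curl --interface does, sends a genuine ClientHello carrying the SNI name, and classifies the raw bytes the server sends back, which is exactly what curl's "SSL23_GET_SERVER_HELLO:unknown protocol" message hides (that error means the reply did not start with a TLS record). It assumes Python 3 and takes the host, SNI name and source IPs from the command line; the script name is hypothetical.

```python
import socket
import ssl
import sys


def build_client_hello(sni: str) -> bytes:
    """Let the TLS library write a real ClientHello (with the SNI extension
    for `sni`) into a memory BIO instead of onto a socket."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is queued, the library now waits for the server
    return outgoing.read()


def classify_server_reply(data: bytes) -> str:
    """Name what came back instead of letting the TLS library abort with
    'unknown protocol'. TLS records start with a content type (0x16 handshake,
    0x15 alert) followed by the 0x03 major version byte."""
    if not data:
        return "empty: server closed the connection without answering"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls handshake record: a ServerHello came back, TLS is served here"
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        return "tls alert record: the server rejected the ClientHello"
    if data.startswith(b"HTTP/"):
        return "plaintext HTTP response: no TLS on this listener"
    return "unrecognised reply: %r" % data[:16]


def probe(host: str, port: int, source_ip: str, sni: str, timeout: float = 5.0) -> str:
    """Connect from `source_ip` (like curl --interface), send the ClientHello
    and classify the first reply bytes. The handshake is never completed."""
    with socket.create_connection((host, port), timeout=timeout,
                                  source_address=(source_ip, 0)) as sock:
        sock.sendall(build_client_hello(sni))
        reply = sock.recv(4096)
    return classify_server_reply(reply)


if __name__ == "__main__":
    # Usage: tls_probe.py HOST SNI SOURCE_IP [SOURCE_IP ...]
    # Pass 127.0.0.1 and each interface address from the question to compare
    # the reply when source and destination address are the same vs. differ.
    host, sni, *sources = sys.argv[1:]
    for src in sources:
        print(f"{src:>15} -> {host}:443  {probe(host, 443, src, sni)}")
```

Run it on the Apache host with the interface IPs from ifconfig as sources; a "plaintext HTTP response" or "empty" result for the matching address tells you what Apache actually answered on that path, which is the information curl discards.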

0 Answers