
I've come across a very strange issue. On our server, we are running Solaris 10 with httpd 2.2.19 and openssl 1.0.0d. We have only a single virtual host:

    <VirtualHost _default_:443>
        ServerName hostname.example.com:443
    </VirtualHost>

With hostname being the correct hostname of course. When we go to navigate to the site using the hostname, the connection fails and I see in the error_log that the SSL handshake starts, shows the BIO dump, then says:

    [debug] ssl_engine_kernel.c(1884): OpenSSL:> Write: SSLv3 read client hello C
    [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in error
    [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in error
    [info] [client 1x.x.x.x] SSL library error 1 in handshake (server hostname.example.com:443)
    [info] SSL Library Error: 336204149 error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback
    [info] [client x.x.x.x] Connection closed to child 0 with abortive shutdown (server hostname.example.com:443)
    [notice] child pid 28997 exit signal Segmentation fault (11), possible coredump in /usr/local/apache2/logs

Does anybody have any idea what the issue might be? I can't for the life of me think why the hostname would be handled differently from the IP. We have SSL3 protocol disabled in the config, and a long list of ciphers enabled that work on other servers.

2 Answers

You should not have the port number in the ServerName.

Also, are you using name-based virtual hosting? If so, don't use _default_ but use * instead.

So instead of this:

<VirtualHost _default_:443>
    ServerName hostname.example.com:443
</VirtualHost>

have this:

NameVirtualHost *:443
<VirtualHost *:443>
    ServerName hostname.example.com
</VirtualHost>

Per the docs http://httpd.apache.org/docs/2.2/vhosts/examples.html#default:

A default vhost never serves a request that was sent to an address/port that is used for name-based vhosts. If the request contained an unknown or no Host: header it is always served from the primary name-based vhost (the vhost for that address/port appearing first in the configuration file).

Barry Pollard
  • Thank you for taking the time to reply. We are not using name-based virtual hosting. Also, although I see what you mean about the port, we have another server with pretty much the same exact config, and it seems to work properly – Scottie Feb 02 '16 at 20:49
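As an added example (not part of the original question or answer), the corrected vhost from the answer above expanded into a complete httpd 2.2 SSL virtual host. The certificate and log paths, the DocumentRoot and the cipher string are assumptions for illustration; the page only gives the ServerName and the `_default_` vs `*:443` change.

```apache
# Added example, not from the original question or answer.
# Applies the answer's advice: ServerName without the port, and
# NameVirtualHost / *:443 instead of _default_:443.
# All file paths and the cipher list below are assumptions.

Listen 443
NameVirtualHost *:443

<VirtualHost *:443>
    # No ":443" suffix; the port comes from the VirtualHost address
    ServerName hostname.example.com
    DocumentRoot /usr/local/apache2/htdocs

    SSLEngine on
    # SSLv2 and SSLv3 off, as the question says the server is configured.
    # OpenSSL 1.0.0 only speaks up to TLS 1.0, so "all" means TLS 1.0 here.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # Assumed cipher string: no anonymous suites, no MD5, no RC4
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    SSLCertificateFile      /usr/local/apache2/conf/ssl/hostname.example.com.crt
    SSLCertificateKeyFile   /usr/local/apache2/conf/ssl/hostname.example.com.key
    SSLCertificateChainFile /usr/local/apache2/conf/ssl/chain.crt

    ErrorLog  /usr/local/apache2/logs/ssl_error_log
    # LogLevel debug reproduces the ssl_engine_kernel.c trace shown in the question
    LogLevel  warn
    CustomLog /usr/local/apache2/logs/ssl_access_log combined
</VirtualHost>
```

After reloading, `apachectl -S` prints the parsed vhost list, which is the quickest way to confirm which vhost (and which ServerName) httpd will actually use for *:443. To exercise the handshake by name rather than by IP, `openssl s_client -connect hostname.example.com:443 -servername hostname.example.com` sends the SNI extension the browser sends, so the client side of the failing exchange can be reproduced from a shell.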

So I found the way to fix it, but I'm not 100% sure why this resolved it. I changed the ServerName from hostname.subdomain.domain:443 to hostname.domain:443. The proper name of the server is hostname.subdomain.domain, but I noticed that the hosts file has this entry for this server's IP:

    *IP* hostname hostname.domain

Could this be why? Why would SSL get all screwy from this?