
I am trying to get SSL working on an Oracle Linux server running Apache httpd 2.4.37.

My VirtualHost block is as follows:

    <VirtualHost phxacrstage.oraclecorp.com:443>
        ServerName phxacrstage.oraclecorp.com:443
        DocumentRoot /var/www/html
        ErrorLog logs/phxacrstage-ssl-error_log
        TransferLog logs/phxacrstage-ssl-access_log
        LogLevel warn

        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
        SSLCertificateFile /etc/pki/tls/certs/phxacrstage.oraclecorp.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/phxacrstage.oraclecorp.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/CombinedSHA-1RootSHA-256Intermediate-09-JUN-2021.crt
    </VirtualHost>

When I use curl to test the configuration with the command:

    curl -v http://phxacrstage.oraclecorp.com:443

I get:

    * Rebuilt URL to: http://phxacrstage.oraclecorp.com:443/
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    *   Trying 100.104.244.56...
    * TCP_NODELAY set
    * Connected to phxacrstage.oraclecorp.com (100.104.244.56) port 443 (#0)
    > GET / HTTP/1.1
    > Host: phxacrstage.oraclecorp.com:443
    > User-Agent: curl/7.61.1
    > Accept: */*
    > 
    < HTTP/1.1 200 OK
    < Date: Thu, 21 Apr 2022 21:24:39 GMT
    < Server: Apache/2.4.37 (Oracle Linux) OpenSSL/1.1.1k
    < Last-Modified: Wed, 20 Apr 2022 23:33:57 GMT
    < ETag: "7c-5dd1e6d6516db"
    < Accept-Ranges: bytes
    < Content-Length: 124
    < Content-Type: text/html; charset=UTF-8
    < 
    { [124 bytes data]
    100   124  100   124    0     0  41333      0 --:--:-- --:--:-- --:--:-- 41333
    * Connection #0 to host phxacrstage.oraclecorp.com left intact
    <html>
    <head>
    <title>PHXAcrStage1 server</title>
    </head>
    <body>
    <h1>Welcome to the PHXAcrStage1 server</h1>
    </body>
    </html>

which is what I would expect. However if I use curl to access the site as follows:

    curl -v https://phxacrstage.oraclecorp.com

I get the following output:

    * Rebuilt URL to: https://phxacrstage.oraclecorp.com/
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    *   Trying 100.104.244.56...
    * TCP_NODELAY set
    * Connected to phxacrstage.oraclecorp.com (100.104.244.56) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * error:1408F10B:SSL routines:ssl3_get_record:wrong version number
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    * Closing connection 0
    curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

As can be seen in this result, Apache is using /etc/pki/tls/certs/ca-bundle.crt for the certificate chain even though I specifically tell Apache to use a different certificate bundle in my only VirtualHost block above.

From a different server I tried to retrieve the certificate chain using:

    openssl s_client -connect phxacrstage.oraclecorp.com:443

I got back:

    139886046541632:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
    CONNECTED(00000003)
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5 bytes and written 324 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

I am seeing the following in my access_log:

    10.154.171.241 - - [21/Apr/2022:22:30:45 +0000] "\x16\x03\x01\x02" 400 226 "-" "-"

The output from apachectl -S is:

    Passing arguments to httpd using apachectl is no longer supported.
    You can only start/stop/restart httpd using this script.
    If you want to pass extra arguments to httpd, edit the
    /etc/sysconfig/httpd config file.
    VirtualHost configuration:
    100.104.246.211:443    phxacrstage.oraclecorp.com (/etc/httpd/conf.d/acrtool_ssl.conf:13)
    100.102.121.253:80     acrstage.oraclecorp.com (/etc/httpd/conf.d/acrtool.conf:23)
    ServerRoot: "/etc/httpd"
    Main DocumentRoot: "/var/www/html"
    Main ErrorLog: "/etc/httpd/logs/error_log"
    Mutex default: dir="/etc/httpd/run/" mechanism=default 
    Mutex cache-socache: using_defaults
    Mutex authdigest-opaque: using_defaults
    Mutex watchdog-callback: using_defaults
    Mutex proxy-balancer-shm: using_defaults
    Mutex rewrite-map: using_defaults
    Mutex ssl-stapling-refresh: using_defaults
    Mutex authdigest-client: using_defaults
    Mutex lua-ivm-shm: using_defaults
    Mutex ssl-stapling: using_defaults
    Mutex proxy: using_defaults
    Mutex authn-socache: using_defaults
    Mutex ssl-cache: using_defaults
    PidFile: "/etc/httpd/run/httpd.pid"
    Define: DUMP_VHOSTS
    Define: DUMP_RUN_CFG
    User: name="apache" id=48
    Group: name="apache" id=48
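An added diagnostic, not from the question or any commenter, that checks two things this thread touches on: whether every address phxacrstage.oraclecorp.com resolves to actually speaks TLS on port 443 (the apachectl -S output binds the SSL vhost to one address while curl connected to another), and whether an access_log contains the escaped \x16\x03\x01 ClientHello bytes that a plaintext listener logs, like the line above. The sample log lines are constructed after that line; the probe function needs network access and turns off certificate verification because it only wants to see what protocol the port speaks.

```python
import socket
import ssl

# Constructed sample access_log lines modelled on the one in the question;
# the second line is a normal request added for contrast.
SAMPLE_LOG = """\
10.154.171.241 - - [21/Apr/2022:22:30:45 +0000] "\\x16\\x03\\x01\\x02" 400 226 "-" "-"
10.0.0.7 - - [21/Apr/2022:22:31:02 +0000] "GET / HTTP/1.1" 200 124 "-" "curl/7.61.1"
10.154.171.241 - - [21/Apr/2022:22:31:10 +0000] "\\x16\\x03\\x01\\x00" 400 226 "-" "-"
"""

def tls_hellos_on_plain_listener(log_text):
    """Return {client_ip: count} of TLS ClientHellos logged by a plaintext vhost."""
    # A TLS record starts with content type 0x16 (handshake) and version 0x03 0x0N.
    # When a ClientHello hits a listener without SSLEngine, Apache logs those raw
    # bytes escaped as \x16\x03\x01..., which is the signature searched for here.
    hits = {}
    for line in log_text.splitlines():
        if '"\\x16\\x03' in line:
            ip = line.split()[0]
            hits[ip] = hits.get(ip, 0) + 1
    return hits

def classify_reply(first_bytes):
    """Classify the first bytes a server sends back on a port expected to speak TLS."""
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"  # HTTP-only listener: curl reports "wrong version number"
    return "unknown"

def probe(host, port=443, timeout=5):
    """Resolve every IPv4 address of host and report what each one speaks on port."""
    # A vhost bound to one address (see apachectl -S) while clients resolve another shows up as plaintext HTTP here.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # diagnosis only: reach the handshake, do not trust the peer
    ctx.verify_mode = ssl.CERT_NONE
    results = {}
    for ip in sorted({r[4][0] for r in socket.getaddrinfo(host, port, socket.AF_INET)}):
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw, \
                 ctx.wrap_socket(raw, server_hostname=host) as tls:
                results[ip] = "tls:" + str(tls.version())
        except ssl.SSLError as e:   # e.g. WRONG_VERSION_NUMBER, as in the question
            with socket.create_connection((ip, port), timeout=timeout) as s:
                s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
                results[ip] = f"{classify_reply(s.recv(16))} ({e.reason})"
        except OSError as e:
            results[ip] = "error:" + str(e)
    return results
```

Run `probe("phxacrstage.oraclecorp.com")` from a host that can reach the server and compare the address reported as plaintext-http with the one apachectl -S shows for the SSL vhost.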
  • I'll ask the silly question first -- Did you restart Apache after making this change? – Tim Roberts Apr 21 '22 at 21:51
  • Indeed I did :-) I thought of that thing first. – dnraikes Apr 21 '22 at 21:54
  • When I try to access https://phxacrstage.oraclecorp.com in my browser (Google Chrome), I get a message saying that the wrong version of SSL was used so I assume it is picking up the ca-bundle.crt rather than my official bundle. – dnraikes Apr 21 '22 at 21:56
  • In your FINAL output, I think that's just telling you where `curl` is looking for certificates. That's not an Apache result. – Tim Roberts Apr 21 '22 at 22:00
  • Ok, but still it isn't using my certificate and certificate bundle otherwise it would be able to complete the handshake. – dnraikes Apr 21 '22 at 22:10
  • I also tried openssl to get the certificate chain from the server using – dnraikes Apr 21 '22 at 22:11
  • Can you attach the output of `apachectl -S`? – Tim Roberts Apr 21 '22 at 22:41
  • apachectl -S returns nothing, but according to the help it is a synonym for several other options and I will post the output in the original question. – dnraikes Apr 21 '22 at 22:50
  • Interesting that they have different IP addresses. Is your machine reachable through several different IPs? – Tim Roberts Apr 21 '22 at 23:12
  • **wrong version** does not mean the wrong certificate. It means you are connecting using the wrong scheme (e.g. using http to connect to https). – John Hanley Apr 21 '22 at 23:36

0 Answers