Linux – Problem with apache + ssl: length mismatch error and occasional bad request

apache-2.2, linux, ssl

We migrated a server from Slicehost to Linode recently and copied the config from one server to the other. Everything works perfectly except that we get:

Occasional errors with "Bad Request", this error is not common, you can use it all day and not see it, and the next day it will happen a lot.

Apart from that, a lot of the time, even though the request works fine, we get some errors.

Using ssldump we get:

New TCP connection #1: myip(39831) <-> develserk(443)
1 1  0.2316 (0.2316)  C>S SSLv2 compatible client hello
  Version 3.1 
  cipher suites
  Unknown value 0x39  
  Unknown value 0x38  
  Unknown value 0x35  
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA  
  TLS_RSA_WITH_3DES_EDE_CBC_SHA  
  SSL2_CK_3DES  
  Unknown value 0x33  
  Unknown value 0x32  
  Unknown value 0x2f  
  SSL2_CK_RC2  
  TLS_RSA_WITH_RC4_128_SHA  
  TLS_RSA_WITH_RC4_128_MD5  
  SSL2_CK_RC4  
  TLS_DHE_RSA_WITH_DES_CBC_SHA  
  TLS_DHE_DSS_WITH_DES_CBC_SHA  
  TLS_RSA_WITH_DES_CBC_SHA  
  SSL2_CK_DES  
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA  
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  
  SSL2_CK_RC2_EXPORT40  
  TLS_RSA_EXPORT_WITH_RC4_40_MD5  
  SSL2_CK_RC4_EXPORT40  
1 2  0.2429 (0.0112)  S>C  Handshake
      ServerHello
        Version 3.1 
        session_id[32]=
          9a 1e ae c4 5f df 99 47 97 40 42 71 97 eb b9 14 
          96 2d 11 ac c0 00 15 67 4e f3 7d 65 4e c4 30 e9 
        cipherSuite         Unknown value 0x39
        compressionMethod                   NULL
1 3  0.2429 (0.0000)  S>C  Handshake
      Certificate
1 4  0.2429 (0.0000)  S>C  Handshake
      ServerKeyExchange
1 5  0.2429 (0.0000)  S>C  Handshake
      ServerHelloDone
1 6  0.4965 (0.2536)  C>S  Handshake
      ClientKeyExchange
1 7  0.4965 (0.0000)  C>S  ChangeCipherSpec
1 8  0.4965 (0.0000)  C>S  Handshake
1 9  0.5040 (0.0075)  S>C  ChangeCipherSpec
1 10 0.5040 (0.0000)  S>C  Handshake
ERROR: Length mismatch

From the Apache error.log:

[Fri Aug 27 14:50:05 2010] [debug] ssl_engine_io.c(1892): OpenSSL: I/O error, 5 bytes expected to read on BIO#b80c1e70 [mem: b8100918]

The server is Ubuntu 10.04.1.

The Apache version is 2.2.14-5ubuntu8.

The OpenSSL version is 0.9.8k-7ubuntu8.

Best Answer

It appears that your SSL handshake is dying during cipher negotiation.

I would check your SSLCipherSuite Apache configuration directive. The URL below points to the Apache documentation for this directive.

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

Both sides have to support a common set of ciphers, or the connection will fail.

Hope this helps.
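
As an added example (not part of the original question or answer), this Python sketch reads ssldump output like the trace in the question, resolves the "Unknown value 0x.." entries to their IANA suite names, and reports which suite the server selected and which of the offered suites are weak. The function names and the shortened sample trace are assumptions made for illustration.

```python
import re

# IANA cipher suite IDs (the AES suites) that older ssldump builds
# print as "Unknown value 0x..".
AES_SUITES = {
    0x2F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x32: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x33: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x38: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x39: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}
# Suites a server should not accept: export-grade, single DES, RC4/RC2, MD5, SSLv2.
WEAK = re.compile(r"EXPORT|_DES_|RC4|RC2|MD5|^SSL2_")

# Shortened excerpt of the ssldump trace from the question (sample input).
TRACE = """\
1 1  0.2316 (0.2316)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  Unknown value 0x39
  Unknown value 0x35
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_RC4_128_MD5
  SSL2_CK_RC4
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
1 2  0.2429 (0.0112)  S>C  Handshake
      ServerHello
        Version 3.1
        cipherSuite         Unknown value 0x39
        compressionMethod                   NULL
"""

def suite_name(token):
    """Map 'Unknown value 0xNN' to a suite name when the ID is known."""
    m = re.fullmatch(r"Unknown value (0x[0-9a-fA-F]+)", token)
    return AES_SUITES.get(int(m.group(1), 16), token) if m else token

def analyse(trace):
    """Return offered suites, the server's choice, and weak offers."""
    offered, chosen, in_list = [], None, False
    for line in (raw.strip() for raw in trace.splitlines()):
        if line == "cipher suites":            # start of the ClientHello list
            in_list = True
        elif line.startswith("cipherSuite"):   # ServerHello selection
            chosen = suite_name(line[len("cipherSuite"):].strip())
        elif in_list and re.match(r"TLS_|SSL2_|Unknown value", line):
            offered.append(suite_name(line))
        else:
            in_list = False                    # any other line ends the list
    return {"offered": offered, "chosen": chosen,
            "chosen_was_offered": chosen in offered,
            "weak_offered": [s for s in offered if WEAK.search(s)]}

if __name__ == "__main__":
    print(analyse(TRACE))
```

The weak_offered list shows what a client is willing to use; which of those the server would accept is governed by its SSLCipherSuite setting.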