Ssl – Apache sending wrong SSL certificate on some connections / browsers

apache-2.2sslssl-certificate

I have a bit of a strange problem and I hope someone can help!

I have just moved servers (both Linux running Apache 2.2) and re-installed everything and pretty much everything is back up and running, however I am getting an error where the SSL certificate is appearing correctly (web browsers are gettign the padlock etc.) in all browsers apart from IE 8 on Windows XP.

It doesn't seem to be that IE8 doesn't trust the cert I have it – seems to be that this browser is seeing the default (self signed) SSLCertificateKeyFile from my ssl.conf rather than the once specified in httpd.conf, and this is causing the security error to show in IE8.

Also from a couple of the web based SSL checkers, when I use exactly the same domain name, one will show my correct GeoTrust cert and another will show the self-signed one!

I changed the DNS well over a week ago so I don't think it is that, plus the cert details given by IE8 for the self-signed cert match the self-signed one on the server.

Any help would be much appreciated as this really has me stumped!

Thanks

Stuart

Best Answer

Do you have any sites still configured to use the self-signed cert? Dig through your virtualhosts, or just rename the self-signed cert's file and then see if apache will successfully restart, or whether it errors out trying to load that certificate.

As @HUB stated, you likely have success serving the correct certificate to clients support TLS SNI, but for clients that don't support it, they get the first certificate that Apache loaded for that port - which is the self-signed certificate.

Related Solutions

Ssl – Multiple SSL Certificate on Apache

It's pretty simple to have a different cert for a different IP address; just put the SSL cert stuff inside the virtualhosts for each.

Having multiple virtualhosts on a single IP won't really work at this point. There's some technologies that might work for that down the road, but the user population isn't running browsers that can do it. The user agent (browser) establishes an SSL connection and verifies the SSL connection before telling the server what host it's connecting to. You really need a separate IP for each SSL virtualhost.

<VirtualHost 1.1.1.1:443>
        ServerName foo
        DocumentRoot /var/www/foo
        CustomLog /var/log/httpd/foo.ssl_access_log combined
        ErrorLog /var/log/httpd/foo.ssl_error_log

        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/pki/tls/certs/foo.crt
        SSLCertificateKeyFile /etc/pki/tls/private/foo.key
</VirtualHost>

<VirtualHost 2.2.2.2:443>
        ServerName bar
        DocumentRoot /var/www/bar
        CustomLog /var/log/httpd/bar.ssl_access_log combined
        ErrorLog /var/log/httpd/bar.ssl_error_log

        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/pki/tls/certs/bar.crt
        SSLCertificateKeyFile /etc/pki/tls/private/bar.key
</VirtualHost>

SSL connection errors from Apache

The issue you are having is that intermittently, the signature on the message recieved by the browser is wrong.

This can happen for a very large number of reasons. For instance, you may be experiencing an openssl bug, a hardware failure (bad RAM or CPU), some kind of freak coincidence with your key (astronomically unlikely). Or, you may be experiencing exactly what the MAC is designed to detect: someone may be tampering with your traffic enroute.

Since your certificate is self-signed, go ahead and replace it, restart apache, and continue, just as a troubleshooting step. If this doesn't work, check that you are running the latest version of openssl (or just change the openssl version for the fun of it). If you still get MAC errors, investigate whether you have a hardware failure or network tampering going on.

This part of the error is particularly telling:

OpenSSL: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed

This indicates that most likely the message has been modified from the version that was signed, and possibly truncated.

Related Topic