Ssl – Apache2 fails to start with some specific SSLCipherSuite config

apache-2.2, openssl, ssl, ssl-certificate, ubuntu-14.04

I have an xxx-ssl.conf config in /etc/apache2/sites-available/ with the following SSL options in it:

SSLEngine on  
SSLCertificateFile    /var/www/ssl/webserver_cert.der  
SSLCertificateKeyFile /var/www/ssl/webserver.key  
SSLCipherSuite NULL-SHA  

The key files and cert files are in place. The virtual host (xxx-ssl.conf) is enabled with the a2ensite command. The Apache server is reloaded. Unfortunately, it fails to start; the error log shows the following:

[debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [!aNULL:!eNULL:!EXP:NULL-SHA]
[error] Unable to configure permitted SSL ciphers
[error] SSL Library Error: 151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[error] SSL Library Error: 151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[error] SSL Library Error: 336646329 error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match

In other config files I have the following ciphers as well:

SSLCipherSuite NULL-MD5
SSLCipherSuite NULL-SHA
SSLCipherSuite EXP-DES-CBC-SHA

and they don't work either.
However I do have some working configuration (like SSLCipherSuite DES-CBC-SHA).

Moreover, when I try to run openssl ciphers -s I get the following error:

Error in cipher list
3073530056:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1312:

Everything was working fine before the Apache and OpenSSL update.

I work on Ubuntu 12.04 LTS.

Apache:

Server version: Apache/2.2.22 (Ubuntu)
Server built:   Jul 15 2016 15:32:38

OpenSSL:

OpenSSL 1.0.1 14 Mar 2012

Could anyone please guide me through the process of finding out what is going on? Thanks!
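The debug line in the log above shows what this Apache build actually hands to OpenSSL: it prepends `!aNULL:!eNULL:!EXP:` to the configured SSLCipherSuite value, so `NULL-SHA` becomes `!aNULL:!eNULL:!EXP:NULL-SHA`. The following script, an added example that is not part of the original question, reproduces that step with Python's `ssl` module, which calls the same `SSL_CTX_set_cipher_list()` that mod_ssl uses, and reports whether each of the SSLCipherSuite values mentioned in the question survives the prefix. The prefix constant, the function names and the list of suites are taken from the question's own text; the verdicts come from whatever OpenSSL is linked into the local Python, which on current releases also rejects NULL and export ciphers at its default security level, so a bare `NULL-SHA` may fail for that reason alone.

```python
"""Reproduce mod_ssl's 'no cipher match' failure for an SSLCipherSuite value.

Added example, not code from the original question. It assumes only what the
question's debug log line shows: this Apache build prepends
'!aNULL:!eNULL:!EXP:' to the configured value before calling
SSL_CTX_set_cipher_list(). Python's ssl module makes the same OpenSSL call,
so the result depends on the OpenSSL linked into Python, not on Apache.
"""
import ssl
from typing import Dict, List

# Prefix visible in the question's log line:
#   Configuring permitted SSL ciphers [!aNULL:!eNULL:!EXP:NULL-SHA]
APACHE_FORCED_PREFIX = "!aNULL:!eNULL:!EXP:"

# The four SSLCipherSuite values the question mentions, in the order given.
SUITES_FROM_QUESTION = ["NULL-SHA", "NULL-MD5", "EXP-DES-CBC-SHA", "DES-CBC-SHA"]


def effective_cipher_string(ssl_cipher_suite: str) -> str:
    """The cipher string Apache actually passes to OpenSSL for this value."""
    return APACHE_FORCED_PREFIX + ssl_cipher_suite


def selected_ciphers(cipher_string: str) -> List[str]:
    """Ask OpenSSL which ciphers a cipher string selects.

    SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(). When OpenSSL
    selects nothing it returns 0 and Python raises ssl.SSLError; that is the
    same condition Apache logs as error 1410D0B9 'no cipher match'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def apache_would_start(ssl_cipher_suite: str) -> bool:
    """True if mod_ssl's 'Configuring permitted SSL ciphers' step would succeed.

    '!eNULL' removes every NULL-* cipher and '!EXP' every EXP-* cipher before
    the user's own rule is evaluated, so the three suites the question reports
    as broken can never match, while DES-CBC-SHA is not excluded by the prefix
    (whether a given OpenSSL still offers it is a separate question).
    """
    try:
        selected_ciphers(effective_cipher_string(ssl_cipher_suite))
        return True
    except ssl.SSLError:
        return False


def check_question_suites() -> Dict[str, bool]:
    """Run every SSLCipherSuite value from the question through the check."""
    return {suite: apache_would_start(suite) for suite in SUITES_FROM_QUESTION}


if __name__ == "__main__":
    for suite, ok in check_question_suites().items():
        print(f"SSLCipherSuite {suite:<16} -> {effective_cipher_string(suite):<32}"
              f" -> {'OK' if ok else 'no cipher match'}")
```

Running the script before reloading Apache gives the same answer mod_ssl would, without touching the running server; `openssl ciphers -v '!aNULL:!eNULL:!EXP:NULL-SHA'` on the command line is the equivalent one-liner and fails with the same `no cipher match` error for the same reason.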

Best Answer

I have no idea what you are trying to do with these cipher suites

SSLCipherSuite NULL-MD5
SSLCipherSuite NULL-SHA
SSLCipherSuite EXP-DES-CBC-SHA

because these are horribly insecure. Please consult https://mozilla.github.io/server-side-tls/ssl-config-generator/ for a useful and secure configuration.

Also, the following error messages indicate that your certificate and/or private key is not in the correct format:

[error] SSL Library Error: 151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?

If the extension of the file is an indicator of the format, this might be related to this setting here, because it looks like you are using the (binary) DER format instead of the required (textual) PEM format:

SSLCertificateFile    /var/www/ssl/webserver_cert.der  

Everything was working fine before the Apache and OpenSSL update.

I doubt this. Maybe it was working, but I doubt it was working fine. Maybe you just did not realize before how insecure your configuration was.
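To make the answer's DER-versus-PEM point concrete, here is an added example (not code from the original answer) that classifies a certificate or key file the way `PEM_read_bio` effectively does, by looking for a `-----BEGIN ...-----` start line, falls back to checking for the ASN.1 SEQUENCE header that a DER file starts with, and converts DER to PEM. PEM is nothing more than the DER bytes base64-encoded, wrapped at 64 columns and framed by BEGIN/END lines, which is why the conversion needs no cryptography library. The sample DER bytes are constructed for the demo (a minimal SEQUENCE, not a real certificate), and all function names are mine.

```python
"""Tell PEM from DER and convert, for 'PEM_read_bio:no start line' errors.

Added example, not code from the original answer. SAMPLE_DER below is a
constructed minimal ASN.1 SEQUENCE, not a real certificate; it only serves to
exercise the detection and conversion logic.
"""
import base64
import re
import textwrap
from typing import Optional, Tuple

# A PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def der_sequence_header(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (content_length, header_length) of an outer DER SEQUENCE, or None.

    Handles the short length form (one byte < 0x80) and the long form
    (0x80 | n, followed by n big-endian length bytes) used by real certificates.
    """
    if len(data) < 2 or data[0] != 0x30:        # 0x30 is the SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:
        return first, 2
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return int.from_bytes(data[2:2 + n], "big"), 2 + n


def detect_format(data: bytes) -> str:
    """Classify file contents as 'PEM', 'DER' or 'unknown'.

    PEM_read_bio scans for a '-----BEGIN ...-----' line and reports
    'no start line' when it hits EOF without one, which is exactly what a
    DER file causes: DER has no such line, it starts with the SEQUENCE tag
    and a length that must fit inside the file.
    """
    if PEM_BLOCK.search(data):
        return "PEM"
    header = der_sequence_header(data)
    if header is not None and header[0] + header[1] <= len(data):
        return "DER"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in PEM armor.

    Equivalent to: openssl x509 -inform DER -in cert.der -out cert.pem
    """
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode("ascii")


def pem_to_der(pem: bytes) -> bytes:
    """Strip PEM armor and decode the base64 body back to DER."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no start line")   # same failure PEM_read_bio reports
    return base64.b64decode(b"".join(match.group(2).split()))


def ensure_pem(data: bytes, label: str = "CERTIFICATE") -> bytes:
    """Return data as PEM, converting from DER when needed; reject garbage."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return data
    if fmt == "DER":
        return der_to_pem(data, label)
    raise ValueError("neither PEM nor DER")


# Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "ab" }, 9 bytes total.
SAMPLE_DER = bytes.fromhex("3007" "020105" "04026162")


if __name__ == "__main__":
    print(detect_format(SAMPLE_DER))                   # DER
    print(ensure_pem(SAMPLE_DER).decode("ascii"))     # PEM-armored copy
```

For the configuration in the question, the practical fix is `openssl x509 -inform DER -in /var/www/ssl/webserver_cert.der -out /var/www/ssl/webserver_cert.pem` and pointing SSLCertificateFile at the `.pem` file; the log line appears twice, so the private key file deserves the same check.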