SSL – openssl giving me errors and apache is not working with https

Tags: apache-2.2, openssl, ssl

I am trying to configure apache-tomcat with SSL, but I have found some issues:

[root@manage conf]# openssl s_client -state -debug -connect 10.104.1.38:443 -key server.key -cert server.crt 
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80f1e98 [0x811d5e8] (121 bytes => 121 (0x79))
0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 00 00-ff 0a 86 af 23 f2 2f a1   ............#./.
0060 - 4b 2d 9b f3 a9 d9 0e 1b-34 4d 0c e4 1a 06 b6 25   K-......4M.....%
0070 - 76 04 de bd 6f 50 86 a1-9f                        v...oP...
SSL_connect:SSLv2/v3 write client hello A
read from 0x80f1e98 [0x8122b48] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
23995:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

Here's my apache config:

[root@manage extra]# cat httpd-ssl.conf 
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLMutex  "file:/usr/local/apache/logs/ssl_mutex"

<VirtualHost _default_:443>
ErrorLog "/usr/local/tomcat/logs/error_log"
TransferLog "/usr/local/tomcat/logs/access_log"

        SSLEngine on
        SSLProtocol +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:

        ServerName          manage.xyz
        DocumentRoot        /usr/local/tomcat/webapps/xyz
        ServerAdmin         bugs@xxxx.com
        Alias /backup "/var/backupdata/"
        Alias /logbackup "/var/logbackupdata/"
        Alias /autologbackupdata "/var/autologbackupdata/"
        Alias /client "/usr/local/xxxx/clientfiles/"
        Alias /syshealth "/usr/local/tomcat/webapps/xyz/syshealth/"
        Alias /connection "/tmp"
        Alias /cacheimages "/var/cacherrdimages"
        Alias /xyz/images "/usr/local/xxxx/images/"
        Alias /images "/usr/local/xxxx/images/"
        Alias /javaplugin "/usr/local/xxxx/javaplugin/"
        Alias /bandwidthgraph "/var/bandwidthgraphs"
        Alias /usergraph "/var/bandwidthgraphs/userimage"

        JkMount /xyz/servlet/* ajp13
        JkMount /xyz/*.jsp ajp13

SSLCertificateFile "/usr/local/apache/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog "/usr/local/apache/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

The error_log output:

[Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] Connection to child 2 established (server manage.xyz:443)
[Tue Aug 05 13:44:03 2014] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/accept initialization
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1939): OpenSSL: read 7/11 bytes from BIO#8136940 [mem: 813dfc0] (BIO dump follows)
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1911): | 0000: 15 03 01 00 02 01                                ......           |
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1915): | 0007 - <SPACES/NULS>
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1950): OpenSSL: I/O error, 4 bytes expected to read on BIO#8136940 [mem: 813dfc7]
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] Connection closed to child 2 with abortive shutdown (server manage.xyz:443)
[Tue Aug 05 13:45:37 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01

and here's the relevant output when I try without the -key and -cert options:

[root@manage extra]# openssl s_client -state -debug -connect 10.104.1.38:443
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80f0da0 [0x811c4f8] (121 bytes => 121 (0x79))
0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 00 00-ff 10 44 3f 7f e0 41 4d   ..........D?..AM
0060 - fd 08 dd 10 5b bb f7 10-c6 ec cd 59 b8 ff 55 db   ....[......Y..U.
0070 - 70 cd 97 8d af 9d 2a 65-2a                        p.....*e*
SSL_connect:SSLv2/v3 write client hello A
read from 0x80f0da0 [0x8121a58] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
32453:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

Apache logs for the same time:

[Tue Aug 05 14:23:49 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01

access_log:

10.104.1.38 - - [05/Aug/2014:14:23:49 -0400] "\x80w\x01\x03\x01" 501 217

Below are the logs when I restart my httpd service. No errors found, I guess.

==> error_log <==
[Tue Aug 05 14:36:44 2014] [info] removed PID file /var/run/httpd.pid (pid=18411)
[Tue Aug 05 14:36:44 2014] [notice] caught SIGTERM, shutting down
[Tue Aug 05 14:37:09 2014] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 14:37:09 2014] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 05 14:37:09 2014] [info] Configuring server for SSL protocol
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:]
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
[Tue Aug 05 14:37:09 2014] [warn] RSA server certificate CommonName (CN) `jat' does NOT match server name!?
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(936): Configuring RSA server private key
[Tue Aug 05 14:37:09 2014] [info] mod_ssl/2.2.27 compiled against Server: Apache/2.2.27, Library: OpenSSL/0.9.8e-fips-rhel5
[Tue Aug 05 14:37:09 2014] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/apache/logs/jk-runtime-status
[Tue Aug 05 14:37:09 2014] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 14:37:09 2014] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(272): for 511952 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(310): subcache_size = 15996
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 2144
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13852
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(316): index_num = 133
[Tue Aug 05 14:37:09 2014] [info] Shared memory session cache initialised
[Tue Aug 05 14:37:09 2014] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 05 14:37:09 2014] [info] Configuring server for SSL protocol
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:]
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
[Tue Aug 05 14:37:09 2014] [warn] RSA server certificate CommonName (CN) `jat' does NOT match server name!?
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(936): Configuring RSA server private key
[Tue Aug 05 14:37:09 2014] [info] mod_ssl/2.2.27 compiled against Server: Apache/2.2.27, Library: OpenSSL/0.9.8e-fips-rhel5
[Tue Aug 05 14:37:09 2014] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/apache/logs/jk-runtime-status
[Tue Aug 05 14:37:09 2014] [notice] Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.40 configured -- resuming normal operations
[Tue Aug 05 14:37:09 2014] [info] Server built: Jun 14 2014 05:04:12
[Tue Aug 05 14:37:09 2014] [debug] prefork.c(1023): AcceptMutex: sysvsem (default: sysvsem)

Best Answer

As can be seen from the comments above, the immediate problem was that my service wasn't running under HTTPS, just HTTP. openssl s_client could therefore not connect to it, as there wasn't any SSL to handshake on.

The underlying problem was in my apache configuration. Apache 2.2's NameVirtualHost directive does not support an argument; I have changed NameVirtualHost manage.xxx to NameVirtualHost *:80 and it all works fine.
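As an added example (not part of the question or the answer above), the script below decodes the two dumps quoted in the question: it rebuilds the raw bytes from the `openssl s_client -debug` hex lines, recognises `80 77 01 03 01` as an SSLv2-compatible ClientHello offering TLS 1.0, shows how Apache rendered those same bytes as the `\x80w\x01\x03\x01` "Invalid method" request line, and recognises `<!DOCTY` as a plain HTML reply, which is exactly why s_client reports "unknown protocol". The sample dump strings are copied from the page; the function names are my own.

```python
import re

# Constructed samples, copied from the openssl s_client output quoted in the question.
SERVER_REPLY_DUMP = "0000 - 3c 21 44 4f 43 54 59                              <!DOCTY"
CLIENT_HELLO_DUMP = (
    "0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..\n"
    "0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............\n"
)

# One s_client -debug dump line: 4-digit offset, " - ", hex bytes joined by space or dash,
# then at least two spaces and the ASCII column (which may be absent).
HEX_LINE = re.compile(r"^[0-9a-fA-F]{4} - ((?:[0-9a-fA-F]{2}[ -])*[0-9a-fA-F]{2})(?:\s{2,}.*)?$")


def parse_s_client_dump(text: str) -> bytes:
    """Recover the raw bytes from s_client's hex dump lines; any other line is ignored."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(re.sub(r"[ -]", "", m.group(1)))
    return bytes(out)


def classify_first_bytes(data: bytes) -> str:
    """Say which protocol the first bytes seen on the wire belong to."""
    if len(data) < 5:
        return "too short to classify"
    if data[0] == 0x16 and data[1] == 0x03:
        return "TLS handshake record (version 3.%d)" % data[2]
    if data[0] == 0x15 and data[1] == 0x03:
        return "TLS alert record"
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set, message type 1,
    # then the highest version the client offers (03 01 = TLS 1.0).
    if data[0] & 0x80 and data[2] == 0x01 and data[3] == 0x03:
        return "SSLv2-compatible ClientHello offering version 3.%d" % data[4]
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        return "plaintext HTTP/HTML, not TLS: the port is not speaking SSL"
    return "unknown"


def as_apache_request_line(data: bytes) -> str:
    """Render bytes the way Apache's error_log printed the unreadable request line:
    printable ASCII is kept, every other byte becomes \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in data)


if __name__ == "__main__":
    hello = parse_s_client_dump(CLIENT_HELLO_DUMP)
    print(classify_first_bytes(hello))        # SSLv2-compatible ClientHello offering version 3.1
    print(as_apache_request_line(hello[:5]))  # \x80w\x01\x03\x01, the "Invalid method" in error_log
    print(classify_first_bytes(parse_s_client_dump(SERVER_REPLY_DUMP)))  # plaintext HTTP/HTML ...
```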