Howdy,

Yesterday I apt-get upgraded a web server to apache2 2.0.50-12 (it was ~1 week old, I think) and my SSL site isn't working anymore. I couldn't figure out what was wrong, so I purged everything I thought was relevant (apache2, apache2-common, apache2-mpm-prefork, libapr0, ssl-cert), rm'ed /etc/apache2, and reinstalled, using all new config files.
I've got it listening on 0.0.0.0:443 in /etc/apache2/ports.conf, and my site in apache2/sites-enabled starts out like this:

    <IfModule mod_ssl.c>
    <VirtualHost _default_:443>
    ServerName <Iremovedtheservernameitwashere>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/<myserversname>-ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl/<myserversname>-ssl.key
    BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

I used /usr/share/apache2/config/default-443 as the template for it, and I used /usr/sbin/make-ssl-cert to make the certificate/key pair. That program actually outputs only one file, but it contains both the RSA PRIVATE KEY and the CERTIFICATE - I manually split them into two files.

All that is fine, but Apache is not using SSL on port 443:

    [EMAIL PROTECTED]:/etc/apache2/ssl$ openssl s_client -connect localhost:443 -state -debug
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    write to 080B07E8 [080B0DE0] (142 bytes => 142 (0x8E))
    0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00 ......c... ..9..
    0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
    0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00 ..3..2../.....f.
    0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00 .............c..
    0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40 b..a...........@
    0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00 ..e..d..`.......
    0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 fb 06 ................
    0070 - 3d a2 16 ba f4 15 d4 6b-f6 2f 24 01 ca 85 6e 90 =......k./$...n.
    0080 - be 36 8a 32 4d a7 54 d1-5d 07 72 d9 c8 79 .6.2M.T.].r..y
    SSL_connect:SSLv2/v3 write client hello A
    read from 080B07E8 [080B6340] (7 bytes => 7 (0x7))
    0000 - 3c 21 44 4f 43 54 59 <!DOCTY
    SSL_connect:error in SSLv2/v3 read server hello A
    26860:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:

Note the "<!DOCTY" near the end - straight HTML, when I should be getting an SSL handshake. Lynx says this:

    [EMAIL PROTECTED]:/etc/apache2/ssl$ lynx https://localhost
    Looking up localhost
    Making HTTPS connection to localhost
    Retrying connection without TLS.
    Looking up localhost
    Making HTTPS connection to localhost
    Alert!: Unable to make secure connection to remote host.

    lynx: Can't access startfile https://localhost/

... but will display the page if I do 'lynx http://localhost:443/'.

The only thing reported in the log files (including system log files) is this:

    127.0.0.1 - - [05/Sep/2004:13:19:21 -0700] "\x80\x8c\x01\x03\x01" 302 380 "-" "-"
    127.0.0.1 - - [05/Sep/2004:13:20:46 -0700] "\x16\x03\x01" 302 380 "-" "-"

Unfortunately I don't recall what I upgraded FROM, but both 2.0.50-11 and 2.0.50-12 appear to be broken. Anyone else run into this, or have any ideas about what I'm doing wrong?

Thanks,
Jake Maul
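
Added example, not part of the original message: the two access-log entries and the 7 reply bytes quoted above are the signature of a TLS client talking to a listener that answers in plain HTTP, and this sketch shows one way to flag that condition from logs. The function names and the third sample log line are assumptions made for illustration.

```python
import re

# Constructed sample: the first two lines are the access-log entries quoted in
# the message; the third (an ordinary HTTP request) is invented for contrast.
SAMPLE_LOG = r'''127.0.0.1 - - [05/Sep/2004:13:19:21 -0700] "\x80\x8c\x01\x03\x01" 302 380 "-" "-"
127.0.0.1 - - [05/Sep/2004:13:20:46 -0700] "\x16\x03\x01" 302 380 "-" "-"
127.0.0.1 - - [05/Sep/2004:13:21:02 -0700] "GET / HTTP/1.0" 200 1456 "-" "-"'''

# host, timestamp and quoted request line of a common/combined log entry
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" \d{3} ')


def unescape(request):
    """Turn Apache's \\xhh log escapes back into the raw bytes the client sent."""
    return re.sub(rb'\\x([0-9a-fA-F]{2})',
                  lambda m: bytes([int(m.group(1), 16)]),
                  request.encode('latin-1'))


def classify(first):
    """Label the first bytes seen on a connection, in either direction."""
    if len(first) >= 2 and first[0] == 0x16 and first[1] == 0x03:
        return "tls-record"      # handshake record, SSLv3/TLS framing
    if (len(first) >= 4 and first[0] & 0x80 and first[2] == 0x01
            and first[3] in (0x00, 0x03)):
        return "sslv2-hello"     # 2-byte length, CLIENT-HELLO, version
    if first and all(0x20 <= b < 0x7f for b in first[:8]):
        return "plaintext"       # printable ASCII such as "GET /" or "<!DOCTY"
    return "unknown"


def tls_on_plaintext_hits(log_text):
    """Return (timestamp, kind) for requests that were really TLS handshakes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(unescape(m.group(3)))
        if kind in ("tls-record", "sslv2-hello"):
            hits.append((m.group(2), kind))
    return hits


if __name__ == "__main__":
    print(classify(b"<!DOCTY"))          # the 7 reply bytes s_client read
    for stamp, kind in tls_on_plaintext_hits(SAMPLE_LOG):
        print(stamp, kind)
```

Any hit from the log scan means a client attempted a handshake against a vhost that was parsing it as an HTTP request line, which is worth alerting on for a port that is supposed to be TLS-only.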