Hi,

One guess would be the SSL certificate is for your internal hostname, not your external hostname. Those connecting to the external hostname reject the connection because the hostname doesn't match the certificate. To use both internal and external names you have to create a certificate under one name and include alternative names / IP addresses in the certificate.
Internally on my local network I refer to my server by its external name, with a pf rule
.....
pass in log quick on $int_if inet proto tcp from any to $webext port https rdr-to 127.0.0.1 port https
.....

If I connect to the internal name / ip address, I get an untrusted connection response, because I haven't added the alternatives.
Look in /var/www/logs,
.....
[Tue Jul 12 01:14:16 2011] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]
[Tue Jul 12 01:14:19 2011] [error] mod_ssl: SSL handshake failed (server new.host.name:443, client 192.168.202.23) (OpenSSL library error follows)
[Tue Jul 12 01:14:19 2011] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]
.....


Try connecting with tools like openssl or gnutls:

openssl s_client -connect host:port
.....
SSL handshake has read 2617 bytes and written 388 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
.....



Regards

Nigel Taylor

On 07/11/11 22:57, Jacob L. Leifman wrote:
Environment:
  - OpenBSD 4.9, stock (base) apache with self-signed certificate
  - behind a SOHO NAT router (with relevant in-bound redirects)

Problem: non-local SSL connections never complete the handshake
(verified while monitoring the interface with tcpdump, see below)

During troubleshooting I was able to eliminate a few suspects:
  - Regular un-encrypted HTTP (port 80) works every time;
  - https:// from the same LAN (i.e. no NAT) always works;
  - SSH always works (whether local or remote);
  - PF seems to have no bearing -- no difference in behavior whether
enabled, enabled with "pass in quick" for the remote test host, or even
altogether disabled.

Unfortunately, I cannot eliminate the NAT device and need to find a way
to work with it.

All clues(ticks) are appreciated,
-Jacob.

Sanitized tcpdump -netttvv log:
Jul 11 17:26:39.589073 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325>  192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840<mss 1452,sackOK,timestamp 3005841692
0,nop,wscale 0>  (DF) (ttl 45, id 30330, len 60)
Jul 11 17:26:39.590087 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443>  a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384<mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359378
3005841692>  (DF) (ttl 64, id 5701, len 64)
Jul 11 17:26:42.584962 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325>  192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840<mss 1452,sackOK,timestamp 3005841992
0,nop,wscale 0>  (DF) (ttl 45, id 30331, len 60)
Jul 11 17:26:42.585565 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443>  a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384<mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384
3005841992>  (DF) (ttl 64, id 52775, len 64)
Jul 11 17:26:42.589685 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443>  a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384<mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384
3005841992>  (DF) (ttl 64, id 3806, len 64)
Jul 11 17:26:48.584959 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325>  192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840<mss 1452,sackOK,timestamp 3005842592
0,nop,wscale 0>  (DF) (ttl 45, id 30332, len 60)
Jul 11 17:26:48.585435 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443>  a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384<mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359396
3005842592>  (DF) (ttl 64, id 4014, len 64)
Jul 11 17:26:48.590024 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443>  a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384<mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359396
3005842592>  (DF) (ttl 64, id 59349, len 64)
Jul 11 17:27:00.584563 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325>  192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840<mss 1452,sackOK,timestamp 3005843792
0,nop,wscale 0>  (DF) (ttl 45, id 30333, len 60)
Jul 11 17:27:00.584880 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443>  a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384<mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359419
3005843792>  (DF) (ttl 64, id 4439, len 64)
Jul 11 17:27:00.590727 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443>  a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384<mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359419
3005843792>  (DF) (ttl 64, id 17093, len 64)
Jul 11 17:27:24.585829 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325>  192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840<mss 1452,sackOK,timestamp 3005846192
0,nop,wscale 0>  (DF) (ttl 45, id 30334, len 60)
Jul 11 17:27:24.586302 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443>  a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384<mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359467
3005846192>  (DF) (ttl 64, id 12052, len 64)
Jul 11 17:27:24.592057 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443>  a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384<mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359467
3005846192>  (DF) (ttl 64, id 15080, len 64)

Obligatory dmesg:

OpenBSD 4.9 (GENERIC) #671: Wed Mar  2 07:09:00 MST 2011
     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 848 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,
SSE
real mem  = 267915264 (255MB)
avail mem = 253403136 (241MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/21/04, BIOS32 rev. 0 @
0xffe90, SMBIOS rev. 2.3 @ 0xf6ef0 (60 entries)
bios0: vendor Dell Computer Corporation version "A23" date 01/21/2004
bios0: Dell Computer Corporation Latitude C800
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high, estimated 9:34 hours
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbc20/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371 ISA and IDE"
rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc0000/0x10000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82815 Host" rev 0x02
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xe4000000, size 0x2400000
ppb0 at pci0 dev 1 function 0 "Intel 82815 AGP" rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage 128 Mobility" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x03
pci2 at ppb1 bus 2
mem address conflict 0x10000000/0x1000
mem address conflict 0x10001000/0x1000
esa0 at pci2 dev 3 function 0 "ESS Maestro 3" rev 0x10: irq 5
ac97: codec id 0x83847609 (SigmaTel STAC9721/23)
ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel 3D
audio0 at esa0
xl0 at pci2 dev 6 function 0 "3Com 3c556 100Base-TX" rev 0x10: irq 10,
address 00:01:03:zz:zz:zz
tqphy0 at xl0 phy 0: 78Q2120 10/100 PHY, rev. 11
"3Com V.90 Modem" rev 0x10 at pci2 dev 6 function 1 not configured
cbb0 at pci2 dev 15 function 0 "TI PCI4451 CardBus" rev 0x00: irq 10
cbb1 at pci2 dev 15 function 1 "TI PCI4451 CardBus" rev 0x00: irq 10
"TI PCI4451 FireWire" rev 0x00 at pci2 dev 15 function 2 not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 4 device 0 cacheline 0x8, lattimer 0x20
pcmcia1 at cardslot1
ichpcib0 at pci0 dev 31 function 0 "Intel 82801BAM LPC" rev 0x03: 24-
bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 "Intel 82801BAM IDE" rev 0x03: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:<IC25N020ATCS04-0>
wd0: 16-sector PIO, LBA, 19077MB, 39070080 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:<MATSHITA, UJDA330, 1.05>  ATAPI 5/cdrom
removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
cd0(pciide0:0:1): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 31 function 2 "Intel 82801BA USB" rev 0x03: irq 10
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
biomask ef4d netmask ef4d ttymask ffdf
mtrr: Pentium Pro MTRR support
com3 at pcmcia0 function 0 "MEGAHERTZ, XJ2288, V.34 PCMCIA MODEM" port
0xe3f8/8: ns16550a, 16 byte fifo
com3: probed fifo depth: 0 bytes
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b


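Added example (not part of the thread, and not code from either poster): a small Python script that parses `tcpdump -netttvv` output in the format of the capture above and classifies each TCP flow by whether the three-way handshake ever completed. It separates the two hypotheses in the thread: a certificate-name mismatch (Nigel's guess) would show up as a completed TCP handshake followed by a TLS alert in the Apache log, whereas the capture above shows the client's SYN arriving, the server sending (and re-sending) SYN-ACK, and no ACK ever reaching port 443, so the connection never gets as far as TLS. The sample input is the first two rounds copied from the posted capture plus one constructed, completed handshake from a hypothetical LAN host 192.168.x.z for contrast.

```python
import re

# Start of a new record, e.g. "Jul 11 17:26:39.589073 ..."; the wrapped
# continuation lines in the mail do not start this way.
REC_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+ ")

# Endpoints, TCP flags, seq and ack of one (re-joined) record.
PKT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) .*?"
    r"(?P<src>\S+?)\.(?P<sport>\d+) *> *(?P<dst>\S+?)\.(?P<dport>\d+): *"
    r"(?P<flags>[SFRPWE.]+) \[tcp sum ok\]"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?"
    r"(?: ack (?P<ack>\d+))?"
)

# First two rounds copied from the posted capture, then a constructed
# (hypothetical) completed handshake from LAN host 192.168.x.z.
SAMPLE_LOG = """\
Jul 11 17:26:39.589073 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325>  192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840<mss 1452,sackOK,timestamp 3005841692
0,nop,wscale 0>  (DF) (ttl 45, id 30330, len 60)
Jul 11 17:26:39.590087 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443>  a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384<mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359378
3005841692>  (DF) (ttl 64, id 5701, len 64)
Jul 11 17:26:42.584962 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74:
a.b.c.d.37325>  192.168.x.y.443: S [tcp sum ok]
2560292710:2560292710(0) win 5840<mss 1452,sackOK,timestamp 3005841992
0,nop,wscale 0>  (DF) (ttl 45, id 30331, len 60)
Jul 11 17:26:42.585565 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443>  a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384<mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384
3005841992>  (DF) (ttl 64, id 52775, len 64)
Jul 11 17:26:42.589685 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78:
192.168.x.y.443>  a.b.c.d.37325: S [tcp sum ok]
1786229842:1786229842(0) ack 2560292711 win 16384<mss
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384
3005841992>  (DF) (ttl 64, id 3806, len 64)
Jul 11 17:30:00.000000 00:aa:bb:cc:dd:ee 00:01:03:zz:zz:zz 0800 74:
192.168.x.z.40000>  192.168.x.y.443: S [tcp sum ok]
100:100(0) win 5840<mss 1460,sackOK,timestamp 1 0,nop,wscale 0>  (DF) (ttl 64, id 1, len 60)
Jul 11 17:30:00.000500 00:01:03:zz:zz:zz 00:aa:bb:cc:dd:ee 0800 78:
192.168.x.y.443>  192.168.x.z.40000: S [tcp sum ok]
200:200(0) ack 101 win 16384<mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 2 1>  (DF) (ttl 64, id 2, len 64)
Jul 11 17:30:00.001000 00:aa:bb:cc:dd:ee 00:01:03:zz:zz:zz 0800 66:
192.168.x.z.40000>  192.168.x.y.443: . [tcp sum ok] ack 201 win 5840<nop,nop,timestamp 3 2>  (DF) (ttl 64, id 3, len 52)
"""


def join_records(text):
    """Re-join records that the mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if REC_START.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def analyze_handshakes(records):
    """Count SYN / SYN-ACK and detect the completing ACK per client flow.

    Returns {(client, cport, server, sport): state dict}.
    """
    flows = {}
    for rec in records:
        m = PKT.match(rec)
        if not m:
            continue
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        flags, seq, ack = m["flags"], m["seq"], m["ack"]
        if "S" in flags and ack is None:
            # Client SYN; a retransmit repeats the same ISN, as in the capture.
            f = flows.setdefault((src, sport, dst, dport), {
                "syn": 0, "synack": 0, "completed": False,
                "client_isn": None, "server_isn": None})
            f["syn"] += 1
            f["client_isn"] = int(seq)
        elif "S" in flags:
            # Server SYN-ACK; the flow is keyed by the client side.
            f = flows.get((dst, dport, src, sport))
            if f is not None:
                f["synack"] += 1
                f["server_isn"] = int(seq)
        elif ack is not None and "R" not in flags:
            # Third packet of the handshake acknowledges server_isn + 1.
            f = flows.get((src, sport, dst, dport))
            if f and f["server_isn"] is not None and int(ack) == f["server_isn"] + 1:
                f["completed"] = True
    return flows


def diagnose(flow):
    """One-line reading of a flow's handshake state."""
    if flow["completed"]:
        return "completed: TCP handshake finished, any failure is above TCP (TLS)"
    if flow["synack"] == 0:
        return "incomplete: no SYN-ACK, server never answered (filtered or down)"
    return ("incomplete: %d SYN, %d SYN-ACK, no ACK at server; the SYN-ACK or the "
            "client's ACK is lost on the path (check the NAT redirect)"
            % (flow["syn"], flow["synack"]))


if __name__ == "__main__":
    for key, flow in analyze_handshakes(join_records(SAMPLE_LOG)).items():
        print("%s:%d -> %s:%d  %s" % (key + (diagnose(flow),)))
```

Run it against a real capture with `tcpdump -netttvv -i xl0 port 443 > cap.txt` and `join_records(open("cap.txt").read())`; a flow reported as "incomplete" with SYN-ACKs but no ACK is a path or NAT problem to chase with the router, not a certificate problem, and `openssl s_client` will not get far enough to show one.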