Hi Nigel,

The SSL certificate itself does not have any part in this problem as it never gets that far in the process. As I wrote previously, the TCP handshake never completes -- e.g. netstat & co. never see a connection in any kind of state. I did try the suggested openssl command as well as lynx, wget, w3m, ... and none of them emit any errors, just "timed out". And of course, there are no errors (or connection traces) in the apache logs either :-(
On 12 Jul 2011 at 1:55, Nigel Taylor wrote:
> Hi,
>
> One guess would be the SSL certificate is for your internal hostname,
> not your external hostname. Those connecting to the external hostname
> reject the connection because the hostname doesn't match the
> certificate. To use both internal and external names you have to create
> the certificate under one name and include alternative names / IP addresses
> in the certificate.
>
> Internally on my local network I refer to my server by its external
> name. With a pf rule
> .....
> pass in log quick on $int_if inet proto tcp from any to $webext port https rdr-to 127.0.0.1 port https
> .....
>
> If I connect to the internal name / IP address, I get an untrusted
> connection response, because I haven't added the alternatives.
>
> Look in /var/www/logs,
> .....
> [Tue Jul 12 01:14:16 2011] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]
> [Tue Jul 12 01:14:19 2011] [error] mod_ssl: SSL handshake failed (server new.host.name:443, client 192.168.202.23) (OpenSSL library error follows)
> [Tue Jul 12 01:14:19 2011] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]
> .....
>
> Try connecting with tools like openssl, gnutls
>
> openssl s_client -connect host:port
> .....
> SSL handshake has read 2617 bytes and written 388 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
> .....
>
> Regards
>
> Nigel Taylor
>
> On 07/11/11 22:57, Jacob L. Leifman wrote:
> > Environment:
> > - OpenBSD 4.9, stock (base) apache with self-signed certificate
> > - behind a SOHO NAT router (with relevant in-bound redirects)
> >
> > Problem: non-local SSL connections never complete the handshake
> > (verified while monitoring the interface with tcpdump, see below)
> >
> > During troubleshooting I was able to eliminate a few suspects:
> > - Regular un-encrypted HTTP (port 80) works every time;
> > - https:// from the same LAN (i.e. no NAT) always works;
> > - SSH always works (whether local or remote);
> > - PF seems to have no bearing -- no difference in behavior whether
> > enabled, enabled with "pass in quick" for the remote test host, or even
> > altogether disabled.
> >
> > Unfortunately, I cannot eliminate the NAT device and need to find a way
> > to work with it.
> >
> > All clues(ticks) are appreciated,
> > -Jacob.
> >
> > Sanitized tcpdump -netttvv log:
> > Jul 11 17:26:39.589073 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok] 2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005841692 0,nop,wscale 0> (DF) (ttl 45, id 30330, len 60)
> > Jul 11 17:26:39.590087 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359378 3005841692> (DF) (ttl 64, id 5701, len 64)
> > Jul 11 17:26:42.584962 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok] 2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005841992 0,nop,wscale 0> (DF) (ttl 45, id 30331, len 60)
> > Jul 11 17:26:42.585565 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384 3005841992> (DF) (ttl 64, id 52775, len 64)
> > Jul 11 17:26:42.589685 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384 3005841992> (DF) (ttl 64, id 3806, len 64)
> > Jul 11 17:26:48.584959 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok] 2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005842592 0,nop,wscale 0> (DF) (ttl 45, id 30332, len 60)
> > Jul 11 17:26:48.585435 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359396 3005842592> (DF) (ttl 64, id 4014, len 64)
> > Jul 11 17:26:48.590024 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359396 3005842592> (DF) (ttl 64, id 59349, len 64)
> > Jul 11 17:27:00.584563 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok] 2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005843792 0,nop,wscale 0> (DF) (ttl 45, id 30333, len 60)
> > Jul 11 17:27:00.584880 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359419 3005843792> (DF) (ttl 64, id 4439, len 64)
> > Jul 11 17:27:00.590727 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359419 3005843792> (DF) (ttl 64, id 17093, len 64)
> > Jul 11 17:27:24.585829 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok] 2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005846192 0,nop,wscale 0> (DF) (ttl 45, id 30334, len 60)
> > Jul 11 17:27:24.586302 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359467 3005846192> (DF) (ttl 64, id 12052, len 64)
> > Jul 11 17:27:24.592057 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359467 3005846192> (DF) (ttl 64, id 15080, len 64)
> >
> > Obligatory dmesg:
> >
> > OpenBSD 4.9 (GENERIC) #671: Wed Mar 2 07:09:00 MST 2011
> > dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> > cpu0: Intel Pentium III ("GenuineIntel" 686-class) 848 MHz
> > cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,SSE
> > real mem = 267915264 (255MB)
> > avail mem = 253403136 (241MB)
> > mainbus0 at root
> > bios0 at mainbus0: AT/286+ BIOS, date 01/21/04, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xf6ef0 (60 entries)
> > bios0: vendor Dell Computer Corporation version "A23" date 01/21/2004
> > bios0: Dell Computer Corporation Latitude C800
> > apm0 at bios0: Power Management spec V1.2
> > apm0: battery life expectancy 100%
> > apm0: AC on, battery charge high, estimated 9:34 hours
> > acpi at bios0 function 0x0 not configured
> > pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
> > pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbc20/192 (10 entries)
> > pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371 ISA and IDE" rev 0x00)
> > pcibios0: PCI bus #4 is the last bus
> > bios0: ROM list: 0xc0000/0x10000
> > cpu0 at mainbus0: (uniprocessor)
> > pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> > pchb0 at pci0 dev 0 function 0 "Intel 82815 Host" rev 0x02
> > intelagp0 at pchb0
> > agp0 at intelagp0: aperture at 0xe4000000, size 0x2400000
> > ppb0 at pci0 dev 1 function 0 "Intel 82815 AGP" rev 0x02
> > pci1 at ppb0 bus 1
> > vga1 at pci1 dev 0 function 0 "ATI Rage 128 Mobility" rev 0x00
> > wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> > wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> > ppb1 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x03
> > pci2 at ppb1 bus 2
> > mem address conflict 0x10000000/0x1000
> > mem address conflict 0x10001000/0x1000
> > esa0 at pci2 dev 3 function 0 "ESS Maestro 3" rev 0x10: irq 5
> > ac97: codec id 0x83847609 (SigmaTel STAC9721/23)
> > ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel 3D
> > audio0 at esa0
> > xl0 at pci2 dev 6 function 0 "3Com 3c556 100Base-TX" rev 0x10: irq 10, address 00:01:03:zz:zz:zz
> > tqphy0 at xl0 phy 0: 78Q2120 10/100 PHY, rev. 11
> > "3Com V.90 Modem" rev 0x10 at pci2 dev 6 function 1 not configured
> > cbb0 at pci2 dev 15 function 0 "TI PCI4451 CardBus" rev 0x00: irq 10
> > cbb1 at pci2 dev 15 function 1 "TI PCI4451 CardBus" rev 0x00: irq 10
> > "TI PCI4451 FireWire" rev 0x00 at pci2 dev 15 function 2 not configured
> > cardslot0 at cbb0 slot 0 flags 0
> > cardbus0 at cardslot0: bus 3 device 0 cacheline 0x8, lattimer 0x20
> > pcmcia0 at cardslot0
> > cardslot1 at cbb1 slot 1 flags 0
> > cardbus1 at cardslot1: bus 4 device 0 cacheline 0x8, lattimer 0x20
> > pcmcia1 at cardslot1
> > ichpcib0 at pci0 dev 31 function 0 "Intel 82801BAM LPC" rev 0x03: 24-bit timer at 3579545Hz
> > pciide0 at pci0 dev 31 function 1 "Intel 82801BAM IDE" rev 0x03: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
> > wd0 at pciide0 channel 0 drive 0: <IC25N020ATCS04-0>
> > wd0: 16-sector PIO, LBA, 19077MB, 39070080 sectors
> > atapiscsi0 at pciide0 channel 0 drive 1
> > scsibus0 at atapiscsi0: 2 targets
> > cd0 at scsibus0 targ 0 lun 0: <MATSHITA, UJDA330, 1.05> ATAPI 5/cdrom removable
> > wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
> > cd0(pciide0:0:1): using PIO mode 4, DMA mode 2
> > pciide0: channel 1 ignored (disabled)
> > uhci0 at pci0 dev 31 function 2 "Intel 82801BA USB" rev 0x03: irq 10
> > isa0 at ichpcib0
> > isadma0 at isa0
> > com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> > pckbc0 at isa0 port 0x60/5
> > pckbd0 at pckbc0 (kbd slot)
> > pckbc0: using irq 1 for kbd slot
> > wskbd0 at pckbd0: console keyboard, using wsdisplay0
> > pms0 at pckbc0 (aux slot)
> > pckbc0: using irq 12 for aux slot
> > wsmouse0 at pms0 mux 0
> > pcppi0 at isa0 port 0x61
> > spkr0 at pcppi0
> > lpt0 at isa0 port 0x378/4 irq 7
> > npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> > fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> > usb0 at uhci0: USB revision 1.0
> > uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> > biomask ef4d netmask ef4d ttymask ffdf
> > mtrr: Pentium Pro MTRR support
> > com3 at pcmcia0 function 0 "MEGAHERTZ, XJ2288, V.34 PCMCIA MODEM" port 0xe3f8/8: ns16550a, 16 byte fifo
> > com3: probed fifo depth: 0 bytes
> > vscsi0 at root
> > scsibus1 at vscsi0: 256 targets
> > softraid0 at root
> > root on wd0a swap on wd0b dump on wd0b
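The reply's argument is that the failure is at layer 4, before TLS is ever involved: the server's interface sees the client's SYN, answers with a SYN-ACK, and then only sees the same SYN retransmitted, never the client's ACK. As an added example (not code from anyone in this thread), the Python script below turns that reasoning into a check that can be run over a saved `tcpdump -netttvv` capture: it groups packets per connection and reports which handshakes completed and which are stuck half-open. The line layout it parses is the one shown in the quoted capture; the sample input embeds the first two SYN/SYN-ACK rounds from the sanitized capture above plus an invented, clearly labelled port-80 exchange that does complete (the original post reports that plain HTTP works). One caveat the script cannot resolve: when the capture point is the server's own interface, "ACK never seen" does not tell you whether the SYN-ACK was dropped on its way out (e.g. by the NAT device) or the ACK was dropped on its way in; it only rules out anything above TCP.

```python
"""Classify TCP three-way handshakes in tcpdump -netttvv output.

Added example, not code from the thread.  It understands the packet line
layout of the OpenBSD tcpdump output quoted in the post (timestamp, two
MAC addresses, ethertype, length, endpoints, flags, then the rest).
"""
import re
from collections import defaultdict

# MAC addresses are matched loosely (\S+) because the quoted capture has
# them sanitized to ww:ww:ww / zz:zz:zz rather than hex.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \S+ \S+ 0800 \d+: "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+) (?P<rest>.*)$"
)
SEQ_RE = re.compile(r"(\d+):(\d+)\(\d+\)")   # "2560292710:2560292710(0)"
ACK_RE = re.compile(r"\back (\d+)\b")         # "ack 2560292711" (not "sackOK")


def split_endpoint(ep):
    """'a.b.c.d.37325' -> ('a.b.c.d', 37325): tcpdump appends the port with a dot."""
    host, port = ep.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a dict for one TCP packet line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    seq = SEQ_RE.search(rest)
    ack = ACK_RE.search(rest)
    return {
        "ts": m.group("ts"),
        "src": split_endpoint(m.group("src")),
        "dst": split_endpoint(m.group("dst")),
        "syn": "S" in m.group("flags"),
        "rst": "R" in m.group("flags"),
        "seq": int(seq.group(1)) if seq else None,
        "ack": int(ack.group(1)) if ack else None,
    }


def classify(lines):
    """Group packets per connection and judge each three-way handshake."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "rst": 0,
                                 "syn_seqs": set(), "client": None})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:                      # non-TCP or unparseable: skip
            continue
        f = flows[tuple(sorted([pkt["src"], pkt["dst"]]))]
        if pkt["rst"]:
            f["rst"] += 1
        elif pkt["syn"] and pkt["ack"] is None:          # client's SYN
            f["client"] = pkt["src"]
            f["syn"] += 1
            f["syn_seqs"].add(pkt["seq"])                # same seq => retransmit
        elif pkt["syn"]:                                 # server's SYN-ACK
            f["synack"] += 1
        elif pkt["ack"] is not None and pkt["src"] == f["client"]:
            f["ack"] += 1                                # client's ACK or later data
    result = {}
    for ends, f in flows.items():
        client = f["client"] or ends[0]
        server = ends[1] if ends[0] == client else ends[0]
        name = "%s:%d -> %s:%d" % (client + server)
        if f["syn"] == 0:
            state = "mid-stream (no SYN captured)"
        elif f["rst"]:
            state = "reset"
        elif f["synack"] == 0:
            state = "no SYN-ACK: server side never answered"
        elif f["ack"] == 0:
            state = "half-open: SYN-ACK sent but client ACK never seen"
        else:
            state = "established"
        result[name] = {"state": state, "syn": f["syn"], "synack": f["synack"],
                        "ack": f["ack"],
                        "syn_retransmits": f["syn"] - len(f["syn_seqs"])}
    return result


# Constructed sample: the first two SYN/SYN-ACK rounds of the sanitized
# port-443 capture from the thread, plus an invented port-80 handshake
# (sequence numbers 100/500, ids 1-3) that completes, for contrast.
SAMPLE = """\
Jul 11 17:26:39.589073 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok] 2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005841692 0,nop,wscale 0> (DF) (ttl 45, id 30330, len 60)
Jul 11 17:26:39.590087 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359378 3005841692> (DF) (ttl 64, id 5701, len 64)
Jul 11 17:26:42.584962 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.37325 > 192.168.x.y.443: S [tcp sum ok] 2560292710:2560292710(0) win 5840 <mss 1452,sackOK,timestamp 3005841992 0,nop,wscale 0> (DF) (ttl 45, id 30331, len 60)
Jul 11 17:26:42.585565 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384 3005841992> (DF) (ttl 64, id 52775, len 64)
Jul 11 17:26:42.589685 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.443 > a.b.c.d.37325: S [tcp sum ok] 1786229842:1786229842(0) ack 2560292711 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1751359384 3005841992> (DF) (ttl 64, id 3806, len 64)
Jul 11 17:30:01.000000 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 74: a.b.c.d.40001 > 192.168.x.y.80: S [tcp sum ok] 100:100(0) win 5840 <mss 1452,sackOK,timestamp 1 0,nop,wscale 0> (DF) (ttl 45, id 1, len 60)
Jul 11 17:30:01.001000 00:01:03:zz:zz:zz 00:0f:b5:ww:ww:ww 0800 78: 192.168.x.y.80 > a.b.c.d.40001: S [tcp sum ok] 500:500(0) ack 101 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 2 1> (DF) (ttl 64, id 2, len 64)
Jul 11 17:30:01.050000 00:0f:b5:ww:ww:ww 00:01:03:zz:zz:zz 0800 66: a.b.c.d.40001 > 192.168.x.y.80: . [tcp sum ok] ack 501 win 5840 <nop,nop,timestamp 1 2> (DF) (ttl 45, id 3, len 52)
"""

if __name__ == "__main__":
    # Usage with a real capture: tcpdump -netttvv -i xl0 tcp port 443 > cap.txt
    # then classify(open("cap.txt").read().splitlines()).
    for name, info in classify(SAMPLE.splitlines()).items():
        print("%s: %s (SYN %d, retransmits %d, SYN-ACK %d, ACK %d)" % (
            name, info["state"], info["syn"], info["syn_retransmits"],
            info["synack"], info["ack"]))
```

Run against the full capture in the post, the 443 flow shows five SYNs carrying the same sequence number (four retransmissions at roughly doubling intervals, which is the client's SYN backoff) and ten SYN-ACKs, so the server side is doing its part; anything about certificates, cipher suites or mod_ssl logging is irrelevant until a flow reaches "established".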