Hello. I am experiencing a strange problem with Apache 2.2.27p4 on OpenBSD 5.6-stable amd64.

I am _intermittently_ getting this error:

SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

in Firefox 31.3.0esr (both Linux and Windows clients) when accessing my server via HTTPS. I am not seeing errors pop up in other browsers but I am seeing strange things in IE11 and Chromium where things seem to not always load over HTTPS. The Qualys SSL Server Test website also reports errors accessing my server sometimes when I have run tests against it using their tool.

What is very strange is that it is intermittent. Things seem to work then click a link or reload a page and the error pops up.

I have done much searching and fiddled with various settings and have not been able to find a solution so far. I do not think it is a network problem (unless it is a hardware vs driver issue for the NIC in the server) since I have tested with pf disabled on the server with a client on the same ethernet segment and the problem is still there.

I am also pretty confident in the Apache configuration. It was mostly transferred from a tried and true Apache 2.0.65 config. Not by just dumping the old config in place, but by using what was installed by the apache-httpd package as a base then carefully merging in my changes. Nothing is showing up in the Apache error_logs.

I was also able to test with two different certificates. My old certificate was up for renewal and it was also SHA1. So I renewed my certificate at the CA today (and upped it to SHA256). No change. What is different about my certificate compared to what most other people are probably doing is that my certificate is a wildcard certificate (valid for *.example.com and example.com). I have never had a problem with these wildcard certificates in the past. But I don't think I've ever tried to use them with Apache beyond 2.0.X though...

Anyway, I'm prepared to dive deeper but the attack surface is huge. So many possible places where this problem could be residing. Has anyone here ever run into this before? Anyone have any suggestions/hints/hunches/etc. as to where to start looking? Thanks!

--

John Merriam
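An added diagnostic, not part of the post above and not the poster's code. Firefox reports ssl_error_rx_record_too_long when the first bytes it receives after its ClientHello do not parse as a TLS record of sane length; a common way that happens is the server answering on port 443 with plaintext HTTP, whose status line gets read as a record header with an absurd length. The script below sends a minimal TLS 1.2 ClientHello repeatedly and tallies what comes back first, so an intermittent fault shows up as a mix of outcomes. The host and port are taken from the command line; the cipher suite list, the SNI-only extension block and the attempt count are assumptions chosen for a 2015-era TLS 1.2 server, and the sample byte strings in the comments are constructed.

```python
"""Repeatedly probe an HTTPS port and classify the server's first response bytes."""
import os
import socket
import sys
from collections import Counter

# RFC 5246 section 6.2.3: a TLSCiphertext record body may not exceed 2^14 + 2048 bytes.
MAX_TLS_RECORD = 16384 + 2048

CONTENT_TYPES = {
    0x14: "change-cipher-spec",
    0x15: "tls-alert",
    0x16: "tls-handshake",
    0x17: "tls-application-data",
}


def record_length(data: bytes) -> int:
    """Length field of `data` read as if it were a TLS record header (bytes 3-4)."""
    return int.from_bytes(data[3:5], "big")


def classify_first_bytes(data: bytes) -> str:
    """Tell a real TLS record apart from plaintext HTTP or junk.

    Constructed examples:
      b"\\x16\\x03\\x03\\x00\\x31..."          -> "tls-handshake"
      b"\\x15\\x03\\x03\\x00\\x02\\x02\\x28"   -> "tls-alert"
      b"HTTP/1.1 400 Bad Request\\r\\n"       -> "plaintext-http"
    For the HTTP case the bytes "P/" land in the length field, i.e. 0x502F = 20527,
    which is above MAX_TLS_RECORD and is exactly what a browser complains about.
    """
    if len(data) < 5:
        return "short"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    ctype, major, minor = data[0], data[1], data[2]
    if ctype in CONTENT_TYPES and major == 3 and minor <= 4:
        if record_length(data) > MAX_TLS_RECORD:
            return "tls-record-too-long"
        return CONTENT_TYPES[ctype]
    return "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying only an SNI extension (assumed suite list)."""
    host = server_name.encode("idna")
    sni_entry = b"\x00" + len(host).to_bytes(2, "big") + host          # name_type 0 = host_name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0 = server_name
    extensions = len(sni_ext).to_bytes(2, "big") + sni_ext
    # ECDHE-RSA-AES128-GCM, ECDHE-RSA-AES256-GCM, AES128-GCM, AES128-CBC, AES256-CBC
    suites = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f\x00\x35"
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                     # version, random, empty session id
            + len(suites).to_bytes(2, "big") + suites
            + b"\x01\x00"                                               # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def probe(host: str, port: int = 443, attempts: int = 20, timeout: float = 5.0) -> Counter:
    """Send a ClientHello `attempts` times and tally how the server's first bytes classify.

    A mix such as {"tls-handshake": 17, "plaintext-http": 3} across attempts points at the
    server sometimes answering the TLS port without TLS. This function touches the network
    and is not exercised by the offline checks.
    """
    results: Counter = Counter()
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(host))
                results[classify_first_bytes(sock.recv(4096))] += 1
        except OSError as exc:
            results[f"socket-error:{exc.__class__.__name__}"] += 1
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # hostname is a command-line assumption
    for outcome, count in sorted(probe(target).items()):
        print(f"{outcome:24s} {count}")
```

Run it as `python3 probe.py www.example.com` from a client on the same segment (the poster already ruled out pf by testing that way). A handshake alert still counts as TLS here, which is deliberate: the question is whether the listener speaks TLS at all on every connection, not whether this particular ClientHello is one the server likes. Any "plaintext-http", "unknown" or "tls-record-too-long" tally on a host that otherwise works is worth correlating with the Apache access_log timestamps, since the error_log stays silent when the server believes it has served a normal HTTP request.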
