From owner-freebsd-questions@freebsd.org Sat Mar 31 23:07:51 2018 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3F837F63DA7 for ; Sat, 31 Mar 2018 23:07:51 +0000 (UTC) (envelope-from freebsd@dreamchaser.org) Received: from nightmare.dreamchaser.org (ns.dreamchaser.org [66.109.141.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "nightmare.dreamchaser.org", Issuer "nightmare.dreamchaser.org" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id BFFF67B461 for ; Sat, 31 Mar 2018 23:07:50 +0000 (UTC) (envelope-from freebsd@dreamchaser.org) Received: from breakaway.dreamchaser.org (breakaway [192.168.151.122]) by nightmare.dreamchaser.org (8.15.2/8.15.2) with ESMTP id w2VN7Rsf014185; Sat, 31 Mar 2018 17:07:27 -0600 (MDT) (envelope-from freebsd@dreamchaser.org) Subject: Re: apache24 ssl setup problems; "unknown protocol" To: Bruce Ferrell , freebsd-questions@freebsd.org References: From: Gary Aitken Reply-To: freebsd@dreamchaser.org Message-ID: <3ebae04a-4928-7979-9100-b0c3317a5284@dreamchaser.org> Date: Sat, 31 Mar 2018 17:06:46 -0600 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Mar 2018 23:07:51 -0000 On 03/31/18 16:36, Bruce Ferrell wrote: > That *looks* like you have no certs installed That's what I don't understand. It says it found the cert fine and it matches the domain. From the error log: [Sat Mar 31 13:56:14.019094 2018] [ssl:info] [pid 13686] AH01887: Init: Initializing (virtual) servers for SSL [Sat Mar 31 13:56:14.019107 2018] [ssl:info] [pid 13686] AH01914: Configuring server www.dreamchaser.org:443 for SSL protocol [Sat Mar 31 13:56:14.019438 2018] [ssl:debug] [pid 13686] ssl_engine_init.c(412): AH01893: Configuring TLS extension handling [Sat Mar 31 13:56:14.019920 2018] [ssl:warn] [pid 13686] AH01906: www.dreamchaser.org:443:0 server certificate is a CA certificate ( BasicConstraints: CA == TRUE !?) [Sat Mar 31 13:56:14.020047 2018] [ssl:debug] [pid 13686] ssl_util_ssl.c(443): AH02412: ... Cert matches for name 'www.dreamchaser.org' ,,, [Sat Mar 31 13:56:14.020071 2018] [ssl:info] [pid 13686] AH02568: Certificate and private key www.dreamchaser.org:443:0 configured f rom /tmp/test.crt and /tmp/test.key [Sat Mar 31 13:56:14.020324 2018] [ssl:info] [pid 13686] AH01876: mod_ssl/2.4.25 compiled against Server: Apache/2.4.25, Library: Op enSSL/1.0.1s-freebsd [Sat Mar 31 13:56:14.031071 2018] [mpm_prefork:notice] [pid 13686] AH00163: Apache/2.4.25 (FreeBSD) OpenSSL/1.0.1s-freebsd configure d -- resuming normal operations [Sat Mar 31 13:56:14.031116 2018] [mpm_prefork:info] [pid 13686] AH00164: Server built: unknown [Sat Mar 31 13:56:14.031154 2018] [core:notice] [pid 13686] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT' [Sat Mar 31 13:56:14.031166 2018] [core:debug] [pid 13686] log.c(1543): AH02639: Using SO_REUSEPORT: no (1) [Sat Mar 31 13:56:14.031177 2018] [mpm_prefork:debug] [pid 13686] prefork.c(1027): AH00165: Accept mutex: flock (default: flock) > On 03/31/2018 03:20 PM, Gary Aitken wrote: >> Hi all, >> >> I'm trying to set up apache24 ssl for the first time; getting nowhere >> very slowly. >> >> Server starts up ok, serves port 80 normally as usual. >> sockstat shows it listening on 443 ok. >> >> When I attempt to connect I get this: >> >> $ openssl s_client -connect 192.168.151.101:443 >> CONNECTED(00000003) >> 34379279064:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782: >> --- >> no peer certificate available >> --- >> No client certificate CA names sent >> --- >> SSL handshake has read 7 bytes and written 291 bytes >> --- >> New, (NONE), Cipher is (NONE) >> Secure Renegotiation IS NOT supported >> Compression: NONE >> Expansion: NONE >> SSL-Session: >>     Protocol  : TLSv1.2 >>     Cipher    : 0000 >>     Session-ID: >>     Session-ID-ctx: >>     Master-Key: >>     Key-Arg   : None >>     PSK identity: None >>     PSK identity hint: None >>     SRP username: None >>     Start Time: 1522531949 >>     Timeout   : 300 (sec) >>     Verify return code: 0 (ok) >> >> I assume the problem is the unknown protocol issue, but it's not clear >> to me what the unknown protocol it's looking for is. >> My extra/httpd-ssl.conf says: >>   SSLProtocol all -SSLv3 >> and my extra/httpd-vhosts.conf does not override it. >> The error log simply says: >>    [core:debug] [pid 13758] protocol.c(1272): ... : request failed: malformed request line >> >> Running apache24-2.4.25_1 on a 10.3 amd64