From: Bruce Ferrell
To: freebsd-questions@freebsd.org
Subject: Re: apache24 ssl setup problems; "unknown protocol"
Date: Sat, 31 Mar 2018 16:30:39 -0700
In-Reply-To: <3ebae04a-4928-7979-9100-b0c3317a5284@dreamchaser.org>

On 03/31/2018 04:06 PM,
Gary Aitken wrote:
> On 03/31/18 16:36, Bruce Ferrell wrote:
>> That *looks* like you have no certs installed
>
> That's what I don't understand.  It says it found the cert fine
> and it matches the domain.
> From the error log:
>
> [Sat Mar 31 13:56:14.019094 2018] [ssl:info] [pid 13686] AH01887: Init: Initializing (virtual) servers for SSL
> [Sat Mar 31 13:56:14.019107 2018] [ssl:info] [pid 13686] AH01914: Configuring server www.dreamchaser.org:443 for SSL protocol
> [Sat Mar 31 13:56:14.019438 2018] [ssl:debug] [pid 13686] ssl_engine_init.c(412): AH01893: Configuring TLS extension handling
> [Sat Mar 31 13:56:14.019920 2018] [ssl:warn] [pid 13686] AH01906: www.dreamchaser.org:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
> [Sat Mar 31 13:56:14.020047 2018] [ssl:debug] [pid 13686] ssl_util_ssl.c(443): AH02412: ... Cert matches for name 'www.dreamchaser.org' ,,,
> [Sat Mar 31 13:56:14.020071 2018] [ssl:info] [pid 13686] AH02568: Certificate and private key www.dreamchaser.org:443:0 configured from /tmp/test.crt and /tmp/test.key
> [Sat Mar 31 13:56:14.020324 2018] [ssl:info] [pid 13686] AH01876: mod_ssl/2.4.25 compiled against Server: Apache/2.4.25, Library: OpenSSL/1.0.1s-freebsd
> [Sat Mar 31 13:56:14.031071 2018] [mpm_prefork:notice] [pid 13686] AH00163: Apache/2.4.25 (FreeBSD) OpenSSL/1.0.1s-freebsd configured -- resuming normal operations
> [Sat Mar 31 13:56:14.031116 2018] [mpm_prefork:info] [pid 13686] AH00164: Server built: unknown
> [Sat Mar 31 13:56:14.031154 2018] [core:notice] [pid 13686] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
> [Sat Mar 31 13:56:14.031166 2018] [core:debug] [pid 13686] log.c(1543): AH02639: Using SO_REUSEPORT: no (1)
> [Sat Mar 31 13:56:14.031177 2018] [mpm_prefork:debug] [pid 13686] prefork.c(1027): AH00165: Accept mutex: flock (default: flock)
>
>> On 03/31/2018 03:20 PM, Gary Aitken wrote:
>>> Hi all,
>>>
>>> I'm trying to set up apache24 ssl for the first time; getting nowhere
>>> very slowly.
>>>
>>> Server starts up ok, serves port 80 normally as usual.
>>> sockstat shows it listening on 443 ok.
>>>
>>> When I attempt to connect I get this:
>>>
>>> $ openssl s_client -connect 192.168.151.101:443
>>> CONNECTED(00000003)
>>> 34379279064:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
>>> ---
>>> no peer certificate available
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 7 bytes and written 291 bytes
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : 0000
>>>     Session-ID:
>>>     Session-ID-ctx:
>>>     Master-Key:
>>>     Key-Arg   : None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     SRP username: None
>>>     Start Time: 1522531949
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 0 (ok)
>>>
>>> I assume the problem is the unknown protocol issue, but it's not clear
>>> to me what the unknown protocol it's looking for is.
>>> My extra/httpd-ssl.conf says:
>>>   SSLProtocol all -SSLv3
>>> and my extra/httpd-vhosts.conf does not override it.
>>> The error log simply says:
>>>    [core:debug] [pid 13758] protocol.c(1272): ... : request failed: malformed request line
>>>
>>> Running apache24-2.4.25_1 on a 10.3 amd64

Try this on the certificate:

openssl x509 -text -in /path/to/cert

Make sure it's the correct kind of certificate

[ssl:warn] [pid 13686] AH01906: www.dreamchaser.org:443:0 server certificate is a CA certificate ( BasicConstraints: CA == TRUE !?)

That log line bothers me.  I think you may have the wrong cert installed
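The thread shows two separate symptoms: s_client reports "unknown protocol" from SSL23_GET_SERVER_HELLO, which OpenSSL raises when the first bytes back from the server are not an SSL/TLS record at all, and the Apache error log reports "malformed request line", which is the plain HTTP parser rejecting what it was handed on that connection. A certificate problem (such as the CA-flagged cert in the warning above) produces a TLS-level failure, not a non-TLS answer, so it helps to first establish what the port actually speaks. The following probe is an added example written for this thread, not code from either poster: it sends a minimal TLS 1.2 ClientHello to a host:port and classifies the first bytes of the reply as a TLS record, plaintext HTTP, or something else. The embedded loopback server is a constructed stand-in for a port-443 vhost that answers in plaintext (what you get when the vhost on 443 has no `SSLEngine on`); it is not Apache. Inspecting the certificate itself is still done with the `openssl x509 -text` command given above.

```python
"""Probe a port that should speak TLS and report what actually answers."""
import os
import socket
import threading

# TLS record content types (RFC 5246, section 6.2.1).
TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello: one cipher suite, no extensions."""
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + os.urandom(32)       # random
        + b"\x00"              # session_id length: 0
        + b"\x00\x02\x00\x2f"  # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"          # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type=ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def classify_first_bytes(data: bytes) -> str:
    """Decide what kind of peer sent these opening bytes."""
    if not data:
        return "no-response"
    # A TLS server answers a ClientHello with a Handshake (ServerHello) or an
    # Alert record; either way the record header starts 0x16/0x15, 0x03.
    if len(data) >= 3 and data[0] in (TLS_ALERT, TLS_HANDSHAKE) and data[1] == 0x03:
        return "tls"
    # An HTTP parser that was fed a ClientHello replies with an HTTP status line.
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello, classify the reply (or lack of one)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(16)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_first_bytes(data)


def start_plaintext_server() -> int:
    """Constructed stand-in for a :443 vhost that speaks plain HTTP (no SSLEngine).

    Returns the ephemeral loopback port it listens on; serves one connection.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # the ClientHello, which an HTTP parser cannot parse
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n"
                         b"Content-Length: 0\r\nConnection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_plaintext_server()
    print("127.0.0.1:%d ->" % port, probe("127.0.0.1", port))
```

Run it against the real host with `probe("192.168.151.101", 443)`: "plaintext-http" means the 443 listener is not TLS-enabled and the certificate has not been consulted yet; "tls" means the handshake at least started, and the next thing to examine is the certificate and the `openssl x509 -text` output.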