Date: Sat, 31 Mar 2018 21:40:22 -0600 From: Gary Aitken <freebsd@dreamchaser.org> To: Bruce Ferrell <bferrell@baywinds.org>, freebsd-questions@freebsd.org Subject: Re: apache24 ssl setup problems; "unknown protocol" Message-ID: <210673da-f441-491f-7de4-f4bfbadbf5a5@dreamchaser.org> In-Reply-To: <eab52606-6f62-d88f-0682-9fe3ce1f470c@baywinds.org> References: <acd1c4b7-72ce-0fd2-a640-4b3c22299a75@dreamchaser.org> <fc3125a2-14a1-6fe5-cc67-0a32f9361657@baywinds.org> <3ebae04a-4928-7979-9100-b0c3317a5284@dreamchaser.org> <eab52606-6f62-d88f-0682-9fe3ce1f470c@baywinds.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 03/31/18 17:30, Bruce Ferrell wrote: > > On 03/31/2018 04:06 PM, Gary Aitken wrote: >> On 03/31/18 16:36, Bruce Ferrell wrote: >>> That *looks* like you have no certs installed >> >> That's what I don't understand. It says it found the cert fine >> and it matches the domain. >> From the error log: >> >> [Sat Mar 31 13:56:14.019094 2018] [ssl:info] [pid 13686] AH01887: Init: Initializing (virtual) servers for SSL >> [Sat Mar 31 13:56:14.019107 2018] [ssl:info] [pid 13686] AH01914: Configuring server www.dreamchaser.org:443 for SSL protocol >> [Sat Mar 31 13:56:14.019438 2018] [ssl:debug] [pid 13686] ssl_engine_init.c(412): AH01893: Configuring TLS extension handling >> [Sat Mar 31 13:56:14.019920 2018] [ssl:warn] [pid 13686] AH01906: www.dreamchaser.org:443:0 server certificate is a CA certificate ( >> BasicConstraints: CA == TRUE !?) >> [Sat Mar 31 13:56:14.020047 2018] [ssl:debug] [pid 13686] ssl_util_ssl.c(443): AH02412: ... Cert matches for name 'www.dreamchaser.org' ,,, >> [Sat Mar 31 13:56:14.020071 2018] [ssl:info] [pid 13686] AH02568: Certificate and private key www.dreamchaser.org:443:0 configured f >> rom /tmp/test.crt and /tmp/test.key >> [Sat Mar 31 13:56:14.020324 2018] [ssl:info] [pid 13686] AH01876: mod_ssl/2.4.25 compiled against Server: Apache/2.4.25, Library: Op >> enSSL/1.0.1s-freebsd >> [Sat Mar 31 13:56:14.031071 2018] [mpm_prefork:notice] [pid 13686] AH00163: Apache/2.4.25 (FreeBSD) OpenSSL/1.0.1s-freebsd configure >> d -- resuming normal operations >> [Sat Mar 31 13:56:14.031116 2018] [mpm_prefork:info] [pid 13686] AH00164: Server built: unknown >> [Sat Mar 31 13:56:14.031154 2018] [core:notice] [pid 13686] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT' >> [Sat Mar 31 13:56:14.031166 2018] [core:debug] [pid 13686] log.c(1543): AH02639: Using SO_REUSEPORT: no (1) >> [Sat Mar 31 13:56:14.031177 2018] [mpm_prefork:debug] [pid 13686] prefork.c(1027): AH00165: Accept mutex: flock (default: flock) >> >>> On 03/31/2018 03:20 PM, Gary Aitken wrote: >>>> Hi all, >>>> >>>> I'm trying to set up apache24 ssl for the first time; getting nowhere >>>> very slowly. >>>> >>>> Server starts up ok, serves port 80 normally as usual. >>>> sockstat shows it listening on 443 ok. >>>> >>>> When I attempt to connect I get this: >>>> >>>> $ openssl s_client -connect 192.168.151.101:443 >>>> CONNECTED(00000003) >>>> 34379279064:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782: >>>> --- >>>> no peer certificate available >>>> --- >>>> No client certificate CA names sent >>>> --- >>>> SSL handshake has read 7 bytes and written 291 bytes >>>> --- >>>> New, (NONE), Cipher is (NONE) >>>> Secure Renegotiation IS NOT supported >>>> Compression: NONE >>>> Expansion: NONE >>>> SSL-Session: >>>> Protocol : TLSv1.2 >>>> Cipher : 0000 >>>> Session-ID: >>>> Session-ID-ctx: >>>> Master-Key: >>>> Key-Arg : None >>>> PSK identity: None >>>> PSK identity hint: None >>>> SRP username: None >>>> Start Time: 1522531949 >>>> Timeout : 300 (sec) >>>> Verify return code: 0 (ok) >>>> >>>> I assume the problem is the unknown protocol issue, but it's not clear >>>> to me what the unknown protocol it's looking for is. >>>> My extra/httpd-ssl.conf says: >>>> SSLProtocol all -SSLv3 >>>> and my extra/httpd-vhosts.conf does not override it. >>>> The error log simply says: >>>> [core:debug] [pid 13758] protocol.c(1272): ... : request failed: malformed request line >>>> >>>> Running apache24-2.4.25_1 on a 10.3 amd64 > > Try this on the certificate: > > |openssl x509 -text -in /path/to/cert > > Make sure it's the correct kind of certificate Thanks for the suggestions. It looks like I was overriding the cert in httpd-ssl.conf with one in httpd-vhosts.conf which was obsolete, but for some reason it wasn't even mentioned in the log, which is troubling. I've changed that but no difference -- restarted the server and I see the same behavior. It looks to me like the cert should be ok, generated today: $ openssl x509 -text -in test.crt Certificate: Data: Version: 3 (0x2) Serial Number: 11683896583821530168 (0xa2258a09ff151438) Signature Algorithm: sha256WithRSAEncryption Issuer: ... Validity Not Before: Mar 31 15:42:46 2018 GMT Not After : Mar 30 15:42:46 2023 GMT ... Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) ... X509v3 extensions: X509v3 Subject Key Identifier: ... X509v3 Authority Key Identifier: ... X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption ... I'm not sure what "correct kind" is in reference to? > |[ssl:warn] [pid 13686] AH01906: www.dreamchaser.org:443:0 server certificate is a CA certificate ( > BasicConstraints: CA == TRUE !?) > > That log line bothers me. I think you may have the worn cert installed The bad cert was expired, but I'm still seeing that message with the new certs afik. I don't see the expired certs mentioned in the log. Thanks for any further pointers, Gary
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?210673da-f441-491f-7de4-f4bfbadbf5a5>