Subject: Re: apache24 ssl setup problems; "unknown protocol"
From: Gary Aitken
Reply-To: freebsd@dreamchaser.org
To: Bruce Ferrell, freebsd-questions@freebsd.org
Date: Sat, 31 Mar 2018 21:40:22 -0600
Message-ID: <210673da-f441-491f-7de4-f4bfbadbf5a5@dreamchaser.org>
References: <3ebae04a-4928-7979-9100-b0c3317a5284@dreamchaser.org>

On 03/31/18 17:30, Bruce Ferrell wrote:
>
> On 03/31/2018 04:06 PM, Gary Aitken wrote:
>> On 03/31/18 16:36, Bruce Ferrell wrote:
>>> That *looks* like you have no certs installed
>>
>> That's what I don't understand.
>> It says it found the cert fine
>> and it matches the domain.
>> From the error log:
>>
>> [Sat Mar 31 13:56:14.019094 2018] [ssl:info] [pid 13686] AH01887: Init: Initializing (virtual) servers for SSL
>> [Sat Mar 31 13:56:14.019107 2018] [ssl:info] [pid 13686] AH01914: Configuring server www.dreamchaser.org:443 for SSL protocol
>> [Sat Mar 31 13:56:14.019438 2018] [ssl:debug] [pid 13686] ssl_engine_init.c(412): AH01893: Configuring TLS extension handling
>> [Sat Mar 31 13:56:14.019920 2018] [ssl:warn] [pid 13686] AH01906: www.dreamchaser.org:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
>> [Sat Mar 31 13:56:14.020047 2018] [ssl:debug] [pid 13686] ssl_util_ssl.c(443): AH02412: ... Cert matches for name 'www.dreamchaser.org' ,,,
>> [Sat Mar 31 13:56:14.020071 2018] [ssl:info] [pid 13686] AH02568: Certificate and private key www.dreamchaser.org:443:0 configured from /tmp/test.crt and /tmp/test.key
>> [Sat Mar 31 13:56:14.020324 2018] [ssl:info] [pid 13686] AH01876: mod_ssl/2.4.25 compiled against Server: Apache/2.4.25, Library: OpenSSL/1.0.1s-freebsd
>> [Sat Mar 31 13:56:14.031071 2018] [mpm_prefork:notice] [pid 13686] AH00163: Apache/2.4.25 (FreeBSD) OpenSSL/1.0.1s-freebsd configured -- resuming normal operations
>> [Sat Mar 31 13:56:14.031116 2018] [mpm_prefork:info] [pid 13686] AH00164: Server built: unknown
>> [Sat Mar 31 13:56:14.031154 2018] [core:notice] [pid 13686] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
>> [Sat Mar 31 13:56:14.031166 2018] [core:debug] [pid 13686] log.c(1543): AH02639: Using SO_REUSEPORT: no (1)
>> [Sat Mar 31 13:56:14.031177 2018] [mpm_prefork:debug] [pid 13686] prefork.c(1027): AH00165: Accept mutex: flock (default: flock)
>>
>>> On 03/31/2018 03:20 PM, Gary Aitken wrote:
>>>> Hi all,
>>>>
>>>> I'm trying to set up apache24 ssl for the first time; getting nowhere
>>>> very slowly.
>>>>
>>>> Server starts up ok, serves port 80 normally as usual.
>>>> sockstat shows it listening on 443 ok.
>>>>
>>>> When I attempt to connect I get this:
>>>>
>>>> $ openssl s_client -connect 192.168.151.101:443
>>>> CONNECTED(00000003)
>>>> 34379279064:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
>>>> ---
>>>> no peer certificate available
>>>> ---
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 7 bytes and written 291 bytes
>>>> ---
>>>> New, (NONE), Cipher is (NONE)
>>>> Secure Renegotiation IS NOT supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1.2
>>>>     Cipher    : 0000
>>>>     Session-ID:
>>>>     Session-ID-ctx:
>>>>     Master-Key:
>>>>     Key-Arg   : None
>>>>     PSK identity: None
>>>>     PSK identity hint: None
>>>>     SRP username: None
>>>>     Start Time: 1522531949
>>>>     Timeout   : 300 (sec)
>>>>     Verify return code: 0 (ok)
>>>>
>>>> I assume the problem is the unknown protocol issue, but it's not clear
>>>> to me what the unknown protocol it's looking for is.
>>>> My extra/httpd-ssl.conf says:
>>>>   SSLProtocol all -SSLv3
>>>> and my extra/httpd-vhosts.conf does not override it.
>>>> The error log simply says:
>>>>    [core:debug] [pid 13758] protocol.c(1272): ... : request failed: malformed request line
>>>>
>>>> Running apache24-2.4.25_1 on a 10.3 amd64
>
> Try this on the certificate:
>
> openssl x509 -text -in /path/to/cert
>
> Make sure it's the correct kind of certificate

Thanks for the suggestions.  It looks like I was overriding the cert in
httpd-ssl.conf with one in httpd-vhosts.conf which was obsolete, but for
some reason it wasn't even mentioned in the log, which is troubling.
I've changed that but no difference -- restarted the server and I see
the same behavior.
It looks to me like the cert should be ok, generated today:

$ openssl x509 -text -in test.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11683896583821530168 (0xa2258a09ff151438)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: ...
        Validity
            Not Before: Mar 31 15:42:46 2018 GMT
            Not After : Mar 30 15:42:46 2023 GMT
        ...
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        ...
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                ...
            X509v3 Authority Key Identifier:
                ...
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
        ...

I'm not sure what "correct kind" is in reference to?

> [ssl:warn] [pid 13686] AH01906: www.dreamchaser.org:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
>
> That log line bothers me. I think you may have the wrong cert installed

The bad cert was expired, but I'm still seeing that message with the new
certs afaik.  I don't see the expired certs mentioned in the log.

Thanks for any further pointers,

Gary
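An added diagnostic (not code from the thread, from Apache or from OpenSSL) that does in Python what s_client did above: send a minimal ClientHello and classify the first bytes that come back. "unknown protocol" means the reply was not a TLS record at all; a Listen 443 virtual host without SSLEngine on answers in plain HTTP, which is consistent with the "malformed request line" in the Apache log. The one-shot local listeners and all port numbers are constructed for the demonstration.

```python
import socket
import sys
import threading

# Minimal TLS ClientHello (constructed): one cipher suite, no extensions.
CLIENT_HELLO = bytes.fromhex(
    "160301002d"            # record header: handshake, version 3.1, length 45
    "01000029"              # handshake header: ClientHello, length 41
    "0303" + "00" * 32      # client_version 3.3 (TLS 1.2) + 32-byte random
    + "00"                  # session_id length 0
    + "0002002f"            # cipher_suites: length 2, TLS_RSA_WITH_AES_128_CBC_SHA
    + "0100"                # compression_methods: length 1, null
)

def classify_tls_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a ClientHello, read the first bytes back and say what the peer spoke."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(CLIENT_HELLO)
        try:
            data = s.recv(16)
        except socket.timeout:
            return "no-reply"
    if not data:
        return "closed"          # peer hung up without answering
    if data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"             # alert or handshake record: TLS is spoken here
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # an HTTP listener answering on the TLS port
    return "unknown"

def serve_once(reply: bytes) -> int:
    """Constructed stand-in for a listener: answer one connection on a random
    127.0.0.1 port with `reply`; returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.recv(4096)
        conn.sendall(reply)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":          # usage: probe.py host port
    print(classify_tls_port(sys.argv[1], int(sys.argv[2])))
```

Against a real host, "plaintext-http" on port 443 is the misconfigured-vhost case; "tls" means the handshake at least started and any remaining problem is in the certificate or protocol settings.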