[opensuse] Apache 2.4.6 on OpenSuse 13.1: ssl_error_rx_record_too_long and ERR_SSL_PROTOCOL_ERROR

This is killing me. After googling for days, and going down countless blind alleys, I am no closer to a solution. Much of the info I get is either ancient or for other platforms, or both. Worse, 99% of the pages I get blame the browser, but the browser is not relevant (except I get ssl_error_rx_record_too_long from Firefox and ERR_SSL_PROTOCOL_ERROR from Chrome: both on workstations running OpenSuse 13.1). I know the browser is not to blame because the same browsers CAN connect to another of my servers (running Ubuntu 12.04) over https.

I made sure that 443 is open in the firewall, and that the server is listening on 443, and that the virtual host using 443 is properly configured (or so I believe), with the proper filename and full path to the server's key and certificate, as well as to my rootCA certificate.

The web server DOES start, and handles http requests perfectly. But every attempt to use SSL results in one of the above errors on the client side. On the server side, the only error I get relates to the web server not being able to find socache_shmcb_module; or so it says. In point of fact, the .so file is in /usr/lib64/apache2. I can not imagine why it would claim that it isn't installed (and that it would ignore that error), when in fact the file is there and the proper path to it has been provided in the LoadModule statement in the relevant conf file. As the only reference to variables related to this module occurs in the virtual host that is supposed to be using SSL, I wonder if this error is causing the other two.

I would include my *.conf files, but there are so many, and I am no longer sure of which files would be most useful, or which I should focus on (I have stared at all of them for so long, it is hard to read my screen), I'll post only those you ask for. I don't want to post anything that is not relevant.

Please help. It is getting desperate here. I now have a headache that would kill an ox. It feels like my head is going to explode. If you see a mushroom cloud over central Ontario, Canada, you'll know what happened. :-(

Thanks

Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On 07/29/2014 08:48 PM, Ted Byers wrote:
> This is killing me. After googling for days, and going down countless blind alleys, I am no closer to a solution. Much of the info I get is either ancient or for other platforms, or both. Worse, 99% of the pages I get blame the browser, but the browser is not relevant (except I get ssl_error_rx_record_too_long from Firefox and ERR_SSL_PROTOCOL_ERROR from Chrome: both on workstations running OpenSuse 13.1). I know the browser is not to blame because the same browsers CAN connect to another of my servers (running Ubuntu 12.04) over https.

Check if your webserver delivers a valid chain using openssl as client:
openssl s_client -connect yourserver:443 -showcerts
The manpage of s_client tells you more options:
man s_client

On Wed, Jul 30, 2014 at 9:21 AM, Florian Gleixner <flo@redflo.de> wrote:
> On 07/29/2014 08:48 PM, Ted Byers wrote:
>> This is killing me. After googling for days, and going down countless blind alleys, I am no closer to a solution. Much of the info I get is either ancient or for other platforms, or both. Worse, 99% of the pages I get blame the browser, but the browser is not relevant (except I get ssl_error_rx_record_too_long from Firefox and ERR_SSL_PROTOCOL_ERROR from Chrome: both on workstations running OpenSuse 13.1). I know the browser is not to blame because the same browsers CAN connect to another of my servers (running Ubuntu 12.04) over https.
> Check if your webserver delivers a valid chain using openssl as client:
> openssl s_client -connect yourserver:443 -showcerts
> The manpage of s_client tells you more options:
> man s_client

Thanks Florian

Here is the result:

ed@linux-jp04:~> openssl s_client -connect gremlin.site:443 -showcerts
CONNECTED(00000003)
140137415726736:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 317 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

I would suppose that that means that either the certificates are broken or apache is not properly configured to use them. The latter configuration is in the contents of vhosts-ssl that I posted here earlier.

Here is how I generated the certificates:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
openssl genrsa -out gremlin.site.key 2048
openssl req -new -key gremlin.site.key -out gremlin.site.csr
openssl x509 -req -in gremlin.site.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out gremlin.site.crt -days 1024

I put rootCA.pem and gremlin.site.crt in /etc/apache2/ssl.crt, and gremlin.site.key in /etc/apache2/ssl.key

What would be the next step?

Thanks

Ted
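
Added example, not part of the thread and not any poster's code: `unknown protocol` from s_client means the first bytes the server returned did not parse as a TLS record, so this Python check sends a real ClientHello and classifies what comes back. It also computes the length field a TLS client would read out of a plaintext HTTP answer, which is larger than TLS allows. All function names and the sample bytes are constructed for illustration.

```python
import socket
import ssl

MAX_TLS_RECORD = 2**14 + 2048  # largest record length field TLS 1.2 permits
TLS_TYPES = {0x15: "tls-alert", 0x16: "tls-handshake"}

def implied_record_length(data: bytes) -> int:
    """Length a TLS client reads from bytes 3-4 when it parses data as a record."""
    return int.from_bytes(data[3:5], "big")

def classify_first_bytes(data: bytes) -> str:
    """Name the protocol that the first bytes of a server reply look like."""
    if not data:
        return "empty"  # peer closed the connection without answering
    if (len(data) >= 5 and data[0] in TLS_TYPES and data[1] == 3
            and implied_record_length(data) <= MAX_TLS_RECORD):
        return TLS_TYPES[data[0]]
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        return "plaintext-http"
    return "unknown"

def client_hello(host: str) -> bytes:
    """Build a real ClientHello in memory, without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).wrap_bio(
        incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake stalls waiting for the server's reply
    return outgoing.read()

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the ClientHello to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        return classify_first_bytes(sock.recv(64))

# Constructed replies, not captured from the server in this thread.
SAMPLES = {
    "tls": bytes.fromhex("160303004a0200004603"),
    "http": b"HTTP/1.1 400 Bad Request\r\n",
    "html": b"<!DOCTYPE HTML PUBLIC",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_first_bytes(data), implied_record_length(data))
```

Against a live host, `probe("yourserver")` returning `plaintext-http` means the listener on that port is answering without TLS, which points at the server's SSL configuration for that port rather than at the certificates.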