SSL throws SSL23_GET_SERVER_HELLO error

2003-08-08 Thread Arthur Chan
Hi All.
When I run the following command line:
[ssl] # openssl s_client -connect localhost:443 -state -debug
I get this error message :
...
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460:
...
Looking at line 460 of the source, it is exactly that error, no further
clues available.
Does anyone know more about it and want to help out ???
Cheers.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Re: FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error

2003-08-08 Thread Cliff Woolley
On Fri, 8 Aug 2003, Arthur Chan wrote:

 [ssl] # openssl s_client -connect localhost:443 -state -debug
 still throws this sticky error :
 SSL_connect:error in SSLv2/v3 read server hello A
 1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
 protocol:s23_clnt.c:460:

You have multiple problems conspiring against you here.

Problem #1: your OpenSSL doesn't have the error messages loaded so you're
getting a rather non-descriptive error message.  No big deal, it just
means you have to look harder to find out what the error means.

Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you
looked at the debug dump you'd see something very similar to:
 - 3c 21 44 4f 43 54 59 !DOCTY
which was mentioned in one of those links the other guy sent you.  It's
telling you that that's what it received from the server.  You'll notice
that !DOCTY is the first few bytes of a standard html page unencrypted.
So this tells you that your web server is in fact speaking plain HTTP on
port 443 rather than HTTPS.  You probably do not have SSLEngine on for
that virtual host.

Problem #3: You mentioned trying to get name-based vhosts to work with
SSL.  You must realize that this doesn't work right in the general case.
Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 .

Hope this helps.

--Cliff
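As an added illustration of Cliff's point (example code, not from the thread or from mod_ssl): a small Python probe that sends a TLS ClientHello the way s_client does and classifies the first bytes that come back, so a server answering with plain HTML on port 443 is reported as "plaintext-http" instead of an opaque "unknown protocol". The host, port and the seven-byte sample are constructed; the classifier and the hand-built ClientHello are this example's own.

```python
import socket
import struct
import sys

# Constructed sample: the seven bytes the thread's "-debug" dump shows the
# server sending back, i.e. "<!DOCTY", the start of an unencrypted HTML page.
PLAINTEXT_SAMPLE = bytes.fromhex("3c 21 44 4f 43 54 59")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sends in reply to a ClientHello."""
    if len(data) < 3:
        return "empty-or-short"
    # TLS record header: content type 0x16 (handshake), version 3.0 .. 3.4
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake"
    # SSLv2 record: high bit of the length byte set, message type 4 = SERVER-HELLO
    if data[0] & 0x80 and data[2] == 0x04:
        return "sslv2-server-hello"
    # Plain HTTP: a status line, or an HTML page served directly (as in the thread)
    if data.startswith(b"HTTP/") or data[:1] == b"<":
        return "plaintext-http"
    return "unknown"


def build_client_hello() -> bytes:
    """Minimal TLS 1.0 ClientHello record: one cipher suite, no extensions."""
    body = (
        b"\x03\x01" + b"\x00" * 32  # client_version 3.1, client_random (fixed; probe only)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\x00\x2f"        # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"                # compression_methods: null
    )
    # Handshake header: msg_type 1 (ClientHello) + 3-byte body length
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    # Record header: type 0x16 (handshake), version 3.1, 2-byte fragment length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Connect, send the ClientHello, return (verdict, first bytes received)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        first = sock.recv(7)  # the same seven bytes s_client -debug printed
    return classify_first_bytes(first), first


if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it once against the loopback name and once against the interface IP to see whether the two connections really land on the same virtual host.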


But why does it work now : SSL throws SSL23_GET_SERVER_HELLO error

2003-08-08 Thread Arthur Chan
Hi Yoshi.
I think that works !
Instead of
[ssl] # openssl s_client -connect localhost:443 -state -debug
I key in
[ssl] # openssl s_client -connect 192.168.100.10:443 -state -debug
and it worked, no SSL23_GET_SERVER_HELLO error, why is that ???
I am still *VERY CONCERNED* that the output from TCPDUMP contains human
readable data (admittedly you won't be able to get much out of that).
It's nothing like the plain text http transmission, try it out !


- Original Message -
From: Kiyoshi Watanabe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, August 08, 2003 06:44 AM
Subject: Re: FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error



 Hello,

 did you test the openssl command using your IP instead of localhost?

   openssl s_client -connect your-ip-here:443 -state -debug

 Or why don't you change the VirtualHost to _default_ temporarily and
 see how it goes.

 -Kiyoshi
 Kiyoshi Watanabe



   Problem #1: your OpenSSL doesn't have the error messages loaded so you're
   getting a rather non-descriptive error message.  No big deal, it just
   means you have to look harder to find out what the error means.
  How do I load them in order to get a more meaningful description ???
  I've recompiled Apache 2.0.40 several times from scratch with the following
  additional options:
 
  ./configure --with-mpm=worker --enable-so --enable-rewrite --enable-ssl --with-ssl=/path/to/openssl --enable-proxy --auth_digest
 
 
   Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you
   looked at the debug dump you'd see something very similar to:
    - 3c 21 44 4f 43 54 59 !DOCTY
   which was mentioned in one of those links the other guy sent you.  It's
   telling you that that's what it received from the server.  You'll notice
   that !DOCTY is the first few bytes of a standard html page unencrypted.
  Indeed, this is the whole output :
  CONNECTED(0003)
  write to 0809D018 [0809D060] (124 bytes = 124 (0x7C))
   - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .zQ... .
  0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .f..
  0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...e..d.
  0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.
  0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   [EMAIL PROTECTED]
  0050 - 00 00 06 00 00 03 04 00-80 02 00 80 5c ec 7c 7c   \.||
  0060 - 60 b1 2a 84 93 cf ba f5-87 dc 22 63 27 83 c7 16   `.*...c'...
  0070 - f0 68 eb 8b 33 43 57 05-e8 5e a1 ef               .h..3CW..^..
  read from 0809D018 [080A25C0] (7 bytes = 7 (0x7))
   - 3c 21 44 4f 43 54 59  !DOCTY
  SSL_connect:error in SSLv2/v3 read server hello A
  1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
  protocol:s23_clnt.c:460:
 
   So this tells you that your web server is in fact speaking plain HTTP on
   port 443 rather than HTTPS.  You probably do not have SSLEngine on for
   that virtual host.
  This defies the purpose. Following is an excerpt from httpd.conf with only those
  bits that I believe are relevant. What have I done that's wrong?
  (httpd.conf)
 
  ServerName www.saysit.com.hk:80
  #
  <IfModule mod_ssl.c>
  # Some MIME-types for downloading Certificates and CRLs
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl
  SSLSessionCache  dbm:logs/ssl_scache
  SSLSessionCacheTimeout 300
  SSLMutex  file:logs/mutex
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  </IfModule>
  ### Section 3: Virtual Hosts
  Listen 80
  Listen 443
  NameVirtualHost 192.168.1.3
  <VirtualHost 192.168.1.3:80>
  ServerName www.saysit.com.hk
  ServerAdmin [EMAIL PROTECTED]
  DocumentRoot /var/www/html
  ErrorLog /usr/local/apache2/logs/saysit_error.log
  CustomLog /usr/local/apache2/logs/saysit_access.log common
  SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
  JkMount /saysit ajp13
  JkMount /saysit/* ajp13
  </VirtualHost>
  #
  <IfDefine SSL>
  <VirtualHost 192.168.1.3:443>
  ServerName demo.saysit.com.hk
  ServerAdmin [EMAIL PROTECTED]
  DocumentRoot /home/nicole/MyDocument/public_html
  ErrorLog /usr/local/apache2/logs/nicole_error.log
  CustomLog /usr/local/apache2/logs/nicole_access.log common
  <IfModule mod_ssl.c>
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /usr/share/ssl/server.crt
  SSLCertificateKeyFile /usr/share/ssl/server.key
      SSLVerifyClient require  will prompt the client to select a certificate when browsing demo.saysit
  </IfModule>
  JkExtractSSL on
  JkHTTPSIndicator HTTPS
  JkSESSIONIndicator SSL_SESSION_ID
  JkCIPHERIndicator SSL_CIPHER
  JkCERTSIndicator SSL_CLIENT_CERT
  JkMount /saysit ajp13
  JkMount 

Browser specific OpenSSL mod_ssl problem !

2003-08-08 Thread Arthur Chan
Hi All.
Help. Netscape is driving me to drink!
Problem : Netscape 7.1 will not redirect from http://my.first.dom to
https://my.secure.dom, claims it is transmitting in clear text (rather than
encrypted).

Objective : from the first web-site, create a link to a secure web-site inside
index.html using an anchor e.g. <A HREF="https://my.secure.dom">ClickMe</A>

Set up : Apache2 httpd + mod_ssl + Tomcat + Oracle. Tomcat holds java
servlets. Apache server has applets communicating with servlets.

What works : Everything works just fine using W98+MSIE5 or W98+Netscape6.2
or Linux+Mozilla.

What doesn't work : Using Netscape 7.1, when I key in the URL
my.first.dom, it takes me to the web-site. When I click on the link to
my.secure.dom, which does indeed take me to the secure site, it presents
the logon screen and the certificate. I logged on and accepted the
certificate. Normally in Netscape 6.2, the tiny lock located in bottom right
side of screen should be closed and shows the certificate when I click on
it. But in 7.1, the lock is NOT CLOSED and it says that the transmission is
in clear text for all to see.
However, if I key in the URL : https://my.secure.dom, the little lock closes
and shows the certificate.
...
[code]
(httpd.conf)
...
Listen 192.168.100.1:80
Listen 443
NameVirtualHost 192.168.100.1
<VirtualHost 192.168.100.1:80>
ServerName my.first.dom
...
</VirtualHost>
# I added following redirect in the hope Netscape7.1 would work - didn't!
<VirtualHost 192.168.100.1:80>
ServerName my.secure.dom
Redirect /index.html https://my.secure.dom/index.html
</VirtualHost>
# as far as MSIE5 and Mozilla are concerned, they only need the following
# lines to work properly
<VirtualHost ...>
ServerName my.secure.dom
...
   <IfModule mod_ssl.c> ... blablabla </IfModule>
...
</VirtualHost>
[/code]

