SSL throws SSL23_GET_SERVER_HELLO error
Hi All.

When I run the following command:

[code]
[ssl] # openssl s_client -connect localhost:443 -state -debug
[/code]

I get this error message:

[code]
...
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:
...
[/code]

Looking at line 460 of the source, it is exactly that error, no further clues available. Does anyone know more about it and want to help out?

Cheers.

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                         [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
Re: FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error
On Fri, 8 Aug 2003, Arthur Chan wrote:

> [ssl] # openssl s_client -connect localhost:443 -state -debug
> still throws this sticky error:
> SSL_connect:error in SSLv2/v3 read server hello A
> 1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:

You have multiple problems conspiring against you here.

Problem #1: your OpenSSL doesn't have the error messages loaded, so you're getting a rather non-descriptive error message. No big deal, it just means you have to look harder to find out what the error means.

Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you looked at the debug dump you'd see something very similar to:

[code]
0000 - 3c 21 44 4f 43 54 59   <!DOCTY
[/code]

which was mentioned in one of those links the other guy sent you. It's telling you that that's what it received from the server. You'll notice that <!DOCTY is the first few bytes of a standard HTML page, unencrypted. So this tells you that your web server is in fact speaking plain HTTP on port 443 rather than HTTPS. You probably do not have SSLEngine on for that virtual host.

Problem #3: You mentioned trying to get name-based vhosts to work with SSL. You must realize that this doesn't work right in the general case. Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 .

Hope this helps.

--Cliff
But why does it work now : SSL throws SSL23_GET_SERVER_HELLO error
Hi Yoshi. I think that works!

Instead of

[code]
[ssl] # openssl s_client -connect localhost:443 -state -debug
[/code]

I key in

[code]
[ssl] # openssl s_client -connect 192.168.100.10:443 -state -debug
[/code]

and it worked, no SSL23_GET_SERVER_HELLO error. Why is that?

I am still *VERY CONCERNED* that the output from TCPDUMP contains human readable data (admittedly you won't be able to get much out of that). It's nothing like the plain text HTTP transmission, try it out!

----- Original Message -----
From: Kiyoshi Watanabe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, August 08, 2003 06:44 AM
Subject: Re: FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error

Hello,

did you test the openssl command using your IP instead of localhost?

[code]
openssl s_client -connect your-ip-here:443 -state -debug
[/code]

Or why don't you change the VirtualHost to _default_ temporarily and see how it goes.

-Kiyoshi
Kiyoshi Watanabe

> Problem #1: your OpenSSL doesn't have the error messages loaded, so you're
> getting a rather non-descriptive error message. No big deal, it just means
> you have to look harder to find out what the error means.

How do I load them in order to get a more meaningful description? I've recompiled Apache 2.0.40 several times from scratch with the following additional options:

[code]
./configure --with-mpm=worker --enable-so --enable-rewrite --enable-ssl --with-ssl=/path/to/openssl --enable-proxy --auth_digest
[/code]

> Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you
> looked at the debug dump you'd see something very similar to:
>
> 0000 - 3c 21 44 4f 43 54 59   <!DOCTY
>
> which was mentioned in one of those links the other guy sent you. It's
> telling you that that's what it received from the server. You'll notice
> that <!DOCTY is the first few bytes of a standard HTML page, unencrypted.

Indeed, this is the whole output:

[code]
CONNECTED(0003)
write to 0809D018 [0809D060] (124 bytes = 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .........f......
0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...........e..d.
0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.....
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 00 00 03 04 00-80 02 00 80 5c ec 7c 7c   ............\.||
0060 - 60 b1 2a 84 93 cf ba f5-87 dc 22 63 27 83 c7 16   `.*......."c'...
0070 - f0 68 eb 8b 33 43 57 05-e8 5e a1 ef               .h..3CW..^..
read from 0809D018 [080A25C0] (7 bytes = 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:
[/code]

> So this tells you that your web server is in fact speaking plain HTTP on
> port 443 rather than HTTPS. You probably do not have SSLEngine on for that
> virtual host.

This defies the purpose. Following is an excerpt from httpd.conf with only those bits that I believe are relevant. What have I done that's wrong?

[code]
(httpd.conf)

ServerName www.saysit.com.hk:80

#
<IfModule mod_ssl.c>
# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLSessionCache        dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex               file:logs/mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

### Section 3: Virtual Hosts

Listen 80
Listen 443
NameVirtualHost 192.168.1.3

<VirtualHost 192.168.1.3:80>
    ServerName   www.saysit.com.hk
    ServerAdmin  [EMAIL PROTECTED]
    DocumentRoot /var/www/html
    ErrorLog     /usr/local/apache2/logs/saysit_error.log
    CustomLog    /usr/local/apache2/logs/saysit_access.log common
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    JkMount /saysit   ajp13
    JkMount /saysit/* ajp13
</VirtualHost>

#
<IfDefine SSL>
<VirtualHost 192.168.1.3:443>
    ServerName   demo.saysit.com.hk
    ServerAdmin  [EMAIL PROTECTED]
    DocumentRoot /home/nicole/MyDocument/public_html
    ErrorLog     /usr/local/apache2/logs/nicole_error.log
    CustomLog    /usr/local/apache2/logs/nicole_access.log common
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile    /usr/share/ssl/server.crt
        SSLCertificateKeyFile /usr/share/ssl/server.key
        # SSLVerifyClient require will prompt the client to select a
        # certificate when browsing demo.saysit
        SSLVerifyClient require
    </IfModule>
    JkExtractSSL       on
    JkHTTPSIndicator   HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator  SSL_CIPHER
    JkCERTSIndicator   SSL_CLIENT_CERT
    JkMount /saysit   ajp13
    JkMount
[/code]
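Cliff's diagnosis above (the first bytes read back are `<!DOCTY`, the start of an HTML page, rather than a TLS or SSLv2 ServerHello) can be checked mechanically rather than by eye. The Python script below is an added example, not code from this thread, from OpenSSL or from mod_ssl: it parses the first `read from` block of an `openssl s_client -debug` dump, classifies those bytes as a TLS record, an SSLv2 record or plaintext HTTP, unpacks the packed OpenSSL 1.x error code `140770FC` into its library/function/reason fields (the same split that `openssl errstr 140770FC` prints once error strings are available, which is what Problem #1 is about), and carries a `probe()` helper that sends a bare TLS 1.0 ClientHello to a live host and classifies the reply. The function names are my own, and the sample dump is constructed from the bytes quoted in this thread, with the write block trimmed to one line.

```python
"""Tell a TLS reply apart from plaintext HTTP in an `openssl s_client -debug`
dump, and decode OpenSSL's packed error code.

Added example for the thread above; not code from the thread, OpenSSL or
mod_ssl. Function names and the sample dump are the author's constructions.
"""
import os
import re
import socket

# One hex-dump line as printed by `openssl s_client -debug`, e.g.
#   0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .........f......
DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]{4} - ((?:[0-9a-fA-F]{2}[ -])*[0-9a-fA-F]{2})")


def parse_debug_dump(text: str) -> bytes:
    """Return the bytes of the first 'read from' block (what the server sent)."""
    out = bytearray()
    in_read = False
    for line in text.splitlines():
        if line.startswith("read from"):
            if in_read:
                break            # a second read block; only the first matters here
            in_read = True
            continue
        if in_read and line.startswith("write to"):
            break
        if in_read:
            m = DUMP_LINE.match(line)
            if m:
                out.extend(int(h, 16) for h in re.split(r"[ -]", m.group(1)))
    return bytes(out)


def classify_first_bytes(data: bytes) -> str:
    """Classify the opening bytes a client receives after sending a ClientHello."""
    if not data:
        return "no-data"
    # TLS record header: content type (0x16 handshake, 0x15 alert), version 3.x
    if len(data) >= 2 and data[1] == 0x03:
        if data[0] == 0x16:
            return "tls-handshake"
        if data[0] == 0x15:
            return "tls-alert"
    # SSLv2 record: high bit of the first byte set, message type in byte 2
    if len(data) >= 3 and data[0] & 0x80:
        return {0x01: "sslv2-client-hello", 0x04: "sslv2-server-hello"}.get(
            data[2], "sslv2-record")
    # Anything that reads as the start of an HTTP response or an HTML document
    head = data[:16].decode("ascii", "replace").lstrip().upper()
    if head.startswith(("HTTP/", "<!DOCTY", "<HTML")):
        return "plaintext-http"
    return "unknown"


def diagnose_dump(text: str) -> str:
    """Parse and classify in one step; 'plaintext-http' is the thread's symptom."""
    return classify_first_bytes(parse_debug_dump(text))


def unpack_error_code(code: int) -> tuple:
    """Split a packed OpenSSL 1.x error code into (library, function, reason).
    0x140770FC -> (0x14 SSL routines, 0x077 SSL23_GET_SERVER_HELLO,
    0x0FC unknown protocol)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def minimal_client_hello() -> bytes:
    """A bare TLS 1.0 ClientHello: one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA),
    no extensions. Enough to elicit a ServerHello or an alert from a TLS
    server, or plaintext from an HTTP server listening on the port by mistake."""
    body = (b"\x03\x01" + os.urandom(32)      # client_version, random
            + b"\x00"                          # session_id length 0
            + b"\x00\x02\x00\x2f"              # cipher_suites: one suite
            + b"\x01\x00")                     # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: send the ClientHello and classify whatever comes back first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(minimal_client_hello())
        return classify_first_bytes(sock.recv(16))


# Constructed sample: write block trimmed to its first line, read block as
# quoted in the thread.
SAMPLE_DUMP = """CONNECTED(00000003)
write to 0809D018 [0809D060] (124 bytes = 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
read from 0809D018 [080A25C0] (7 bytes = 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
"""

if __name__ == "__main__":
    print("server sent:", parse_debug_dump(SAMPLE_DUMP))
    print("verdict:", diagnose_dump(SAMPLE_DUMP))
    lib, func, reason = unpack_error_code(0x140770FC)
    print("error code: lib=%#x func=%#x reason=%#x" % (lib, func, reason))
```

Run as-is it reports `plaintext-http` for the quoted dump; `probe("192.168.100.10")` against the host from this thread would return `tls-handshake` or `tls-alert` once the port really speaks SSL/TLS, and `plaintext-http` while it does not. Note that the write block in the dump starts with `80 7a`, an SSLv2-compatible ClientHello, which is why the client reports the failure as `SSLv2/v3 read server hello`.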
Browser specific OpenSSL mod_ssl problem !
Hi All. Help. Netscape is driving me to drink!

Problem: Netscape 7.1 will not redirect from http://my.first.dom to https://my.secure.dom; it claims it is transmitting in clear text (rather than encrypted).

Objective: from the first web-site, create a link to a secure web-site inside index.html using an anchor, e.g.

[code]
<A HREF="https://my.secure.dom">ClickMe</A>
[/code]

Set up: Apache2 httpd + mod_ssl + Tomcat + Oracle. Tomcat holds Java servlets. The Apache server has applets communicating with the servlets.

What works: Everything works just fine using W98+MSIE5 or W98+Netscape6.2 or Linux+Mozilla.

What doesn't work: Using Netscape 7.1, when I key in the URL my.first.dom, it takes me to the web-site. When I click on the link to my.secure.dom, which does indeed take me to the secure site, it presents the logon screen and the certificate. I logged on and accepted the certificate. Normally in Netscape 6.2, the tiny lock located in the bottom right corner of the screen should be closed and shows the certificate when I click on it. But in 7.1, the lock is NOT CLOSED and it says that the transmission is in clear text for all to see. However, if I key in the URL https://my.secure.dom, the little lock closes and shows the certificate.

...

[code]
(httpd.conf)
...
Listen 192.168.100.1:80
Listen 443
NameVirtualHost 192.168.100.1

<VirtualHost 192.168.100.1:80>
    ServerName my.first.dom
    ...
</VirtualHost>

# I added the following redirect in the hope Netscape 7.1 would work - didn't!
<VirtualHost 192.168.100.1:80>
    ServerName my.secure.dom
    Redirect /index.html https://my.secure.dom/index.html
</VirtualHost>

# as far as MSIE5 and Mozilla are concerned, they only need the following
# lines to work properly
<VirtualHost ...>
    ServerName my.secure.dom
    ...
    <IfModule mod_ssl.c>
    ... blablabla
    </IfModule>
    ...
</VirtualHost>
[/code]