FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error

2003-08-14 Thread Arthur Chan
Hiya
I followed the discussion on those links, but it was not conclusive for me.
It would seem that I have got both apache2.0.40 + mod_ssl talking with
OpenSSL, using name-based vhosts. I have the certificate installed and
self-signed. However
[ssl] # openssl s_client -connect localhost:443 -state -debug
still throws this sticky error:
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460:
I am down to checking the source code (reveals nothing much other than it is
an error), and blindly changing things in httpd.conf...
Frustrating

- Original Message -
From: Nauman, Ahmed [IT] [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 10:07 AM
Subject: RE: SSL throws SSL23_GET_SERVER_HELLO error


Please see following links
http://www.mail-archive.com/[EMAIL PROTECTED]/msg16205.html
http://forums.devshed.com/archive/15/2001/11/4/25897

Hope they help.

Regards,
Nauman
___
Citibank N.A., 111 Wall St., New York, NY
Ph:   +1-212-657-1070 (w), +1-718-951-0508 (h)
Fax: +1-212-657-1645


-Original Message-
From: Arthur Chan [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 5:10 AM
To: [EMAIL PROTECTED]
Subject: SSL throws SSL23_GET_SERVER_HELLO error


Hi All.
When I run the following command line:
[ssl] # openssl s_client -connect localhost:443 -state -debug
I get this error message:
...
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460:
...
Looking at line 460 of the source, it is exactly that error, no further
clues available.
Does anyone know more about it and want to help out ???
Cheers.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error

2003-08-10 Thread Arthur Chan
> Problem #1: your OpenSSL doesn't have the error messages loaded so you're
> getting a rather non-descriptive error message.  No big deal, it just
> means you have to look harder to find out what the error means.
How do I load them in order to get a more meaningful description ???
I've recompiled Apache 2.0.40 several times from scratch with the following
additional options:
./configure --with-mpm=worker --enable-so --enable-rewrite --enable-ssl --with-ssl=/path/to/openssl --enable-proxy --auth_digest


> Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you
> looked at the debug dump you'd see something very similar to:
> 0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
> which was mentioned in one of those links the other guy sent you.  It's
> telling you that that's what it received from the server.  You'll notice
> that <!DOCTY is the first few bytes of a standard html page unencrypted.
Indeed, this is the whole output:
CONNECTED(0003)
write to 0809D018 [0809D060] (124 bytes = 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .zQ... .
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .f..
0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...e..d.
0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 00 00 03 04 00-80 02 00 80 5c ec 7c 7c   \.||
0060 - 60 b1 2a 84 93 cf ba f5-87 dc 22 63 27 83 c7 16   `.*...c'...
0070 - f0 68 eb 8b 33 43 57 05-e8 5e a1 ef   .h..3CW..^..
read from 0809D018 [080A25C0] (7 bytes = 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460:

> So this tells you that your web server is in fact speaking plain HTTP on
> port 443 rather than HTTPS.  You probably do not have SSLEngine on for
> that virtual host.
This defies purpose. Following is an excerpt from httpd.conf with only those
bits that I believe are relevant. What have I done that's wrong:
(httpd.conf)

ServerName www.saysit.com.hk:80
#
<IfModule mod_ssl.c>
# Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLSessionCache dbm:logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:logs/mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>
### Section 3: Virtual Hosts
Listen 80
Listen 443
NameVirtualHost 192.168.1.3
<VirtualHost 192.168.1.3:80>
    ServerName www.saysit.com.hk
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /var/www/html
    ErrorLog /usr/local/apache2/logs/saysit_error.log
    CustomLog /usr/local/apache2/logs/saysit_access.log common
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    JkMount /saysit ajp13
    JkMount /saysit/* ajp13
</VirtualHost>
#
<IfDefine SSL>
<VirtualHost 192.168.1.3:443>
    ServerName demo.saysit.com.hk
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /home/nicole/MyDocument/public_html
    ErrorLog /usr/local/apache2/logs/nicole_error.log
    CustomLog /usr/local/apache2/logs/nicole_access.log common
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /usr/share/ssl/server.crt
        SSLCertificateKeyFile /usr/share/ssl/server.key
        # will prompt the client to select a certificate when browsing demo.saysit
        SSLVerifyClient require
    </IfModule>
    JkExtractSSL on
    JkHTTPSIndicator HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator SSL_CIPHER
    JkCERTSIndicator SSL_CLIENT_CERT
    JkMount /saysit ajp13
    JkMount /saysit/* ajp13
</VirtualHost>
</IfDefine>


> Problem #3: You mentioned trying to get name-based vhosts to work with
> SSL.  You must realize that this doesn't work right in the general case.
> Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 .
Yes, I read that document and I do want to provide both http and https on a
single server with one single IP address (I am NAT-ing on a router with one
external ip - does that matter?)


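Added example, not from the thread or from mod_ssl: a small checker run over an httpd.conf excerpt shaped like the one above (hostnames changed, constructed inline). It assumes the Apache 2.0 convention that `<IfDefine SSL>` sections only exist when httpd is started with `-DSSL` (`apachectl startssl`): with `Listen 443` outside that guard and no `SSLEngine on` in the main server, a plain `apachectl start` leaves port 443 open but served by the non-SSL main server, which is one way to get exactly the `<!DOCTY` answer seen in the dump. It also reports cipher classes the `SSLCipherSuite` list never excludes.

```python
# Constructed httpd.conf excerpt shaped like the one posted above (hostnames changed).
CONF = """\
Listen 80
Listen 443
<IfDefine SSL>
<VirtualHost 192.168.1.3:443>
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    </IfModule>
</VirtualHost>
</IfDefine>
"""
WEAK = {"EXP", "LOW", "SSLv2", "eNULL"}   # classes a cipher list should '!' out

def parse(conf):
    """Flatten httpd.conf into (directive, args, enclosing sections) tuples."""
    stack, items = [], []
    for line in map(str.strip, conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line[1:-1])              # e.g. "IfDefine SSL"
        else:
            name, _, args = line.partition(" ")
            items.append((name, args.strip(), tuple(stack)))
    return items

def ssl_on(items, where):
    """True if 'SSLEngine on' appears in some context accepted by where(ctx)."""
    return any(n == "SSLEngine" and a.lower() == "on" and where(c) for n, a, c in items)

def lint(conf):
    """Findings that explain plain HTTP on port 443 or a weak cipher list."""
    items, findings = parse(conf), []
    listen443 = next((c for n, a, c in items if (n, a) == ("Listen", "443")), None)
    main_ssl = ssl_on(items, lambda c: not any(s.startswith("VirtualHost") for s in c))
    for vh in {s for *_, c in items for s in c if s.startswith("VirtualHost ") and s.endswith(":443")}:
        if not ssl_on(items, lambda c, vh=vh: vh in c):
            findings.append(f"<{vh}> lacks 'SSLEngine on': port 443 answers in plain HTTP")
        guards = {s for *_, c in items if vh in c for s in c if s.startswith("IfDefine ")}
        if listen443 is not None and not main_ssl and guards - set(listen443):
            findings.append(f"<{vh}> exists only under {sorted(guards)} but 'Listen 443' is unconditional: "
                            "without that -D flag port 443 is served by the main server, which has no SSLEngine on")
    for n, a, _ in items:
        if n == "SSLCipherSuite" and (bad := WEAK - {t[1:] for t in a.split(":") if t.startswith("!")}):
            findings.append(f"SSLCipherSuite does not exclude {sorted(bad)}")
    return findings
```

Moving `Listen 443` inside the `<IfDefine SSL>` block (as the stock Apache 2.0 ssl.conf does) and replacing the `+LOW:+SSLv2:+EXP:+eNULL` tail with `!LOW:!SSLv2:!EXP:!eNULL` makes `lint` return no findings.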


Re: FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error

2003-08-09 Thread Kiyoshi Watanabe

Hello,

Did you test the openssl command using your IP instead of localhost?

  openssl s_client -connect your-ip-here:443 -state -debug

Or why don't you change the VirtualHost to _default_ temporarily and
see how it goes.

-Kiyoshi
Kiyoshi Watanabe

Re: FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error

2003-08-08 Thread Cliff Woolley
On Fri, 8 Aug 2003, Arthur Chan wrote:

> [ssl] # openssl s_client -connect localhost:443 -state -debug
> still throws this sticky error :
> SSL_connect:error in SSLv2/v3 read server hello A
> 1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:460:

You have multiple problems conspiring against you here.

Problem #1: your OpenSSL doesn't have the error messages loaded so you're
getting a rather non-descriptive error message.  No big deal, it just
means you have to look harder to find out what the error means.

Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you
looked at the debug dump you'd see something very similar to:
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
which was mentioned in one of those links the other guy sent you.  It's
telling you that that's what it received from the server.  You'll notice
that <!DOCTY is the first few bytes of a standard html page unencrypted.
So this tells you that your web server is in fact speaking plain HTTP on
port 443 rather than HTTPS.  You probably do not have SSLEngine on for
that virtual host.

Problem #3: You mentioned trying to get name-based vhosts to work with
SSL.  You must realize that this doesn't work right in the general case.
Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 .

Hope this helps.

--Cliff
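Added example, not from the thread: this Python pulls the hex bytes out of an `openssl s_client -debug` dump like the one posted above and names the protocol the server's first bytes belong to, so the `3c 21 44 4f 43 54 59` / `<!DOCTY` answer is reported as plain HTTP instead of "unknown protocol". The sample dump is a constructed copy of the posted one (write side cut to its first line), and `VERSIONS` and the SSLv2 header checks are this example's own.

```python
import re

# Constructed excerpt mirroring the s_client -debug dump in this thread (write side
# truncated to its first line); the parser and classifier are an added example.
SAMPLE_DUMP = """\
CONNECTED(00000003)
write to 0809D018 [0809D060] (124 bytes = 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
read from 0809D018 [080A25C0] (7 bytes = 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
"""
HEXLINE = re.compile(r"^\s*(?:[0-9a-fA-F]{4})?\s*-\s*((?:[0-9a-fA-F]{2}[ -]?){1,16})")
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def bytes_from_debug(dump, direction):
    """Concatenate the hex bytes under every 'read from' or 'write to' block."""
    want, out, collecting = f"{direction} ", bytearray(), False
    for line in dump.splitlines():
        if line.startswith(("read from", "write to")):
            collecting = line.startswith(want)      # direction is 'read' or 'write'
            continue
        m = HEXLINE.match(line) if collecting else None
        if m:
            out += bytes.fromhex("".join(re.findall(r"[0-9a-fA-F]{2}", m.group(1))))
    return bytes(out)

def classify_server_bytes(data):
    """Name the protocol the first bytes sent by the server belong to."""
    if not data:
        return "nothing read: the server closed the connection or never answered"
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        kind = "handshake" if data[0] == 0x16 else "alert"
        return f"TLS {kind} record, {VERSIONS.get((data[1], data[2]), 'unknown version')}"
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x04:   # 2-byte SSLv2 header, SERVER-HELLO
        return "SSLv2 SERVER-HELLO"
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        return "plaintext HTTP/HTML: the server is speaking HTTP, not HTTPS, on this port"
    return "unknown protocol"

def client_hello_version(data):
    """Highest version offered in an SSLv2-format CLIENT-HELLO (what s_client sent)."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return VERSIONS.get((data[3], data[4]), f"{data[3]}.{data[4]}")
    return "not an SSLv2-format CLIENT-HELLO"

if __name__ == "__main__":
    print("client offered:", client_hello_version(bytes_from_debug(SAMPLE_DUMP, "write")))
    print("server answered:", classify_server_bytes(bytes_from_debug(SAMPLE_DUMP, "read")))
```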