Since I turned off gzip encoding in the config this problem hasn't reared its head yet. I'll let it run like this for another couple of days for a longer term test, but this seems promising.
I realized something last night though that I am slapping myself for not flagging earlier. This configuration uses virtual hosts. The SSL_BAD_SIGNATURE error only occurs on one virtual host when it happens. It's not always the same one. Sometimes it's admin.bestbridalprices.com and sometimes it's www.bestbridalprices.com. I've never seen it on any other virtual host. The configuration is not using a wildcard ssl certificate - the non www virtual hosts are for internal use only.

Since some virtual hosts work fine when the problem is occurring on another, it leads me to believe that whatever the error is, it is occurring AFTER the SSL handshake and at least before the http-host header is sent - possibly after. The problem is arising during the HTTP portion of the communication. Definitely a significant clue.

It is no wonder openssl s_client wasn't producing any meaningful errors but for the one time. It makes me wonder if the error I did see the once was unrelated.

Ryan

On Tue, Apr 6, 2010 at 12:05 PM, Ryan McIntosh <[email protected]> wrote:

> You're correct. Adding the DH Parameter files did not resolve anything. I just had to restart the server again.
>
> Anything else I can try?
>
> Alvaro, you mention bad content-length and/or bad content-encoding. I'll try disabling gzip.
>
> When cherokee calculates content-length, does it consider encodings, or does it just count bytes? I'm not familiar enough with HTTP to know if that's a dumb question or not.
>
> Ryan
>
> On Tue, Apr 6, 2010 at 9:46 AM, Alvaro Lopez Ortega <[email protected]> wrote:
>
>> On 06/04/2010, at 15:53, Ryan McIntosh wrote:
>>
>> > Even with an hourly restart, this error is still occurring sporadically. One further piece of information I didn't realize may be significant before is that I have not configured DH parameters. I'm not sure if they're at all necessary as SSL was still working and I've never had to do this with any other webserver. Are the DH parameters used for generating the session keys? Perhaps creating DH parameter files will do something for me?
>>
>> The DH parameters file does not have anything to do with the problem, I'm quite sure about that.
>>
>> I still believe that the problem is somehow related to keep-alive, unfinished connections, bad content-length and/or bad content-encoding.
>>
>> > I will test and write back.
>>
>> Thanks for all the finding and reports!
>>
>> --
>> Octality
>> http://www.octality.com/
_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee
