Apache2 'SSLEngine on' not working in testing
Howdy,
Yesterday I apt-get upgraded a web server to apache2 2.0.50-12 (it was
~1 week old, I think) and my SSL site isn't working anymore. I
couldn't figure out what was wrong, so I purged everything I thought
was relevant (apache2, apache2-common, apache2-mpm-prefork, libapr0,
ssl-cert), rm'ed /etc/apache2, and reinstalled, using all new config
files.
I've got it listening on 0.0.0.0:443 in /etc/apache2/ports.conf, and
my site in apache2/sites-enabled starts out like this:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName <Iremovedtheservernameitwashere>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/<myserversname>-ssl.crt
SSLCertificateKeyFile /etc/apache2/ssl/<myserversname>-ssl.key
BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
I used /usr/share/apache2/config/default-443 as the template for it,
and I used /usr/sbin/make-ssl-cert to make the certificate/key pair.
That program actually outputs only one file, but it contains both the
RSA PRIVATE KEY and the CERTIFICATE. I manually split them into two
files.
All that is fine, but Apache is not using SSL on port 443:
jake@mail:/etc/apache2/ssl$ openssl s_client -connect localhost:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 080B07E8 [080B0DE0] (142 bytes => 142 (0x8E))
0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00 ......c... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00 ..3..2../.....f.
0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00 .............c..
0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40 b..a...........@
0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00 ..e..d..`.......
0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 fb 06 ................
0070 - 3d a2 16 ba f4 15 d4 6b-f6 2f 24 01 ca 85 6e 90 =......k./$...n.
0080 - be 36 8a 32 4d a7 54 d1-5d 07 72 d9 c8 79 .6.2M.T.].r..y
SSL_connect:SSLv2/v3 write client hello A
read from 080B07E8 [080B6340] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59 <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
26860:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:
Note the "<!DOCTY" near the end: straight HTML, when I should be
getting an SSL handshake.
Lynx says this:
jake@mail:/etc/apache2/ssl$ lynx https://localhost
Looking up localhost
Making HTTPS connection to localhost
Retrying connection without TLS.
Looking up localhost
Making HTTPS connection to localhost
Alert!: Unable to make secure connection to remote host.
lynx: Can't access startfile https://localhost/
... but will display the page if I do 'lynx http://localhost:443/'.
The only thing reported in the log files (including system log files) is this:
127.0.0.1 - - [05/Sep/2004:13:19:21 -0700] "\x80\x8c\x01\x03\x01" 302 380 "-" "-"
127.0.0.1 - - [05/Sep/2004:13:20:46 -0700] "\x16\x03\x01" 302 380 "-" "-"
Unfortunately I don't recall what I upgraded FROM, but both 2.0.50-11
and 2.0.50-12 appear to be broken. Anyone else run into this, or have
any ideas about what I'm doing wrong?
Thanks,
Jake Maul
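The symptom described above (a TLS ClientHello answered with plain HTML, and access-log entries whose "request" is the escaped handshake bytes) can be recognised mechanically. The following checker is an added example, not code from the original post: it classifies the first bytes a port returns and scans Apache access-log lines for handshakes that landed on a plaintext vhost. The sample log lines are constructed from the ones quoted in the post.

```python
import re

# Apache common/combined log line; group 3 is the request field as Apache
# wrote it, with non-printable bytes escaped as \xNN.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+)')


def classify_request(request: str) -> str:
    """Classify an escaped access-log request field.

    A TLS record header (0x16 0x03 0x0N) is logged literally as \\x16\\x03\\x0N;
    an SSLv2 ClientHello (high bit set on the length, then msg type 0x01)
    shows up as \\x80\\xNN\\x01...  Either means a client expected SSL on a
    port that Apache served as plain HTTP.
    """
    if re.match(r'^\\x16\\x03\\x0[0-4]', request):
        return "tls-client-hello"
    if re.match(r'^\\x8[0-9a-f]\\x[0-9a-f]{2}\\x01', request):
        return "sslv2-client-hello"
    if re.match(r'^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/\d\.\d$', request):
        return "http"
    return "unknown"


def classify_peer_bytes(data: bytes) -> str:
    """Classify the first bytes a server sends back after a ClientHello."""
    if data[:2] == b"\x16\x03":        # TLS handshake record: SSL is really on
        return "tls-record"
    if data.startswith(b"<") or data.startswith(b"HTTP/"):
        return "plaintext-http"        # HTML body or HTTP status line: no SSL
    return "unknown"


def find_handshakes_in_log(lines):
    """Return (client, timestamp, kind) for every entry that is a stray handshake."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m.group(3))
        if kind.endswith("client-hello"):
            hits.append((m.group(1), m.group(2), kind))
    return hits


# Constructed sample: the two lines quoted in the post plus one ordinary request.
SAMPLE_LOG = [
    r'127.0.0.1 - - [05/Sep/2004:13:19:21 -0700] "\x80\x8c\x01\x03\x01" 302 380 "-" "-"',
    r'127.0.0.1 - - [05/Sep/2004:13:20:46 -0700] "\x16\x03\x01" 302 380 "-" "-"',
    r'127.0.0.1 - - [05/Sep/2004:13:21:02 -0700] "GET / HTTP/1.0" 200 1234 "-" "Lynx"',
]

if __name__ == "__main__":
    for hit in find_handshakes_in_log(SAMPLE_LOG):
        print("handshake on plaintext port:", hit)
    print(classify_peer_bytes(bytes.fromhex("3c21444f435459")))  # the "<!DOCTY" bytes
```

Any hit from the log scan, or a "plaintext-http" result for port 443, indicates the SSL vhost was never activated (for example the <IfModule mod_ssl.c> block being skipped because the module is not loaded), not a certificate problem.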