
Bug#215011: apache-ssl: requests leave 'SSL23_GET_CLIENT_HELLO:unknown protocol' in error.log, and fail



Hi,

On Thu, 9 Oct 2003, D.J.Moon wrote:

> I updated apache-ssl this afternoon, and now all requests to the server fail.
> Accessing the same URLs on my (non-ssl) apache install works fine. Following
> are snippets of my server logs around a pair of typical failing requests.
>
> /var/log/apache-ssl/error.log
>
> [Thu Oct  9 17:25:01 2003] [error] SSL_accept failed
> [Thu Oct  9 17:25:01 2003] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> [Thu Oct  9 17:28:45 2003] [error] SSL_accept failed
> [Thu Oct  9 17:28:45 2003] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> read in saferead: Connection reset by peer
> apache-ssl: gcachecommon.c:108: ReadThing: Assertion `nRead == sizeof usLength' failed.
> [Thu Oct  9 17:28:45 2003] [notice] child pid 30676 exit signal Aborted (6)

[SNIP]

> /var/log/apache-ssl/ssl.log
>
> [09/Oct/2003:17:25:01 -0400] TLS1 AES256-SHA -

I did test on a fresh installation of apache-ssl (meaning no changes to
the default config).

I can see the messages in the logs but I can access the encrypted pages
without any problem. I am using the latest Mozilla in Debian.

The TLS1* is a brand new change in apache-ssl/openssl (they are strictly
related to each other) and I am not 100% sure if clients need to be
recompiled to support it (that might explain the errors you get from the
Windows client that I do not have with the Linux one).

In my case the messages reported in error.log are somehow bogus but they
might indicate a problem handshaking the encryption method until server
and client agree on what to use. It appears to me that the message in
ssl.log indicates what they agreed.

> Yes, I noticed too that there are failures for two requests in the error.log,
> but one of them (time 17:28:45) does not show up in the other two files. That
> one is me trying to access my site externally. My browser (Mozilla on Windows)
> reported the failure as "The connection to garou.dyndns.org has terminated
> unexpectedly. Some data may have been transferred." The one that shows up in
> all three files (time 17:25:01) is the drupal cron job.

We will have to investigate this issue together with upstream. In the
meantime, can you kindly test using other clients?

Thanks
Fabio

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp00004.html
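
An added example, not part of the original message or of apache-ssl: a Python script that lines up the two quoted logs by timestamp, so that an `SSL_accept failed` with a negotiated session in ssl.log can be told apart from one with none. The function names are hypothetical, and it assumes both logs are written in the same local time.

```python
import re
from datetime import datetime

# Constructed input: the log lines quoted in the report above.
ERROR_LOG = """\
[Thu Oct  9 17:25:01 2003] [error] SSL_accept failed
[Thu Oct  9 17:25:01 2003] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[Thu Oct  9 17:28:45 2003] [error] SSL_accept failed
[Thu Oct  9 17:28:45 2003] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
read in saferead: Connection reset by peer
[Thu Oct  9 17:28:45 2003] [notice] child pid 30676 exit signal Aborted (6)
"""
SSL_LOG = "[09/Oct/2003:17:25:01 -0400] TLS1 AES256-SHA -\n"

ERR_RE = re.compile(r"^\[(\w{3} \w{3} +\d+ [\d:]+ \d{4})\] \[(\w+)\] (.*)$")
SSL_RE = re.compile(r"^\[([^\]]+)\] (\S+) (\S+)")

def parse_error_log(text):
    """Return {timestamp: [message, ...]}; untimestamped lines are skipped."""
    events = {}
    for m in filter(None, map(ERR_RE.match, text.splitlines())):
        ts = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
        events.setdefault(ts, []).append(m.group(3))
    return events

def parse_ssl_log(text):
    """Return {timestamp: [(protocol, cipher), ...]} as recorded in ssl.log."""
    sessions = {}
    for m in filter(None, map(SSL_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        # Assumption: both logs use the same local clock, so drop the UTC offset.
        sessions.setdefault(ts.replace(tzinfo=None), []).append(m.group(2, 3))
    return sessions

def correlate(error_text, ssl_text):
    """Per second with an SSL_accept failure: (time, negotiated, child_aborted)."""
    sessions = parse_ssl_log(ssl_text)
    report = []
    for ts, msgs in sorted(parse_error_log(error_text).items()):
        if "SSL_accept failed" in msgs:
            aborted = any("exit signal" in m for m in msgs)
            report.append((ts.strftime("%H:%M:%S"), sessions.get(ts, []), aborted))
    return report

if __name__ == "__main__":
    for row in correlate(ERROR_LOG, SSL_LOG):
        print(row)
```
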


