Bug#593334: apache2: Upgrade to Squeeze broke Apache+TRAC+SSL setup
Package: apache2.2-common
Version: 2.2.16-1
Severity: important
Hi,
yesterday I was trying to upgrade our server to squeeze, in which we
have an SSL+TRAC+APACHE2 service, and I noticed that with the upgrade
the service was unavailable.
There are other services running under apache as well on the same
server and they are unaffected.
Here's our configuration:
## sites-enabled/trac
<VirtualHost server.com:8000>
    DocumentRoot /mnt/proyectos/trac
    <Location />
        Options -Indexes -MultiViews
    </Location>
    <Location /trac>
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnvParentDir /mnt/proyectos/trac
        PythonOption TracUriRoot /trac
        SSLVerifyClient require
        SSLVerifyDepth 3
        SSLRequire (%{SSL_CLIENT_S_DN_O} eq "Company" and %{SSL_CLIENT_S_DN_OU} eq "OU")
        # SSLOptions +OptRenegotiate
    </Location>
    <LocationMatch "/login">
        AuthType Basic
        AuthName "Trac"
        AuthUserFile /etc/apache2/dav_svn.passwd
        Require valid-user
    </LocationMatch>
    SSLEngine on
    SSLCertificateFile /etc/apache2/keys/server-cert.pem
    SSLCertificateKeyFile /etc/apache2/keys/server-key.pem
    SSLCACertificateFile /etc/apache2/keys/ou.pem
    LogLevel debug
    CustomLog /var/log/apache2/svn_access.log combined
    ErrorLog /var/log/apache2/svn_error.log
    <Location /svn>
        DAV svn
        SVNParentPath /mnt/proyectos/subversion
        AuthType Basic
        AuthName "Company Subversion Repository"
        AuthUserFile /etc/apache2/dav_svn.passwd
        AuthzSVNAccessFile /etc/apache2/svnpolicy
        Require valid-user
        SSLVerifyClient none
        SSLRequireSSL
    </Location>
</VirtualHost>
What I get in the log when someone tries to go to server.com/trac with
Firefox (our main browser) is:
bunch of ssl-debug...
[Tue Aug 17 11:47:37 2010] [debug] ssl_engine_io.c(1860): +-------------------------------------------------------------------------+
[Tue Aug 17 11:47:37 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read client key exchange A
[Tue Aug 17 11:47:37 2010] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client key exchange A
[Tue Aug 17 11:47:37 2010] [error] [client 115.110.119.226] Re-negotiation handshake failed: Not accepted by client!?
[Tue Aug 17 11:47:37 2010] [debug] mod_deflate.c(615): [client 115.110.119.226] Zlib: Compressed 0 to 2 : URL /trac/
As I said, there are other certificate-based (svn, file-browsing)
services working fine.
Another thing that strikes me is that I tried with the Opera browser and
they work just fine...
Excuse me if apache2 is not the right package to be submitted, and for
my bad English.
Thanks.
-- Package-specific info:
List of enabled modules from 'apache2 -M':
alias auth_basic authn_file authz_default authz_groupfile
authz_host authz_svn authz_user autoindex cache cgid dav dav_svn
deflate dir disk_cache env include mime negotiation python
reqtimeout setenvif ssl status
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8
(charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to POSIX)
Shell: /bin/sh linked to /bin/dash
Versions of packages apache2 depends on:
ii apache2-mpm-worker 2.2.16-1 Apache HTTP Server - high speed th
ii apache2.2-common 2.2.16-1 Apache HTTP Server common files
apache2 recommends no packages.
apache2 suggests no packages.
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.16-1 utility programs for webservers
ii apache2.2-bin 2.2.16-1 Apache HTTP Server common binary f
ii libmagic1 5.04-5 File type determination library us
ii lsb-base 3.2-23.1 Linux Standard Base 3.2 init scrip
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
ii perl 5.10.1-14 Larry Wall's Practical Extraction
ii procps 1:3.2.8-9 /proc file system utilities
-- no debconf information
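
Added example, not part of the original report and not Apache or Debian code: the error log above shows a failed re-negotiation, and mod_ssl applies a per-location SSLVerifyClient that is stricter than the virtual host's setting by renegotiating after the request has been read. The Python below lists the sections of a config that depend on such a renegotiation; the function name, the strictness ranking and the sample config (abridged from the report) are assumptions made for this example.

```python
import re

# Assumed strictness order of SSLVerifyClient levels (higher = stricter).
RANK = {"none": 0, "optional": 1, "optional_no_ca": 1, "require": 2}
SECTIONS = r"(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)"
OPEN = re.compile(r"<" + SECTIONS + r"\s+([^>]*)>", re.I)
CLOSE = re.compile(r"</" + SECTIONS + r">", re.I)
VERIFY = re.compile(r"SSLVerifyClient\s+(\S+)", re.I)

def find_renegotiating_sections(conf_text):
    """Return (section, level) pairs whose SSLVerifyClient is stricter than
    the server-level value, i.e. sections that need a TLS renegotiation."""
    server_level = "none"      # mod_ssl default when the directive is absent
    per_section, stack = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2).strip()}")
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = VERIFY.match(line)
        if m:
            level = m.group(1).lower()
            if stack:
                per_section.append((stack[-1], level))
            else:
                server_level = level   # may appear after the sections
    base = RANK.get(server_level, 0)
    return [(s, v) for s, v in per_section if RANK.get(v, 0) > base]

# Constructed sample, abridged from the configuration in the report.
SAMPLE = """\
<VirtualHost server.com:8000>
<Location /trac>
SSLVerifyClient require
SSLVerifyDepth 3
</Location>
<Location /svn>
SSLVerifyClient none
SSLRequireSSL
</Location>
SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for section, level in find_renegotiating_sections(SAMPLE):
        print(f"<{section}> raises SSLVerifyClient to '{level}'")
```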