Random SSL Problems

on 31.05.2007 16:02:33 by John Nichel

Hi List,

I'm having an issue here on a newly set up webserver that I'm hoping you
can help me with. For some reason, when some of our customers click to
go into the secure area of our site, they're getting the Plain Jane IE
error page of "Page cannot be displayed". When this happens, I get an
error like this in the error log:

> [Thu May 31 09:29:10 2007] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
> [Thu May 31 09:29:10 2007] [error] System: Connection reset by peer (errno: 104)

I found this error in numerous results doing Google searches, but none
of them seem to be relevant to my issue. There doesn't seem to be any
rhyme or reason as to who or why. We've had customers call after they
experience the issue who were using browsers like IE 6 and IE 7, but
we've also had success with other customers using those same browsers (I
cannot reproduce the problem locally). I cannot be sure of the exact
percentage of errors, but looking at our order volume, it seems to be
happening about 40% of the time.

The install is configured and compiled from source on a RHEL4 box:

Apache 1.3.37
mod_ssl 2.8.28
OpenSSL 0.9.8e

And these modules are loaded into Apache:

mod_python, mod_perl, mod_php4, mod_ssl, mod_setenvif, mod_so,
mod_unique_id, mod_log_forensic, mod_usertrack, mod_headers,
mod_expires, mod_cern_meta, mod_proxy, mod_digest, mod_auth_dbm,
mod_auth_anon, mod_auth, mod_access, mod_rewrite, mod_alias,
mod_userdir, mod_speling, mod_actions, mod_imap, mod_asis, mod_cgi,
mod_dir, mod_autoindex, mod_include, mod_info, mod_status,
mod_negotiation, mod_mime, mod_mime_magic, mod_log_config, mod_define,
mod_env, mod_vhost_alias, http_core

Any help would be greatly appreciated.

--
John C. Nichel IV
System Administrator
KegWorks
http://www.kegworks.com
716.362.9212 x16
john@kegworks.com

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
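
Added example (not part of the original post or of mod_ssl): a Python sketch that pairs each "SSL handshake interrupted" entry with the "System:" line that follows it and tallies failures per hour and per errno, so the failure rate can be measured from the error log rather than estimated from order volume. The sample log is constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the Apache 1.3 error_log format quoted in the post.
SAMPLE_LOG = """\
[Thu May 31 09:29:10 2007] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Thu May 31 09:29:10 2007] [error] System: Connection reset by peer (errno: 104)
[Thu May 31 09:41:55 2007] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Thu May 31 09:41:55 2007] [error] System: Connection reset by peer (errno: 104)
[Thu May 31 10:02:17 2007] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Thu May 31 10:15:03 2007] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Thu May 31 10:15:03 2007] [error] System: Broken pipe (errno: 32)
"""

# "[timestamp] [level] message"
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# Follow-up line carrying the OS error: "System: <text> (errno: N)"
SYSTEM = re.compile(r"^System: (?P<text>.*) \(errno: (?P<errno>\d+)\)$")
HANDSHAKE = "mod_ssl: SSL handshake interrupted by system"


def handshake_failures(log_text):
    """Return (hour, errno, text) for each handshake error and its System line."""
    failures, pending_ts = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith(HANDSHAKE):
            pending_ts = m.group("ts")      # wait for the System line
            continue
        sysm = SYSTEM.match(msg)
        if pending_ts and sysm:
            _, month, day, clock, _ = pending_ts.split()
            hour = f"{month} {day} {clock[:2]}:00"
            failures.append((hour, int(sysm.group("errno")), sysm.group("text")))
        pending_ts = None                   # any other line breaks the pair
    return failures


def summarize(failures):
    """Count failures per hour bucket and per errno."""
    by_hour = Counter(hour for hour, _, _ in failures)
    by_errno = Counter(errno for _, errno, _ in failures)
    return by_hour, by_errno


if __name__ == "__main__":
    print(summarize(handshake_failures(SAMPLE_LOG)))
```

Comparing the hourly counts against the number of SSL requests served in the same hour gives the failure percentage directly.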

RE: Random SSL Problems

on 31.05.2007 16:33:32 by rich.fought

There seems to be a bug in IE that affects how it interacts with
mod_ssl. See:

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#msie

for some tips.

Rich


Re: Random SSL Problems

on 31.05.2007 17:28:18 by dpmott

Here are some shots in the dark for you:

When I tried to tighten down the ciphers and SSL protocols on my server,
some (but not all) users on both IE6 and IE7 started to get that "page not
found" error (although my log error was something like "re-negotiate
failed"). I found that IE7 will fail to renegotiate with an SSLv3-only
server if IE7 is configured to use both TLSv1 and SSLv3 (I guess it tries
really hard to use TLSv1). I plan to support SSLv3 and TLSv1 to address
this problem.

Specifically:
  Didn't work:
    SSLProtocol -all +SSLv3
  or
    SSLProtocol SSLv3
  Did work:
    SSLProtocol all -SSLv2
  or
    SSLProtocol -all +SSLv3 +TLSv1

(I prefer the last incantation, which protects against the unexpected
change in definition of 'all' after an Apache upgrade)

I also had this, to tighten up the ciphers:
    SSLCipherSuite HIGH:MEDIUM


Also, if your stock config files don't already do it, you may want to
implement the "fixes" for broken versions of IE (prior to IE6, I believe):
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

although the first line is different for newer versions of Apache:
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0



On Thu, 31 May 2007, John Nichel wrote:

> Hi List,
>
> I having an issue here on a newly setup webserver that I'm hoping you
> can help me with. For some reason, when some of our customers click to
> go into the secure area of our site, they're getting the Plain Jane IE
> error page of "Page cannot be displayed". When this happens, I get an
> error like this in the error log:
>
>> [Thu May 31 09:29:10 2007] [error] mod_ssl: SSL handshake interrupted by
>> system [Hint: Stop button pressed in browser?!] (System error follows)
>> [Thu May 31 09:29:10 2007] [error] System: Connection reset by peer (errno:
>> 104)
>
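
Added example, not from the thread or from mod_ssl itself: a Python model of how the SSLProtocol arguments in the message above combine, showing why the explicit "-all +SSLv3 +TLSv1" form yields the same protocol set even if the meaning of "all" grows. It assumes "+X" adds a protocol, "-X" removes it and a bare name replaces the current set; ALL_LATER and the function names are hypothetical.

```python
# Protocols that "all" expands to. ALL_2007 is the set documented for
# mod_ssl 2.8; ALL_LATER is a constructed, hypothetical later definition.
ALL_2007 = frozenset({"SSLv2", "SSLv3", "TLSv1"})
ALL_LATER = ALL_2007 | {"TLSv1.1"}


def effective_protocols(directive_args, all_set=ALL_2007):
    """Evaluate the arguments of an SSLProtocol line from left to right.

    Assumed semantics: "+X" adds X, "-X" removes X, a bare "X" replaces
    the current set with X, and "all" expands to all_set.
    """
    enabled = set(all_set)                  # the directive defaults to "all"
    for token in directive_args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-")
        if name.lower() == "all":
            members = set(all_set)
        elif name in all_set:
            members = {name}
        else:
            raise ValueError(f"unknown protocol: {name}")
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            enabled = set(members)
    return enabled


def drift(directive_args):
    """Protocols that would be enabled silently if 'all' became ALL_LATER."""
    return (effective_protocols(directive_args, ALL_LATER)
            - effective_protocols(directive_args, ALL_2007))


if __name__ == "__main__":
    for args in ("-all +SSLv3", "SSLv3", "all -SSLv2", "-all +SSLv3 +TLSv1"):
        print(f"SSLProtocol {args:20} -> {sorted(effective_protocols(args))}"
              f"  drift: {sorted(drift(args))}")
```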

Re: Random SSL Problems

on 31.05.2007 17:36:22 by John Nichel

David P. Mott wrote:
>
> Here are some shots in the dark for you:
>
> When I tried to tighten down the ciphers and SSL protocols on my server,
> some (but not all) users on both IE6 and IE7 started to get that "page
> not found" error (although my log error was something like "re-negotiate
> failed"). I found that IE7 will fail to renegotiate with an SSLv3-only
> server if IE7 is configured to use both TLSv1 and SSLv3 (I guess it
> tries really hard to use TLSv1). I plan to support SSLv3 and TLSv1 to
> address this problem.
>
> Specifically:
>   Didn't work:
>     SSLProtocol -all +SSLv3
>   or
>     SSLProtocol SSLv3
>   Did work:
>     SSLProtocol all -SSLv2
>   or
>     SSLProtocol -all +SSLv3 +TLSv1
>
> (I prefer the last incantation, which protects against the unexpected
> change in definition of 'all' after an Apache upgrade)
>
> I also had this, to tighten up the ciphers:
>     SSLCipherSuite HIGH:MEDIUM
>
>
> Also, if your stock config files don't already do it, you may want to
> implement the "fixes" for broken versions of IE (prior to IE6, I believe):
>     SetEnvIf User-Agent ".*MSIE.*" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>
> although the first line is different for newer versions of Apache:
>     BrowserMatch ".*MSIE.*" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>

Thank you. I'll give this a shot. By newer versions of Apache, do you
mean in the 1.3.x build?

--
John C. Nichel IV
System Administrator
KegWorks
http://www.kegworks.com
716.362.9212 x16
john@kegworks.com

Re: Random SSL Problems

on 31.05.2007 17:40:04 by dpmott

On Thu, 31 May 2007, John Nichel wrote:

> Thank you. I'll give this a shot. By newer versions of Apache, do you
> mean in the 1.3.x build?

Yup.