SSL connections stopped working :(

on 07.04.2003 23:43:55 by Michael McLagan

Hello,

Some time last week, we lost our ability to do SSL. As near as I can
figure, it was around the time I updated my openssl. We're using RH 8.0
and their openssl-0.9.6b-33 (says it's 6h).

I retrieved 2.8.14 from the site today (was using .12 and hoped this
would fix it).

I've tried to build this thing on multiple machines, etc. It's not
helping.

Basically any ssl connection gets logged by apache as "\x80F\x01\X03"
instead of the usual "GET / HTTP/1.1".

None of the apache config files changed and I haven't done anything to
the build part of my RPM specs.

I tried reverting to an older openssl, an older glibc, etc. None of
it is working :(

If anyone has a pointer to what I might look into, it would be most
appreciated!

Michael


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: SSL connections stopped working :(

on 08.04.2003 16:16:08 by John.Airey

There's a note in the openssl FAQ that points out that although versions of
Red Hat from 7.0 to 8.0 say openssl-0.9.6b, provided you have the latest
update installed then you have all the patches "backported" (ie it says "b"
but has all the security patches up to "h"). The most up to date version is
currently openssl-0.9.6b-33.

The simplest way out is to do

rpm -e openssl --nodeps
rpm -ivh openssl-0.9.6b-33.i386.rpm (or ...i686.rpm depending on your
architecture).

To check it has reinstalled properly do
rpm -V openssl

This should return no errors.

Finally restart the web server with "service httpd restart".

There are lots of things that break if you mess with openssl on Red Hat
boxes > version 6.2. However, provided you are careful there's nothing to
stop you trying out version 0.9.7.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

Taking the path of least resistance is what makes rivers and Men crooked.




-

NOTICE: The information contained in this email and any attachments is
confidential and may be legally privileged. If you are not the
intended recipient you are hereby notified that you must not use,
disclose, distribute, copy, print or rely on this email's content. If
you are not the intended recipient, please notify the sender
immediately and then delete the email and any attachments from your
system.

RNIB has made strenuous efforts to ensure that emails and any
attachments generated by its staff are free from viruses. However, it
cannot accept any responsibility for any viruses which are
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email
and any attachments are those of the author and do not necessarily
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk

RE: SSL connections stopped working :(

on 08.04.2003 16:17:43 by John.Airey

You didn't say whether you are using Red Hat's supplied httpd RPM. If you
are, that is Apache 2.0, which may also have conflicts (there's nothing to
stop you removing it and their version of mod_ssl).

rpm -q httpd will tell you if you are.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

Taking the path of least resistance is what makes rivers and Men crooked.



RE: SSL connections stopped working :(

on 08.04.2003 16:48:51 by Michael McLagan

On Tue, 8 Apr 2003 15:17:43 +0100, John.Airey@rnib.org.uk wrote:

>You didn't say whether you are using Red Hat's supplied httpd RPM. If you
>are, that is Apache 2.0, which may also have conflicts (there's nothing to
>stop you removing it and their version of mod_ssl).
>
>rpm -q httpd will tell you if you are.

John,

Let me clarify. I'm using:

apache 1.3.27       built from RH 7.3 spec non-compiler with changes
mod_ssl 2.8.14      built from RH 7.3 spec non-compiler with changes
                    also tried 2.8.12
openssl 0.9.6b-33   as provided by RH. It's sometime around the
                    upgrade here that things went kablooey. Was
                    using -31 and -29. Tried all revs back to -18
                    without success.

I built the first two using gcc 3.2-7, glibc-2.3.2-4.80.4.

>The simplest way out is to do
>
>rpm -e openssl --nodeps
>rpm -ivh openssl-0.9.6b-33.i386.rpm (or ...i686.rpm depending on your
>architecture).
>
>To check it has reinstalled properly do
>rpm -V openssl
>
>This should return no errors.
>
>Finally restart the web server with "service httpd restart".

I've backed things out several times, including all of ssl, apache, its
friends, etc. Going back to ground 0 hasn't helped :(

There are 5 systems with the same RPMs installed, all produce the same
strange request.

Michael



RE: SSL connections stopped working :(

on 08.04.2003 17:04:55 by John.Airey

> -----Original Message-----
> From: Michael McLagan [mailto:mmclagan@invlogic.com]
> Sent: 08 April 2003 15:49
> To: modssl-users@modssl.org
> Subject: RE: SSL connections stopped working :(
>
> John,
>
> Let me clarify. I'm using:
>
> apache 1.3.27       built from RH 7.3 spec non-compiler with changes
> mod_ssl 2.8.14      built from RH 7.3 spec non-compiler with changes
>                     also tried 2.8.12
> openssl 0.9.6b-33   as provided by RH. It's sometime around the
>                     upgrade here that things went kablooey. Was
>                     using -31 and -29. Tried all revs back to -18
>                     without success.
>
> I built the first two using gcc 3.2-7, glibc-2.3.2-4.80.4.
>
Speaking personally I avoid compiling programs whenever I can. A few years
ago I had no choice but to compile Apache, but now I stick to the Red Hat
packages (one of our systems needs a one line patch, but even then that is
built into a new RPM package). There are so many kludges within Red Hat's
version of openssl I wouldn't try to build one (they remove patent
restricted code, so what you build will break sendmail, openssh and nearly
all your email programs). The sonames don't match up to what openssl creates
either.

That's why I'd say you are best off going back to the openssl RPM version
that Red Hat supply. In addition, you might want to check that you have the
openssl-devel package installed (as you can use that to build mod_ssl and
apache against).

I'll probably get flamed now...

John


RE: SSL connections stopped working :(

on 08.04.2003 17:15:18 by Michael McLagan

John,

I'm sorry, I must not be clear on this. I am using RH's openssl
package, as provided. I'm only compiling apache and mod_ssl.

Michael


RE: SSL connections stopped working :(

on 08.04.2003 17:21:45 by John.Airey

Thanks for the clarification. I understand where you are at now (though not
sadly why you are getting such an odd message as \x80F\x01\X03 in your logs
rather than GET / HTTP/1.1).

John


RE: SSL connections stopped working :(

on 08.04.2003 17:36:02 by John.Airey

When you say that the system says you have 6h, where is that coming from?
I've just checked on a test Red Hat 8.0 server I have here, and I get the
following:

[jairey@ginger jairey]$ openssl
OpenSSL> version
OpenSSL 0.9.6b [engine] 9 Jul 2001
OpenSSL> exit

Thanks.

John


RE: SSL connections stopped working :(

on 08.04.2003 18:17:43 by Michael McLagan

On Tue, 8 Apr 2003 16:36:02 +0100, John.Airey@rnib.org.uk wrote:

>When you say that the system says you have 6h, where is that coming from?
>I've just checked on a test Red Hat 8.0 server I have here, and I get the
>following:
>
>[jairey@ginger jairey]$ openssl
>OpenSSL> version
>OpenSSL 0.9.6b [engine] 9 Jul 2001
>OpenSSL> exit
>
>Thanks.

John,

I thought I saw it in an Apache response or error log as part of the
startup but I wouldn't swear by it. Everything here says 0.9.6b now that
I go looking for it.

Michael
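
Added example (not part of the thread, and not code from Apache or mod_ssl): the request string quoted in the first message, \x80F\x01\X03, decodes to the start of an SSLv2-format CLIENT-HELLO record, so the handshake bytes were read as an HTTP request line instead of being consumed by an SSL engine. The sketch below decodes Apache's \xHH log escapes and classifies the request field; the function names and the sample log lines are constructed for illustration.

```python
import re

# Apache writes non-printable request bytes as \xHH; the thread also shows
# one escape typed as \X03, so both spellings are accepted.
ESCAPE = re.compile(r"\\[xX]([0-9a-fA-F]{2})")
# Request field of a common-log-format line (first double-quoted string).
REQUEST = re.compile(r'"((?:[^"\\]|\\.)*)"')
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ")


def unescape(logged):
    """Return the raw bytes behind a logged request string."""
    text = ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), logged)
    return text.encode("latin-1", "replace")


def classify(logged):
    """Classify one logged request string by its leading bytes."""
    raw = unescape(logged)
    if raw.startswith(HTTP_METHODS):
        return {"kind": "http"}
    # SSLv2 record: 2-byte header with the high bit set (low 15 bits are the
    # record length), then message type 1 = CLIENT-HELLO, then version major.
    if len(raw) >= 4 and raw[0] & 0x80 and raw[2] == 0x01:
        return {"kind": "sslv2-format-client-hello",
                "record_length": ((raw[0] & 0x7F) << 8) | raw[1],
                "offered_major": raw[3]}
    # SSLv3/TLS record: content type 0x16 (handshake), version major 3.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return {"kind": "tls-handshake-record", "offered_major": 3,
                "offered_minor": raw[2]}
    return {"kind": "unknown"}


def find_handshakes(log_lines):
    """Return (line_number, classification) for handshakes logged as requests."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        result = classify(m.group(1))
        if result["kind"] != "http" and result["kind"] != "unknown":
            hits.append((n, result))
    return hits


# Constructed sample lines (documentation address range, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Apr/2003:23:40:01 -0400] "GET / HTTP/1.1" 200 1456',
    '192.0.2.10 - - [07/Apr/2003:23:41:17 -0400] "\\x80F\\x01\\x03" 400 -',
    '192.0.2.11 - - [07/Apr/2003:23:42:03 -0400] "\\x16\\x03\\x01" 400 -',
]

if __name__ == "__main__":
    for n, info in find_handshakes(SAMPLE_LOG):
        print(n, info)
```

A hit on the HTTPS port's access log points at the listener or virtual host that accepted the connection without SSL processing, which is where to compare the running configuration and loaded modules.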

