Any tools to test https+mod_ssl ???

on 05.08.2003 11:26:08 by Arthur Chan

Hi All.
Further to my earlier comments that httpd + mod_ssl seems to be ignored by
Netscape 7.1:
After logging in and accepting the certificate, 7.1's little lock remains
open and says I am transmitting in clear text.
Yet Netscape 6.2, MSIE5 and Mozilla all accepted the certificate and they
say the transmission is encrypted.
Are there any tools available to test the transmission ???
Cheers.
:-)

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Any tools to test https+mod_ssl ???

on 05.08.2003 11:38:59 by Kiyoshi Watanabe

Hi, I think that the following may help you.

openssl s_client -connect localhost:443 -state -debug

Please refer to the FAQ for details (www.modssl.org).

-Kiyoshi
Kiyoshi Watanabe




SSL throws SSL23_GET_SERVER_HELLO error

on 07.08.2003 11:10:09 by Arthur Chan

Hi All.
When I run the following command line:
[ssl] # openssl s_client -connect localhost:443 -state -debug
I get this error message:
....
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460:
....
Looking at line 460 of the source, it is exactly that error; no further
clues available.
Does anyone know more about it and want to help out???
Cheers.


RE: SSL throws SSL23_GET_SERVER_HELLO error

on 07.08.2003 16:07:50 by ahmed.nauman

Please see the following links:
http://www.mail-archive.com/modssl-users@modssl.org/msg16205.html
http://forums.devshed.com/archive/15/2001/11/4/25897

Hope they help.

Regards,
Nauman
_______________________________________________
Citibank N.A., 111 Wall St., New York, NY
Ph: +1-212-657-1070 (w), +1-718-951-0508 (h)
Fax: +1-212-657-1645



FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error

on 08.08.2003 06:39:36 by Arthur Chan

Hiya
I followed the discussion on those links, but it was not conclusive for me.
It would seem that I have got both apache2.0.40 + mod_ssl talking with
OpenSSL, using name-based vhosts. I have the certificate installed and
self-signed. However
[ssl] # openssl s_client -connect localhost:443 -state -debug
still throws this sticky error:
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460:
I am down to checking the source code (reveals nothing much other than it is
an error), and blindly changing things in httpd.conf...
Frustrating


Re: FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error

on 08.08.2003 07:51:45 by Cliff Woolley

On Fri, 8 Aug 2003, Arthur Chan wrote:

> [ssl] # openssl s_client -connect localhost:443 -state -debug
> still throws this sticky error :
> SSL_connect:error in SSLv2/v3 read server hello A
> 1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:460:

You have multiple problems conspiring against you here.

Problem #1: your OpenSSL doesn't have the error messages loaded so you're
getting a rather non-descriptive error message. No big deal, it just
means you have to look harder to find out what the error means.

Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you
looked at the debug dump you'd see something very similar to:
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
which was mentioned in one of those links the other guy sent you. It's
telling you that that's what it received from the server. You'll notice
that "<!DOCTY" is unencrypted.

So this tells you that your web server is in fact speaking plain HTTP on
port 443 rather than HTTPS. You probably do not have "SSLEngine on" for
that virtual host.

Problem #3: You mentioned trying to get name-based vhosts to work with
SSL. You must realize that this doesn't work right in the general case.
Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2.

Hope this helps.

--Cliff
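The check Cliff describes, decoding what s_client read back from the server, as an added example (not code from this thread, mod_ssl or OpenSSL). It parses the `-debug` hex dump format and tells a TLS/SSL server hello apart from plaintext HTTP/HTML; the two dump texts it runs on are constructed, the failing one from the thread's own output.

```python
"""Classify the server's first bytes from an `openssl s_client -debug` dump.

-debug prints each write/read as a header line such as
    read from 0809D018 [080A25C0] (7 bytes => 7 (0x7))
followed by hex dump lines such as
    0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
Plaintext HTTP/HTML on port 443 is what a vhost without "SSLEngine on" sends.
"""
import re

# write/read header; group 3 is the number of bytes actually moved
BLOCK_HDR = re.compile(
    r"^(read from|write to) .*?\((\d+) bytes => (\d+) \(0x[0-9a-fA-F]+\)\)")
# one dump line: 4-digit offset, " - ", up to 16 "hh" pairs separated by a
# space (or "-" between the 8th and 9th pair); the ASCII column follows
DUMP_LINE = re.compile(
    r"^[0-9a-fA-F]{4} - ((?:[0-9a-fA-F]{2}[ -]){0,15}[0-9a-fA-F]{2})")


def parse_debug_dump(text):
    """Return [(direction, bytes), ...], one entry per write/read block.

    direction is "client" for bytes s_client wrote, "server" for bytes it
    read. The byte count from the header caps each block, so an ASCII
    column that happens to look like hex cannot add stray bytes.
    """
    blocks, current, remaining = [], None, 0
    for line in text.splitlines():
        line = line.strip()
        hdr = BLOCK_HDR.match(line)
        if hdr:
            direction = "server" if hdr.group(1) == "read from" else "client"
            remaining = int(hdr.group(3))
            current = (direction, bytearray())
            blocks.append(current)
            continue
        dump = DUMP_LINE.match(line)
        if dump and current is not None and remaining > 0:
            raw = bytes.fromhex(re.sub(r"[ -]", "", dump.group(1)))
            current[1].extend(raw[:remaining])
            remaining -= min(remaining, len(raw))
    return [(d, bytes(b)) for d, b in blocks]


def classify_server_bytes(data):
    """Describe what the first bytes received from the server look like."""
    if not data:
        return "no data: the server closed the connection without answering"
    # SSLv3/TLS record: content type 0x16 handshake or 0x15 alert, major 3
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        kind = "handshake" if data[0] == 0x16 else "alert"
        return "TLS record (%s), version 3.%d" % (kind, data[2])
    # SSLv2: 2-byte header with the high bit set, then type 4 = SERVER-HELLO
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x04:
        return "SSLv2 SERVER-HELLO"
    head = data[:16]
    if head.startswith(b"HTTP/") or head.lstrip().startswith(b"<"):
        return ("plaintext HTTP/HTML (%r): the vhost answering on this port "
                "has no 'SSLEngine on'" % head.decode("ascii", "replace"))
    return "unknown protocol (first bytes %s)" % data[:8].hex()


def diagnose(dump_text):
    """Classify the first block s_client read from the server."""
    for direction, data in parse_debug_dump(dump_text):
        if direction == "server":
            return classify_server_bytes(data)
    return "no data: the dump contains no 'read from' block"


# constructed sample: the failing run from the thread, client hello abridged
# to its first line; the server answered with the start of an HTML page
FAILING_DUMP = """\
CONNECTED(00000003)
write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
read from 0809D018 [080A25C0] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
"""

# constructed sample of a healthy run: the first read is a 5-byte TLS 1.0
# handshake record header (0x16 0x03 0x01, length 0x004a)
GOOD_DUMP = """\
CONNECTED(00000003)
write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
read from 0809D018 [080A25C0] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 4a                                    ....J
"""

if __name__ == "__main__":
    print("failing run:", diagnose(FAILING_DUMP))
    print("healthy run:", diagnose(GOOD_DUMP))
```

Paste the output of a real `openssl s_client -connect host:443 -state -debug` run into `diagnose()` to get the same verdict for your own server.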

FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error

on 08.08.2003 09:21:12 by Arthur Chan

> Problem #1: your OpenSSL doesn't have the error messages loaded so you're
> getting a rather non-descriptive error message. No big deal, it just
> means you have to look harder to find out what the error means.
How do I load them in order to get a more meaningful description???
I've recompiled Apache 2.0.40 several times from scratch with the following
additional options:
./configure --with-mpm=worker --enable-so --enable-rewrite --enable-ssl --with-ssl=/path/to/openssl --enable-proxy --auth_digest


> Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you
> looked at the debug dump you'd see something very similar to:
> 0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
> which was mentioned in one of those links the other guy sent you. It's
> telling you that that's what it received from the server. You'll notice
> that "<!DOCTY" is unencrypted.
Indeed, this is the whole output:
CONNECTED(00000003)
write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00 .z....Q... .....
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04 .........f......
0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00 ...........e..d.
0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00 .c..b..a..`.....
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08 ......@.........
0050 - 00 00 06 00 00 03 04 00-80 02 00 80 5c ec 7c 7c ............\.||
0060 - 60 b1 2a 84 93 cf ba f5-87 dc 22 63 27 83 c7 16 `.*......."c'...
0070 - f0 68 eb 8b 33 43 57 05-e8 5e a1 ef .h..3CW..^..
read from 0809D018 [080A25C0] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460:

> So this tells you that your web server is in fact speaking plain HTTP on
> port 443 rather than HTTPS. You probably do not have "SSLEngine on" for
> that virtual host.
This defies the purpose. Following is an excerpt from httpd.conf with only those
bits that I believe are relevant. What have I done that's wrong?
(httpd.conf)

ServerName www.saysit.com.hk:80
#

# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:logs/mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

### Section 3: Virtual Hosts
Listen 80
Listen 443
NameVirtualHost 192.168.1.3

ServerName www.saysit.com.hk
ServerAdmin achana@saysit.com.hk
DocumentRoot /var/www/html
ErrorLog /usr/local/apache2/logs/saysit_error.log
CustomLog /usr/local/apache2/logs/saysit_access.log common
SetEnvIf User-Agent ".MSIE.*"\
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
JkMount /saysit ajp13
JkMount /saysit/* ajp13

#


ServerName demo.saysit.com.hk
ServerAdmin achana@saysit.com.hk
DocumentRoot /home/nicole/MyDocument/public_html
ErrorLog /usr/local/apache2/logs/nicole_error.log
CustomLog /usr/local/apache2/logs/nicole_access.log common

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/share/ssl/server.crt
SSLCertificateKeyFile /usr/share/ssl/server.key
#### SSLVerifyClient require #### will prompt the client to select a certificate when browsing demo.saysit

JkExtractSSL on
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT
JkMount /saysit ajp13
JkMount /saysit/* ajp13




> Problem #3: You mentioned trying to get name-based vhosts to work with
> SSL. You must realize that this doesn't work right in the general case.
> Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2.
Yes, I read that document and I do want to provide both http and https on a
single server with one single IP address (I am NAT-ting on a router with one
external IP - does that matter?)



Re: FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error

on 08.08.2003 12:44:49 by Kiyoshi Watanabe

Hello,

Did you test the openssl command using your IP instead of localhost?

openssl s_client -connect your-ip-here:443 -state -debug

Or why don't you change the VirtualHost to _default_ temporarily and
see how it goes.

-Kiyoshi
Kiyoshi Watanabe




But why does it work now : SSL throws SSL23_GET_SERVER_HELLO error

on 08.08.2003 12:51:27 by Arthur Chan

Hi Yoshi.
I think that works !
Instead of
[ssl] # openssl s_client -connect localhost:443 -state -debug
I key in
[ssl] # openssl s_client -connect 192.168.100.10:443 -state -debug
and it worked, no SSL23_GET_SERVER_HELLO error, why is that ???
I am still *VERY CONCERNED* that the output from TCPDUMP contains human
readable data (admittedly you won't be able to get much out of that).
It's nothing like the plain text http transmission, try it out!



Re: But why does it work now : SSL throws SSL23_GET_SERVER_HELLO error

on 08.08.2003 15:32:12 by Kiyoshi Watanabe

Hi Arthur,

> I think that works !
> Instead of
> [ssl] # openssl s_client -connect localhost:443 -state -debug
> I key in
> [ssl] # openssl s_client -connect 192.168.100.10:443 -state -debug
> and it worked, no SSL23_GET_SERVER_HELLO error, why is that ???

I looked at your conf and realized that the conf was OK. However, you
were accessing localhost, which was different from your virtual
host. You can have SSL when you access the virtual host
directive in which you specify that the SSL engine is on.

The error happens when you access a location in which you do not
specify that the SSL engine is on. Probably someone else can answer
this better than I do.

> I am still *VERY CONCERNED* that the output from TCPDUMP contains human
> readible data (admittedly you won't be able to get much out of that ).
> Its nothing like the plain text http transmission, try it out !

I am not sure which data you are talking about. Transmission data is
encrypted after the handshake stage completes.

-Kiyoshi
Kiyoshi Watanabe


