ssl handshake failure
on 25.11.2007 05:56:49 by Bob Johnson
Hi. I'm running mod_ssl with apache 1.3. My setup consists of a couple
of domains and 2 IP addresses. Each IP address has 2 or 3 name-based
virtual hosts for HTTP, and a single HTTPS virtual host. The first
HTTPS virtual host has been set up for a while, with no special
configuration, and works great. The second HTTPS virtual host (on a
different IP address) was just added, and does not work at all,
despite sharing a nearly identical configuration to the first one.
First off, here's the error.
output from "openssl s_client -connect xx.xxx.xxx.91:443 -state -debug -msg":
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80bb680 [0x80bbd00] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00 .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03 ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00 ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08 ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 37 bf 69 76 ............7.iv
0060 - 53 ce 0a d5 8c d5 78 8e-94 73 05 84 d7 13 d6 2a S.....x..s.....*
0070 - fe 77 b8 8b be b0 dc e2-72 5f 4f d3 .w......r_O.
>>> SSL 2.0 [length 007a], CLIENT-HELLO
01 03 01 00 51 00 00 00 20 00 00 39 00 00 38 00
00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
33 00 00 32 00 00 2f 00 00 07 05 00 80 03 00 80
00 00 05 00 00 04 01 00 80 00 00 15 00 00 12 00
00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00
06 04 00 80 00 00 03 02 00 80 37 bf 69 76 53 ce
0a d5 8c d5 78 8e 94 73 05 84 d7 13 d6 2a fe 77
b8 8b be b0 dc e2 72 5f 4f d3
SSL_connect:SSLv2/v3 write client hello A
read from 0x80bb680 [0x80c1260] (7 bytes => 4 (0x4))
0000 - 68 69 55 53 hiUS
read from 0x80bb680 [0x80c1264] (3 bytes => 0 (0x0))
15772:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
output from "openssl s_client -connect xx.xxx.xxx.91:443 -state -debug -msg -ssl3":
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80bb680 [0x80c59e8] (89 bytes => 89 (0x59))
0000 - 16 03 00 00 54 01 00 00-50 03 00 47 48 fc 0b c5 ....T...P..GH...
0010 - 9e 29 80 53 0f d4 59 10-3c ec 31 f1 cf e9 c2 4b .).S..Y.<.1....K
0020 - 69 02 54 a7 fb 5d 6a 64-b7 c9 9c 00 00 28 00 39 i.T..]jd.....(.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f .8.5.......3.2./
0040 - 00 07 00 05 00 04 00 15-00 12 00 09 00 14 00 11 ................
0050 - 00 08 00 06 00 03 02 01- ........
0059 -
>>> SSL 3.0 Handshake [length 0054], ClientHello
01 00 00 50 03 00 47 48 fc 0b c5 9e 29 80 53 0f
d4 59 10 3c ec 31 f1 cf e9 c2 4b 69 02 54 a7 fb
5d 6a 64 b7 c9 9c 00 00 28 00 39 00 38 00 35 00
16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00
04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00
03 02 01 00
SSL_connect:SSLv3 write client hello A
read from 0x80bb680 [0x80c11d8] (5 bytes => 4 (0x4))
0000 - 68 69 55 53 hiUS
read from 0x80bb680 [0x80c11dc] (1 bytes => 0 (0x0))
SSL_connect:failed in SSLv3 read server hello A
18042:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:534:
output from "curl https://secure.my2ndwebsite.com --trace ssl.trace":
== Info: About to connect() to secure.2ndmywebsite.com port 443
== Info: Trying xx.xxx.xxx.91...
== Info: connected
== Info: Connected to secure.my2ndwebsite.com (xx.xxx.xxx.91) port 443
== Info: successfully set certificate verify locations:
== Info: CAfile: /usr/share/curl/curl-ca-bundle.crt
CApath: none
== Info: SSLv2, Client hello (1):
<= Send SSL data, 130 bytes (0x82)
0000: 01 03 01 00 69 00 00 00 10 00 00 39 00 00 38 00 ....i......9..8.
0010: 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 .5..............
0020: 33 00 00 32 00 00 2f 00 00 07 05 00 80 03 00 80 3..2../.........
0030: 00 00 66 00 00 05 00 00 04 01 00 80 08 00 80 00 ..f.............
0040: 00 63 00 00 62 00 00 61 00 00 15 00 00 12 00 00 .c..b..a........
0050: 09 06 00 40 00 00 65 00 00 64 00 00 60 00 00 14 ...@..e..d..`...
0060: 00 00 11 00 00 08 00 00 06 04 00 80 00 00 03 02 ................
0070: 00 80 4b 74 75 71 34 b5 f9 50 3a 63 91 a6 64 0f ..Ktuq4..P:c..d.
0080: f5 3a .:
== Info: Unknown SSL protocol error in connection to
secure.2ndmywebsite.com:443
== Info: Closing connection #0
Okay, now that you've got the error, here are some snippets from my
httpd.conf. xx.xxx.xxx.90 is the one that's completely working
(including HTTPS on https://secure.my1stwebsite.com), xx.xxx.xxx.91
works except for the HTTPS virtual host (as you can see above).
Commented-out lines are things that I tried, but did not solve the
problem:
Listen xx.xxx.xxx.90:80
Listen xx.xxx.xxx.90:443
Listen xx.xxx.xxx.91:80
Listen xx.xxx.xxx.91:443
NameVirtualHost xx.xxx.xxx.90
NameVirtualHost xx.xxx.xxx.91
# I also tried using:
# NameVirtualHost xx.xxx.xxx.91:80
# There are a number of virtual hosts on .90 configured like this
ServerAdmin webmaster@my1stwebsite.com
DocumentRoot /path/to/public_html
Servername my1stwebsite.com
ServerAlias www.my1stwebsite.com
ServerAlias www2.my1stwebsite.com
ScriptAlias /cgi-bin /path/to/cgi-bin
# this one works fine
ServerAdmin webmaster@secure.my1stwebsite.com
DocumentRoot /path/to/public_html
Servername secure.my1stwebsite.com
ServerAlias www.secure.my1stwebsite.com
ScriptAlias /cgi-bin /path/to/cgi-bin
SSLEngine On
SSLCertificateFile /path/to/secure.my1stwebsite.com.crt
SSLCertificateKeyFile /path/to/secure.my1stwebsite.com.key
SSLCertificateChainFile /path/to/EV_intermediate.crt
# also works fine
ServerAdmin webmaster@my2ndwebsite.com
DocumentRoot /path/to/public_html
Servername my2ndwebsite.com
ServerAlias www.my2ndwebsite.com
ScriptAlias /cgi-bin /path/to/cgi-bin
# this, however, gives the error from above
ServerAdmin webmaster@secure.my2ndwebsite.com
DocumentRoot /path/to/public_html
Servername secure.my2ndwebsite.com
ServerAlias www.secure.my2ndwebsite.com
ScriptAlias /cgi-bin /path/to/cgi-bin
SSLEngine On
SSLCertificateFile /path/to/secure.my2ndwebsite.com.crt
SSLCertificateKeyFile /path/to/secure.my2ndwebsite.com.key
SSLCertificateChainFile /path/to/EV_intermediate.crt
# I also tried the following setting
# SSLVerifyClient none
This error occurs using my valid signed certificate (for
"secure.my2ndwebsite.com"), as well as with various self-signed certs
I've tried (using common names such as "*.my2ndwebsite.com" and
"xx.xxx.xxx.91").
I've been pounding my head against the wall for days over this
problem. Any clues? Thanks a lot!
- Jason
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
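The dumps above are worth reading byte by byte: both s_client runs send a well-formed ClientHello and get back four bytes, 68 69 55 53 ("hiUS"), that are not an SSL/TLS record at all, which is why OpenSSL gives up with "ssl handshake failure" instead of a certificate or cipher error. The following script is an added example written for this page, not code from the post or from mod_ssl. It decodes the 89-byte SSL 3.0 ClientHello from the -ssl3 run (record header, handshake header, version, random, session id, the 20 offered cipher suites and the compression methods) and classifies whatever a server returns on a TLS port as a TLS/SSL record, plaintext, or unrecognised bytes. Both byte strings are constructed by hand from the hex dumps in the post; `probe()` is a hypothetical helper that repeats the check live against a host you administer and is the only part that needs a network.

```python
"""Decode a ClientHello and classify what a peer sends back on a TLS port.

Added example for the mod_ssl thread above (not the poster's or mod_ssl's
code). The byte strings are constructed from the hex dumps in the post.
"""
import socket

HANDSHAKE = 0x16   # TLS content type: handshake
ALERT = 0x15       # TLS content type: alert

# Constructed from the post's "-ssl3" dump: the 89-byte record s_client wrote.
CLIENT_HELLO_SSL3 = bytes.fromhex(
    "16030000540100005003004748fc0bc5"
    "9e2980530fd459103cec31f1cfe9c24b"
    "690254a7fb5d6a64b7c99c0000280039"
    "0038003500160013000a00330032002f"
    "00070005000400150012000900140011"
    "000800060003020100"
)

# Constructed from the post: the 4 bytes the server answered with ("hiUS").
SERVER_REPLY = bytes.fromhex("68695553")


def parse_record(data: bytes) -> dict:
    """Parse one SSL3/TLS record that carries a ClientHello.

    Raises ValueError for anything that is not such a record, so a caller can
    tell a malformed or non-TLS input apart from a parsed hello.
    """
    if len(data) < 5:
        raise ValueError("shorter than a record header")
    ctype, vmaj, vmin = data[0], data[1], data[2]
    rlen = int.from_bytes(data[3:5], "big")
    if ctype != HANDSHAKE or vmaj != 3:
        raise ValueError("not an SSL3/TLS handshake record")
    body = data[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("truncated record")
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if htype != 1:
        raise ValueError("handshake message is not a ClientHello")
    hello = body[4:4 + hlen]
    if len(hello) != hlen:
        raise ValueError("truncated handshake message")
    pos = 0
    client_version = (hello[pos], hello[pos + 1]); pos += 2
    random = hello[pos:pos + 32]; pos += 32          # 4-byte time + 28 random bytes
    sid_len = hello[pos]; pos += 1
    session_id = hello[pos:pos + sid_len]; pos += sid_len
    cs_len = int.from_bytes(hello[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1
    compression = list(hello[pos:pos + comp_len])
    return {
        "record_version": (vmaj, vmin),
        "handshake": "ClientHello",
        "client_version": client_version,
        "random": random,
        "session_id": session_id,
        "cipher_suites": suites,          # IANA 16-bit ids, e.g. 0x002f = AES128-SHA
        "compression_methods": compression,
    }


def classify_reply(data: bytes) -> str:
    """Say what kind of thing a server returned right after our ClientHello."""
    if not data:
        return "empty (connection closed without sending anything)"
    if data[0] in (HANDSHAKE, ALERT) and len(data) >= 3 and data[1] == 3:
        return "tls record (content type 0x%02x, version %d.%d)" % (data[0], data[1], data[2])
    if data[0] & 0x80 and len(data) >= 3 and data[2] in (0, 4):   # SSLv2 ERROR / SERVER-HELLO
        return "sslv2 record"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        # Readable text instead of a record: the port is not being served by TLS,
        # which is what a 443 vhost that never got SSLEngine applied looks like.
        return "plaintext %r (server is not speaking TLS on this port)" % data.decode("ascii")
    return "unrecognised bytes %s" % data.hex()


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Hypothetical live check: send the captured hello, classify the first bytes back.

    A current server will usually answer an SSL 3.0 hello with a TLS alert; that
    still proves the port speaks TLS. Plaintext back is the symptom in the post.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(CLIENT_HELLO_SSL3)
        try:
            reply = s.recv(16)
        except socket.timeout:
            return "no reply within timeout"
    return classify_reply(reply)


if __name__ == "__main__":
    hello = parse_record(CLIENT_HELLO_SSL3)
    print("client offered", len(hello["cipher_suites"]), "suites, version", hello["client_version"])
    print("server reply:", classify_reply(SERVER_REPLY))
```

Run as a script it reports 20 offered suites and classifies the captured reply as plaintext. The useful part for the thread is the distinction `classify_reply()` draws: a wrong certificate, a missing chain file or a cipher mismatch all produce a TLS alert or ServerHello from mod_ssl, so when the first bytes back are readable text the thing to check is whether the SSL-enabled virtual host is actually the one answering on that IP:443, not the certificate files.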