SSL works from server command line, but not from outside server. Weird!
on 15.09.2008 20:53:46 by John Fox
Hi, folks.
I've run across a weird problem -- https/SSL works fine when accessed
from the machine running httpd, but is unavailable from all others.
Software versions: Apache 1.3.37/mod_ssl-2.8.28-1.3.37/OpenSSL 0.9.8b
Running 'http' on port 8118, 'https' on port 8119
I get positive results from openssl's "s_client" when I connect to
8119 from the server's command line:
$ openssl s_client -connect webdev-gold:8119
CONNECTED(00000003)
depth=0 /C=US/ST=Oregon/L=Medford/O=Musey's Pal/OU=WebDev/CN=webdev-gold.musiciansfriend.com/emailAddress=foo@bar.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Oregon/L=Medford/O=Musey's Pal/OU=WebDev/CN=webdev-gold.musiciansfriend.com/emailAddress=foo@bar.net
< SNIP >
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 9D8989B47E6EE3546426AFC100348052D900956A40E0C33AAB41019D71CF515E
Session-ID-ctx:
Master-Key: EF1AC496532EE1B8EF0F63988AB7CED1F05F9EAB8675DD76DC54A6DC6E91410C12B9808C8567B803838137B79089591C
Key-Arg : None
Krb5 Principal: None
Start Time: 1221497972
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
To verify this a bit further, I (again, from the server's command
line) made use of the 'lynx' browser to attempt accessing https on
port 8119 -- this worked, as well.
Next thing I tried was running the same "s_client" command from my
workstation's command line:
(openssl version 0.9.8g)
$ openssl s_client -connect webdev-gold:8119 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80c1340 [0x80c22f8] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00 .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03 ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00 ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08 ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 78 79 d0 f1 ............xy..
0060 - 49 80 86 36 2c 4a 72 b0-9a 3d 73 a6 d7 2e e9 78 I..6,Jr..=s....x
0070 - 05 4e 73 b7 84 12 ea 38-18 b1 41 c2 .Ns....8..A.
SSL_connect:SSLv2/v3 write client hello A
read from 0x80c1340 [0x80c7858] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59
SSL_connect:error in SSLv2/v3 read server hello A
16389:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:
And the corresponding entry from the server's error log:
[Mon Sep 15 10:04:30 2008] [error] [client 172.16.70.182] Invalid method in request \\x80t\\x01\\x03\\x01
Seems to be working from the server, but not from outside it. So I
thought I'd best be sure that I wasn't doing
something silly like listening only on the loopback address or something:
tcp 0 0 0.0.0.0:8118 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8119 0.0.0.0:* LISTEN
Which I think proves that httpd isn't confining itself to a single
network interface.
I've spent a couple of hours googling on this, and discovered that
while the error shown in the Apache log excerpt is quite common,
the situation I'm describing is not. Any insights, thoughts, and
suggestions would be appreciated, as I feel I've taken this as far as
I can on my own.
I am attaching the relevant httpd.conf file -- in gzipped format -- on
the chance it may prove helpful.
Thank you.
-John
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
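
Added example, not part of the original post: a Python sketch that reads the `openssl s_client -debug` hex dump lines quoted in the message, classifies the first bytes the server sent back, and decodes the header of the SSLv2-format ClientHello the client wrote. The function names are made up for this illustration, and the embedded input is an excerpt of the post's own output.

```python
import re

# Constructed input: an excerpt of the `openssl s_client -debug` lines in the post.
DEBUG_OUTPUT = """\
write to 0x80c1340 [0x80c22f8] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00 .z....Q... ..9..
read from 0x80c1340 [0x80c7858] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59
"""
HEADER = re.compile(r"^(write to|read from) .*\((\d+) bytes => (-?\d+)")

def parse_dump(text):
    """Collect the bytes of each direction from s_client -debug hex dump lines."""
    out, limit, direction = {"write": b"", "read": b""}, {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            direction = m.group(1).split()[0]
            limit[direction] = limit.get(direction, 0) + max(int(m.group(3)), 0)
        elif direction and re.match(r"^[0-9a-f]{4} - ", line):
            row = b""
            for tok in line[7:].replace("-", " ").split()[:16]:
                if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                    break  # reached the ASCII column of the dump
                row += bytes.fromhex(tok)
            out[direction] = (out[direction] + row)[:limit[direction]]
    return out

def classify_reply(data):
    """Guess what kind of peer answered a ClientHello from its first bytes."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"        # TLS/SSLv3 handshake record
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"            # TLS/SSLv3 alert record
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x04:
        return "sslv2-server-hello"   # 2-byte length header, message type 4
    if data[:5].upper() in (b"HTTP/", b"<!DOC", b"<HTML"):
        return "plaintext-http"       # unencrypted HTTP or HTML came back
    return "unknown"

def parse_v2_client_hello(data):
    """Decode the fixed header of an SSLv2-format ClientHello, or return None."""
    if len(data) < 11 or not data[0] & 0x80 or data[2] != 0x01:
        return None
    be = lambda i: int.from_bytes(data[i:i + 2], "big")
    return {"record_len": ((data[0] & 0x7F) << 8) | data[1],
            "version": (data[3], data[4]), "cipher_spec_len": be(5),
            "session_id_len": be(7), "challenge_len": be(9)}
```

For the post's dump, `classify_reply` returns `plaintext-http` because the seven reply bytes are the ASCII text `<!DOCTY`, the start of an HTML document rather than a TLS record.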