SSL received a record that exceeded the maximum permissible length.

on 13.11.2009 18:21:43 by John Oliver

I have one physical server with two IP addresses. I created
VirtualHosts for each:

NameVirtualHost 192.168.1.47:443
NameVirtualHost 192.168.1.129:443


ServerName virtual.host1
DocumentRoot /var/www/html2
ErrorLog logs/ssl_error2_log
CustomLog logs/ssl_request2_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLEngine on
SSLProtocol all -SSLv2
SSLVerifyClient require
SSLVerifyDepth 10
SSLCertificateFile /etc/pki/tls/certs/subscriber.pem
SSLCACertificateFile /etc/pki/tls/certs/cabundle.crt

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0



ServerName virtual.host2
DocumentRoot /var/www/html
ErrorLog logs/ssl_error_log
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/pki/tls/certs/ois_cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/ois_key.pem
SSLCACertificateFile /etc/pki/tls/certs/cabundle.crt
SSLVerifyClient require
SSLVerifyDepth 10


When I visit https://virtual.host2/ I get:

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)


But nothing is logged, even if I change LogLevel to 'debug'.
https://192.168.1.129/ works just fine. I've double-checked the file
permissions for the cert and key, and that the cert is not expired.
Googling hasn't helped. I'm at kind of a loss here! What else can I
look at for more clues?

--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SSL received a record that exceeded the maximum

on 13.11.2009 18:29:07 by Philip Wigg

> NameVirtualHost 192.168.1.47:443
> NameVirtualHost 192.168.1.129:443

You can't use name based virtual hosting with SSL. Try these lines
out. You need to make sure you have a Listen directive for those
IP/port combinations though.

Cheers,
Phil.

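Phil's point is that every address a `<VirtualHost>` names must also have a matching `Listen`; otherwise httpd never binds that socket and whatever answers on it is not the SSL vhost. The script below is an added example, not code from the thread or from httpd: it audits a flat httpd config for VirtualHost addresses that nothing listens on, and for NameVirtualHost entries that no VirtualHost uses (the condition behind httpd 2.2's "[warn] NameVirtualHost *:443 has no VirtualHosts" message). The sample config is constructed to resemble the one in the thread; the single `Listen 192.168.1.47:443` is an assumption chosen to expose a gap, and the parser ignores Include, Macro and IPv6 bracket syntax.

```python
"""Audit an httpd config for VirtualHost addresses that nothing listens on.

Added example, not from the thread or from httpd itself. Handles only the
flat Listen / NameVirtualHost / <VirtualHost> syntax shown here.
"""
import re
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample: the second vhost address has no Listen, which is the
# gap Phil's reply points at (the Listen lines themselves are assumed).
SAMPLE_CONFIG = """
Listen 80
Listen 192.168.1.47:443
NameVirtualHost 192.168.1.47:443
NameVirtualHost 192.168.1.129:443

<VirtualHost 192.168.1.47:443>
    ServerName virtual.host1
    SSLEngine on
</VirtualHost>

<VirtualHost 192.168.1.129:443>
    ServerName virtual.host2
    SSLEngine on
</VirtualHost>
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.I | re.M)
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.I | re.M)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I | re.M)


def split_addr(spec: str) -> Tuple[str, str]:
    """'192.168.1.47:443' -> ('192.168.1.47', '443'); bare '443' -> ('*', '443');
    an address with no port -> (addr, '*')."""
    if ":" in spec:
        addr, port = spec.rsplit(":", 1)
        return addr, port
    return ("*", spec) if spec.isdigit() else (spec, "*")


def parse_listen(config: str) -> Set[Tuple[str, str]]:
    return {split_addr(s) for s in LISTEN_RE.findall(config)}


def is_listened(listens: Set[Tuple[str, str]], addr: str, port: str) -> bool:
    """A vhost address is reachable if httpd binds that exact address:port or the
    wildcard address on that port; a port-less vhost matches any port."""
    for l_addr, l_port in listens:
        addr_ok = l_addr in ("*", "0.0.0.0", addr) or addr == "*"
        port_ok = port == "*" or l_port == port
        if addr_ok and port_ok:
            return True
    return False


def audit(config: str) -> Dict[str, List[str]]:
    """Return vhost addresses with no Listen and NameVirtualHost entries no vhost uses."""
    listens = parse_listen(config)
    vhost_specs: List[str] = []
    for group in VHOST_RE.findall(config):
        vhost_specs.extend(group.split())      # <VirtualHost a:443 b:443> names several
    unlistened = [s for s in vhost_specs if not is_listened(listens, *split_addr(s))]
    unused_nvh = [n for n in NVH_RE.findall(config) if n not in vhost_specs]
    return {"unlistened_vhosts": unlistened, "unused_namevirtualhost": unused_nvh}


if __name__ == "__main__":
    # Usage: python audit_listen.py /etc/httpd/conf.d/ssl.conf (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for key, items in audit(text).items():
        print(f"{key}: {items or 'none'}")
```

Run against the sample, it reports `192.168.1.129:443` as unlistened and no unused NameVirtualHost; swap the Listen lines for a bare `Listen 443` plus `NameVirtualHost *:443` and it reports the wildcard entry as unused instead, which is the warning John sees later in the thread.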

Re: SSL received a record that exceeded the maximum

on 13.11.2009 18:31:50 by Eric Covener

>
>

> When I visit https://virtual.host2/ I get:
>
> SSL received a record that exceeded the maximum permissible length.
>
> (Error code: ssl_error_rx_record_too_long)
>

My guess is that you're actually receiving this connection on an
interface not listed in any of your vhosts, so it's handled as HTTP by
the "base" server config.

Can you use at least 1 *:443?

--
Eric Covener
covener@gmail.com


Re: SSL received a record that exceeded the maximum permissible length.

on 13.11.2009 19:20:51 by John Oliver

On Fri, Nov 13, 2009 at 12:31:50PM -0500, Eric Covener wrote:
> >
> >
>
> > When I visit https://virtual.host2/ I get:
> >
> > SSL received a record that exceeded the maximum permissible length.
> >
> > (Error code: ssl_error_rx_record_too_long)
> >
>
> My guess is that you're actually receiving this connection on an
> interface not listed in any of your vhosts, so it's handled as HTTP by
> the "base" server config.
>
> Can you use at least 1 *:443?

When I had *:443 I got a message about:

[warn] NameVirtualHost *:443 has no VirtualHosts

And there are no other interfaces. eth0 and eth1, each with one of the
two IPs above.



Re: SSL received a record that exceeded the maximum permissible length.

on 13.11.2009 19:24:59 by John Oliver

On Fri, Nov 13, 2009 at 05:29:07PM +0000, Philip Wigg wrote:
> > NameVirtualHost 192.168.1.47:443
> > NameVirtualHost 192.168.1.129:443
>
> You can't use name based virtual hosting with SSL. Try these lines
> out. You need to make sure you have a Listen directive for those
> IP/port combinations though.

Oh, duh... :-)

Thanks, I'm back in business.



Re: SSL received a record that exceeded the maximum permissible length.

on 14.11.2009 08:04:31 by Crypto Sal

On 11/13/2009 12:29 PM, Philip Wigg wrote:
>> NameVirtualHost 192.168.1.47:443
>> NameVirtualHost 192.168.1.129:443
>>
> You can't use name based virtual hosting with SSL. Try these lines
> out. You need to make sure you have a Listen directive for those
> IP/port combinations though.
>
> Cheers,
> Phil.
>
>
>

Phil,

As of Apache 2.2.12 + OpenSSL 0.9.8f/j, you can. You may thank RFC 4366
for SNI (Server Name Indication). However, most versions of IE (any
version on XP) don't support it. :-P


http://en.wikipedia.org/wiki/Server_Name_Indication

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
