[solved] SSL Times Out - No connection
Ubuntu 10.04
ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName web.site.com
        SSLEngine On
        SSLCertificateFile /etc/ssl/priv/public.crt
        SSLCertificateKeyFile /etc/ssl/priv/ssl.key
        SSLCACertificateFile /etc/ssl/priv/intermediate.crt
    </VirtualHost>
    NameVirtualHost *:443
    Listen 443
</IfModule>
Also placed this in my /etc/apache2/sites-enabled/ssl:
<VirtualHost *:443>
    DocumentRoot /var/www
    SSLEngine on
    #SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/priv/public.crt
    SSLCertificateKeyFile /etc/ssl/priv/ssl.key
    SSLCACertificateFile /etc/ssl/priv/intermediate.crt
    ServerAdmin me@localhost
</VirtualHost>
iptables -L -n -v produces:
14331 788K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
Out of my ssl log:
[Wed Aug 15 21:14:42 2012] [info] [client 127.0.0.1] Connection to child 7 established (server web.site.com:443)
[Wed Aug 15 21:14:42 2012] [info] Seeding PRNG with 648 bytes of entropy
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_kernel.c(1916): OpenSSL: Handshake: start
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_kernel.c(1924): OpenSSL: Loop: before/accept initialization
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_io.c(1909): OpenSSL: read 11/11 bytes from BIO#b8d78160 [mem: b8d8b7e0] (BIO dump follows)
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_io.c(1842): +-------------------------------------------------------------------------+
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_io.c(1881): | 0000: 5f 40 45 59 5f 5e 53 20-2a 20 48 OPTIONS * H |
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_io.c(1887): +-------------------------------------------------------------------------+
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_kernel.c(1953): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Wed Aug 15 21:14:42 2012] [info] [client 127.0.0.1] SSL library error 1 in handshake (server web.site.com:443)
[Wed Aug 15 21:14:42 2012] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
[Wed Aug 15 21:14:42 2012] [info] [client 127.0.0.1] Connection closed to child 7 with abortive shutdown (server web.site.com:443)
So I see the "error in SSLv2/v3 read" line which seems to indicate where my problem is, but researching that hasn't yielded any real assistance.
Little help?
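The BIO dump in the log above shows what mod_ssl actually received on port 443: the plaintext request line "OPTIONS * H..." rather than a TLS ClientHello, which is exactly what the "unknown protocol ... speaking not SSL to HTTPS port!?" error reports. The following is an added example (not code from the thread or from Apache) that shows the distinction mod_ssl is making on the first bytes of a connection, and a small log scan that counts such errors per client so repeated plaintext-to-443 attempts stand out in an ssl log. The byte strings and log lines are constructed samples modelled on the thread's output.

```python
import re
from collections import defaultdict

# Added example, not code from the thread. It shows the check behind mod_ssl's
# "speaking not SSL to HTTPS port!?" message: the first bytes on the TLS port
# must be a TLS (or SSLv2-compatible) ClientHello; a plaintext HTTP request
# line there is what produces "unknown protocol".

TLS_HANDSHAKE_RECORD = 0x16  # TLS record content type: handshake
SSLV2_CLIENT_HELLO = 0x01    # SSLv2 message type CLIENT-HELLO
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes read from a socket on an HTTPS port."""
    if len(data) < 3:
        return "too-short"
    # TLS record header: content type 0x16, then version major byte 0x03.
    if data[0] == TLS_HANDSHAKE_RECORD and data[1] == 0x03:
        return "tls-handshake"
    # SSLv2-compatible hello: 2-byte length with the high bit set, then
    # message type 0x01 (CLIENT-HELLO).
    if data[0] & 0x80 and data[2] == SSLV2_CLIENT_HELLO:
        return "sslv2-client-hello"
    # A plaintext HTTP request line sent to the TLS port.
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")
NOT_SSL_MARKER = "speaking not SSL to HTTPS port"


def count_plaintext_on_https(log_lines):
    """Count 'not SSL to HTTPS port' errors per client in mod_ssl log lines.

    The library-error line carries no [client ...] field, so each one is
    attributed to the most recent client seen in the log.
    """
    counts = defaultdict(int)
    last_client = None
    for line in log_lines:
        m = CLIENT_RE.search(line)
        if m:
            last_client = m.group(1)
        if NOT_SSL_MARKER in line and last_client is not None:
            counts[last_client] += 1
    return dict(counts)


# Constructed sample log lines modelled on the thread's ssl log, not copied
# from a live host.
SAMPLE_LOG = [
    "[Wed Aug 15 21:14:42 2012] [info] [client 127.0.0.1] Connection to child 7 established (server web.site.com:443)",
    "[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_kernel.c(1953): OpenSSL: Exit: error in SSLv2/v3 read client hello A",
    "[Wed Aug 15 21:14:42 2012] [info] [client 127.0.0.1] SSL library error 1 in handshake (server web.site.com:443)",
    "[Wed Aug 15 21:14:42 2012] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?",
    "[Wed Aug 15 21:14:42 2012] [info] [client 127.0.0.1] Connection closed to child 7 with abortive shutdown (server web.site.com:443)",
]

if __name__ == "__main__":
    # The request seen in the thread's BIO dump, as plaintext bytes.
    print(classify_first_bytes(b"OPTIONS * HTTP/1.0\r\n"))   # plaintext-http
    print(classify_first_bytes(b"\x16\x03\x01\x00\xc5\x01"))  # tls-handshake
    print(count_plaintext_on_https(SAMPLE_LOG))                # {'127.0.0.1': 1}
```

A single entry from 127.0.0.1 like the one in the thread is a local probe hitting the TLS port in the clear, not a remote client; it is the firewall that explains why remote HTTPS connections time out, since a plaintext request that reaches mod_ssl fails immediately rather than hanging.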
4 Replies
@sweh:
Where's your "ACCEPT" for port 443 in the firewall rules?
With my luck, it's missing.
How would I write that? Would this do the trick?
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
Or will I need something else?
I'm not really up to speed on this stuff. Will this allow both incoming & outgoing, or would I need to rewrite it?
Getting closer to fixing this.
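The listing above shows an ACCEPT for tcp dpt:80 and nothing for 443, which is the gap sweh is pointing at. As an added example (not from the thread), here is a small POSIX shell check that scans `iptables -L -n -v` output for an exact ACCEPT on a given TCP destination port and reports which of the web ports are open. The rule text in the block is a constructed sample in the same layout as the poster's listing, with a missing 443 rule.

```sh
#!/bin/sh
# Added example, not from the thread: scan `iptables -L -n -v` output for an
# ACCEPT rule matching a TCP destination port. SAMPLE_RULES is a constructed
# sample laid out like the poster's listing (tcp/80 accepted, no tcp/443 rule).

SAMPLE_RULES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
14331  788K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# port_is_accepted PORT RULES
# Exit 0 when some rule line has target ACCEPT and a "dpt:PORT" token,
# exit 1 otherwise. Only the exact token counts, so 443 does not match 4430.
port_is_accepted() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $3 == "ACCEPT" {
            for (i = 4; i <= NF; i++) if ($i == ("dpt:" p)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_web_ports RULES
# Report on the two ports an HTTP+HTTPS Apache needs; exit 1 if either is missing.
check_web_ports() {
    rules="$1"
    status=0
    for port in 80 443; do
        if port_is_accepted "$port" "$rules"; then
            echo "tcp/$port: ACCEPT rule present"
        else
            echo "tcp/$port: no ACCEPT rule, HTTPS clients will hang or be rejected"
            status=1
        fi
    done
    return "$status"
}

# Run against the constructed sample. On a real host use:
#   check_web_ports "$(iptables -L -n -v)"
check_web_ports "$SAMPLE_RULES" || echo "firewall is not ready for HTTPS"
```

The ufw-* chain names in the listing show the host is managed by ufw, so the usual way to add the missing rule there is `ufw allow 443/tcp` rather than a hand-written `iptables -A INPUT` line, which ufw would append after its own REJECT and never reach. The OUTPUT rule in the proposed pair only matters if the OUTPUT chain's policy is not already ACCEPT.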
@josh-chs:
OK, fixed the iptables issue. Now I get "404 page not found" via httpS.
Getting closer to fixing this.
Fixed. SSL works completely now.
Added:
DocumentRoot /var/www/
to my ports.conf inside the virtualhost argument
Thanks folks.