[solved] SSL Times Out - No connection

OK, following my last thread, now I've got an SSL issue of it timing out. Seems the handshake isn't occurring.

Ubuntu 10.04

ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName web.site.com
        SSLEngine On
        SSLCertificateFile /etc/ssl/priv/public.crt
        SSLCertificateKeyFile /etc/ssl/priv/ssl.key
        SSLCACertificateFile /etc/ssl/priv/intermediate.crt
    </VirtualHost>
    NameVirtualHost *:443

    Listen 443
</IfModule>

Also placed this in my

/etc/apache2/sites-enabled/ssl

<VirtualHost *:443>
    DocumentRoot /var/www
    SSLEngine on
    #SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/priv/public.crt
    SSLCertificateKeyFile /etc/ssl/priv/ssl.key
    SSLCACertificateFile /etc/ssl/priv/intermediate.crt
    ServerAdmin me@localhost
</VirtualHost>

iptables -L -n -v produces:

14331  788K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Out of my ssl log:

[Wed Aug 15 21:14:42 2012] [info] [client 127.0.0.1] Connection to child 7 established (server web.site.com:443)
[Wed Aug 15 21:14:42 2012] [info] Seeding PRNG with 648 bytes of entropy
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_kernel.c(1916): OpenSSL: Handshake: start
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_kernel.c(1924): OpenSSL: Loop: before/accept initialization
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_io.c(1909): OpenSSL: read 11/11 bytes from BIO#b8d78160 [mem: b8d8b7e0] (BIO dump follows)
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_io.c(1842): +-------------------------------------------------------------------------+
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_io.c(1881): | 0000: 5f 40 45 59 5f 5e 53 20-2a 20 48                 OPTIONS * H      |
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_io.c(1887): +-------------------------------------------------------------------------+
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_kernel.c(1953): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Wed Aug 15 21:14:42 2012] [info] [client 127.0.0.1] SSL library error 1 in handshake (server web.site.com:443)
[Wed Aug 15 21:14:42 2012] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
[Wed Aug 15 21:14:42 2012] [info] [client 127.0.0.1] Connection closed to child 7 with abortive shutdown (server web.site.com:443)

So I see the "error in SSLv2/v3 read" line which seems to indicate where my problem is, but researching that hasn't yielded any real assistance.

Little help?
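Added example, not part of the thread: a small POSIX shell/awk filter for reading ssl log entries like the ones quoted above. The error:140760FC "unknown protocol ... speaking not SSL to HTTPS port" line means Apache received bytes on port 443 that were not a TLS ClientHello; the BIO dump shows plain HTTP ("OPTIONS * H..."), and since the client is 127.0.0.1 that is the server's own plaintext probe, not the remote browser that is timing out. The filter attributes each such error to the most recent "[client ...]" address and counts local versus remote sources, so a burst of remote hits can be told apart from the local noise. The log lines in SAMPLE_LOG are constructed in the format of the thread's log; the 203.0.113.7 address is a documentation-range placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): summarise "speaking not SSL to HTTPS port"
# errors in an Apache 2.2 mod_ssl log by the client that caused them.
# SAMPLE_LOG is constructed to match the shape of the log quoted in the thread.
SAMPLE_LOG='[Wed Aug 15 21:14:42 2012] [info] [client 127.0.0.1] Connection to child 7 established (server web.site.com:443)
[Wed Aug 15 21:14:42 2012] [debug] ssl_engine_kernel.c(1953): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Wed Aug 15 21:14:42 2012] [info] [client 127.0.0.1] SSL library error 1 in handshake (server web.site.com:443)
[Wed Aug 15 21:14:42 2012] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
[Wed Aug 15 21:14:43 2012] [info] [client 203.0.113.7] SSL library error 1 in handshake (server web.site.com:443)
[Wed Aug 15 21:14:43 2012] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?'

# plaintext_on_tls_port_summary: read a mod_ssl log on stdin and print
# "local=N remote=M", where N counts "not SSL to HTTPS port" errors whose
# preceding [client ...] tag was the loopback address and M counts the rest.
# The "SSL Library Error" line itself carries no client address, so the
# address is remembered from the last line that had one.
plaintext_on_tls_port_summary() {
    awk '
        match($0, /\[client [0-9a-fA-F.:]+\]/) {
            ip = substr($0, RSTART + 8, RLENGTH - 9)   # strip "[client " and "]"
        }
        /speaking not SSL to HTTPS port/ {
            if (ip == "127.0.0.1" || ip == "::1") local++; else remote++
        }
        END { printf "local=%d remote=%d\n", local, remote }
    '
}

# Usage on a live system: plaintext_on_tls_port_summary < /var/log/apache2/ssl_engine.log
# (the log path is an assumption; use whichever file your ErrorLog/LogLevel points at).
printf '%s\n' "$SAMPLE_LOG" | plaintext_on_tls_port_summary
```

Local-only hits mean the HTTPS listener is up and simply being poked with plaintext from the same box; if the remote browser's connection attempts never appear in this log at all, the traffic is being dropped before it reaches Apache, which is the firewall question raised in the replies.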

4 Replies

Where's your "ACCEPT" for port 443 in the firewall rules ?

@sweh:

Where's your "ACCEPT" for port 443 in the firewall rules ?

With my luck, it's missing. :oops:

How would I write that? Would this do the trick?

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Or will I need something else?

I'm not really up to speed on this stuff. Will this allow both incoming & outgoing, or would I need to rewrite it?
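Added example, not written by anyone in the thread: a POSIX shell/awk check that reads an `iptables -L -n -v` listing and reports which expected TCP ports have no ACCEPT rule, so the missing 443 entry is found mechanically rather than by eyeballing the chains. It scans every chain in the listing, which matters on Ubuntu where ufw places user rules in ufw-user-input rather than directly in INPUT. SAMPLE_RULES is constructed in the same format as the listing quoted in the first post and deliberately only opens port 80 (the port 22 and 443 lines are made up for the demonstration).

```shell
#!/bin/sh
# Added example (not from the thread): find expected TCP ports that lack an
# ACCEPT rule in an `iptables -L -n -v` listing. SAMPLE_RULES is constructed
# in the shape of the thread's listing; only 80 and 22 are accepted here.
SAMPLE_RULES='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
14331  788K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443'

# missing_accept PORT...: read a listing on stdin; print, one per line, every
# port with no "ACCEPT tcp ... dpt:PORT" rule in any chain. Exit status is 0
# when nothing is missing and 1 otherwise. Field layout of the -L -n -v output:
#   $1 pkts  $2 bytes  $3 target  $4 prot  $5 opt  $6 in  $7 out  $8 src  $9 dst  $10.. match text
missing_accept() {
    awk -v want="$*" '
        BEGIN { n = split(want, ports, " ") }
        $3 == "ACCEPT" && $4 == "tcp" {
            for (i = 10; i <= NF; i++)
                if (substr($i, 1, 4) == "dpt:") seen[substr($i, 5)] = 1
        }
        END {
            missing = 0
            for (j = 1; j <= n; j++)
                if (!(ports[j] in seen)) { print ports[j]; missing++ }
            exit (missing ? 1 : 0)
        }'
}

# Against the live firewall (root needed): sudo iptables -L -n -v | missing_accept 80 443
printf '%s\n' "$SAMPLE_RULES" | missing_accept 80 443 \
    || echo "ports listed above have no ACCEPT rule; add one in INPUT (or 'ufw allow PORT/tcp' on a ufw host)"
```

The check only confirms that an ACCEPT rule for the port exists somewhere; it does not evaluate chain order or the interface and state matches, so a DROP earlier in the same chain would still win. The INPUT rule proposed above is the one that matters for reaching the listener; the OUTPUT rule for established traffic is only needed if the OUTPUT chain's policy is not ACCEPT.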

OK, fixed the iptables issue. Now I get "404 page not found" via httpS.

Getting closer to fixing this.

@josh-chs:

OK, fixed the iptables issue. Now I get "404 page not found" via httpS.

Getting closer to fixing this.

Fixed. SSL works completely now. :D

Added:

DocumentRoot /var/www/

to my ports.conf inside the virtualhost argument

Thanks folks.
