[Klug-general] https in Apache
MacGyveR
macgyver at thedumbterminal.co.uk
Thu Apr 23 21:49:08 UTC 2009
On Thursday 23 Apr 2009, Nathan Friend wrote:
> Hi all,
> I'm trying to use SSL in Apache. I've created a self signed cert for
> testing and set up an SSL vhost using the template provided.
>
> When I go to https:\\testserver.domain.com in Firefox I get
>
> Secure Connection Failed
> An error occurred during a connection to testserver.domain.com
> SSL received a record that exceeded the maximum permissible length.
> (Error code: ssl_error_rx_record_too_long)
> The page you are trying to view can not be shown because the authenticity
> of the received data could not be verified.
> * Please contact the web site owners to inform them of this problem.
>
> After a bit of searching round the net I tried
>
> testserver:~ # openssl s_client -connect localhost:443 -state -debug
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> write to 0x80c61c0 [0x80c6208] (136 bytes => 136 (0x88))
> 0000 - 80 86 01 03 01 00 5d 00-00 00 20 00 00 39 00 00 ......]... ..9..
> 0010 - 38 00 00 35 00 00 88 00-00 87 00 00 84 00 00 16 8..5............
> 0020 - 00 00 13 00 00 0a 07 00-c0 00 00 33 00 00 32 00 ...........3..2.
> 0030 - 00 2f 00 00 45 00 00 44-00 00 41 03 00 80 00 00 ./..E..D..A.....
> 0040 - 05 00 00 04 01 00 80 00-00 15 00 00 12 00 00 09 ................
> 0050 - 06 00 40 00 00 14 00 00-11 00 00 08 00 00 06 04 ..@.............
> 0060 - 00 80 00 00 03 02 00 80-33 fa 66 1e 41 05 b8 e3 ........3.f.A...
> 0070 - 00 59 e5 ed 08 77 c1 45-ac 4b 05 1d 51 d3 28 65 .Y...w.E.K..Q.(e
> 0080 - 79 ad 7a ac 1b 37 65 8f- y.z..7e.
> SSL_connect:SSLv2/v3 write client hello A
> read from 0x80c61c0 [0x80cb768] (7 bytes => 7 (0x7))
> 0000 - 3c 3f 78 6d 6c 20 76 <?xml v
> SSL_connect:error in SSLv2/v3 read server hello A
> 6384:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:585:
>
> Any ideas?
>
> Cheers,
>
> Nathan.
Most distros' apache ssl package comes with some self signed certs already,
did they work ok for you?
Could you give a text dump of your cert using openssl:
openssl req -noout -text -in cert.csr
This looks a bit strange in the packet dump you posted above:
0000 - 3c 3f 78 6d 6c 20 76 <?xml v
--
--------------------------------
http://www.thedumbterminal.co.uk
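
An added example, not part of the original thread: it parses the seven bytes the server sent back (`3c 3f 78 6d 6c 20 76`) as a TLS record header, the way a TLS client would, and shows how plain text read in that position yields a length field above the record limit. The function name and the second sample are constructed for illustration.

```python
import struct

# Content types defined for the TLS record layer.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Largest record length a TLS 1.0-1.2 peer may send (2^14 + 2048).
MAX_RECORD_LEN = 2**14 + 2048


def classify_server_reply(data: bytes) -> dict:
    """Read the first bytes from a server the way a TLS client would."""
    if len(data) < 5:
        return {"verdict": "too_short"}
    # Record header: type (1 byte), version (2 bytes), length (2 bytes).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    result = {
        "content_type": ctype,
        "version": (major, minor),
        "length_field": length,
        "length_too_long": length > MAX_RECORD_LEN,
    }
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in data)
    if ctype in TLS_CONTENT_TYPES and major == 3 and not result["length_too_long"]:
        result["verdict"] = "tls_record"
    elif printable:
        # Readable text where a record header should be: not a TLS reply.
        result["verdict"] = "plaintext"
        result["text"] = data.decode("ascii")
    else:
        result["verdict"] = "unknown"
    return result


# The 7 bytes s_client read from the server in the thread above.
FROM_THREAD = bytes.fromhex("3c3f786d6c2076")
# Constructed sample: start of a TLS 1.0 handshake record, for comparison.
CONSTRUCTED_TLS = bytes.fromhex("160301004a0200")

if __name__ == "__main__":
    for name, blob in (("thread", FROM_THREAD), ("constructed", CONSTRUCTED_TLS)):
        print(name, classify_server_reply(blob))
```

For the bytes from the thread, the two bytes in the length position are `6d 6c`, the letters "ml" of "<?xml", which read as a length of 28012.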