Posted to users@httpd.apache.org by Sunil R <de...@gmail.com> on 2015/07/30 05:37:13 UTC

[users@httpd] SSL handshake failure after httpd upgrade to 2.4.12

I’m trying to upgrade the Apache version from httpd 2.2.25 to 2.4.12. I’m
building Apache with the same openssl version 0.9.8. After the upgrade I see
that the openssl s_client query to the server fails with error:

[Mon Jul 27 02:57:47.982584 2015] [ssl:info] [pid 22460:tid 1943075728] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

The openssl client version is OpenSSL 0.9.8g (OpenSSL/FIPS). In the httpd
config file I have disabled SSLv2 and SSLv3.

When I enable debug options on the s_client this is the output:


Linux# /isan/bin/openssl s_client -connect localhost:443 -debug -state -msg
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x9d606b0 [0x9d61678] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 68 fd d4 c6   ............h...
0060 - 77 4c 5e ef 2f 41 d4 18-e6 f8 6d d3 9e 8c b2 2d   wL^./A....m....-
0070 - b4 81 83 fd c7 63 f6 8b-fe 26 e9 97               .....c...&..
>>> SSL 2.0 [length 007a], CLIENT-HELLO
    01 03 01 00 51 00 00 00 20 00 00 39 00 00 38 00
    00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
    33 00 00 32 00 00 2f 00 00 07 05 00 80 03 00 80
    00 00 05 00 00 04 01 00 80 00 00 15 00 00 12 00
    00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00
    06 04 00 80 00 00 03 02 00 80 68 fd d4 c6 77 4c
    5e ef 2f 41 d4 18 e6 f8 6d d3 9e 8c b2 2d b4 81
    83 fd c7 63 f6 8b fe 26 e9 97
SSL_connect:SSLv2/v3 write client hello A
read from 0x9d606b0 [0x9d66bd8] (7 bytes => 0 (0x0))
7175:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Linux#



The SSL handshake goes through fine in these cases:

1. When I enable SSLv3, the query goes through fine.
2. When I force the TLSv1 in the s_client query.
3. With the older httpd version 2.2.25

Is this intentional, to honor the disable SSLv3 configured?

Please let me know what the issue could be. Let me know if any other
details are needed.

Thx,
DS
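
Decoding the first bytes that s_client wrote shows what kind of hello reaches the server: an SSLv2-format CLIENT-HELLO (two-byte header 80 7a) that advertises version 3.1, i.e. TLS 1.0. The parser below is an added example, not part of the original post; the function name is hypothetical and the bytes are copied from the -debug dump above.

```python
import struct

# Bytes s_client wrote, copied from the -debug dump in the post above.
DUMP = bytes.fromhex(" ".join("""
80 7a 01 03 01 00 51 00 00 00 20 00 00 39 00 00
38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0
00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03
00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08
00 00 06 04 00 80 00 00 03 02 00 80 68 fd d4 c6
77 4c 5e ef 2f 41 d4 18 e6 f8 6d d3 9e 8c b2 2d
b4 81 83 fd c7 63 f6 8b fe 26 e9 97
""".split()))

def describe_first_record(data):
    """Classify a client's first bytes: SSLv2-format hello or SSLv3/TLS record."""
    if len(data) < 5:
        raise ValueError("too short to classify")
    if data[0] == 0x16 and data[1] == 0x03:
        # SSLv3/TLS record layer: type(1) version(2) length(2)
        return {"format": "tls-record", "record_version": (data[1], data[2]),
                "record_length": struct.unpack(">H", data[3:5])[0]}
    if data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 two-byte header: high bit set, 15-bit length, then CLIENT-HELLO (1)
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) != length or length < 9:
            raise ValueError("truncated SSLv2 record")
        _, major, minor, spec_len, sid_len, chal_len = struct.unpack(">BBBHHH", body[:9])
        if spec_len % 3 or 9 + spec_len + sid_len + chal_len != length:
            raise ValueError("inconsistent CLIENT-HELLO lengths")
        specs = [body[9 + i:12 + i] for i in range(0, spec_len, 3)]
        return {"format": "sslv2-hello", "record_length": length,
                "hello_version": (major, minor),
                # A leading zero byte marks an SSLv3/TLS suite carried in 3-byte form
                "tls_suites": sum(1 for s in specs if s[0] == 0),
                "sslv2_kinds": sum(1 for s in specs if s[0] != 0),
                "session_id_len": sid_len, "challenge_len": chal_len}
    return {"format": "unknown"}

if __name__ == "__main__":
    print(describe_first_record(DUMP))
    # Constructed 5-byte TLS 1.0 handshake record header, for contrast
    print(describe_first_record(bytes.fromhex("1603010031")))
```

Forcing TLSv1 in s_client, which the post reports as working, makes the client start with a TLS record (first byte 0x16) instead of this SSLv2-format hello.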

Re: [users@httpd] SSL handshake failure after httpd upgrade to 2.4.12

Posted by Sunil R <de...@gmail.com>.
Thanks Daniel.

SSLCipherSuite -
ALL:!ADH:!EXPORT40:!EXPORT56:!LOW:!RC4:!MD5:!IDEA:+HIGH:+MEDIUM:+EXP:+eNULL
SSLProtocol all -SSLv2 -SSLv3

This is the openssl version output:
openssl ciphers -v
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5 export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export

Output from the nmap scan of the server:
| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (14)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|_      uncompressed


Thx,
DS

On Thu, Jul 30, 2015 at 8:16 PM, Daniel <df...@gmail.com> wrote:

> You should share your SSLCiphersuite and SSLProtocol values first. Besides,
> that version of openssl is quite lacking regarding the availability of
> ciphers and protocols.

Re: [users@httpd] SSL handshake failure after httpd upgrade to 2.4.12

Posted by Daniel <df...@gmail.com>.
You should share your SSLCiphersuite and SSLProtocol values first. Besides,
that version of openssl is quite lacking regarding the availability of
ciphers and protocols.

-- 
*Daniel Ferradal*
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal