Posted to users@httpd.apache.org by John Oliver <jo...@john-oliver.net> on 2009/11/13 18:21:43 UTC

[users@httpd] SSL received a record that exceeded the maximum permissible length.

I have one physical server with two IP addresses.  I created
VirtualHosts for each:

NameVirtualHost 192.168.1.47:443
NameVirtualHost 192.168.1.129:443

<VirtualHost 192.168.1.47:443>
    ServerName virtual.host1
    DocumentRoot /var/www/html2
    ErrorLog logs/ssl_error2_log
    CustomLog logs/ssl_request2_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLVerifyClient require
    SSLVerifyDepth  10
    SSLCertificateFile /etc/pki/tls/certs/subscriber.pem
    SSLCACertificateFile /etc/pki/tls/certs/cabundle.crt
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost 192.168.1.129:443>
    ServerName virtual.host2
    DocumentRoot /var/www/html
    ErrorLog logs/ssl_error_log
    CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/pki/tls/certs/ois_cert.pem
    SSLCertificateKeyFile /etc/pki/tls/private/ois_key.pem
    SSLCACertificateFile /etc/pki/tls/certs/cabundle.crt
    SSLVerifyClient require
    SSLVerifyDepth  10
</VirtualHost>

When I visit https://virtual.host2/ I get:

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)


But nothing is logged, even if I change LogLevel to 'debug'.
https://192.168.1.129/ works just fine.  I've double-checked the file
permissions for the cert and key, and that the cert is not expired.
Googling hasn't helped.  I'm at kind of a loss here!  What else can I
look at for more clues?

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSL received a record that exceeded the maximum permissible length.

Posted by Crypto Sal <cr...@gmail.com>.
On 11/13/2009 12:29 PM, Philip Wigg wrote:
>> NameVirtualHost 192.168.1.47:443
>> NameVirtualHost 192.168.1.129:443
>
> You can't use name based virtual hosting with SSL. Try these lines
> out. You need to make sure you have a Listen directive for those
> IP/port combinations though.
>
> Cheers,
> Phil.

Phil,

As of Apache 2.2.12 + OpenSSL 0.9.8f/j, you can.  You may thank RFC 4366 
for SNI (Server Name Indication). However, most versions of IE (any 
version on XP) don't support it. :-P


http://en.wikipedia.org/wiki/Server_Name_Indication

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI



Re: [users@httpd] SSL received a record that exceeded the maximum permissible length.

Posted by John Oliver <jo...@john-oliver.net>.
On Fri, Nov 13, 2009 at 05:29:07PM +0000, Philip Wigg wrote:
> > NameVirtualHost 192.168.1.47:443
> > NameVirtualHost 192.168.1.129:443
> 
> You can't use name based virtual hosting with SSL. Try these lines
> out. You need to make sure you have a Listen directive for those
> IP/port combinations though.

Oh, duh... :-)

Thanks, I'm back in business.

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************



Re: [users@httpd] SSL received a record that exceeded the maximum permissible length.

Posted by Philip Wigg <ph...@philipwigg.co.uk>.
> NameVirtualHost 192.168.1.47:443
> NameVirtualHost 192.168.1.129:443

You can't use name based virtual hosting with SSL. Try these lines
out. You need to make sure you have a Listen directive for those
IP/port combinations though.

Cheers,
Phil.



Re: [users@httpd] SSL received a record that exceeded the maximum permissible length.

Posted by John Oliver <jo...@john-oliver.net>.
On Fri, Nov 13, 2009 at 12:31:50PM -0500, Eric Covener wrote:
> > <VirtualHost 192.168.1.47:443>
> > <VirtualHost 192.168.1.129:443>
> 
> > When I visit https://virtual.host2/ I get:
> >
> > SSL received a record that exceeded the maximum permissible length.
> >
> > (Error code: ssl_error_rx_record_too_long)
> >
> 
> My guess is that you're actually receiving this connection on an
> interface not listed in any of your vhosts, so it's handled as HTTP by
> the "base" server config.
> 
> Can you use at least 1 *:443?

When I had *:443 I got a message about:

[warn] NameVirtualHost *:443 has no VirtualHosts

And there are no other interfaces.  eth0 and eth1, each with one of the
two IPs above.

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************



Re: [users@httpd] SSL received a record that exceeded the maximum permissible length.

Posted by Eric Covener <co...@gmail.com>.
> <VirtualHost 192.168.1.47:443>
> <VirtualHost 192.168.1.129:443>

> When I visit https://virtual.host2/ I get:
>
> SSL received a record that exceeded the maximum permissible length.
>
> (Error code: ssl_error_rx_record_too_long)
>

My guess is that you're actually receiving this connection on an
interface not listed in any of your vhosts, so it's handled as HTTP by
the "base" server config.

Can you use at least 1 *:443?

-- 
Eric Covener
covener@gmail.com
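Eric's guess explains the browser's wording exactly: a vhost (or the base server) that is not running mod_ssl answers the browser's ClientHello with a plain-HTTP "400 Bad Request", and the browser then reads the ASCII bytes "HTTP/" as a TLS record header whose length field is far over the limit. The script below is an added example, not from this thread or from the Apache project; it interprets the first five bytes of a server reply the way a TLS client would. The sample replies are constructed inline.

```python
# Why a non-SSL vhost on port 443 produces "ssl_error_rx_record_too_long".
# A TLS record starts with: content type (1 byte), version (2 bytes),
# length (2 bytes, big-endian). RFC 5246 section 6.2.1 caps a received
# record at 2^14 + 2048 bytes; anything longer is a fatal record_overflow.
TLS_MAX_RECORD_LEN = 2**14 + 2048  # 18432

# Constructed samples: what a plain-HTTP vhost typically sends back when it
# parses a ClientHello as a garbage request line, and a normal TLS handshake
# record (ServerHello header, 42-byte body assumed, body contents irrelevant).
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
TLS_REPLY = b"\x16\x03\x01\x00\x2a" + b"\x00" * 42


def parse_as_tls_record(data: bytes) -> dict:
    """Read the first five bytes as a TLS record header, as a browser would."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    return {
        "content_type": ctype,            # 20..23 for real TLS records
        "version": (major, minor),        # (3, x) for SSLv3/TLS
        "length": length,
        "looks_like_tls": ctype in (20, 21, 22, 23) and major == 3,
        "record_too_long": length > TLS_MAX_RECORD_LEN,
    }


def diagnose(data: bytes) -> str:
    """Classify what the port is speaking: 'tls', 'plain-http' or 'unknown'."""
    rec = parse_as_tls_record(data)
    if rec["looks_like_tls"] and not rec["record_too_long"]:
        return "tls"
    if data.startswith(b"HTTP/"):
        # 'H','T','T','P','/' -> type 0x48, version 0x5454, length 0x502F = 20527
        return "plain-http"
    return "unknown"


if __name__ == "__main__":
    for name, sample in (("plain HTTP", PLAIN_HTTP_REPLY), ("TLS", TLS_REPLY)):
        print(name, parse_as_tls_record(sample), "->", diagnose(sample))
```

To capture real bytes from a live server, `openssl s_client -connect host:443` prints the same kind of "wrong version number" or record-layer complaint when the port is speaking plain HTTP.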
