Posted to users@httpd.apache.org by "Pavel Heimlich, a.k.a. hajma" <tr...@gmail.com> on 2021/06/23 20:53:18 UTC

[users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Hi,
I use
ErrorDocument 400 "https://myserver:215"
to achieve redirection to secure connection for anyone who would access my
server with just 'http://myserver:215'.

This works as long as there's
SSLProtocol TLSv1.1 +TLSv1.2
specified in the configuration. However when I change that to just
SSLProtocol TLSv1.2
it stops working and the client gets "The connection was reset
The connection to the server was reset while the page was loading."
in their browser.

I guess this is because Apache calls different OpenSSL functions based on
the config setting at
https://github.com/apache/httpd/blob/2f0f0d4e31bcf8b151ebc833ddd56c09dbff6462/modules/ssl/ssl_engine_init.c#L643
or
https://github.com/apache/httpd/blob/2f0f0d4e31bcf8b151ebc833ddd56c09dbff6462/modules/ssl/ssl_engine_init.c#L649

and I am not sure if this is something that could be dealt with within
Apache.
Would you consider this worth logging a bug?
Or would there be another way to achieve this?

Thanks!
P.

P.S.:
This is on Solaris 11.4, x86, Apache 2.4.47, OpenSSL 1.0
My simplified config below:

ServerRoot "/usr/apache2/2.4"

Listen 215

<IfDefine prefork>
LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
</IfDefine>
<IfDefine worker>
LoadModule mpm_worker_module libexec/mod_mpm_worker.so
</IfDefine>
<IfDefine !prefork>
<IfDefine !worker>
LoadModule mpm_event_module libexec/mod_mpm_event.so
</IfDefine>
</IfDefine>

LoadModule ssl_module libexec/mod_ssl-fips-140.so
LoadModule authz_core_module libexec/mod_authz_core.so
LoadModule unixd_module libexec/mod_unixd.so

<IfModule unixd_module>
User webservd
Group webservd

</IfModule>


ServerName 127.0.0.1

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/apache2/2.4/htdocs"
<Directory "/var/apache2/2.4/htdocs">
    Options Indexes FollowSymLinks

    AllowOverride None

    Require all granted
</Directory>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "/var/apache2/2.4/logs/error_log"

LogLevel warn

<Directory "/var/apache2/2.4/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

SSLEngine               on
SSLProtocol TLSv1.1 +TLSv1.2
SSLCertificateFile /etc/certs/localhost/host.crt
SSLCertificateKeyFile /etc/certs/localhost/host.key
SSLCACertificateFile /etc/certs/localhost/host-ca/hostca.crt
SSLCertificateChainFile /etc/certs/localhost/host-ca/hostca.crt
ErrorDocument 400 "https://myserver:215"
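The behaviour described above comes down to how the listener interprets the first bytes a client sends. The following is an added example, not code from this thread, from httpd or from OpenSSL: it contrasts a version-flexible check that recognises a plaintext HTTP request line (the case in which mod_ssl can still send the ErrorDocument 400) with a strict check that parses those same bytes as a TLS record header and rejects "GET " as a wrong version number. The function names, the constructed sample inputs and the mapping onto the AH-codes seen later in the thread are assumptions made for this example.

```python
# Added example, not code from the thread or from httpd/OpenSSL.
# It shows the two ways a TLS listener can react to plaintext HTTP:
#   - a version-flexible server looks at the first bytes and recognises an
#     HTTP request line, so the server can answer with an error page;
#   - a server that only parses a TLS record header reads "GET " as
#     content type 0x47, version 0x4554 and rejects it as "wrong version number".
# Function names and sample inputs are assumptions / constructed for this example.
from typing import Dict

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")
TLS_HANDSHAKE = 0x16  # record-layer content type "handshake"
# Record-layer versions a ClientHello may carry (TLS 1.3 also uses 0x0303 here).
RECORD_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def classify_first_bytes(data: bytes) -> Dict[str, object]:
    """Version-flexible view: TLS record, plaintext HTTP request, or neither."""
    if len(data) < 5:
        return {"kind": "unknown", "reason": "need at least 5 bytes"}
    if data.startswith(HTTP_METHODS):
        request_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "http", "request_line": request_line}
    content_type = data[0]
    version = (data[1] << 8) | data[2]
    length = (data[3] << 8) | data[4]
    if content_type == TLS_HANDSHAKE and version in RECORD_VERSIONS:
        return {"kind": "tls", "record_version": RECORD_VERSIONS[version],
                "record_length": length}
    return {"kind": "unknown", "content_type": content_type,
            "version": f"0x{version:04x}"}


def strict_record_check(data: bytes) -> str:
    """Single-protocol view: the first five bytes must be a TLS 3.x record header."""
    if len(data) < 5:
        return "incomplete record header"
    version = (data[1] << 8) | data[2]
    if data[1] != 0x03:  # major version byte must be 3 for SSLv3/TLS records
        return f"wrong version number (0x{version:04x})"
    if data[0] != TLS_HANDSHAKE:
        return f"unexpected content type 0x{data[0]:02x}"
    return "record header ok"


def expected_log_code(data: bytes, flexible_method: bool) -> str:
    """Which mod_ssl message (codes as they appear in the thread's logs) each server type would log."""
    if flexible_method and classify_first_bytes(data)["kind"] == "http":
        return "AH01996 (HTTP spoken on HTTPS port; error page attempted)"
    if strict_record_check(data) != "record header ok":
        return "AH02008 (SSL library error in handshake; connection closed)"
    return "no error: handshake proceeds"


# Constructed samples: a plaintext request and a minimal ClientHello record header.
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: myserver:215\r\n\r\n"
CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for label, sample in (("plain HTTP", PLAIN_HTTP), ("ClientHello", CLIENT_HELLO)):
        print(label, classify_first_bytes(sample), "/", strict_record_check(sample))
        for flexible in (True, False):
            print("  flexible" if flexible else "  strict  ", "->",
                  expected_log_code(sample, flexible))
```

Running the block prints, for the plaintext request, the AH01996 path under the flexible check and the AH02008 path under the strict one, which is the same split the thread observes between `SSLProtocol TLSv1.1 +TLSv1.2` and `SSLProtocol TLSv1.2`.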

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by "Pavel Heimlich, a.k.a. hajma" <tr...@gmail.com>.
On Thu, 24 Jun 2021 at 17:54, Otis Dewitt - NOAA Affiliate
<ot...@noaa.gov.invalid> wrote:

> You may be having certificate issues. Try testing the certificates first.
>
> # Your first error message is:   AH02008: SSL library error 1 in handshake
>
> # Run This
> openssl verify  /etc/certs/localhost/host.crt
>
>
# openssl verify  /etc/certs/localhost/host.crt
/etc/certs/localhost/host.crt: OK


> # If you get This
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> # Then Run this with your CA file
> openssl verify -CAfile /etc/certs/CA/locate CAfile
> /etc/certs/localhost/host.crt
>
>
# openssl verify -CAfile /etc/certs/CA/localhost-hostca.pem
/etc/certs/localhost/host.crt
/etc/certs/localhost/host.crt: OK

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by Otis Dewitt - NOAA Affiliate <ot...@noaa.gov.INVALID>.
You may be having certificate issues. Try testing the certificates first.

# Your first error message is:   AH02008: SSL library error 1 in handshake

# Run This
openssl verify  /etc/certs/localhost/host.crt

# If you get This
error 20 at 0 depth lookup:unable to get local issuer certificate

# Then Run this with your CA file
openssl verify -CAfile /etc/certs/CA/locate CAfile
/etc/certs/localhost/host.crt

# Any error here should help you resolve the issue.

On Thu, Jun 24, 2021 at 4:22 AM Pavel Heimlich, a.k.a. hajma <
tropikhajma@gmail.com> wrote:

> With the
> SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
> line in config:
>
> [Thu Jun 24 07:59:41.488363 2021] [ssl:info] [pid 2213:tid 1] AH01883:
> Init: Initialized OpenSSL library
> [Thu Jun 24 07:59:41.488427 2021] [ssl:warn] [pid 2213:tid 1] AH01873:
> Init: Session Cache is not configured [hint: SSLSessionCache]
> [Thu Jun 24 07:59:41.488443 2021] [ssl:info] [pid 2213:tid 1] AH01887:
> Init: Initializing (virtual) servers for SSL
> [Thu Jun 24 07:59:41.488456 2021] [ssl:info] [pid 2213:tid 1] AH01914:
> Configuring server 127.0.0.1:443 for SSL protocol
> [Thu Jun 24 07:59:41.488779 2021] [ssl:debug] [pid 2213:tid 1]
> ssl_engine_init.c(2097): AH02209: CA certificate: CN=solaris,O=Host Root CA
> [Thu Jun 24 07:59:41.488961 2021] [ssl:debug] [pid 2213:tid 1]
> ssl_engine_init.c(1142): AH01904: Configuring server certificate chain (1
> CA certificate)
> [Thu Jun 24 07:59:41.488980 2021] [ssl:debug] [pid 2213:tid 1]
> ssl_engine_init.c(500): AH01893: Configuring TLS extension handling
> [Thu Jun 24 07:59:41.489222 2021] [ssl:debug] [pid 2213:tid 1]
> ssl_util_ssl.c(451): AH02412: [127.0.0.1:443] Cert does not match for
> name '127.0.0.1' [subject: CN=ST098 / issuer: CN=solaris,O=Host Root CA /
> serial: 4A755690944C / notbefore: Jun  9 14:26:00 2021 GMT / notafter: Jun
>  9 14:26:00 2022 GMT]
> [Thu Jun 24 07:59:41.489250 2021] [ssl:warn] [pid 2213:tid 1] AH01909:
> 127.0.0.1:443:0 server certificate does NOT include an ID which matches
> the server name
> [Thu Jun 24 07:59:41.489263 2021] [ssl:info] [pid 2213:tid 1] AH02568:
> Certificate and private key 127.0.0.1:443:0 configured from
> /etc/certs/localhost/host.crt and /etc/certs/localhost/host.key
> [Thu Jun 24 07:59:41.489416 2021] [ssl:info] [pid 2213:tid 1] AH01876:
> mod_ssl/2.4.47 compiled against Server: Apache/2.4.47, Library:
> OpenSSL/1.0.2y
> [Thu Jun 24 07:59:41.489752 2021] [mpm_event:notice] [pid 2213:tid 1]
> AH00489: Apache/2.4.47 (Unix) OpenSSL/1.0.2y-fips configured -- resuming
> normal operations
> [Thu Jun 24 07:59:41.489773 2021] [mpm_event:info] [pid 2213:tid 1]
> AH00490: Server built: May 21 2021 14:00:57
> [Thu Jun 24 07:59:41.489786 2021] [core:notice] [pid 2213:tid 1] AH00094:
> Command line: '/usr/apache2/2.4/bin/httpd'
> [Thu Jun 24 07:59:41.489804 2021] [core:debug] [pid 2213:tid 1]
> log.c(1570): AH02639: Using SO_REUSEPORT: no (1)
> [Thu Jun 24 07:59:42.493418 2021] [mpm_event:debug] [pid 2752:tid 2]
> event.c(2298): AH02471: start_threads: Using port (wakeable)
> [Thu Jun 24 07:59:42.497865 2021] [mpm_event:debug] [pid 2753:tid 2]
> event.c(2298): AH02471: start_threads: Using port (wakeable)
> [Thu Jun 24 07:59:42.565017 2021] [mpm_event:debug] [pid 2754:tid 2]
> event.c(2298): AH02471: start_threads: Using port (wakeable)
> Note ^ Now the server is fully started
> Note v Starting the client
> [Thu Jun 24 08:00:39.187556 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60576] AH01964: Connection to child 152 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:00:39.188524 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60576] AH02008: SSL library error 1 in handshake (server
> 127.0.0.1:443)
> [Thu Jun 24 08:00:39.188666 2021] [ssl:info] [pid 2754:tid 27] SSL Library
> Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> [Thu Jun 24 08:00:39.188694 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60576] AH01998: Connection closed to child 152 with
> abortive shutdown (server 127.0.0.1:443)
> [Thu Jun 24 08:00:39.306587 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60578] AH01964: Connection to child 152 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:00:39.306887 2021] [ssl:info] [pid 2754:tid 27]
> (-1385897552)Unknown error: [client 10.175.18.160:60578] AH02008: SSL
> library error 1 in handshake (server 127.0.0.1:443)
> [Thu Jun 24 08:00:39.307024 2021] [ssl:info] [pid 2754:tid 27] SSL Library
> Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> [Thu Jun 24 08:00:39.307044 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60578] AH01998: Connection closed to child 152 with
> abortive shutdown (server 127.0.0.1:443)
> [Thu Jun 24 08:00:39.438365 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60580] AH01964: Connection to child 152 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:00:39.438634 2021] [ssl:info] [pid 2754:tid 27]
> (-1385897552)Unknown error: [client 10.175.18.160:60580] AH02008: SSL
> library error 1 in handshake (server 127.0.0.1:443)
> [Thu Jun 24 08:00:39.438686 2021] [ssl:info] [pid 2754:tid 27] SSL Library
> Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> [Thu Jun 24 08:00:39.438705 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60580] AH01998: Connection closed to child 152 with
> abortive shutdown (server 127.0.0.1:443)
> [Thu Jun 24 08:00:39.559198 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60582] AH01964: Connection to child 152 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:00:39.559407 2021] [ssl:info] [pid 2754:tid 27]
> (-1385897552)Unknown error: [client 10.175.18.160:60582] AH02008: SSL
> library error 1 in handshake (server 127.0.0.1:443)
> [Thu Jun 24 08:00:39.559448 2021] [ssl:info] [pid 2754:tid 27] SSL Library
> Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> [Thu Jun 24 08:00:39.559466 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60582] AH01998: Connection closed to child 152 with
> abortive shutdown (server 127.0.0.1:443)
> [Thu Jun 24 08:00:39.687589 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60584] AH01964: Connection to child 152 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:00:39.687913 2021] [ssl:info] [pid 2754:tid 27]
> (-1385897552)Unknown error: [client 10.175.18.160:60584] AH02008: SSL
> library error 1 in handshake (server 127.0.0.1:443)
> [Thu Jun 24 08:00:39.687974 2021] [ssl:info] [pid 2754:tid 27] SSL Library
> Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> [Thu Jun 24 08:00:39.688008 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60584] AH01998: Connection closed to child 152 with
> abortive shutdown (server 127.0.0.1:443)
> [Thu Jun 24 08:00:39.815258 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60586] AH01964: Connection to child 152 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:00:39.815532 2021] [ssl:info] [pid 2754:tid 27]
> (-1385897552)Unknown error: [client 10.175.18.160:60586] AH02008: SSL
> library error 1 in handshake (server 127.0.0.1:443)
> [Thu Jun 24 08:00:39.815585 2021] [ssl:info] [pid 2754:tid 27] SSL Library
> Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> [Thu Jun 24 08:00:39.815603 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60586] AH01998: Connection closed to child 152 with
> abortive shutdown (server 127.0.0.1:443)
> [Thu Jun 24 08:00:39.945447 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60588] AH01964: Connection to child 152 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:00:39.945650 2021] [ssl:info] [pid 2754:tid 27]
> (-1385897552)Unknown error: [client 10.175.18.160:60588] AH02008: SSL
> library error 1 in handshake (server 127.0.0.1:443)
> [Thu Jun 24 08:00:39.945692 2021] [ssl:info] [pid 2754:tid 27] SSL Library
> Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> [Thu Jun 24 08:00:39.945710 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60588] AH01998: Connection closed to child 152 with
> abortive shutdown (server 127.0.0.1:443)
> [Thu Jun 24 08:00:40.075017 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60590] AH01964: Connection to child 152 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:00:40.075213 2021] [ssl:info] [pid 2754:tid 27]
> (-1385897552)Unknown error: [client 10.175.18.160:60590] AH02008: SSL
> library error 1 in handshake (server 127.0.0.1:443)
> [Thu Jun 24 08:00:40.075295 2021] [ssl:info] [pid 2754:tid 27] SSL Library
> Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> [Thu Jun 24 08:00:40.075342 2021] [ssl:info] [pid 2754:tid 27] [client
> 10.175.18.160:60590] AH01998: Connection closed to child 152 with
> abortive shutdown (server 127.0.0.1:443)
> [Thu Jun 24 08:00:40.203748 2021] [ssl:info] [pid 2754:tid 26] [client
> 10.175.18.160:60592] AH01964: Connection to child 151 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:00:40.203997 2021] [ssl:info] [pid 2754:tid 26]
> (-1385897552)Unknown error: [client 10.175.18.160:60592] AH02008: SSL
> library error 1 in handshake (server 127.0.0.1:443)
> [Thu Jun 24 08:00:40.204064 2021] [ssl:info] [pid 2754:tid 26] SSL Library
> Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> [Thu Jun 24 08:00:40.204101 2021] [ssl:info] [pid 2754:tid 26] [client
> 10.175.18.160:60592] AH01998: Connection closed to child 151 with
> abortive shutdown (server 127.0.0.1:443)
> [Thu Jun 24 08:00:40.331214 2021] [ssl:info] [pid 2754:tid 26] [client
> 10.175.18.160:60594] AH01964: Connection to child 151 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:00:40.331513 2021] [ssl:info] [pid 2754:tid 26]
> (-1385897552)Unknown error: [client 10.175.18.160:60594] AH02008: SSL
> library error 1 in handshake (server 127.0.0.1:443)
> [Thu Jun 24 08:00:40.331555 2021] [ssl:info] [pid 2754:tid 26] SSL Library
> Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> [Thu Jun 24 08:00:40.331573 2021] [ssl:info] [pid 2754:tid 26] [client
> 10.175.18.160:60594] AH01998: Connection closed to child 151 with
> abortive shutdown (server 127.0.0.1:443)
>
> With
> SSLProtocol TLSv1.1 +TLSv1.2
> in config:
> (The startup part is identical, skipping that)
> [Thu Jun 24 08:07:11.248472 2021] [ssl:info] [pid 2773:tid 27] [client
> 10.175.18.160:60708] AH01964: Connection to child 344 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:07:11.249320 2021] [ssl:info] [pid 2773:tid 27] [client
> 10.175.18.160:60708] AH01996: SSL handshake failed: HTTP spoken on HTTPS
> port; trying to send HTML error page
> [Thu Jun 24 08:07:11.249464 2021] [ssl:info] [pid 2773:tid 27] SSL Library
> Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request --
> speaking HTTP to HTTPS port!?
> [Thu Jun 24 08:07:11.382584 2021] [ssl:info] [pid 2773:tid 27] [client
> 10.175.18.160:60710] AH01964: Connection to child 344 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:07:11.390393 2021] [ssl:debug] [pid 2773:tid 27]
> ssl_engine_kernel.c(2389): [client 10.175.18.160:60710] AH02044: No
> matching SSL virtual host for servername myserver found (using
> default/first virtual host)
> [Thu Jun 24 08:07:11.390553 2021] [core:debug] [pid 2773:tid 27]
> protocol.c(2346): [client 10.175.18.160:60710] AH03155: select protocol
> from , choices=h2,http/1.1 for server 127.0.0.1
> [Thu Jun 24 08:07:11.472125 2021] [ssl:debug] [pid 2773:tid 27]
> ssl_engine_kernel.c(2252): [client 10.175.18.160:60710] AH02041:
> Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> [Thu Jun 24 08:07:11.478503 2021] [ssl:debug] [pid 2773:tid 27]
> ssl_engine_kernel.c(415): [client 10.175.18.160:60710] AH02034: Initial
> (No.1) HTTPS request received for child 344 (server 127.0.0.1:443)
> [Thu Jun 24 08:07:11.478634 2021] [authz_core:debug] [pid 2773:tid 27]
> mod_authz_core.c(815): [client 10.175.18.160:60710] AH01626:
> authorization result of Require all granted: granted
> [Thu Jun 24 08:07:11.478654 2021] [authz_core:debug] [pid 2773:tid 27]
> mod_authz_core.c(815): [client 10.175.18.160:60710] AH01626:
> authorization result of <RequireAny>: granted
> [Thu Jun 24 08:07:11.478675 2021] [core:info] [pid 2773:tid 27] [client
> 10.175.18.160:60710] AH00129: Attempt to serve directory:
> /var/apache2/2.4/htdocs/
>
>
>
> On Thu, 24 Jun 2021 at 3:46, Otis Dewitt - NOAA Affiliate
> <ot...@noaa.gov.invalid> wrote:
>
>> What does the /var/log/httpd/error_log say?  Paste that.
>>
>>

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by "Pavel Heimlich, a.k.a. hajma" <tr...@gmail.com>.
With the
SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
line in config:

[Thu Jun 24 07:59:41.488363 2021] [ssl:info] [pid 2213:tid 1] AH01883:
Init: Initialized OpenSSL library
[Thu Jun 24 07:59:41.488427 2021] [ssl:warn] [pid 2213:tid 1] AH01873:
Init: Session Cache is not configured [hint: SSLSessionCache]
[Thu Jun 24 07:59:41.488443 2021] [ssl:info] [pid 2213:tid 1] AH01887:
Init: Initializing (virtual) servers for SSL
[Thu Jun 24 07:59:41.488456 2021] [ssl:info] [pid 2213:tid 1] AH01914:
Configuring server 127.0.0.1:443 for SSL protocol
[Thu Jun 24 07:59:41.488779 2021] [ssl:debug] [pid 2213:tid 1]
ssl_engine_init.c(2097): AH02209: CA certificate: CN=solaris,O=Host Root CA
[Thu Jun 24 07:59:41.488961 2021] [ssl:debug] [pid 2213:tid 1]
ssl_engine_init.c(1142): AH01904: Configuring server certificate chain (1
CA certificate)
[Thu Jun 24 07:59:41.488980 2021] [ssl:debug] [pid 2213:tid 1]
ssl_engine_init.c(500): AH01893: Configuring TLS extension handling
[Thu Jun 24 07:59:41.489222 2021] [ssl:debug] [pid 2213:tid 1]
ssl_util_ssl.c(451): AH02412: [127.0.0.1:443] Cert does not match for name
'127.0.0.1' [subject: CN=ST098 / issuer: CN=solaris,O=Host Root CA /
serial: 4A755690944C / notbefore: Jun  9 14:26:00 2021 GMT / notafter: Jun
 9 14:26:00 2022 GMT]
[Thu Jun 24 07:59:41.489250 2021] [ssl:warn] [pid 2213:tid 1] AH01909:
127.0.0.1:443:0 server certificate does NOT include an ID which matches the
server name
[Thu Jun 24 07:59:41.489263 2021] [ssl:info] [pid 2213:tid 1] AH02568:
Certificate and private key 127.0.0.1:443:0 configured from
/etc/certs/localhost/host.crt and /etc/certs/localhost/host.key
[Thu Jun 24 07:59:41.489416 2021] [ssl:info] [pid 2213:tid 1] AH01876:
mod_ssl/2.4.47 compiled against Server: Apache/2.4.47, Library:
OpenSSL/1.0.2y
[Thu Jun 24 07:59:41.489752 2021] [mpm_event:notice] [pid 2213:tid 1]
AH00489: Apache/2.4.47 (Unix) OpenSSL/1.0.2y-fips configured -- resuming
normal operations
[Thu Jun 24 07:59:41.489773 2021] [mpm_event:info] [pid 2213:tid 1]
AH00490: Server built: May 21 2021 14:00:57
[Thu Jun 24 07:59:41.489786 2021] [core:notice] [pid 2213:tid 1] AH00094:
Command line: '/usr/apache2/2.4/bin/httpd'
[Thu Jun 24 07:59:41.489804 2021] [core:debug] [pid 2213:tid 1]
log.c(1570): AH02639: Using SO_REUSEPORT: no (1)
[Thu Jun 24 07:59:42.493418 2021] [mpm_event:debug] [pid 2752:tid 2]
event.c(2298): AH02471: start_threads: Using port (wakeable)
[Thu Jun 24 07:59:42.497865 2021] [mpm_event:debug] [pid 2753:tid 2]
event.c(2298): AH02471: start_threads: Using port (wakeable)
[Thu Jun 24 07:59:42.565017 2021] [mpm_event:debug] [pid 2754:tid 2]
event.c(2298): AH02471: start_threads: Using port (wakeable)
Note ^ Now the server is fully started
Note v Starting the client
[Thu Jun 24 08:00:39.187556 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60576] AH01964: Connection to child 152 established (server
127.0.0.1:443)
[Thu Jun 24 08:00:39.188524 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60576] AH02008: SSL library error 1 in handshake (server
127.0.0.1:443)
[Thu Jun 24 08:00:39.188666 2021] [ssl:info] [pid 2754:tid 27] SSL Library
Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.188694 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60576] AH01998: Connection closed to child 152 with abortive
shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.306587 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60578] AH01964: Connection to child 152 established (server
127.0.0.1:443)
[Thu Jun 24 08:00:39.306887 2021] [ssl:info] [pid 2754:tid 27]
(-1385897552)Unknown error: [client 10.175.18.160:60578] AH02008: SSL
library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.307024 2021] [ssl:info] [pid 2754:tid 27] SSL Library
Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.307044 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60578] AH01998: Connection closed to child 152 with abortive
shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.438365 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60580] AH01964: Connection to child 152 established (server
127.0.0.1:443)
[Thu Jun 24 08:00:39.438634 2021] [ssl:info] [pid 2754:tid 27]
(-1385897552)Unknown error: [client 10.175.18.160:60580] AH02008: SSL
library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.438686 2021] [ssl:info] [pid 2754:tid 27] SSL Library
Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.438705 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60580] AH01998: Connection closed to child 152 with abortive
shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.559198 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60582] AH01964: Connection to child 152 established (server
127.0.0.1:443)
[Thu Jun 24 08:00:39.559407 2021] [ssl:info] [pid 2754:tid 27]
(-1385897552)Unknown error: [client 10.175.18.160:60582] AH02008: SSL
library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.559448 2021] [ssl:info] [pid 2754:tid 27] SSL Library
Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.559466 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60582] AH01998: Connection closed to child 152 with abortive
shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.687589 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60584] AH01964: Connection to child 152 established (server
127.0.0.1:443)
[Thu Jun 24 08:00:39.687913 2021] [ssl:info] [pid 2754:tid 27]
(-1385897552)Unknown error: [client 10.175.18.160:60584] AH02008: SSL
library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.687974 2021] [ssl:info] [pid 2754:tid 27] SSL Library
Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.688008 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60584] AH01998: Connection closed to child 152 with abortive
shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.815258 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60586] AH01964: Connection to child 152 established (server
127.0.0.1:443)
[Thu Jun 24 08:00:39.815532 2021] [ssl:info] [pid 2754:tid 27]
(-1385897552)Unknown error: [client 10.175.18.160:60586] AH02008: SSL
library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.815585 2021] [ssl:info] [pid 2754:tid 27] SSL Library
Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.815603 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60586] AH01998: Connection closed to child 152 with abortive
shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.945447 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60588] AH01964: Connection to child 152 established (server
127.0.0.1:443)
[Thu Jun 24 08:00:39.945650 2021] [ssl:info] [pid 2754:tid 27]
(-1385897552)Unknown error: [client 10.175.18.160:60588] AH02008: SSL
library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.945692 2021] [ssl:info] [pid 2754:tid 27] SSL Library
Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.945710 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60588] AH01998: Connection closed to child 152 with abortive
shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.075017 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60590] AH01964: Connection to child 152 established (server
127.0.0.1:443)
[Thu Jun 24 08:00:40.075213 2021] [ssl:info] [pid 2754:tid 27]
(-1385897552)Unknown error: [client 10.175.18.160:60590] AH02008: SSL
library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.075295 2021] [ssl:info] [pid 2754:tid 27] SSL Library
Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:40.075342 2021] [ssl:info] [pid 2754:tid 27] [client
10.175.18.160:60590] AH01998: Connection closed to child 152 with abortive
shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.203748 2021] [ssl:info] [pid 2754:tid 26] [client
10.175.18.160:60592] AH01964: Connection to child 151 established (server
127.0.0.1:443)
[Thu Jun 24 08:00:40.203997 2021] [ssl:info] [pid 2754:tid 26]
(-1385897552)Unknown error: [client 10.175.18.160:60592] AH02008: SSL
library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.204064 2021] [ssl:info] [pid 2754:tid 26] SSL Library
Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:40.204101 2021] [ssl:info] [pid 2754:tid 26] [client
10.175.18.160:60592] AH01998: Connection closed to child 151 with abortive
shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.331214 2021] [ssl:info] [pid 2754:tid 26] [client
10.175.18.160:60594] AH01964: Connection to child 151 established (server
127.0.0.1:443)
[Thu Jun 24 08:00:40.331513 2021] [ssl:info] [pid 2754:tid 26]
(-1385897552)Unknown error: [client 10.175.18.160:60594] AH02008: SSL
library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.331555 2021] [ssl:info] [pid 2754:tid 26] SSL Library
Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:40.331573 2021] [ssl:info] [pid 2754:tid 26] [client
10.175.18.160:60594] AH01998: Connection closed to child 151 with abortive
shutdown (server 127.0.0.1:443)

With
SSLProtocol TLSv1.1 +TLSv1.2
in config:
(The startup part is identical, skipping that)
[Thu Jun 24 08:07:11.248472 2021] [ssl:info] [pid 2773:tid 27] [client
10.175.18.160:60708] AH01964: Connection to child 344 established (server
127.0.0.1:443)
[Thu Jun 24 08:07:11.249320 2021] [ssl:info] [pid 2773:tid 27] [client
10.175.18.160:60708] AH01996: SSL handshake failed: HTTP spoken on HTTPS
port; trying to send HTML error page
[Thu Jun 24 08:07:11.249464 2021] [ssl:info] [pid 2773:tid 27] SSL Library
Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request --
speaking HTTP to HTTPS port!?
[Thu Jun 24 08:07:11.382584 2021] [ssl:info] [pid 2773:tid 27] [client
10.175.18.160:60710] AH01964: Connection to child 344 established (server
127.0.0.1:443)
[Thu Jun 24 08:07:11.390393 2021] [ssl:debug] [pid 2773:tid 27]
ssl_engine_kernel.c(2389): [client 10.175.18.160:60710] AH02044: No
matching SSL virtual host for servername myserver found (using
default/first virtual host)
[Thu Jun 24 08:07:11.390553 2021] [core:debug] [pid 2773:tid 27]
protocol.c(2346): [client 10.175.18.160:60710] AH03155: select protocol
from , choices=h2,http/1.1 for server 127.0.0.1
[Thu Jun 24 08:07:11.472125 2021] [ssl:debug] [pid 2773:tid 27]
ssl_engine_kernel.c(2252): [client 10.175.18.160:60710] AH02041: Protocol:
TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Thu Jun 24 08:07:11.478503 2021] [ssl:debug] [pid 2773:tid 27]
ssl_engine_kernel.c(415): [client 10.175.18.160:60710] AH02034: Initial
(No.1) HTTPS request received for child 344 (server 127.0.0.1:443)
[Thu Jun 24 08:07:11.478634 2021] [authz_core:debug] [pid 2773:tid 27]
mod_authz_core.c(815): [client 10.175.18.160:60710] AH01626: authorization
result of Require all granted: granted
[Thu Jun 24 08:07:11.478654 2021] [authz_core:debug] [pid 2773:tid 27]
mod_authz_core.c(815): [client 10.175.18.160:60710] AH01626: authorization
result of <RequireAny>: granted
[Thu Jun 24 08:07:11.478675 2021] [core:info] [pid 2773:tid 27] [client
10.175.18.160:60710] AH00129: Attempt to serve directory:
/var/apache2/2.4/htdocs/



On Thu, 24 Jun 2021 at 3:46, Otis Dewitt - NOAA Affiliate
<ot...@noaa.gov.invalid> wrote:

> What does the /var/log/httpd/error_log say?  Paste that.
>
>
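A way to read the two error_log excerpts above without scrolling through them by hand: the following is an added example, not code from the thread or from httpd, that groups mod_ssl lines per client address:port, attaches the "SSL Library Error" lines (which carry no client tag) to the last client seen on the same pid:tid, and reports one verdict per connection. The regexes, function names and verdict wording are assumptions; the sample lines are constructed from the messages pasted above, re-joined onto single lines.

```python
# Added example, not code from the thread or from httpd. Triages mod_ssl
# error_log lines per client connection. Regexes, names and verdict wording are
# assumptions; SAMPLE_LOG is constructed from lines quoted in the thread.
import re
from typing import Dict, List, Tuple

HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<rest>.*)$")
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\]")
CODE_RE = re.compile(r"\b(AH\d{5})\b")
LIB_RE = re.compile(r"SSL Library Error: error:([0-9A-Fa-f]{8}):(.*)$")

# Constructed sample: the thread's lines, each re-joined onto one line.
SAMPLE_LOG = [
    "[Thu Jun 24 08:00:39.187556 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60576] AH01964: Connection to child 152 established (server 127.0.0.1:443)",
    "[Thu Jun 24 08:00:39.188524 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60576] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)",
    "[Thu Jun 24 08:00:39.188666 2021] [ssl:info] [pid 2754:tid 27] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number",
    "[Thu Jun 24 08:00:39.306887 2021] [ssl:info] [pid 2754:tid 27] (-1385897552)Unknown error: [client 10.175.18.160:60578] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)",
    "[Thu Jun 24 08:00:39.307024 2021] [ssl:info] [pid 2754:tid 27] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number",
    "[Thu Jun 24 08:07:11.248472 2021] [ssl:info] [pid 2773:tid 27] [client 10.175.18.160:60708] AH01964: Connection to child 344 established (server 127.0.0.1:443)",
    "[Thu Jun 24 08:07:11.249320 2021] [ssl:info] [pid 2773:tid 27] [client 10.175.18.160:60708] AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page",
    "[Thu Jun 24 08:07:11.472125 2021] [ssl:debug] [pid 2773:tid 27] ssl_engine_kernel.c(2252): [client 10.175.18.160:60710] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
]

Event = Tuple[str, str]  # (tag, detail)


def collect_events(lines: List[str]) -> Dict[str, List[Event]]:
    """Group AH-coded and library-error events by client, in log order."""
    last_client: Dict[Tuple[str, str], str] = {}
    events: Dict[str, List[Event]] = {}
    for line in lines:
        h = HEADER_RE.match(line)
        if not h:
            continue  # not an httpd error_log line
        rest, key = h["rest"], (h["pid"], h["tid"])
        c = CLIENT_RE.search(rest)
        if c:
            client = c["client"]
            last_client[key] = client
        else:
            client = last_client.get(key)  # library-error lines carry no client tag
        if client is None:
            continue
        code = CODE_RE.search(rest)
        lib = LIB_RE.search(rest)
        if code:
            events.setdefault(client, []).append(
                (code.group(1), rest[code.end():].lstrip(": ")))
        elif lib:
            reason = lib.group(2).rsplit(":", 1)[-1]  # last component of the OpenSSL error string
            events.setdefault(client, []).append(("lib:" + lib.group(1), reason))
    return events


def verdict(evs: List[Event]) -> str:
    """One-line outcome for a connection, most conclusive event first."""
    tags = {tag for tag, _ in evs}
    if "AH02041" in tags:
        return "handshake ok (" + next(d for t, d in evs if t == "AH02041") + ")"
    if "AH01996" in tags:
        return "plaintext HTTP detected; error page attempted"
    if "AH02008" in tags:
        reasons = [d for t, d in evs if t.startswith("lib:")]
        return "handshake failed: " + (reasons[0] if reasons else "unspecified library error")
    return "no handshake outcome logged"


def triage(lines: List[str]) -> Dict[str, str]:
    return {client: verdict(evs) for client, evs in collect_events(lines).items()}


if __name__ == "__main__":
    for client, result in triage(SAMPLE_LOG).items():
        print(f"{client:24} {result}")
```

On the sample lines this yields "handshake failed: wrong version number" for the two connections logged under `SSLProtocol TLSv1.2`, and "plaintext HTTP detected; error page attempted" followed by a successful TLSv1.2 handshake for the two connections logged under `SSLProtocol TLSv1.1 +TLSv1.2`.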

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by Otis Dewitt - NOAA Affiliate <ot...@noaa.gov.INVALID>.
What does the /var/log/httpd/error_log say?  Paste that.

On Wed, Jun 23, 2021 at 8:06 PM Pavel Heimlich, a.k.a. hajma <
tropikhajma@gmail.com> wrote:

> On Wed, 23 Jun 2021 at 23:06, Otis Dewitt - NOAA Affiliate
> <ot...@noaa.gov.invalid> wrote:
>
>> Check your Openssl ciphers to see if it supports TLS 1.2
>> Try:
>>
>> SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
>> SSLCipherSuite
>>  HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES128-SHA:!AES128-GCM-SHA256:!AES128-GCM-SHA384:!PSK:!SRP:!KRB5:@STRENGTH
>>
>
> This made no difference. 'The connection was reset'
>
>
>>
>> # openssl ciphers -tls1
>>
>
> # openssl ciphers -tls1
>
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
>
>

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by "Pavel Heimlich, a.k.a. hajma" <tr...@gmail.com>.
I've rebuilt Apache against OpenSSL 3.0 beta 1 and there the redirect
works.
Unfortunately switching to OpenSSL 3.0 (or 1.1 where I expect it to also
work) is not an option at the moment.

On Thu, 24 Jun 2021 at 18:55, Pavel Heimlich, a.k.a. hajma <
tropikhajma@gmail.com> wrote:

> it seems unrelated. Their issue is when there's a gap in the list of
> protocols. That's not my case.
>
> On Thu, 24 Jun 2021 at 17:34, Nick Folino <ni...@folino.us> wrote:
>
>> See if this helps.  From 2 Jun.
>>
>> "Newer Apache does not offer TLS cipher with TLSv1 anymore"
>>
>> On Thu, Jun 24, 2021 at 11:24 AM Pavel Heimlich, a.k.a. hajma <
>> tropikhajma@gmail.com> wrote:
>>
>>> I went through the past 6 months and couldn't find a relevant one. Would
>>> you recall some particular keyword I could search for?
>>>
>>> On Thu, 24 Jun 2021 at 12:37, Nick Folino <ni...@folino.us> wrote:
>>>
>>>> Search the archives.  I believe there's a recent thread about this.
>>>>
>>>> On Thu, Jun 24, 2021 at 4:26 AM Pavel Heimlich, a.k.a. hajma <
>>>> tropikhajma@gmail.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> Thu 24 Jun 2021 at 3:56, Jim Albert <ji...@netrition.com>
>>>>> wrote:
>>>>>
>>>>>> Have you attempted from more than one client?
>>>>>>
>>>>>
>>>>> Yes. Firefox and wget. Both behave identically.
>>>>>
>>>>>
>>>>>>
>>>>>> Expand more, please on what you have running on port 215. I'm
>>>>>> unfamiliar with the Solaris apache configs.
>>>>>>
>>>>>
>>>>> There's just the Apache server, nothing else.
>>>>>
>>>>

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by "Pavel Heimlich, a.k.a. hajma" <tr...@gmail.com>.
It seems unrelated. Their issue is when there's a gap in the list of
protocols. That's not my case.

Thu 24 Jun 2021 at 17:34, Nick Folino <ni...@folino.us> wrote:

> See if this helps.  From 2 Jun.
>
> "Newer Apache does not offer TLS cipher with TLSv1 anymore"
>
> On Thu, Jun 24, 2021 at 11:24 AM Pavel Heimlich, a.k.a. hajma <
> tropikhajma@gmail.com> wrote:
>
>> I went through the past 6 months and couldn't find a relevant one. Would
>> you recall some particular keyword I could search for?
>>
>> Thu 24 Jun 2021 at 12:37, Nick Folino <ni...@folino.us> wrote:
>>
>>> Search the archives.  I believe there's a recent thread about this.
>>>
>>> On Thu, Jun 24, 2021 at 4:26 AM Pavel Heimlich, a.k.a. hajma <
>>> tropikhajma@gmail.com> wrote:
>>>
>>>>
>>>>
>>>> Thu 24 Jun 2021 at 3:56, Jim Albert <ji...@netrition.com> wrote:
>>>>
>>>>> Have you attempted from more than one client?
>>>>>
>>>>
>>>> Yes. Firefox and wget. Both behave identically.
>>>>
>>>>
>>>>>
>>>>> Expand more, please on what you have running on port 215. I'm
>>>>> unfamiliar with the Solaris apache configs.
>>>>>
>>>>
>>>> There's just the Apache server, nothing else.
>>>>
>>>

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by Nick Folino <ni...@folino.us>.
See if this helps.  From 2 Jun.

"Newer Apache does not offer TLS cipher with TLSv1 anymore"

On Thu, Jun 24, 2021 at 11:24 AM Pavel Heimlich, a.k.a. hajma <
tropikhajma@gmail.com> wrote:

> I went through the past 6 months and couldn't find a relevant one. Would
> you recall some particular keyword I could search for?
>
> Thu 24 Jun 2021 at 12:37, Nick Folino <ni...@folino.us> wrote:
>
>> Search the archives.  I believe there's a recent thread about this.
>>
>> On Thu, Jun 24, 2021 at 4:26 AM Pavel Heimlich, a.k.a. hajma <
>> tropikhajma@gmail.com> wrote:
>>
>>>
>>>
>>> Thu 24 Jun 2021 at 3:56, Jim Albert <ji...@netrition.com> wrote:
>>>
>>>> Have you attempted from more than one client?
>>>>
>>>
>>> Yes. Firefox and wget. Both behave identically.
>>>
>>>
>>>>
>>>> Expand more, please on what you have running on port 215. I'm
>>>> unfamiliar with the Solaris apache configs.
>>>>
>>>
>>> There's just the Apache server, nothing else.
>>>
>>

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by "Pavel Heimlich, a.k.a. hajma" <tr...@gmail.com>.
I went through the past 6 months and couldn't find a relevant one. Would
you recall some particular keyword I could search for?

Thu 24 Jun 2021 at 12:37, Nick Folino <ni...@folino.us> wrote:

> Search the archives.  I believe there's a recent thread about this.
>
> On Thu, Jun 24, 2021 at 4:26 AM Pavel Heimlich, a.k.a. hajma <
> tropikhajma@gmail.com> wrote:
>
>>
>>
>> Thu 24 Jun 2021 at 3:56, Jim Albert <ji...@netrition.com> wrote:
>>
>>> Have you attempted from more than one client?
>>>
>>
>> Yes. Firefox and wget. Both behave identically.
>>
>>
>>>
>>> Expand more, please on what you have running on port 215. I'm unfamiliar
>>> with the Solaris apache configs.
>>>
>>
>> There's just the Apache server, nothing else.
>>
>

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by Nick Folino <ni...@folino.us>.
Search the archives.  I believe there's a recent thread about this.

On Thu, Jun 24, 2021 at 4:26 AM Pavel Heimlich, a.k.a. hajma <
tropikhajma@gmail.com> wrote:

>
>
> Thu 24 Jun 2021 at 3:56, Jim Albert <ji...@netrition.com> wrote:
>
>> Have you attempted from more than one client?
>>
>
> Yes. Firefox and wget. Both behave identically.
>
>
>>
>> Expand more, please on what you have running on port 215. I'm unfamiliar
>> with the Solaris apache configs.
>>
>
> There's just the Apache server, nothing else.
>

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by Jim Albert <ji...@netrition.com>.
I'm not following your port configs.
If you want to listen on 215 for https then I'd expect you need:
Listen 215 https
... and then you'd have to choose a different port for http.

I'd try different ports and see if it makes a difference and possibly 
rule out any cipher issues.

Jim

On 6/24/2021 11:25 AM, Pavel Heimlich, a.k.a. hajma wrote:
> Basically yes. It was this hack that redirected users to https when 
> they tried http. But it stopped working when I tried to drop TLSv1.1.
>
> Thu 24 Jun 2021 at 15:31, Jim Albert <jim@netrition.com
> <ma...@netrition.com>> wrote:
>
>
>     215 is configured to answer for both http and https? I only see
>     one Listen config in your original post. I wasn't aware Apache can
>     distinguish based on the traffic and thought you need to use
>     different ports.
>
>     Jim
>



Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by "Pavel Heimlich, a.k.a. hajma" <tr...@gmail.com>.
Basically yes. It was this hack that redirected users to https when they
tried http. But it stopped working when I tried to drop TLSv1.1.

Thu 24 Jun 2021 at 15:31, Jim Albert <ji...@netrition.com> wrote:

>
> 215 is configured to answer for both http and https? I only see one Listen
> config in your original post. I wasn't aware Apache can distinguish based
> on the traffic and thought you need to use different ports.
>
> Jim
>

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by Jim Albert <ji...@netrition.com>.
On 6/24/2021 4:25 AM, Pavel Heimlich, a.k.a. hajma wrote:
>
>
> Thu 24 Jun 2021 at 3:56, Jim Albert <jim@netrition.com
> <ma...@netrition.com>> wrote:
>
>     Have you attempted from more than one client?
>
>
> Yes. Firefox and wget. Both behave identically.
>
>
>     Expand more, please on what you have running on port 215. I'm
>     unfamiliar with the Solaris apache configs.
>
>
> There's just the Apache server, nothing else.

215 is configured to answer for both http and https? I only see one 
Listen config in your original post. I wasn't aware Apache can 
distinguish based on the traffic and thought you need to use different 
ports.

Jim

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by "Pavel Heimlich, a.k.a. hajma" <tr...@gmail.com>.
Thu 24 Jun 2021 at 3:56, Jim Albert <ji...@netrition.com> wrote:

> Have you attempted from more than one client?
>

Yes. Firefox and wget. Both behave identically.


>
> Expand more, please on what you have running on port 215. I'm unfamiliar
> with the Solaris apache configs.
>

There's just the Apache server, nothing else.

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by Jim Albert <ji...@netrition.com>.
On 6/23/2021 8:06 PM, Pavel Heimlich, a.k.a. hajma wrote:
> Wed 23 Jun 2021 at 23:06, Otis Dewitt - NOAA Affiliate
> <ot...@noaa.gov.invalid> wrote:
>
>     Check your OpenSSL ciphers to see if it supports TLS 1.2
>     Try:
>
>     SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
>     SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES128-SHA:!AES128-GCM-SHA256:!AES128-GCM-SHA384:!PSK:!SRP:!KRB5:@STRENGTH
>
>
> This made no difference. 'The connection was reset'
>
>
>     # openssl ciphers -tls1
>
>
> # openssl ciphers -tls1
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA

Have you attempted from more than one client?

Expand more, please on what you have running on port 215. I'm unfamiliar 
with the Solaris apache configs.

Jim


Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by "Pavel Heimlich, a.k.a. hajma" <tr...@gmail.com>.
Wed 23 Jun 2021 at 23:06, Otis Dewitt - NOAA Affiliate
<ot...@noaa.gov.invalid> wrote:

> Check your OpenSSL ciphers to see if it supports TLS 1.2
> Try:
>
> SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
> SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES128-SHA:!AES128-GCM-SHA256:!AES128-GCM-SHA384:!PSK:!SRP:!KRB5:@STRENGTH
>

This made no difference. 'The connection was reset'


>
> # openssl ciphers -tls1
>

# openssl ciphers -tls1
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA

Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

Posted by Otis Dewitt - NOAA Affiliate <ot...@noaa.gov.INVALID>.
Check your OpenSSL ciphers to see if it supports TLS 1.2
Try:

SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES128-SHA:!AES128-GCM-SHA256:!AES128-GCM-SHA384:!PSK:!SRP:!KRB5:@STRENGTH

# openssl ciphers -tls1

On Wed, Jun 23, 2021 at 4:53 PM Pavel Heimlich, a.k.a. hajma <
tropikhajma@gmail.com> wrote:

> Hi,
> I use
> ErrorDocument 400 "https://myserver:215"
> to achieve redirection to secure connection for anyone who would access my
> server with just 'http://myserver:215'.
>
> This works as long as there's
> SSLProtocol TLSv1.1 +TLSv1.2
> specified in the configuration. However when I change that to just
> SSLProtocol TLSv1.2
> it stops working and the client gets "The connection was reset
> The connection to the server was reset while the page was loading."
> in their browser.
>
> I guess this is because Apache calls different OpenSSL functions based on
> the config setting at
>
> https://github.com/apache/httpd/blob/2f0f0d4e31bcf8b151ebc833ddd56c09dbff6462/modules/ssl/ssl_engine_init.c#L643
> or
>
> https://github.com/apache/httpd/blob/2f0f0d4e31bcf8b151ebc833ddd56c09dbff6462/modules/ssl/ssl_engine_init.c#L649
>
> and I am not sure if this is something that could be dealt with within
> Apache.
> Would you consider this worth logging a bug?
> Or would there be another way to achieve this?
>
> Thanks!
> P.
>
> P.S.:
> This is on Solaris 11.4, x86, Apache 2.4.47, OpenSSL 1.0
> My simplified config below:
>
> ServerRoot "/usr/apache2/2.4"
>
> Listen 215
>
> <IfDefine prefork>
> LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
> </IfDefine>
> <IfDefine worker>
> LoadModule mpm_worker_module libexec/mod_mpm_worker.so
> </IfDefine>
> <IfDefine !prefork>
> <IfDefine !worker>
> LoadModule mpm_event_module libexec/mod_mpm_event.so
> </IfDefine>
> </IfDefine>
>
> LoadModule ssl_module libexec/mod_ssl-fips-140.so
> LoadModule authz_core_module libexec/mod_authz_core.so
> LoadModule unixd_module libexec/mod_unixd.so
>
> <IfModule unixd_module>
> User webservd
> Group webservd
>
> </IfModule>
>
>
> ServerName 127.0.0.1
>
> <Directory />
>     AllowOverride none
>     Require all denied
> </Directory>
>
> DocumentRoot "/var/apache2/2.4/htdocs"
> <Directory "/var/apache2/2.4/htdocs">
>     Options Indexes FollowSymLinks
>
>     AllowOverride None
>
>     Require all granted
> </Directory>
>
> <Files ".ht*">
>     Require all denied
> </Files>
>
> ErrorLog "/var/apache2/2.4/logs/error_log"
>
> LogLevel warn
>
> <Directory "/var/apache2/2.4/cgi-bin">
>     AllowOverride None
>     Options None
>     Require all granted
> </Directory>
>
> <IfModule ssl_module>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> </IfModule>
>
> SSLEngine               on
> SSLProtocol TLSv1.1 +TLSv1.2
> SSLCertificateFile /etc/certs/localhost/host.crt
> SSLCertificateKeyFile /etc/certs/localhost/host.key
> SSLCACertificateFile /etc/certs/localhost/host-ca/hostca.crt
> SSLCertificateChainFile /etc/certs/localhost/host-ca/hostca.crt
> ErrorDocument 400 "https://myserver:215"
>
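The checks the thread asks for, as an added Python probe (not code from the thread, from httpd or from its documentation): it speaks plain HTTP to the TLS port the way 'http://myserver:215' does and classifies the reply (an HTTP 400 carrying the ErrorDocument versus the reported connection reset), then handshakes with each TLS version pinned to show which ones the SSLProtocol line actually left enabled. The host, port and cafile are values you supply; cafile is assumed to be a CA you trust for the host, such as the hostca.crt in the posted config.

```python
import socket
import ssl


def parse_http_head(raw: bytes):
    """Return (status_code, headers) from a raw HTTP reply, or (None, {}) if it has no status line."""
    lines = raw.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(parts[1]), headers


def probe_plain_http(host: str, port: int, timeout: float = 5.0) -> dict:
    """Speak plain HTTP to the TLS port (what 'http://myserver:215' does) and classify the reaction."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    raw = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while len(raw) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                raw += chunk
    except ConnectionResetError:  # the thread's "The connection was reset"
        return {"outcome": "reset", "status": None, "location": None, "body": b""}
    except OSError as exc:
        return {"outcome": f"error: {exc}", "status": None, "location": None, "body": b""}
    status, headers = parse_http_head(raw)
    outcome = "http" if status is not None else ("empty" if not raw else "non-http")
    body = raw.partition(b"\r\n\r\n")[2][:200]  # shows the ErrorDocument text, if any
    return {"outcome": outcome, "status": status, "location": headers.get("location"), "body": body}


def probe_tls_versions(host: str, port: int, cafile=None, timeout: float = 5.0) -> dict:
    """Handshake once per TLS version with min == max pinned, to see which versions SSLProtocol
    really left enabled. cafile is a CA you trust for this host; cert failures show by exception name."""
    results = {}
    for version in (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        try:
            ctx = ssl.create_default_context(cafile=cafile)
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = tls.version()
        except (ssl.SSLError, OSError, ValueError) as exc:
            results[version.name] = f"failed: {type(exc).__name__}"
    return results
```

Run `probe_plain_http("myserver", 215)` and `probe_tls_versions("myserver", 215, cafile="/path/to/hostca.crt")` from each client host; a "reset" outcome alongside a working TLSv1_2 handshake reproduces exactly what the poster describes, and a TLSv1_1 entry that fails only because the client's OpenSSL no longer offers it is reported as such rather than as a server fault.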