Posted to users@httpd.apache.org by Andreas Meyer <a....@nimmini.de> on 2016/08/31 14:56:40 UTC
[users@httpd] questions about IPv6 and SSL
Hello!
Just subscribed to this list because people reported my
webserver is not reachable anymore.
A few days ago I added IPv6-connectivity to the webserver
and changed the Listen-directives and the VirtualHost
to also listen to the IPv6-Address on port 443.
There is a redirect from http to https. The website
is not reachable anymore, no certificates are found.
Is a fix possible and how? Every hint welcome!
Kind regards
Andreas
Re: [users@httpd] questions about IPv6 and SSL
Posted by Andreas Meyer <a....@nimmini.de>.
Hello!
Christopher Schultz <ch...@christopherschultz.net> wrote on 31.08.16 at 19:50:20:
> > <IfDefine SSL> <IfDefine !NOSSL> IfModule mod_ssl.c>
>
> Missing < in the previous line. Typo or copy/paste error?
This was a copy/paste error.
# netstat -pantu |grep http
tcp 0 0 46.38.231.143:443 0.0.0.0:* LISTEN 14160/httpd2-prefor
tcp 0 0 37.120.166.21:443 0.0.0.0:* LISTEN 14160/httpd2-prefor
tcp 0 0 46.38.231.143:80 0.0.0.0:* LISTEN 14160/httpd2-prefor
tcp 0 0 37.120.166.21:80 0.0.0.0:* LISTEN 14160/httpd2-prefor
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 14160/httpd2-prefor
tcp 0 0 2a03:4000:6:4123::1:443 :::* LISTEN 14160/httpd2-prefor
tcp 0 0 2a03:4000:6:4123::1:80 :::* LISTEN 14160/httpd2-prefor
> Try this:
>
> <Virtualhost 37.120.166.21:80 [2a03:4000:6:4123::1]:80>
> ...
> </VirtualHost>
> <Virtualhost 37.120.166.21:443 [2a03:4000:6:4123::1]:443>
> ...
> </VirtualHost>
done that
> Note that you haven't specified a VirtualHost for localhost and
> whatever 46.38.231.143 is.
created a VirtualHost localhost. 46.38.231.143 is just another VirtualHost
the server is serving
> Which interface are you using for testing?
On the server it is ens3:
ens3 Link encap:Ethernet Hardware Adresse BA:69:5F:F3:F8:26
inet Adresse:37.120.166.21 Bcast:37.120.167.255 Maske:255.255.252.0
inet6 Adresse: 2a03:4000:6:4123::1/64 Gültigkeitsbereich:Global
inet6 Adresse: fe80::b869:5fff:fef3:f826/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16017225 errors:0 dropped:0 overruns:0 frame:0
TX packets:1231199 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 Sendewarteschlangenlänge:1000
RX bytes:1209401803 (1153.3 Mb) TX bytes:841330316 (802.3 Mb)
From my testing machine it is wlan1:
wlan1 Link encap:Ethernet Hardware Adresse 00:22:B0:E7:D9:9B
inet Adresse:192.168.3.100 Bcast:192.168.3.255 Maske:255.255.255.0
inet6 Adresse: fe80::222:b0ff:fee7:d99b/64 Gültigkeitsbereich:Verbindung
inet6 Adresse: 2003:54:ef22:e900:222:b0ff:fee7:d99b/64 Gültigkeitsbereich:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:77004 errors:0 dropped:0 overruns:0 frame:0
TX packets:60273 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 Sendewarteschlangenlänge:1000
RX bytes:79839183 (76.1 Mb) TX bytes:7037131 (6.7 Mb)
> Do any of the ports work? Does httpd even start up?
Yes, no errors.
> >> Those are two different problems:
> >>
> >> 1. Certificates are not found
> >
> > The certificates are there. If I disable the IPV6 things, they are
> > found.
>
> Woah, what?
>
> When you say "disable IPv6", what do you mean? How are you changing
> your configuration?
I mean if I disable the listening for IPv6-addresses in listen.conf and
remove the IPv6-addresses in the VirtualHost statement.
> >> 2. Web site is not reachable
> >>
> >> One may cause the other.
> >>
> >> What error message do you get, and where?
> >
> > The thing is, I didn't notice the website is not reachable 'cause
> > my testings with my IPv6 connection showed no errors.
>
> That statement is confusing to me. Can you clarify it?
I mean I can reach the server on port 443 with IPv6-entries without
problems from my outside connection with IPv6 enabled but people
tell me they can't.
I have this in bitcorner-ssl.conf
SSLEngine on
SSLProtocol all
> > ping from outside:
> >
> > andreas@workstation:/> ping6 2a03:4000:6:4123::1
> > PING 2a03:4000:6:4123::1(2a03:4000:6:4123::1) 56 data bytes
> > 64 bytes from 2a03:4000:6:4123::1: icmp_seq=1 ttl=58 time=33.2 ms
> > 64 bytes from 2a03:4000:6:4123::1: icmp_seq=2 ttl=58 time=33.1 ms
> > 64 bytes from 2a03:4000:6:4123::1: icmp_seq=3 ttl=58 time=30.9 ms
> > ^C
> >
> > People then reported the site is not reachable, for instance:
> >
> > Firefox-Fehlermeldung: Ein Fehler ist während einer Verbindung mit
> > www.bitcorner.de aufgetreten. SSL hat einen Eintrag erhalten, der
> > die maximal erlaubte Länge überschritten hat. Fehlercode:
> > SSL_ERROR_RX_RECORD_TOO_LONG
> >
> > Curl: error (35): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol]
>
> That usually happens when you (correctly) disable SSLv3 and someone
> tries to use an SSLv3 handshake with your site. That doesn't
> necessarily mean that your site is misconfigured.
>
> > Wget: wget "https://www.bitcorner.de/bshop/products.csv"
> > --2016-08-31 15:21:12-- https://www.bitcorner.de/bshop/products.csv
> > Resolving www.bitcorner.de (www.bitcorner.de)... 37.120.166.21, 2a03:4000:6:4123::1
> > Connecting to www.bitcorner.de (www.bitcorner.de)|37.120.166.21|:443... connected.
> > GnuTLS: An unexpected TLS packet was received.
> > Unable to establish SSL connection.
>
> How about this:
>
> $ openssl s_client -tls1 -connect www.bitcorner.de:443
>
> Here's what I get when I try SSLv3:
>
> $ openssl s_client -ssl3 -connect www.bitcorner.de:443
> CONNECTED(00000003)
> 5966:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenS
> SL098-59.60.1/src/ssl/s3_pkt.c:1145:SSL
> alert number 40
> 5966:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenS
> SL098-59.60.1/src/ssl/s3_pkt.c:566:
>
> Using TLSv1, I get better results:
>
> $ openssl s_client -tls1 -connect www.bitcorner.de:443
> CONNECTED(00000003)
> depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> - ---
> Certificate chain
> 0 s:/CN=bitcorner.de
> i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> - ---
> [...]
> - ---
> SSL handshake has read 4652 bytes and written 682 bytes
> - ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
>
> etc.
>
> If I let s_client choose the protocol, it chooses TLSv1.2:
> $ openssl s_client -connect www.bitcorner.de:443
> CONNECTED(00000003)
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> - ---
> Certificate chain
> 0 s:/CN=bitcorner.de
> i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> - ---
> [...]
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>
> etc.
Yes, all right.
andreas@workstation:~> openssl s_client -connect www.bitcorner.de:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = bitcorner.de
verify return:1
---
Certificate chain
0 s:/CN=bitcorner.de
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
....
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: E78775875C88EDB18D25CCE24295EF81B521C024753D77EA19085B5F6916E714
Session-ID-ctx:
Master-Key: AF834CBD084DB5F2BFFA2625C36EB2EAB3C290257A07B1ADCA978C8191BF04717456A8B92379797B5F844D6DFB9EC161
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - fb 80 d4 4a e9 07 ce eb-36 af fb 8e d5 2e 5d 27 ...J....6.....]'
0010 - 1e 77 84 33 f4 cb a7 4e-14 df a8 18 38 41 a2 ec .w.3...N....8A..
0020 - 25 fd 14 5d c9 d8 4f 63-ab 45 59 e5 50 e8 db 03 %..]..Oc.EY.P...
0030 - 1a 83 aa 01 1b c0 d6 63-56 40 a6 65 db 51 18 b3 .......cV@.e.Q..
0040 - 2c cf 89 ab 84 86 04 d6-5b 33 bf de d2 40 16 06 ,.......[3...@..
0050 - 7a 48 04 7c d5 8d 92 b6-48 7b 53 19 ac 46 f2 60 zH.|....H{S..F.`
0060 - 10 0b 39 8a 9a 65 b6 cd-08 2f 19 57 5a 08 4e 66 ..9..e.../.WZ.Nf
0070 - 3e 65 f0 69 b3 5d 1c 1f-46 35 cf 85 34 04 6a c6 >e.i.]..F5..4.j.
0080 - 1a fb 72 fe 59 fb c9 a7-fa fa 0b ab 65 9a 0f 5f ..r.Y.......e.._
0090 - 20 c4 4a 53 0d 51 00 00-9e 2c 17 7d b8 74 60 66 .JS.Q...,.}.t`f
00a0 - 56 af 7a 33 a7 6a 3a 09-e4 5d 41 c8 b7 22 eb 84 V.z3.j:..]A.."..
00b0 - 8d c7 e4 f4 4c cf 26 93-f1 bb 42 5a e9 f3 71 ....L.&...BZ..q
00c0 - <SPACES/NULS>
Start Time: 1472713310
Timeout : 300 (sec)
Verify return code: 0 (ok)
>
> $ host www.bitcorner.de
> www.bitcorner.de has address 37.120.166.21
> www.bitcorner.de has IPv6 address 2a03:4000:6:4123::1
>
> $ ping6 2a03:4000:6:4123::1
> connect: Network is unreachable
>
> $ ping www.bitcorner.de
> PING www.bitcorner.de (37.120.166.21) 56(84) bytes of data.
> 64 bytes from mail.bitcorner.de (37.120.166.21): icmp_req=1 ttl=49
> time=92.6 ms
>
> $ /sbin/ifconfig
> eth0 Link encap:Ethernet HWaddr [...]
> inet addr:10.[...] Bcast:10.192.215.255 Mask:255.255.254.0
> inet6 addr: [present]/64 Scope:Link
>
> Weird. Looks like my IPv6 isn't working as I'd expect. So whatever
> configuration you have there now seems to be working. Did you
> roll-back when things weren't working?
Maybe after the changes to
<Virtualhost 37.120.166.21:80 [2a03:4000:6:4123::1]:80>
and
<VirtualHost 37.120.166.21:443 [2a03:4000:6:4123::1]:443>
things work better?
I disabled the RewriteRule for now.
#RewriteCond %{HTTPS} off
#RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Andreas
Re: [users@httpd] questions about IPv6 and SSL
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Andreas,
On 8/31/16 6:05 PM, Andreas Meyer wrote:
> Christopher Schultz <ch...@christopherschultz.net> wrote on
> 31.08.16 at 17:28:04:
>
>>> A few days ago I added IPv6-connectivity to the web server and
>>> changed the Listen-directives and the VirtualHost to also
>>> listen to the IPv6-Address on port 443.
>>
>> Please post your "Listen" and "VirtualHost" directive lines from
>> your config file.
>
> This is the part of listen.conf:
>
> Listen 127.0.0.1:80
> Listen 37.120.166.21:80
> Listen 46.38.231.143:80
> Listen [2a03:4000:6:4123::1]:80
>
> <IfDefine SSL> <IfDefine !NOSSL> IfModule mod_ssl.c>
Missing < in the previous line. Typo or copy/paste error?
> Listen 127.0.0.1:443
> Listen 37.120.166.21:443
> Listen 46.38.231.143:443
> Listen [2a03:4000:6:4123::1]:443
>
> </IfModule> </IfDefine> </IfDefine>
>
> and in the VirtualHost I just added
>
> <Virtualhost 37.120.166.21 [2a03:4000:6:4123::1]:80>
>
> RewriteCond %{HTTPS} off
> RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
>
> and in the sslvhost
> <Virtualhost 37.120.166.21 [2a03:4000:6:4123::1]:443>
This plus the above are likely to be confusing: you have separate
VirtualHosts bound to the same interface with no port specification.
Try this:
<Virtualhost 37.120.166.21:80 [2a03:4000:6:4123::1]:80>
...
</VirtualHost>
<Virtualhost 37.120.166.21:443 [2a03:4000:6:4123::1]:443>
...
</VirtualHost>
Note that you haven't specified a VirtualHost for localhost and
whatever 46.38.231.143 is.
Which interface are you using for testing?
Do any of the ports work? Does httpd even start up?
> tried also with a separate <VirtualHost [2a03:4000:6:4123::1]:443>
>
>>> There is a redirect from http to https. The website is not
>>> reachable anymore, no certificates are found.
>>
>> Those are two different problems:
>>
>> 1. Certificates are not found
>
> The certificates are there. If I disable the IPV6 things, they are
> found.
Woah, what?
When you say "disable IPv6", what do you mean? How are you changing
your configuration?
>> 2. Web site is not reachable
>>
>> One may cause the other.
>>
>> What error message do you get, and where?
>
> The thing is, I didn't notice the website is not reachable 'cause
> my testings with my IPv6 connection showed no errors.
That statement is confusing to me. Can you clarify it?
> ping from outside:
>
> andreas@workstation:/> ping6 2a03:4000:6:4123::1
> PING 2a03:4000:6:4123::1(2a03:4000:6:4123::1) 56 data bytes
> 64 bytes from 2a03:4000:6:4123::1: icmp_seq=1 ttl=58 time=33.2 ms
> 64 bytes from 2a03:4000:6:4123::1: icmp_seq=2 ttl=58 time=33.1 ms
> 64 bytes from 2a03:4000:6:4123::1: icmp_seq=3 ttl=58 time=30.9 ms
> ^C
>
> People then reported the site is not reachable, for instance:
>
> Firefox-Fehlermeldung: Ein Fehler ist während einer Verbindung mit
> www.bitcorner.de aufgetreten. SSL hat einen Eintrag erhalten, der
> die maximal erlaubte Länge überschritten hat. Fehlercode:
> SSL_ERROR_RX_RECORD_TOO_LONG
>
> Curl: error (35): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol]
That usually happens when you (correctly) disable SSLv3 and someone
tries to use an SSLv3 handshake with your site. That doesn't
necessarily mean that your site is misconfigured.
> Wget: wget "https://www.bitcorner.de/bshop/products.csv"
> --2016-08-31 15:21:12-- https://www.bitcorner.de/bshop/products.csv
> Resolving www.bitcorner.de (www.bitcorner.de)... 37.120.166.21, 2a03:4000:6:4123::1
> Connecting to www.bitcorner.de (www.bitcorner.de)|37.120.166.21|:443... connected.
> GnuTLS: An unexpected TLS packet was received.
> Unable to establish SSL connection.
How about this:
$ openssl s_client -tls1 -connect www.bitcorner.de:443
Here's what I get when I try SSLv3:
$ openssl s_client -ssl3 -connect www.bitcorner.de:443
CONNECTED(00000003)
5966:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenS
SL098-59.60.1/src/ssl/s3_pkt.c:1145:SSL
alert number 40
5966:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenS
SL098-59.60.1/src/ssl/s3_pkt.c:566:
Using TLSv1, I get better results:
$ openssl s_client -tls1 -connect www.bitcorner.de:443
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
- ---
Certificate chain
0 s:/CN=bitcorner.de
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
- ---
[...]
- ---
SSL handshake has read 4652 bytes and written 682 bytes
- ---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
etc.
If I let s_client choose the protocol, it chooses TLSv1.2:
$ openssl s_client -connect www.bitcorner.de:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
- ---
Certificate chain
0 s:/CN=bitcorner.de
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
- ---
[...]
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
etc.
$ host www.bitcorner.de
www.bitcorner.de has address 37.120.166.21
www.bitcorner.de has IPv6 address 2a03:4000:6:4123::1
$ ping6 2a03:4000:6:4123::1
connect: Network is unreachable
$ ping www.bitcorner.de
PING www.bitcorner.de (37.120.166.21) 56(84) bytes of data.
64 bytes from mail.bitcorner.de (37.120.166.21): icmp_req=1 ttl=49
time=92.6 ms
$ /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr [...]
inet addr:10.[...] Bcast:10.192.215.255 Mask:255.255.254.0
inet6 addr: [present]/64 Scope:Link
Weird. Looks like my IPv6 isn't working as I'd expect. So whatever
configuration you have there now seems to be working. Did you
roll-back when things weren't working?
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
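Christopher's point about VirtualHosts "bound to the same interface with no port specification" can be checked mechanically. In httpd, an address inside <VirtualHost> that carries no port (or port "*") matches every port that address is listening on, and the first <VirtualHost> in file order that matches an address:port pair answers connections to it. The Python lint below is an added example, not code from this thread or from httpd: it parses Listen and <VirtualHost> lines and reports any TLS listener whose first-matching VirtualHost has no "SSLEngine on". The two embedded configurations are constructed from the addresses quoted in the thread; the first repeats the portless form posted above, the second the corrected form suggested in this reply. On the first one the lint flags 37.120.166.21:443 but not [2a03:4000:6:4123::1]:443, because the IPv6 address in the redirect VirtualHost does carry ":80"; that asymmetry is one possible reading of IPv6 tests succeeding while IPv4 clients failed, which the thread itself does not confirm.

```python
"""Lint Apache Listen/<VirtualHost> pairs for TLS ports that a non-SSL vhost would answer.

Rule applied (httpd behaviour): a <VirtualHost> address with no port, or port '*',
matches every port that address listens on, and the first matching <VirtualHost>
in file order answers a given address:port. Added example, not httpd code; it only
understands the directives it needs (Listen, <VirtualHost>, SSLEngine).
"""
import re
from dataclasses import dataclass

# Address token grammar: [v6]:port | v4:port | v4 | [v6] | *:port | *   (port may be '*')
ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:\[\]]+))(?::(?P<port>\d+|\*))?$")

# Constructed from the addresses quoted in the thread: the portless form first ...
BROKEN_CONF = """\
Listen 37.120.166.21:80
Listen [2a03:4000:6:4123::1]:80
Listen 37.120.166.21:443
Listen [2a03:4000:6:4123::1]:443

<VirtualHost 37.120.166.21 [2a03:4000:6:4123::1]:80>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost 37.120.166.21 [2a03:4000:6:4123::1]:443>
    SSLEngine on
</VirtualHost>
"""
# ... and the corrected form with an explicit port on every address.
FIXED_CONF = (BROKEN_CONF
              .replace("37.120.166.21 [2a03:4000:6:4123::1]:80", "37.120.166.21:80 [2a03:4000:6:4123::1]:80")
              .replace("37.120.166.21 [2a03:4000:6:4123::1]:443", "37.120.166.21:443 [2a03:4000:6:4123::1]:443"))


@dataclass
class VHost:
    line: int
    addrs: list          # [(address, port or None), ...]; None means "any port"
    ssl: bool = False    # saw 'SSLEngine on' inside the block


def parse_addr(token: str) -> tuple:
    """Split one address token into (address, port); '_default_' is an alias for '*'."""
    m = ADDR_RE.match(token.replace("_default_", "*"))
    if not m:
        raise ValueError(f"cannot parse address {token!r}")
    port = m.group("port")
    return (m.group("v6") or m.group("v4"), None if port in (None, "*") else int(port))


def parse_config(text: str) -> tuple:
    """Collect Listen pairs and VirtualHost blocks; comments and unrelated directives are skipped."""
    listens, vhosts, cur = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "listen":  # 'Listen 80' with no address means every address
            listens.append(("*", int(parts[1])) if parts[1].isdigit() else parse_addr(parts[1]))
        elif key.startswith("<virtualhost"):
            toks = line[len("<virtualhost"):].rstrip(">").split()
            cur = VHost(n, [parse_addr(t) for t in toks])
            vhosts.append(cur)
        elif key == "</virtualhost>":
            cur = None
        elif cur is not None and key == "sslengine" and len(parts) > 1 and parts[1].lower() == "on":
            cur.ssl = True
    return listens, vhosts


def matches(vh: VHost, addr: str, port: int) -> bool:
    """Does this VirtualHost claim connections arriving on addr:port? A '*' on either side matches."""
    return any((a == "*" or addr == "*" or a == addr) and (p is None or p == port) for a, p in vh.addrs)


def show(addr: str, port: int) -> str:
    return f"[{addr}]:{port}" if ":" in addr else f"{addr}:{port}"


def lint(text: str) -> list:
    """Return human-readable findings; an empty list means no problem of the kinds checked."""
    listens, vhosts = parse_config(text)
    findings = []
    for vh in vhosts:
        for a, p in vh.addrs:
            if p is None:
                ports = sorted({lp for la, lp in listens if a == "*" or la == "*" or a == la})
                findings.append(f"line {vh.line}: '{a}' has no port, so this VirtualHost matches ports {ports}")
    for addr, port in listens:
        winner = next((vh for vh in vhosts if matches(vh, addr, port)), None)
        if winner is None:
            findings.append(f"Listen {show(addr, port)}: no VirtualHost matches; the main server section answers")
        elif port == 443 and not winner.ssl:
            findings.append(f"Listen {show(addr, port)}: first match is the VirtualHost at line {winner.line}, "
                            f"which has no 'SSLEngine on', so TLS clients receive plaintext HTTP")
    return findings


if __name__ == "__main__":
    for name, conf in (("portless", BROKEN_CONF), ("corrected", FIXED_CONF)):
        print(f"== {name} ==")
        for f in lint(conf) or ["no findings"]:
            print(" ", f)
```

The check only models the address:port selection step; name-based selection among several VirtualHosts on the same address:port, and the case where the main server section itself carries SSLEngine, are outside what it looks at.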
Re: [users@httpd] questions about IPv6 and SSL
Posted by Andreas Meyer <a....@nimmini.de>.
Hello!
Christopher Schultz <ch...@christopherschultz.net> wrote on 31.08.16 at 17:28:04:
> > A few days ago I added IPv6-connectivity to the web server and
> > changed the Listen-directives and the VirtualHost to also listen to
> > the IPv6-Address on port 443.
>
> Please post your "Listen" and "VirtualHost" directive lines from your
> config file.
This is the part of listen.conf:
Listen 127.0.0.1:80
Listen 37.120.166.21:80
Listen 46.38.231.143:80
Listen [2a03:4000:6:4123::1]:80
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>
Listen 127.0.0.1:443
Listen 37.120.166.21:443
Listen 46.38.231.143:443
Listen [2a03:4000:6:4123::1]:443
</IfModule>
</IfDefine>
</IfDefine>
and in the VirtualHost I just added
<Virtualhost 37.120.166.21 [2a03:4000:6:4123::1]:80>
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
and in the sslvhost
<Virtualhost 37.120.166.21 [2a03:4000:6:4123::1]:443>
tried also with a separate
<VirtualHost [2a03:4000:6:4123::1]:443>
> > There is a redirect from http to https. The website is not
> > reachable anymore, no certificates are found.
>
> Those are two different problems:
>
> 1. Certificates are not found
The certificates are there. If I disable the IPV6 things, they
are found.
> 2. Web site is not reachable
>
> One may cause the other.
>
> What error message do you get, and where?
The thing is, I didn't notice the website is not reachable
'cause my testings with my IPv6 connection showed no errors.
ping from outside:
andreas@workstation:/> ping6 2a03:4000:6:4123::1
PING 2a03:4000:6:4123::1(2a03:4000:6:4123::1) 56 data bytes
64 bytes from 2a03:4000:6:4123::1: icmp_seq=1 ttl=58 time=33.2 ms
64 bytes from 2a03:4000:6:4123::1: icmp_seq=2 ttl=58 time=33.1 ms
64 bytes from 2a03:4000:6:4123::1: icmp_seq=3 ttl=58 time=30.9 ms
^C
People then reported the site is not reachable, for instance:
Firefox-Fehlermeldung:
Ein Fehler ist während einer Verbindung mit www.bitcorner.de
aufgetreten. SSL hat einen Eintrag erhalten,
der die maximal erlaubte Länge überschritten hat. Fehlercode:
SSL_ERROR_RX_RECORD_TOO_LONG
Curl:
error (35): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol]
Wget:
wget "https://www.bitcorner.de/bshop/products.csv"
--2016-08-31 15:21:12-- https://www.bitcorner.de/bshop/products.csv
Resolving www.bitcorner.de (www.bitcorner.de)... 37.120.166.21,
2a03:4000:6:4123::1
Connecting to www.bitcorner.de (www.bitcorner.de)|37.120.166.21|:443...
connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.
Andreas
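The three client errors quoted in this post (Firefox's SSL_ERROR_RX_RECORD_TOO_LONG, curl's "unknown protocol", GnuTLS's "unexpected TLS packet") are all what a TLS client reports when the bytes it gets back on port 443 are not a TLS record at all. The Python script below is an added example, not code from this thread or from httpd: it shows how a client misreads a plaintext HTTP response as an oversized TLS record, and includes a probe that connects over one address family at a time so that IPv4 and IPv6 can be checked separately, which is the distinction this thread turns on. The sample replies are constructed, www.example.invalid is a placeholder host name, and the probe function needs network access and only runs when a host is given on the command line.

```python
"""Tell a TLS reply from a plaintext HTTP reply by looking at its first five bytes.

Every TLS record starts with a content-type byte (0x16 handshake, 0x15 alert), a
two-byte protocol version (0x03 0x0x) and a two-byte length. If a vhost serves plain
HTTP on port 443, the client instead receives "HTTP/1.1 ..." and parses it as a
record: 'H' (0x48) becomes the type and "P/" (0x50 0x2f) becomes a length of 20527
bytes, above the TLS 1.2 ciphertext limit of 2^14 + 2048 = 18432 (RFC 5246, 6.2.3).
That is where Firefox's SSL_ERROR_RX_RECORD_TOO_LONG comes from; other stacks report
the same condition as "unknown protocol" or "unexpected TLS packet".
Added example, not code from the thread or from httpd.
"""
import socket
import ssl
import sys

TLS_MAX_RECORD = 2 ** 14 + 2048
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}

# Constructed sample replies: what a redirect-only vhost sends on 443, and a real TLS alert
# record (handshake_failure, alert number 40, as in the SSLv3 test quoted in the thread).
PLAINTEXT_REPLY = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.invalid/\r\n\r\n"
ALERT_RECORD = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])


def parse_record_header(data: bytes) -> dict:
    """Read the first five bytes the way a TLS client does, whatever they really are."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    return {"type": data[0], "version": (data[1], data[2]), "length": (data[3] << 8) | data[4]}


def classify_server_reply(data: bytes) -> str:
    """Return 'empty', 'plaintext-http', 'tls' or 'unknown' for the start of a server reply."""
    if not data:
        return "empty"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    if len(data) < 5:
        return "unknown"
    hdr = parse_record_header(data)
    looks_like_tls = (hdr["type"] in TLS_CONTENT_TYPES
                      and hdr["version"][0] == 3
                      and hdr["length"] <= TLS_MAX_RECORD)
    return "tls" if looks_like_tls else "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Produce a genuine ClientHello with the ssl module and memory BIOs; no network needed."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # the ClientHello has been written; the handshake now waits for the server
    return outgoing.read()


def probe(host: str, port: int = 443, family: int = socket.AF_UNSPEC, timeout: float = 5.0) -> tuple:
    """Connect over one address family (AF_INET or AF_INET6), send a ClientHello and
    classify the first reply bytes. Needs network access; not used by the offline demo."""
    ip = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4][0]
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        first = b""
        while len(first) < 5:          # a real server answers with at least one record header
            chunk = sock.recv(5 - len(first))
            if not chunk:
                break
            first += chunk
    return ip, classify_server_reply(first)


if __name__ == "__main__":
    for label, data in (("plaintext reply", PLAINTEXT_REPLY), ("TLS alert", ALERT_RECORD)):
        print(f"{label}: {classify_server_reply(data)} {parse_record_header(data)}")
    # Live check, each address family on its own:  python3 tls_probe.py www.example.invalid
    for host in sys.argv[1:]:
        for fam in (socket.AF_INET, socket.AF_INET6):
            try:
                print(fam.name, *probe(host, family=fam))
            except OSError as exc:
                print(fam.name, "error:", exc)
```

Running the probe against both families is the quick way to see whether a symptom reported by users is specific to IPv4 or IPv6; an "unknown" result for a reply that starts with a handshake byte but an impossible length is the same condition the browser reports as a record that is too long.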
Re: [users@httpd] questions about IPv6 and SSL
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Andreas,
On 8/31/16 10:56 AM, Andreas Meyer wrote:
> Just subscribed to this list because people reported my web server
> is not reachable anymore.
>
> A few days ago I added IPv6-connectivity to the web server and
> changed the Listen-directives and the VirtualHost to also listen to
> the IPv6-Address on port 443.
Please post your "Listen" and "VirtualHost" directive lines from your
config file.
> There is a redirect from http to https. The website is not
> reachable anymore, no certificates are found.
Those are two different problems:
1. Certificates are not found
2. Web site is not reachable
One may cause the other.
What error message do you get, and where?
> Is a fix possible and how? Every hint welcome!
You can definitely fix this. httpd definitely works with IPv6, SSL,
and redirects. :)
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----