[lug] apache ssl error (intermittent)

dio2002 at indra.com dio2002 at indra.com
Fri May 13 10:48:45 MDT 2011


>
>> Have you tried using s_client from openssl?
>>
> Thanks for the suggestion. When it works right, I get a nice long log.
> When it fails I get:
>
> user at example:/tmp$ openssl s_client -connect example.com:443
> CONNECTED(00000003)
> depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert
> Class 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
> verify error:num=19:self signed certificate in certificate chain

one thing you might check is if this is a self-signed certificate you're
using or a paid for commercial one.  i gather you're trying to use a self
signed cert and if that's the case, you shouldn't be using an external
authority to verify it (e.g. this message shouldn't be showing up in your
server log).

more importantly, if you are using a paid for commercial certificate, i
believe that communication and cert check occurs between the browser and
the certificate authority company, not your server, which means the check
shouldn't be showing up in your server logs.  somebody correct me if i'm
wrong about that.  just my two cents.  i'll bow out from here.

> verify return:0
> 4263:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
> type is not 01:rsa_pk1.c:100:
> 4263:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> failed:rsa_eay.c:699:
> 4263:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad
> signature:s3_clnt.c:1415:
>
>
> Normally, I get the Certificate chains shown and then the certificate
> key. Could this be some internet / networking issues with valicert.com
> (who are they?)
>
>> This still goes through the network stack. Even if example.com resolves
>> to 127.0.0.1 you still have kernel network layers involved.
>>
>> Nothing shows up in dmesg or the system logs (e.g. firewall messages)?
>>
> Right, but since I see this problem when connecting from the server in
> question, from the internal network or from the internet, I doubt it is
> a networking issue. I don't see anything in dmesg or firewall or
> anything. Also, if I run
>
> openssl s_client -connect localhost:443
>
> I get the same results -- sometimes it works, sometimes I get the above
> error.
>
> Any ideas appreciated -- Thanks,
>
> Ben
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
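Because the failure described above is intermittent, a practical next step is to run s_client repeatedly and tally how often each outcome occurs. The following is an added example, not code from the thread: it classifies an s_client transcript by the exact errors quoted above, and the sample transcripts, host, port and attempt count are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: classify an openssl s_client
# transcript so intermittent failures can be tallied over many attempts.

# Reads one s_client transcript on stdin and prints "<handshake>/<chain>":
#   handshake: failed_bad_signature | completed | aborted_other | no_connection
#   chain:     self_signed_in_chain | verified | unknown
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *"SSL3_GET_KEY_EXCHANGE:bad signature"*) hs=failed_bad_signature ;;
        *"SSL-Session:"*)                         hs=completed ;;
        *CONNECTED*)                              hs=aborted_other ;;
        *)                                        hs=no_connection ;;
    esac
    case "$out" in
        *"self signed certificate in certificate chain"*) ch=self_signed_in_chain ;;
        *"Verify return code: 0 (ok)"*)                  ch=verified ;;
        *)                                               ch=unknown ;;
    esac
    echo "$hs/$ch"
}

# Runs s_client N times against host:port and prints a tally of outcomes,
# e.g. "  7 completed/self_signed_in_chain" next to "  3 failed_bad_signature/...".
probe_loop() {
    host=$1; port=$2; n=$3; i=0
    while [ "$i" -lt "$n" ]; do
        i=$((i + 1))
        openssl s_client -connect "$host:$port" </dev/null 2>&1 | classify_s_client_output
    done | sort | uniq -c
}

# Constructed sample transcripts, abridged to the shape of real s_client output.
SAMPLE_FAIL='CONNECTED(00000003)
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc.
verify error:num=19:self signed certificate in certificate chain
verify return:0
4263:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1415:'
SAMPLE_OK='CONNECTED(00000003)
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
SSL-Session:
    Protocol  : TLSv1
Verify return code: 19 (self signed certificate in certificate chain)'

# Usage against a live host (placeholder values): probe_loop example.com 443 20
```

A tally that shows both completed and failed_bad_signature for the same host confirms the problem is in the handshake itself rather than in chain verification, which stays constant across attempts.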