[lug] apache ssl error (intermittent)

Lee Woodworth blug-mail at duboulder.com
Fri May 13 20:01:33 MDT 2011


On 05/13/2011 10:48 AM, dio2002 at indra.com wrote:
>>
>>> Have you tried using s_client from openssl?
>>>
>> Thanks for the suggestion. When it works right, I get a nice long log.
>> When it fails I get:
>>
>> user at example:/tmp$ openssl s_client -connect example.com:443
>> CONNECTED(00000003)
>> depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert
>> Class 2 Policy Validation
>> Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
>> verify error:num=19:self signed certificate in certificate chain
> 

......

> 
>> verify return:0
>> 4263:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
>> type is not 01:rsa_pk1.c:100:
>> 4263:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
>> failed:rsa_eay.c:699:
>> 4263:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad
>> signature:s3_clnt.c:1415:
>>
>>
>> Normally, I get the Certificate chains shown and then the certificate
>> key. Could this be some internet / networking issues with valicert.com
>> (who are they?)

Some certs I have looked at have URLs pointing to policy data. This could
be your client trying to verify the cert chain. If you dump all of the certs
in your chain, you should find that URL or a related one.

It looks to me like your ssl clients are going to the internet to verify
something in the certificate chain. You could verify this with a tcpdump
trace of the handshake. A traceroute of any external IPs might show if
there is a routing issue.

>>
>>> This still goes through the network stack. Even if example.com resolves
>>> to 127.0.0.1 you still have kernel network layers involved.
>>>
>>> Nothing shows up in dmesg or the system logs (e.g. firewall messages)?
>>>
>> Right, but since I see this problem when connecting from the server in
>> question, from the internal network or from the internet, I doubt it is
>> a networking issue. I don't see anything in dmesg or firewall or
>> anything. Also, if I run
>>
>> openssl s_client -connect localhost:443
>>
>> I get the same results -- sometimes it works, sometimes I get the above
>> error.
>>
>> Any ideas appreciated -- Thanks,
>>
>> Ben
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>>
