[lug] Occasional Apache SSL Error
David L. Anselmi
anselmi at anselmi.us
Sun Apr 24 23:04:32 MDT 2011
Ben Luey wrote:
> I think I have the whole cert chain on the server: it's just the gd_bundle.crt that GoDaddy
> provides as my SSLCertificateChainFile.
Does it actually contain a cert chain that verifies?
> Is there special apache ssl logging?
Don't know, didn't ask Google.
> The default SSL logging (/var/log/apache2/ssl_access.log and /var/log/apache2/error.log with log
> level warn) doesn't show anything for the 'bad' traffic. No record of the GET request or
> anything.
I'd expect the server to be oblivious to the client complaining about a bad sig. Although the
client calling it a "peer" seems suspicious (unless that's SSL protocol terminology). But the
server ought to notice a protocol error.
SSL happens before HTTP, so if it fails there won't be a GET. You want to see how the SSL protocol
is executed. If you can't log it you're left with looking at network traces.
> Lenny's still got security updates for at least another year... I'll upgrade at some point, but
> that just adds more variables to the situation (it was fine before with lenny and same version of
> apache2), so I'd like to fix this first.
Unless it's a bug that's fixed post-lenny.
Some poking around indicates that maybe it's a client side bug:
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#keysize
http://www.google.com/support/forum/p/gmail/thread?tid=08197160d4c2d28f&hl=en (several posts are
probably inaccurate, and at least one mentions a server issue with different IP addresses, but they
do mention client side problems)
Dave