[lug] apache ssl error (intermittent)

Lee Woodworth blug-mail at duboulder.com
Thu May 12 13:26:34 MDT 2011


On 05/12/2011 12:31 PM, Ben Luey wrote:
> I'm still getting intermittent SSL errors on my apache2 server (apache 
> 2.2.9-10 on Debian lenny running mpm-worker). Restarting apache seems to 
> help in that I get the problem less frequently. But I was able to get 
> the error message with wget running on the server in question, so it 
> isn't a networking issue:

FYI, Gentoo uses 2.2.17 as its stable version for apache.

Have you tried using s_client from openssl?

> 
> user at example:/tmp$ wget -d -v -S https://example.com
This still goes through the network stack. Even if example.com
resolves to 127.0.0.1 you still have kernel network layers involved.

Nothing shows up in dmesg or the system logs (e.g. firewall messages)?

> Setting --verbose (verbose) to 1
> Setting --server-response (serverresponse) to 1
> DEBUG output created by Wget 1.11.4 on linux-gnu.
> 
> --2011-05-12 12:23:47--  https://example.com/
> Resolving example.com... 192.168.25.1
> Caching example.com => 192.168.25.1
> Connecting to example.com|192.168.25.1|:443... connected.
> Created socket 3.
> Releasing 0x0000000000fa4de0 (new refcount 1).
> Initiating SSL handshake.
> SSL handshake failed.
> OpenSSL: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> OpenSSL: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
> OpenSSL: error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature
> Closed fd 3
> Unable to establish SSL connection.
> 
> I can run the command again and it will sometimes work, sometimes not.
> 
> Any ideas what is going on? Nothing shows up in the logs, even with 
> LogLevel=debug for apache.

Seems like your ssl client (wget) is getting errors from the SSL library
complaining about the server response (apache). You may need to sniff the
connection to see if the server is sending complete responses. Can't tell
you exactly how to do that.

> 
> Thanks,
> 
> Ben
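An added example, not part of the thread: one way to follow up on the s_client suggestion is to repeat the handshake many times and tally how each attempt ends, which shows how often the "bad signature" failure occurs. The function names are hypothetical, and the script assumes the client command (for example `openssl s_client`) exits non-zero when the handshake fails.

```shell
#!/bin/sh
# Added example (not from the thread): quantify an intermittent TLS handshake
# failure by repeating the handshake and tallying how each attempt ends.

# Label a failed attempt from the client's error text (read on stdin).
# The patterns are the OpenSSL reason strings quoted in the wget output above.
classify_failure() {
    awk '
        /bad signature/                             { sig = 1 }
        /padding check failed|block type is not 01/ { pad = 1 }
        END {
            if (sig)      print "bad_signature"
            else if (pad) print "rsa_padding"
            else          print "other_failure"
        }'
}

# probe_handshakes COUNT CMD [ARGS...]
# Runs CMD COUNT times with stdin at /dev/null and prints one summary line:
#   attempts=N ok=N bad_signature=N rsa_padding=N other_failure=N
probe_handshakes() {
    count=$1; shift
    ok=0; sig=0; pad=0; other=0; i=0
    while [ "$i" -lt "$count" ]; do
        i=$((i + 1))
        if out=$("$@" </dev/null 2>&1); then
            ok=$((ok + 1))
        else
            case $(printf '%s\n' "$out" | classify_failure) in
                bad_signature) sig=$((sig + 1)) ;;
                rsa_padding)   pad=$((pad + 1)) ;;
                *)             other=$((other + 1)) ;;
            esac
        fi
    done
    echo "attempts=$count ok=$ok bad_signature=$sig rsa_padding=$pad other_failure=$other"
}

# Constructed stand-in for a failing client; it replays an error line from the post.
fake_failing_client() {
    echo 'OpenSSL: error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature'
    return 1
}

# Offline demo with the constructed client. Against a real server, run e.g.:
#   probe_handshakes 50 openssl s_client -connect example.com:443
probe_handshakes 3 fake_failing_client
```

Running the same probe before and after an Apache restart, or per worker configuration, gives failure rates that can be compared instead of single retries.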