
SSL connection error... AcceptFilter Apache 2.4

 
Thog
Posted: Mon 26 Dec '11 8:34    Post subject: SSL connection error... AcceptFilter Apache 2.4

I can't seem to get SSL working with FCGID. Apache loads but I keep getting the following error. I know my keys work because they work when I load without FCGID.

Here is my setup. Maybe someone can post their setup for SSL with FCGID?

Code:

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

AcceptFilter https none

SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:c:/servers/apache24_ssl/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

<VirtualHost 70.38.28.214:443>
   ServerName www.rave.ca:443
   ServerAdmin admin@rave.ca
   DocumentRoot "d:/websites/rave.ca/website"
   ErrorLog "d:/websites/rave.ca/logs/error_ssl.log"
   SSLEngine on
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
   SSLCertificateFile "c:/servers/apache24_ssl/conf/ssl.crt/rave.ca.crt"
   SSLCertificateKeyFile "c:/servers/apache24_ssl/conf/ssl.key/rave.ca.key"
   SSLCertificateChainFile "c:/servers/apache24_ssl/conf/ssl.crt/PositiveSSL.ca-bundle.crt"
   <FilesMatch "\.(php)$">
       SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory d:/websites/rave.ca>
      AddHandler fcgid-script .php
      Options Indexes FollowSymLinks ExecCGI
      AllowOverride all
      FcgidWrapper "c:/servers/php_54_nts/php-cgi.exe" .php
      Require all granted
   </Directory>
   BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
   CustomLog "c:/servers/apache24_ssl/logs/ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


I've also tried using these instead which seem better and more secure but no luck:

Code:

   SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
   SSLProtocol -ALL +SSLv3 +TLSv1


This is what displays when the page loads:

[CHROME]
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
[/CHROME]

[FIREFOX]
The connection was interrupted
The connection to www.rave.ca was interrupted while the page was loading.
[/FIREFOX]

[IE]
Internet Explorer cannot display the webpage
[/IE]


Last edited by Thog on Tue 27 Dec '11 0:25; edited 1 time in total

Steffen (Moderator)
Posted: Mon 26 Dec '11 12:31

With HTML OK?

Warnings/errors in the Apache log?

Btw:
In 2.4 you have to load mod_socache_shmcb!


Steffen

Thog
Posted: Mon 26 Dec '11 20:05

Actually, now that you mentioned it, I tried with a non-PHP page and it gives the same error message.

There is nothing being written to the ssl_request.log file... There are no errors in the error.log file and nothing is being written to the access.log file.

This is all:

Code:

[Mon Dec 26 12:49:58.817112 2011] [mpm_winnt:notice] [pid 2932:tid 356] AH00455: Apache/2.3.16 (Win64) OpenSSL/1.0.0e mod_fcgid/2.3.6d configured -- resuming normal operations
[Mon Dec 26 12:49:58.817112 2011] [mpm_winnt:notice] [pid 2932:tid 356] AH00456: Server built: Dec 16 2011 16:46:46
[Mon Dec 26 12:49:58.817112 2011] [core:notice] [pid 2932:tid 356] AH00094: Command line: 'C:\\Servers\\Apache24_SSL\\bin\\httpd.exe -d C:/Servers/Apache24_SSL'
[Mon Dec 26 12:49:58.817112 2011] [mpm_winnt:notice] [pid 2932:tid 356] AH00418: Parent: Created child process 6480
[Mon Dec 26 12:49:59.926501 2011] [mpm_winnt:notice] [pid 6480:tid 284] AH00354: Child: Starting 150 worker threads.


I do have "mod_socache_shmcb" loaded also and my httpd conf file is the same as the one I posted before.

Code:

ServerRoot "C:/Servers/Apache24_SSL"

LoadModule alias_module modules/mod_alias.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule fcgid_module modules/mod_fcgid.so

<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
   User daemon
   Group daemon
</IfModule>
</IfModule>

ServerAdmin admin@rave.ca
ServerName localhost:80
DocumentRoot "C:/Servers/Apache24_SSL/htdocs"

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory "C:/Servers/Apache24_SSL/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.php index.htm index.html
</IfModule>

<FilesMatch "^ht\.">
    Require all denied
</FilesMatch>

ErrorLog "logs/error.log"
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog "logs\access.log" common
</IfModule>

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>

EnableMMAP off
EnableSendfile off

<IfModule ssl_module>
   SSLRandomSeed startup builtin
   SSLRandomSeed connect builtin
</IfModule>

<IfModule !mpm_netware_module>
    PidFile "logs/httpd.pid"
</IfModule>

<IfModule mpm_winnt_module>
    ThreadsPerChild      150
    MaxRequestsPerChild    0
</IfModule>

AccessFileName ht.access
HostnameLookups Off
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100
ServerSignature Off
ServerTokens Full
Timeout 300
UseCanonicalName Off

Listen 70.38.28.214:443

AcceptFilter http none
AcceptFilter https none

Include sites/*.site


And the site file (of which there is only one):

Code:

SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:c:/servers/apache24_ssl/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

<VirtualHost 70.38.28.214:443>
   ServerName www.rave.ca:443
   ServerAdmin admin@rave.ca
   DocumentRoot "d:/websites/rave.ca/website"
   ErrorLog "d:/websites/rave.ca/logs/error_ssl.log"
   SSLEngine on
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
   SSLCertificateFile "c:/servers/apache24_ssl/conf/ssl.crt/rave.ca.crt"
   SSLCertificateKeyFile "c:/servers/apache24_ssl/conf/ssl.key/rave.ca.key"
   SSLCertificateChainFile "c:/servers/apache24_ssl/conf/ssl.crt/PositiveSSL.ca-bundle.crt"
   <Directory d:/websites/rave.ca>
      AddHandler fcgid-script .php
      Options Indexes FollowSymLinks
      AllowOverride all
      Require all granted
   </Directory>
   BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
   CustomLog "c:/servers/apache24_ssl/logs/ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


Maybe you can post your SSL configuration file since I see you kind of have SSL working here on apachelounge? Maybe it has to do with the fact that I'm using /'s and not \'s for the URLs, but that never stopped 2.2 from working? I will try to use SSL in module mode and see if it works and post back.

NOTE: I removed all PHP stuff from this file... This is happening with regular .txt files even... I will also try using the 32bit version instead of the 64bit version and see if that helps...

NOTE: 32bit version same thing...
NOTE: Using \\ instead of / same thing...

Steffen (Moderator)
Posted: Mon 26 Dec '11 21:12

So none of the log files has anything about your SSL requests? Sure you looked in the access.log and error.log?

When true, then IP/name may be an issue: Apache does not get the request.

Try first with localhost:

Listen 443

<VirtualHost 127.0.0.1:443>
ServerName localhost:443
...
...
...

Steffen

Thog
Posted: Tue 27 Dec '11 0:22

I tried on the localhost and pressed F5 a lot and maybe 1 out of every 50 page views will load but the other 49 page views give:

Error 15 (net::ERR_SOCKET_NOT_CONNECTED): Unknown error.

or

Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

Which is strange that it would actually load sometimes without problem!

Anyways, I guess I will just wait for someone else to have a similar problem and see if they fix it. I'll continue to use version 2.2 for anything related to SSL for now. I do hope sometime someone will post their config of Apache running with SSL since no good example exists!

I also tried on another machine with a totally different domain and the same thing happened. Thinking maybe it was this machine.

Meanwhile Apache 2.2 works flawlessly with fastcgi and ssl which makes me believe there is a problem in 2.4 using ssl...

admin (Site Admin)
Posted: Tue 27 Dec '11 13:11

So it is going better, 1 out of 50.

!! Try to comment out: AcceptFilter https none

Tested below config here with IE6, IE9, Chrome, no issues here.
Code:

Listen 192.168.1.13:443

#AcceptFilter https none !!!

SSLPassPhraseDialog builtin
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

<VirtualHost 192.168.1.13:443>
ServerName devxp

SSLEngine on
DocumentRoot "c:/Apache23/htdocs"

SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL

SSLCertificateFile conf/ssl.crt
SSLCertificateKeyFile conf/ssl.key
SSLCertificateChainFile conf/sub.class2.server.ca.cer
SSLCACertificateFile conf/ca.cer


BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

ErrorLog F:/log/apache/serror.log

CustomLog f:/log/apache/srequest.log "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
 
</VirtualHost>

Steffen (Moderator)
Posted: Tue 27 Dec '11 17:49

Reported on the dev list that AcceptFilter set to none maybe has an issue.

Commenting out AcceptFilter https works here fine.


Steffen

Thog
Posted: Wed 28 Dec '11 5:14

I used your config and after commenting out:

#AcceptFilter https none

It works fine!

But with it it still only works 1 time out of 50 (and sometimes not at all). It also works with my old config without the AcceptFilter but from what I remember without it the site occasionally will freeze and you end up with "The specified network name is no longer available." or "Asynchronous AcceptEx failed." stuff in the logs. I will post more if that happens!

Thanks!

I hope they fix this problem! Apache 2.4 is really much more stable than 2.2 and also seems to work faster!

Steffen (Moderator)
Posted: Wed 28 Dec '11 12:12

I reported the issue already months back.

To overcome it, I have a 2.2.21 SSL-only with reverse proxy in front of 2.3.16. A minimal httpd.conf with e.g. only mod_ssl, mod_proxyx and logging loaded. And no vhosts.

...
...
SSLEngine on
ProxyRequests Off
Win32DisableAcceptEx
EnableSendfile Off
EnableMMAP off
ServerName www.land10web.com
DocumentRoot f:/web/unknown
ProxyPreserveHost On
ProxyPass / http://127.0.0.1/
ProxyPassReverse / http://127.0.0.1/
...
...

It feels like an advantage in general: it offloads resources from the high non-SSL traffic. Kinda extra multi-threaded.

Steffen
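
Added example, not part of the thread and not Apache Lounge's code: a small Python lint over httpd configuration text for the three issues raised in the posts above (`AcceptFilter https none`, an `shmcb` session cache without `mod_socache_shmcb` loaded, and a cipher string whose `ALL` leaves LOW and EXP suites enabled). The function name, finding labels and sample configuration are constructed for illustration, and the cipher check is a heuristic that treats only `!` as an exclusion.

```python
# Added example: lints httpd configuration text for three issues raised in this thread.
# In an OpenSSL cipher string "+X" only moves X to the end of the list; on
# 1.0.0-era builds it is "ALL" that enables LOW and EXP unless "!" removes them.
WEAK_CLASSES = ("LOW", "EXP")
ALIASES = {"EXPORT": "EXP"}  # OpenSSL accepts both spellings

# Constructed sample built from directives quoted in the thread.
SAMPLE = """\
LoadModule ssl_module modules/mod_ssl.so
AcceptFilter https none
SSLSessionCache "shmcb:logs/ssl_scache(512000)"
<VirtualHost *:443>
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
"""

def audit(conf):
    """Return sorted (line, finding) tuples; Include files are not followed."""
    findings, modules, shmcb_line = [], set(), None
    for n, raw in enumerate(conf.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or commented-out directive
        name = parts[0].lower()  # directive names are case-insensitive
        args = parts[1].strip() if len(parts) > 1 else ""
        if name == "loadmodule" and args:
            modules.add(args.split()[0])
        elif name == "acceptfilter" and args.lower().split() == ["https", "none"]:
            # Reported in this thread to break TLS handshakes on the 2.3.16 Windows build.
            findings.append((n, "acceptfilter-https-none"))
        elif name == "sslsessioncache" and args.strip('"').lower().startswith("shmcb:"):
            shmcb_line = n
        elif name == "sslciphersuite":
            tokens = args.strip('"').split(":")
            removed = {ALIASES.get(t[1:], t[1:]) for t in tokens if t.startswith("!")}
            left = [c for c in WEAK_CLASSES if c not in removed]
            if "ALL" in tokens and left:
                findings.append((n, "weak-ciphers:" + ",".join(left)))
    # In 2.4 the shmcb provider lives in its own module, which must be loaded.
    if shmcb_line and "socache_shmcb_module" not in modules:
        findings.append((shmcb_line, "shmcb-without-socache-module"))
    return sorted(findings)

if __name__ == "__main__":
    for line, finding in audit(SAMPLE):
        print(f"line {line}: {finding}")
```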