Qmpeltaty (Joined: 06 Feb 2008, Posts: 182, Location: Poland)
Posted: Mon 27 Jan '14 19:03

Thank you for the fast answer. Unfortunately I can't mix up the production server keys for SSL; this server works with online payments etc., so that is not an option. The currently working key has been prepared by me with the openssl tool, so I'm sure it's fine (I have been doing this for many years).

jraute (Joined: 13 Sep 2013, Posts: 188, Location: Rheinland, Germany)
Posted: Mon 27 Jan '14 19:25

Hmmm, what now?
Is this Apache instance running for payments with this configuration? I mean without working SSL?
I hope I got it wrong!
OK, back to the logs and the try with "medium" cipher suites.
As long as the test at SSL Labs (https://www.ssllabs.com/ssltest/) is not working, we have no chance to clearly detect whether there is a problem with SSL.

Qmpeltaty (Joined: 06 Feb 2008, Posts: 182, Location: Poland)
Posted: Tue 28 Jan '14 11:54

Some of the payment transactions are just dropped or rejected; it's not a big issue, as the site is almost all the time available. The main concern for me is that the site doesn't work locally either.
I've changed the SSLCipherSuite to:

Code:
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+MEDIUM

but I can't see the difference. SSL Labs still can't connect. The weird thing is that SSL Labs fails at the "Resolving Hostname" stage. Maybe there is a problem with DNS?
I have another idea: the certificate path contains another certificate of the CA. Is it also checked during the handshake? Maybe this middle certificate causes the problem?

Last edited by Qmpeltaty on Tue 28 Jan '14 13:58; edited 1 time in total
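The cipher string in the post above can be audited offline with the OpenSSL command-line tool, which shows exactly which suites a mod_ssl SSLCipherSuite string enables. The following is an added example and not code from the thread; it assumes an openssl binary on the machine. It expands the thread's string beside a hardened alternative (the hardened string and its SSLProtocol line are the editor's assumption, not the poster's configuration) and counts anonymous and RC4 suites in each, which is the check a reviewer would run before accepting a cipher string for a payment site.

```shell
#!/bin/sh
# Added example, not code from the thread: expand Apache SSLCipherSuite strings
# with the openssl tool to see which cipher suites they really enable.
# Assumes an openssl binary; the list reflects that OpenSSL build, not Apache's.

# The string posted in the thread: keeps RC4 and MEDIUM-strength suites.
# Its mod_ssl directives were:
#   SSLProtocol -ALL +SSLv3 +TLSv1
#   SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+MEDIUM
THREAD_CIPHERS='ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+MEDIUM'

# A hardened alternative (editor's assumption; tune it to the clients you must
# support). The matching directives would be:
#   SSLProtocol all -SSLv3
#   SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
HARDENED_CIPHERS='HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES'

# Print every suite a cipher string enables, one per line, in OpenSSL's
# verbose format (name, protocol, Kx=, Au=, Enc=, Mac=).
expand_ciphers() {
    openssl ciphers -v "$1"
}

# Number of suites enabled by a cipher string.
cipher_count() {
    expand_ciphers "$1" | wc -l | tr -d ' '
}

# Number of enabled suites whose verbose line matches pattern $2,
# e.g. 'Au=None' (anonymous key exchange) or 'Enc=RC4'. Prints 0 on no match.
count_matching() {
    expand_ciphers "$1" | grep -c -- "$2" || true
}

# Verdict for a cipher string: "ok" when it enables neither anonymous nor RC4
# suites, "weak" otherwise (exit status 1 in the weak case).
check_cipher_string() {
    anon=$(count_matching "$1" 'Au=None')
    rc4=$(count_matching "$1" 'Enc=RC4')
    if [ "$anon" -eq 0 ] && [ "$rc4" -eq 0 ]; then
        echo ok
        return 0
    fi
    echo weak
    return 1
}

# Stand-alone run: compare the two strings, then list the hardened set.
echo "thread string:   $(cipher_count "$THREAD_CIPHERS") suites, verdict: $(check_cipher_string "$THREAD_CIPHERS")"
echo "hardened string: $(cipher_count "$HARDENED_CIPHERS") suites, verdict: $(check_cipher_string "$HARDENED_CIPHERS")"
expand_ciphers "$HARDENED_CIPHERS"
```

On the OpenSSL 1.0.1 build the thread mentions, the first string expands with Enc=RC4 entries and gets the "weak" verdict; on OpenSSL 3 the RC4 suites live in the legacy provider and simply do not appear, so the count is the thing to read, not only the verdict. The same `openssl ciphers -v` call is what mod_ssl's documentation points to for checking a cipher string.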

jraute (Joined: 13 Sep 2013, Posts: 188, Location: Rheinland, Germany)
Posted: Tue 28 Jan '14 13:06

ErrorLog?
What about the ssleay32 error?

Qmpeltaty (Joined: 06 Feb 2008, Posts: 182, Location: Poland)
Posted: Tue 28 Jan '14 14:01

jraute wrote:
> ErrorLog?
> What about the ssleay32 error?

Every time I restart Apache I get this error in Event Viewer:

Code:
    Faulting application name: httpd.exe, version: 2.4.7.0, time stamp: 0x5294e8b6
    Faulting module name: SSLEAY32.dll, version: 1.0.1.5, time stamp: 0x5123e06c
    Exception code: 0xc0000005
    Fault offset: 0x0000000000015e99
    Faulting process id: 0x39e0
    Faulting application start time: 0x01cf1c17448ca5dc
    Faulting application path: C:\Apache247\bin\httpd.exe
    Faulting module path: C:\Apache247\bin\SSLEAY32.dll
    Report Id: adcc5e3c-880a-11e3-b76a-005056934851

jraute (Joined: 13 Sep 2013, Posts: 188, Location: Rheinland, Germany)
Posted: Tue 28 Jan '14 18:39

Have you included mod_ssl somewhere else in a config (Perl or whatever)? Sometimes trying to load a module in such a section can cause trouble.
Btw, you changed the installation directory to Apache247. Did you change the paths in the httpd.conf/ssl.conf as well?

Qmpeltaty (Joined: 06 Feb 2008, Posts: 182, Location: Poland)
Posted: Wed 29 Jan '14 10:48

jraute wrote:
> Have you included mod_ssl somewhere else in a config (Perl or whatever)? Sometimes trying to load a module in such a section can cause trouble.

Nope. It's a pure Apache installation with mod_ssl and mod_jk; no Perl, no PHP etc.

jraute wrote:
> Btw, you changed the installation directory to Apache247. Did you change the paths in the httpd.conf/ssl.conf as well?

Yes, I've installed a separate, independent instance of 2.4.7 to C:\Apache247; the paths to httpd.conf and ssl.conf are correct for sure (they point to the C:\Apache247\conf dir).

James Blond (Moderator; Joined: 19 Jan 2006, Posts: 7445, Location: EU, Germany, Next to Hamburg)
Posted: Wed 29 Jan '14 16:12

Is a good option to check if everything is ok.
You also have to make sure that there are no OpenSSL files in your %PATH%, or Apache might use the wrong file.

Qmpeltaty (Joined: 06 Feb 2008, Posts: 182, Location: Poland)
Posted: Wed 29 Jan '14 17:15

James Blond wrote:
> Is a good option to check if everything is ok.
> You also have to make sure that there are no OpenSSL files in your %PATH%, or Apache might use the wrong file.

PATH (standard for the Win2k8 distribution imho):

Code:
    %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\

httpd -S

Code:
    VirtualHost configuration:
    192.168.1.65:443       mydomain.com (C:/Apache247/conf/ssl.conf:73)
    192.168.1.65:80        is a NameVirtualHost
             default server mydomain.com (C:/Apache247/conf/httpd.conf:554)
             port 80 namevhost mydomain.com (C:/Apache247/conf/httpd.conf:554)
             port 80 namevhost www.mydomain.com (C:/Apache247/conf/httpd.conf:559)
    ServerRoot: "C:/Apache247"
    Main DocumentRoot: "C:/Apache247/htdocs"
    Main ErrorLog: "D:/log/apache/error.log"
    Mutex authdigest-opaque: using_defaults
    Mutex rewrite-map: using_defaults
    Mutex authdigest-client: using_defaults
    Mutex ssl-stapling: using_defaults
    Mutex proxy: using_defaults
    Mutex ssl-cache: using_defaults
    Mutex default: dir="C:/Apache247/logs/" mechanism=default
    PidFile: "C:/Apache247/logs/httpd.pid"
    Define: DUMP_VHOSTS
    Define: DUMP_RUN_CFG

EDIT: I've found another error in Event Viewer:

Code:
    Faulting application name: httpd.exe, version: 2.4.7.0, time stamp: 0x5294e8b6
    Faulting module name: libhttpd.dll, version: 2.4.7.0, time stamp: 0x5294e978
    Exception code: 0xc0000005
    Fault offset: 0x0000000000033bfe
    Faulting process id: 0x1130
    Faulting application start time: 0x01cf1d0734023885
    Faulting application path: C:\Apache247\bin\httpd.exe
    Faulting module path: C:\Apache247\bin\libhttpd.dll
    Report Id: 7300c734-88fa-11e3-b76a-005056934851

jraute (Joined: 13 Sep 2013, Posts: 188, Location: Rheinland, Germany)
Posted: Thu 30 Jan '14 0:09

Qmpeltaty wrote:
> SSL Labs still can't connect. The weird thing is that SSL Labs fails at the "Resolving Hostname" stage. Maybe there is a problem with DNS?

Yes, that looks like a classic DNS problem. But who knows if this comes as a side effect? For HTTP requests the hostname gets resolved, right?

Qmpeltaty wrote:
> I have another idea: the certificate path contains another certificate of the CA. Is it also checked during the handshake? Maybe this middle certificate causes the problem?

Typically all certificates are checked.
I am wondering if the SSLCertificateChainFile directive is the problem: please have a look at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile
"But be careful: Providing the certificate chain works only if you are using a single RSA or DSA based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Else the browsers will be confused in this situation."
And please check if any of the certificates is out of date, and have a look at the registry for the DLLs which are listed in the log. If they are registered to another location and are still there, it could be the reason for the problem, although Windows typically looks for the DLLs in the directory from where httpd.exe is started first.

Qmpeltaty (Joined: 06 Feb 2008, Posts: 182, Location: Poland)
Posted: Thu 30 Jan '14 11:48

jraute wrote:
> Qmpeltaty wrote:
> > SSL Labs still can't connect. The weird thing is that SSL Labs fails at the "Resolving Hostname" stage. Maybe there is a problem with DNS?
>
> Yes, that looks like a classic DNS problem. But who knows if this comes as a side effect? For HTTP requests the hostname gets resolved, right?

HTTP works fine all the time. Yesterday I changed the thread settings from:

Code:
    ThreadsPerChild 1900
    MaxRequestsPerChild 0

to:

Code:
    ThreadLimit 5000
    ThreadsPerChild 3000
    MaxRequestsPerChild 0

I've got the impression that the site is working much better now, but it is still generating timeouts; less frequently, but still.
I had also noticed that the problems start when traffic is increasing on the website: the rush hours start around 10AM and end around 11PM. Outside this timeframe HTTPS is not dropping the connections. Today in the early morning I was finally able to run SSL Labs without problems and got an A- grade.

jraute wrote:
> Qmpeltaty wrote:
> > I have another idea: the certificate path contains another certificate of the CA. Is it also checked during the handshake? Maybe this middle certificate causes the problem?
>
> Typically all certificates are checked.
> I am wondering if the SSLCertificateChainFile directive is the problem: please have a look at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile
> "But be careful: Providing the certificate chain works only if you are using a single RSA or DSA based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Else the browsers will be confused in this situation."

How do I check whether the certificates are RSA or DSA?

jraute wrote:
> And please check if any of the certificates is out of date

Checked, all certificates are current.

jraute wrote:
> and have a look at the registry for the DLLs which are listed in the log. If they are registered to another location and are still there, it could be the reason for the problem, because then they are loaded at boot time, causing conflicts with the expected new ones. Windows won't load the same named DLL twice.

I will check that, however I'm a bit confused, as the error details definitely point to the proper DLL file.
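The three open questions in the exchange above (is the certificate RSA or DSA, is any certificate out of date, and is the intermediate CA certificate really part of what gets verified) can all be answered with the openssl tool Qmpeltaty already uses to prepare keys. What follows is an added example, not code from the thread or from the Apache project. It assumes an openssl binary and generates its own throwaway sample certificates (a constructed CA, an RSA leaf it signs, and an unrelated EC certificate), so it runs offline; point the three functions at the real SSLCertificateFile and SSLCertificateChainFile files instead.

```shell
#!/bin/sh
# Added example, not code from the thread: answer "RSA or DSA?", "still valid?"
# and "does the chain verify?" for PEM certificates with the openssl tool.
# Assumes an openssl binary. The certificates below are a constructed sample
# (a throwaway CA, an RSA leaf it signs, and an unrelated EC certificate) so
# the script runs offline; replace the paths with your real certificate files.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample CA (self-signed, RSA). Seen from a browser, this plays the
# role of the "middle" certificate the thread asks about.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Sample Test CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# Constructed sample server certificate, issued by that CA.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mydomain.example' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
# Constructed unrelated self-signed EC certificate, used as the negative case.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 2 \
    -subj '/CN=Unrelated EC' -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# Print the public key algorithm of a PEM certificate: rsaEncryption,
# dsaEncryption or id-ecPublicKey. This is the direct answer to "RSA or DSA?".
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# Print "valid" if certificate $1 is neither expired nor expiring within the
# next $2 seconds, otherwise "expiring".
cert_validity() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo expiring
    fi
}

# Print "ok" if leaf certificate $1 verifies against the CA bundle $2, else "fail".
# A leaf without its issuing (intermediate) certificate cannot be verified,
# which is why the chain has to be sent in the handshake.
chain_verifies() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Stand-alone run: report the constructed sample.
echo "leaf key algorithm:        $(cert_key_algorithm "$WORK/leaf.pem")"
echo "other key algorithm:       $(cert_key_algorithm "$WORK/other.pem")"
echo "leaf valid for next 24h:   $(cert_validity "$WORK/leaf.pem" 86400)"
echo "leaf valid for next 10d:   $(cert_validity "$WORK/leaf.pem" 864000)"
echo "leaf chains to its CA:     $(chain_verifies "$WORK/leaf.pem" "$WORK/ca.pem")"
echo "leaf chains to unrelated:  $(chain_verifies "$WORK/leaf.pem" "$WORK/other.pem")"
```

The last line of the run is the situation a browser is in when the server omits the intermediate: the leaf on its own cannot be verified, so it must be served, in 2.4.7 via SSLCertificateChainFile (from 2.4.8 onward the intermediate can simply be appended to the SSLCertificateFile, and SSLCertificateChainFile is obsolete). The "coupled RSA+DSA pair" the quoted documentation warns about only arises when two SSLCertificateFile directives with different key types are configured; a single certificate has a single key algorithm, which cert_key_algorithm prints.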

Qmpeltaty (Joined: 06 Feb 2008, Posts: 182, Location: Poland)
Posted: Thu 30 Jan '14 17:11

I have to say that it's working without even a single timeout today. I hate such cases, when some errors just disappear without any particular reason. Damn!

jraute (Joined: 13 Sep 2013, Posts: 188, Location: Rheinland, Germany)
Posted: Thu 30 Jan '14 19:20

You are welcome!

Qmpeltaty (Joined: 06 Feb 2008, Posts: 182, Location: Poland)
Posted: Fri 31 Jan '14 9:40

jraute wrote:
> You are welcome!

I had a feeling that the story would go on; this is not the end. However, thank you for your engagement.

jraute (Joined: 13 Sep 2013, Posts: 188, Location: Rheinland, Germany)
Posted: Fri 31 Jan '14 9:53

I have the same feeling that it will happen again.
Sometimes it's just crazy and you cannot change it.
Maybe it's a hint that the configuration is fine and the problem is somewhere else.

Qmpeltaty (Joined: 06 Feb 2008, Posts: 182, Location: Poland)
Posted: Fri 31 Jan '14 12:30

jraute wrote:
> I have the same feeling that it will happen again.
> Sometimes it's just crazy and you cannot change it.
> Maybe it's a hint that the configuration is fine and the problem is somewhere else.

I'm quite confident that increasing the ThreadsPerChild parameter has helped; however, based on my experience, if this value is too low Apache throws an error in error.log, which hadn't happened.