Apache Lounge
Forum Index -> News & Hangout
Topic: SSL-PROTOCOL-ERR in 2.4.66 all browsers except Firefox
jeremydunn (Joined: 15 Dec 2025, Posts: 3, Location: USA, Becket)
Posted: Mon 15 Dec '25 19:12    Post subject: SSL-PROTOCOL-ERR in 2.4.66 all browsers except Firefox

Windows Server 2019

was running httpd 2.4.65 x64
upgraded to 2.4.66 x64

wildcard SSL certificate *.dhammareg.dhamma.org purchased through CheapSSLSecurity, issued by Sectigo

Apache config fragment:

SSLCertificateFile "c:\Program Files\Apache\conf\dhammareg.ssl\STAR_dhammareg_dhamma_org-exp10Sept2030.crt"
SSLCertificateKeyFile "c:\Program Files\Apache\conf\dhammareg.ssl\STAR_dhammareg_dhamma_org-exp10Sept2030.key"
#SSLCertificateChainFile "c:\Program Files\Apache\conf\dhammareg.ssl\SectigoCABundle.crt"
SSLCertificateChainFile "c:\Program Files\Apache\conf\dhammareg.ssl\SectigoCABundle-New.crt"

The CertificateChainFile is issued by Sectigo.
The original certificate chain file was included in the download package for our SSL cert.

PROBLEM:
* under 2.4.65, original CertificateChainFile works fine in all browsers (Firefox, Chrome, Edge, Safari, Opera)
* under 2.4.66, with no configuration changes, get SSL-PROTOCOL-ERR in (Chrome, Edge, Opera); but Firefox works ok
* downloading the latest CertificateChainFile from Sectigo website, 2.4.66 works fine again in all browsers.

The problem is fixed; but I don't understand what happened. Can anyone explain?

P.S. Installed the latest CertificateChainFile on the dev server (2.4.66). It's working fine in all browsers *but* gives an error using SSLChecker: https://www.sslshopper.com/ssl-checker.html#hostname=https://train.dhammareg.dhamma.org:8443/

It shows a missing root certificate. Various other SSL-checking tools also show an incomplete certificate chain.

one of the production sites (2.4.65, with original certificate chain) validates: https://www.sslshopper.com/ssl-checker.html#hostname=uscan.dhammareg.dhamma.org:8443

Still confused.
admin (Site Admin, Joined: 15 Oct 2005, Posts: 714)
Posted: Mon 15 Dec '25 20:09

Good news that the sites are now working.

piro (Joined: 17 Dec 2025, Posts: 1)
Posted: Wed 17 Dec '25 13:02

TL;DR
This is very likely related to an OpenSSL 3.6.0 bug related to including OCSP responses. See: https://github.com/openssl/openssl/issues/28902. You probably run the risk of being affected if you have OCSP stapling enabled.

For those interested, this is how we found the issue:

We ran into similar issues with TLS connections not working in Chromium and WebKit browsers. For us, the issue only manifested with a new certificate and the 2.4.66 build. When using either the old build or the old certificate everything worked fine.

We then searched through the Chrome network log produced by chrome://net-export which pointed at tls13_both.cc line 259 in boringssl. This code relates to decoding an OCSP response.

When we tried again with disabled OCSP stapling, Chromium and WebKit browsers worked again.

After that, we decided to check which changes in OpenSSL 3.6.0 might impact OCSP responses and saw that the issue had already been reported.
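The two things piro's post turns on, whether the server actually staples an OCSP response and whether the chain it presents verifies, can be checked from the command line before a browser ever complains. The script below is an added example, not code from this thread or from the Apache Lounge builds. It relies only on the stock `openssl s_client` CLI; the host and port are whatever the caller passes, the function names (`ocsp_stapling_status`, `chain_length`, `verify_code`, `summarise`, `probe`) are the example's own, and the two sample captures are constructed so the script runs offline, not real server output.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what a TLS endpoint returns
# when a client asks for a stapled OCSP response, which is the part of the
# handshake that Chromium and WebKit rejected in the reports above.

# Did the server staple an OCSP response?  Reads `openssl s_client -status`
# output on stdin and prints stapled / not-stapled / unknown.
ocsp_stapling_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled
    else
        echo unknown
    fi
}

# Number of certificates the server sent: the " N s:" lines of the chain dump.
# A count of 1 for a leaf issued by an intermediate means the chain is incomplete.
chain_length() {
    grep -c '^ *[0-9][0-9]* s:' || true
}

# Numeric "Verify return code"; 0 means the client could build a trusted path.
verify_code() {
    sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# One-line summary of a single capture read from stdin.
summarise() {
    capture=$(cat)
    stapling=$(printf '%s\n' "$capture" | ocsp_stapling_status)
    depth=$(printf '%s\n' "$capture" | chain_length)
    code=$(printf '%s\n' "$capture" | verify_code)
    echo "stapling=$stapling chain_certs=$depth verify_code=${code:-none}"
}

# Live probe: -servername (SNI) plus -status asks for what a browser asks for.
probe() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | summarise
}

# Constructed sample captures (not real server output) so the checks run offline.
SAMPLE_STAPLED='Certificate chain
 0 s:CN = www.example.test
   i:O = Example CA, CN = Example Issuing CA
 1 s:O = Example CA, CN = Example Issuing CA
   i:O = Example CA, CN = Example Root CA
---
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
---
Verify return code: 0 (ok)'

SAMPLE_UNSTAPLED_SHORT='Certificate chain
 0 s:CN = www.example.test
   i:O = Example CA, CN = Example Issuing CA
---
OCSP response: no response sent
---
Verify return code: 21 (unable to verify the first certificate)'

if [ -n "${1:-}" ]; then
    probe "$1" "${2:-443}"          # e.g. ./stapling-check.sh host.example 8443
else
    printf '%s\n' "$SAMPLE_STAPLED" | summarise
    printf '%s\n' "$SAMPLE_UNSTAPLED_SHORT" | summarise
fi
```

Run it with a host and optional port to probe a live server; with no arguments it summarises the two constructed captures. In httpd the stapling behaviour piro toggled is governed by `SSLUseStapling` (which needs an `SSLStaplingCache`), so `SSLUseStapling off` is the switch his workaround refers to, and a `verify_code` of 21 with `chain_certs=1` is the command-line view of the "incomplete certificate chain" the checkers in the first post reported.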