Thog | Joined: 12 Feb 2007 | Posts: 75 | Location: Montreal
Posted: Mon 26 Dec '11 8:34 | Post subject: SSL connection error... AcceptFilter Apache 2.4

I can't seem to get SSL working with FCGID. Apache loads but I keep getting the following error. I know my keys work because they work when I load without FCGID.
 Here is my setup. Maybe someone can post their setup for SSL with FCGID?
 
 
Code:
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 
 AcceptFilter https none
 
 SSLPassPhraseDialog builtin
 SSLSessionCache "shmcb:c:/servers/apache24_ssl/logs/ssl_scache(512000)"
 SSLSessionCacheTimeout 300
 
 <VirtualHost 70.38.28.214:443>
 ServerName www.rave.ca:443
 ServerAdmin admin@rave.ca
 DocumentRoot "d:/websites/rave.ca/website"
 ErrorLog "d:/websites/rave.ca/logs/error_ssl.log"
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 SSLCertificateFile "c:/servers/apache24_ssl/conf/ssl.crt/rave.ca.crt"
 SSLCertificateKeyFile "c:/servers/apache24_ssl/conf/ssl.key/rave.ca.key"
 SSLCertificateChainFile "c:/servers/apache24_ssl/conf/ssl.crt/PositiveSSL.ca-bundle.crt"
 <FilesMatch "\.(php)$">
 SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory d:/websites/rave.ca>
 AddHandler fcgid-script .php
 Options Indexes FollowSymLinks ExecCGI
 AllowOverride all
 FcgidWrapper "c:/servers/php_54_nts/php-cgi.exe" .php
 Require all granted
 </Directory>
 BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 CustomLog "c:/servers/apache24_ssl/logs/ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 </VirtualHost>
 
 
 I've also tried using these instead which seem better and more secure but no luck:
 
 
Code:
 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
 SSLProtocol -ALL +SSLv3 +TLSv1
 
 This is what displays when the page loads:
 
 [CHROME]
 SSL connection error
 Unable to make a secure connection to the server. This may be a problem with the server or it may be requiring a client authentication certificate that you don't have.
 Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
 [/CHROME]
 
 [FIREFOX]
 The connection was interrupted
 The connection to www.rave.ca was interrupted while the page was loading.
 [/FIREFOX]
 
 [IE]
 Internet Explorer cannot display the webpage
 [/IE]
 
 Last edited by Thog on Tue 27 Dec '11 0:25; edited 1 time in total

Steffen (Moderator) | Joined: 15 Oct 2005 | Posts: 3131 | Location: Hilversum, NL, EU
Posted: Mon 26 Dec '11 12:31

With HTML ok?
Warnings/Errors in the Apache log?
 
 Btw:
 In 2.4 you have to load mod_socache_shmcb !
 
 
 Steffen

Thog | Joined: 12 Feb 2007 | Posts: 75 | Location: Montreal
Posted: Mon 26 Dec '11 20:05

Actually now that you mentioned it I tried with a non PHP page and it gives the same error message.
 There is nothing being written to the ssl_request.log file... There are no errors in the error.log file and nothing is being written to the access.log file.
 
 This is all:
 
 
Code:
 [Mon Dec 26 12:49:58.817112 2011] [mpm_winnt:notice] [pid 2932:tid 356] AH00455: Apache/2.3.16 (Win64) OpenSSL/1.0.0e mod_fcgid/2.3.6d configured -- resuming normal operations
 [Mon Dec 26 12:49:58.817112 2011] [mpm_winnt:notice] [pid 2932:tid 356] AH00456: Server built: Dec 16 2011 16:46:46
 [Mon Dec 26 12:49:58.817112 2011] [core:notice] [pid 2932:tid 356] AH00094: Command line: 'C:\\Servers\\Apache24_SSL\\bin\\httpd.exe -d C:/Servers/Apache24_SSL'
 [Mon Dec 26 12:49:58.817112 2011] [mpm_winnt:notice] [pid 2932:tid 356] AH00418: Parent: Created child process 6480
 [Mon Dec 26 12:49:59.926501 2011] [mpm_winnt:notice] [pid 6480:tid 284] AH00354: Child: Starting 150 worker threads.
 
 
 I do have "mod_socache_shmcb" loaded also and my httpd conf file is the same as the one I posted before.
 
 
Code:
 ServerRoot "C:/Servers/Apache24_SSL"
 
 LoadModule alias_module modules/mod_alias.so
 LoadModule auth_basic_module modules/mod_auth_basic.so
 LoadModule authn_core_module modules/mod_authn_core.so
 LoadModule authn_file_module modules/mod_authn_file.so
 LoadModule authz_core_module modules/mod_authz_core.so
 LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
 LoadModule authz_host_module modules/mod_authz_host.so
 LoadModule authz_user_module modules/mod_authz_user.so
 LoadModule autoindex_module modules/mod_autoindex.so
 LoadModule cgi_module modules/mod_cgi.so
 LoadModule dir_module modules/mod_dir.so
 LoadModule env_module modules/mod_env.so
 LoadModule include_module modules/mod_include.so
 LoadModule log_config_module modules/mod_log_config.so
 LoadModule mime_module modules/mod_mime.so
 LoadModule negotiation_module modules/mod_negotiation.so
 LoadModule rewrite_module modules/mod_rewrite.so
 LoadModule setenvif_module modules/mod_setenvif.so
 LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 LoadModule ssl_module modules/mod_ssl.so
 LoadModule fcgid_module modules/mod_fcgid.so
 
 <IfModule !mpm_netware_module>
 <IfModule !mpm_winnt_module>
 User daemon
 Group daemon
 </IfModule>
 </IfModule>
 
 ServerAdmin admin@rave.ca
 ServerName localhost:80
 DocumentRoot "C:/Servers/Apache24_SSL/htdocs"
 
 <Directory />
 Options FollowSymLinks
 AllowOverride None
 Require all denied
 </Directory>
 
 <Directory "C:/Servers/Apache24_SSL/htdocs">
 Options Indexes FollowSymLinks
 AllowOverride None
 Require all granted
 </Directory>
 
 <IfModule dir_module>
 DirectoryIndex index.php index.htm index.html
 </IfModule>
 
 <FilesMatch "^\ht.">
 Require all denied
 </FilesMatch>
 
 ErrorLog "logs/error.log"
 LogLevel warn
 
 <IfModule log_config_module>
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
 LogFormat "%h %l %u %t \"%r\" %>s %b" common
 CustomLog "logs\access.log" common
 </IfModule>
 
 <IfModule mime_module>
 TypesConfig conf/mime.types
 AddType application/x-compress .Z
 AddType application/x-gzip .gz .tgz
 </IfModule>
 
 EnableMMAP off
 EnableSendfile off
 
 <IfModule ssl_module>
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 </IfModule>
 
 <IfModule !mpm_netware_module>
 PidFile "logs/httpd.pid"
 </IfModule>
 
 <IfModule mpm_winnt_module>
 ThreadsPerChild      150
 MaxRequestsPerChild    0
 </IfModule>
 
 AccessFileName ht.access
 HostnameLookups Off
 KeepAlive On
 KeepAliveTimeout 5
 MaxKeepAliveRequests 100
 ServerSignature Off
 ServerTokens Full
 Timeout 300
 UseCanonicalName Off
 
 Listen 70.38.28.214:443
 
 AcceptFilter http none
 AcceptFilter https none
 
 Include sites/*.site
 
 
 And the site file (of which there is only one):
 
 
Code:
 SSLPassPhraseDialog builtin
 SSLSessionCache "shmcb:c:/servers/apache24_ssl/logs/ssl_scache(512000)"
 SSLSessionCacheTimeout 300
 
 <VirtualHost 70.38.28.214:443>
 ServerName www.rave.ca:443
 ServerAdmin admin@rave.ca
 DocumentRoot "d:/websites/rave.ca/website"
 ErrorLog "d:/websites/rave.ca/logs/error_ssl.log"
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 SSLCertificateFile "c:/servers/apache24_ssl/conf/ssl.crt/rave.ca.crt"
 SSLCertificateKeyFile "c:/servers/apache24_ssl/conf/ssl.key/rave.ca.key"
 SSLCertificateChainFile "c:/servers/apache24_ssl/conf/ssl.crt/PositiveSSL.ca-bundle.crt"
 <Directory d:/websites/rave.ca>
 AddHandler fcgid-script .php
 Options Indexes FollowSymLinks
 AllowOverride all
 Require all granted
 </Directory>
 BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 CustomLog "c:/servers/apache24_ssl/logs/ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 </VirtualHost>
 
 
 Maybe you can post your SSL configuration file since I see you kind of have SSL working here on apachelounge? Maybe it has to do with the fact that I'm using /'s and not \'s for the url's but that never stopped 2.2 from working? I will try to use SSL in module mode and see if it works and post back.
 
 NOTE: I removed all PHP stuff from this file... This is happening with regular .txt files even... I will also try using the 32bit version instead of the 64bit version and see if that helps...
 
 NOTE: 32bit version same thing...
 NOTE: Using \\ instead of / same thing...

Steffen (Moderator) | Joined: 15 Oct 2005 | Posts: 3131 | Location: Hilversum, NL, EU
Posted: Mon 26 Dec '11 21:12

So none of the log files has something about your SSL requests? Sure you looked in the access.log and error.log?
When true, then IP/Name may be an issue, Apache does not get the request.
 
 Try first with localhost:
 
 Listen 443
 
 <VirtualHost 127.0.0.1:443>
 ServerName localhost:443
 ...
 ...
 ...
 
 Steffen

Thog | Joined: 12 Feb 2007 | Posts: 75 | Location: Montreal
Posted: Tue 27 Dec '11 0:22

I tried on the localhost and pressed F5 a lot and maybe 1 out of every 50 page views will load but the other 49 page views give:
 Error 15 (net::ERR_SOCKET_NOT_CONNECTED): Unknown error.
 
 or
 
 Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
 
 Which is strange that it would actually load sometimes without problem!
 
 Anyways I guess I will just wait for someone else to have a similar problem and see if they fix it. I'll continue to use version 2.2 for anything related to SSL for now. I do hope sometime someone will post their config of apache running with ssl since no good examples exist!
 
 I also tried on another machine with a totally different domain and the same thing happened. Thinking maybe it was this machine.
 
 Meanwhile Apache 2.2 works flawlessly with fastcgi and ssl which makes me believe there is a problem in 2.4 using ssl...

admin (Site Admin) | Joined: 15 Oct 2005 | Posts: 706
Posted: Tue 27 Dec '11 13:11

So it is going better, 1 out of 50.
!! Try to comment out: AcceptFilter https none
 
 Tested below config here with IE6, IE9, Chrome, no issues here.
 
Code:
 Listen 192.168.1.13:443
 
 #AcceptFilter https none !!!
 
 SSLPassPhraseDialog builtin
 SSLSessionCache shmcb:logs/ssl_scache(512000)
 SSLSessionCacheTimeout 300
 
 <VirtualHost 192.168.1.13:443>
 ServerName devxp
 
 SSLEngine on
 DocumentRoot "c:/Apache23/htdocs"
 
 SSLProtocol all -SSLv2
 SSLHonorCipherOrder On
 SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
 
 SSLCertificateFile conf/ssl.crt
 SSLCertificateKeyFile conf/ssl.key
 SSLCertificateChainFile conf/sub.class2.server.ca.cer
 SSLCACertificateFile conf/ca.cer
 
 
 BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 
 ErrorLog F:/log/apache/serror.log
 
 CustomLog f:/log/apache/srequest.log "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
 
 </VirtualHost>
 

Steffen (Moderator) | Joined: 15 Oct 2005 | Posts: 3131 | Location: Hilversum, NL, EU
Posted: Tue 27 Dec '11 17:49

Reported it on the dev list that AcceptFilter set to none has maybe an issue.
Commenting out AcceptFilter https works here fine.
 
 
 Steffen

Thog | Joined: 12 Feb 2007 | Posts: 75 | Location: Montreal
Posted: Wed 28 Dec '11 5:14

I used your config and after commenting out:
#AcceptFilter https none
 
 It works fine!
 
 But with it it still only works 1 time out of 50 (and sometimes not at all). It also works with my old config without the AcceptFilter but from what I remember without it the site occasionally will freeze and you end up with "The specified network name is no longer available." or "Asynchronous AcceptEx failed." stuff in the logs. I will post more if that happens!
 
 Thanks!
 
 I hope they fix this problem! Apache 2.4 is really much more stable than 2.2 and also seems to work faster!

Steffen (Moderator) | Joined: 15 Oct 2005 | Posts: 3131 | Location: Hilversum, NL, EU
Posted: Wed 28 Dec '11 12:12

I reported the issue already months back.
To overcome, I have a 2.2.21 SSL-only with Reverse Proxy in front of 2.3.16. A minimal httpd.conf with e.g. only mod_ssl, mod_proxy and logging loaded. And no vhosts.
 
 ...
 ...
 SSLEngine on
 ProxyRequests Off
 Win32DisableAcceptEx
 EnableSendfile Off
 EnableMMAP off
 ServerName www.land10web.com
 DocumentRoot f:/web/unknown
 ProxyPreserveHost On
 ProxyPass         / http://127.0.0.1/
 ProxyPassReverse / http://127.0.0.1/
 ...
 ...
 
 It feels an advantage in general, it offloads resources from the high non-SSL traffic. Kinda extra multi-threaded.
 
 Steffen
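
Added example (not part of the original thread and not Apache or Apache Lounge code): a small Python audit of the directives posted above. It flags `AcceptFilter https none`, the setting the thread traced the handshake errors to, and reports which weak cipher classes each posted `SSLCipherSuite` string leaves enabled; the function names, the `WEAK` class list and the simplified operator model are assumptions of this example.

```python
import re
# Simplified model of OpenSSL cipher-string operators, see ciphers(1): NAME adds,
# +NAME only reorders, -NAME removes (re-addable), !NAME removes permanently.
# Keywords outside WEAK (ADH, DES, ...) are ignored, so results err on the strict side.
WEAK = {"LOW", "EXP", "eNULL", "aNULL", "RC4"}  # assumed class list for this example
ALIASES = {"EXPORT": "EXP", "NULL": "eNULL"}

def weak_cipher_classes(spec):
    """Return the weak keyword classes a cipher string leaves enabled."""
    enabled, killed = set(), set()
    for tok in filter(None, re.split(r"[:, ]+", spec.strip('"'))):
        op = tok[0] if tok[0] in "!-+" else ""
        names = [ALIASES.get(p, p) for p in tok[len(op):].split("+")]
        if op == "!" and len(names) == 1:
            killed.add(names[0])
        elif op == "-" and len(names) == 1:
            enabled.discard(names[0])
        elif op == "":  # bare keyword; ALL never includes the eNULL suites
            enabled |= (WEAK - {"eNULL"}) if names == ["ALL"] else WEAK.intersection(names)
    return enabled - killed

def audit(conf):
    """Return (line_number, message) findings for Apache config text."""
    findings = []
    for n, raw in enumerate(conf.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        name, args = words[0].lower(), words[1:]
        if name == "acceptfilter" and [a.lower() for a in args] == ["https", "none"]:
            findings.append((n, "AcceptFilter https none (setting this thread traced the TLS errors to)"))
        elif name == "sslprotocol":
            old = [a for a in args if a.lstrip("+").lower() in ("sslv2", "sslv3")]
            if old:
                findings.append((n, "enables " + " ".join(old)))
        elif name == "sslciphersuite" and args:
            weak = weak_cipher_classes(args[-1])
            if weak:
                findings.append((n, "cipher string enables " + ", ".join(sorted(weak))))
    return findings

# Constructed sample: directives copied from the configs posted in this thread.
SAMPLE = """AcceptFilter https none
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLProtocol -ALL +SSLv3 +TLSv1
#AcceptFilter https none !!!"""
for n, msg in audit(SAMPLE):
    print(f"line {n}: {msg}")
```

In the first posted string `+eNULL` only reorders and does not turn on NULL encryption, while `ALL` without `!LOW:!EXP` keeps low-strength and export suites available.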