openssl gives an error, apache cannot use https


I am trying to configure apache-tomcat with SSL, but ran into some problems.

[root@manage conf]# openssl s_client -state -debug -connect 10.104.1.38:443 -key server.key -cert server.crt 
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80f1e98 [0x811d5e8] (121 bytes => 121 (0x79))
0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 00 00-ff 0a 86 af 23 f2 2f a1   ............#./.
0060 - 4b 2d 9b f3 a9 d9 0e 1b-34 4d 0c e4 1a 06 b6 25   K-......4M.....%
0070 - 76 04 de bd 6f 50 86 a1-9f                        v...oP...
SSL_connect:SSLv2/v3 write client hello A
read from 0x80f1e98 [0x8122b48] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
23995:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

Here is my apache configuration:

[root@manage extra]# cat httpd-ssl.conf 
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLMutex  "file:/usr/local/apache/logs/ssl_mutex"

<VirtualHost _default_:443>
ErrorLog "/usr/local/tomcat/logs/error_log"
TransferLog "/usr/local/tomcat/logs/access_log"

        SSLEngine on
        SSLProtocol +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:

        ServerName          manage.xyz
        DocumentRoot        /usr/local/tomcat/webapps/xyz
        ServerAdmin         [email protected]
        Alias /backup "/var/backupdata/"
        Alias /logbackup "/var/logbackupdata/"
        Alias /autologbackupdata "/var/autologbackupdata/"
        Alias /client "/usr/local/xxxx/clientfiles/"
        Alias /syshealth "/usr/local/tomcat/webapps/xyz/syshealth/"
        Alias /connection "/tmp"
        Alias /cacheimages "/var/cacherrdimages"
        Alias /xyz/images "/usr/local/xxxx/images/"
        Alias /images "/usr/local/xxxx/images/"
        Alias /javaplugin "/usr/local/xxxx/javaplugin/"
        Alias /bandwidthgraph "/var/bandwidthgraphs"
        Alias /usergraph "/var/bandwidthgraphs/userimage"

        JkMount /xyz/servlet/* ajp13
        JkMount /xyz/*.jsp ajp13

SSLCertificateFile "/usr/local/apache/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog "/usr/local/apache/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

error_log output:

[Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] Connection to child 2 established (server manage.xyz:443)
[Tue Aug 05 13:44:03 2014] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/accept initialization
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1939): OpenSSL: read 7/11 bytes from BIO#8136940 [mem: 813dfc0] (BIO dump follows)
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1911): | 0000: 15 03 01 00 02 01                                ......           |
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1915): | 0007 - <SPACES/NULS>
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1950): OpenSSL: I/O error, 4 bytes expected to read on BIO#8136940 [mem: 813dfc7]
[Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] Connection closed to child 2 with abortive shutdown (server manage.xyz:443)
[Tue Aug 05 13:45:37 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01

Below is the relevant output when I try without the -key and -cert options:

[root@manage extra]# openssl s_client -state -debug -connect 10.104.1.38:443
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80f0da0 [0x811c4f8] (121 bytes => 121 (0x79))
0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 00 00-ff 10 44 3f 7f e0 41 4d   ..........D?..AM
0060 - fd 08 dd 10 5b bb f7 10-c6 ec cd 59 b8 ff 55 db   ....[......Y..U.
0070 - 70 cd 97 8d af 9d 2a 65-2a                        p.....*e*
SSL_connect:SSLv2/v3 write client hello A
read from 0x80f0da0 [0x8121a58] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
32453:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

Apache logs at the same time:

[Tue Aug 05 14:23:49 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01

Access log:

10.104.1.38 - - [05/Aug/2014:14:23:49 -0400] "\x80w\x01\x03\x01" 501 217

Below is the log from when I restart the httpd service. I guess no error was found.

==> error_log <==
[Tue Aug 05 14:36:44 2014] [info] removed PID file /var/run/httpd.pid (pid=18411)
[Tue Aug 05 14:36:44 2014] [notice] caught SIGTERM, shutting down
[Tue Aug 05 14:37:09 2014] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 14:37:09 2014] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 05 14:37:09 2014] [info] Configuring server for SSL protocol
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:]
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
[Tue Aug 05 14:37:09 2014] [warn] RSA server certificate CommonName (CN) `jat' does NOT match server name!?
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(936): Configuring RSA server private key
[Tue Aug 05 14:37:09 2014] [info] mod_ssl/2.2.27 compiled against Server: Apache/2.2.27, Library: OpenSSL/0.9.8e-fips-rhel5
[Tue Aug 05 14:37:09 2014] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/apache/logs/jk-runtime-status
[Tue Aug 05 14:37:09 2014] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 14:37:09 2014] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(272): for 511952 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(310): subcache_size = 15996
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 2144
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13852
[Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(316): index_num = 133
[Tue Aug 05 14:37:09 2014] [info] Shared memory session cache initialised
[Tue Aug 05 14:37:09 2014] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 05 14:37:09 2014] [info] Configuring server for SSL protocol
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:]
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
[Tue Aug 05 14:37:09 2014] [warn] RSA server certificate CommonName (CN) `jat' does NOT match server name!?
[Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(936): Configuring RSA server private key
[Tue Aug 05 14:37:09 2014] [info] mod_ssl/2.2.27 compiled against Server: Apache/2.2.27, Library: OpenSSL/0.9.8e-fips-rhel5
[Tue Aug 05 14:37:09 2014] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/apache/logs/jk-runtime-status
[Tue Aug 05 14:37:09 2014] [notice] Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.40 configured -- resuming normal operations
[Tue Aug 05 14:37:09 2014] [info] Server built: Jun 14 2014 05:04:12
[Tue Aug 05 14:37:09 2014] [debug] prefork.c(1023): AcceptMutex: sysvsem (default: sysvsem)
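The following is an added example, not code from the question or from Apache/OpenSSL. It decodes the 121-byte write shown in the s_client dump above (copied verbatim; it is an SSLv2-format CLIENT-HELLO, which is what OpenSSL 0.9.8's s_client sends by default), reproduces the request line httpd logs when a plain-HTTP listener receives those bytes, and classifies the first bytes a server sends back so that "plain HTTP answering on 443" is recognised instead of being reported as "unknown protocol". The response samples are constructed; the function names, and the decision that a leading "<" or "HTTP/" means plaintext, are this example's own.

```python
"""
Decode an SSLv2-compatible ClientHello and classify what a port speaks from the
first bytes it returns. The hello bytes are copied from the openssl s_client
dump in the question; response samples are constructed for illustration.
"""
import socket
import struct

# The 121-byte write captured by "openssl s_client -state -debug" above.
SSLV2_CLIENT_HELLO = bytes.fromhex(
    "80 77 01 03 01 00 4e 00 00 00 20 00 00 39 00 00 "
    "38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 "
    "00 00 33 00 00 32 00 00 2f 03 00 80 00 00 05 00 "
    "00 04 01 00 80 00 00 15 00 00 12 00 00 09 06 00 "
    "40 00 00 14 00 00 11 00 00 08 00 00 06 04 00 80 "
    "00 00 03 02 00 80 00 00 ff 0a 86 af 23 f2 2f a1 "
    "4b 2d 9b f3 a9 d9 0e 1b 34 4d 0c e4 1a 06 b6 25 "
    "76 04 de bd 6f 50 86 a1 9f"
)


def parse_sslv2_client_hello(data: bytes) -> dict:
    """Parse an SSLv2-format CLIENT-HELLO: 2-byte header (high bit set, 15-bit length),
    then type, version, cipher-spec length, session-id length, challenge length."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record: header says %d bytes, have %d" % (rec_len, len(body)))
    msg_type, ver_major, ver_minor, cs_len, sid_len, ch_len = struct.unpack("!BBBHHH", body[:9])
    if msg_type != 1:
        raise ValueError("not a CLIENT-HELLO (message type %d)" % msg_type)
    pos = 9
    specs = body[pos:pos + cs_len]; pos += cs_len
    session_id = body[pos:pos + sid_len]; pos += sid_len
    challenge = body[pos:pos + ch_len]; pos += ch_len
    if pos != rec_len:
        raise ValueError("length fields do not add up to the record length")
    cipher_specs = [specs[i:i + 3] for i in range(0, cs_len, 3)]
    return {
        "record_length": rec_len,
        "version": (ver_major, ver_minor),          # highest version offered, 3.1 = TLS 1.0
        "cipher_specs": cipher_specs,
        # A leading 0x00 byte is an SSLv3/TLS suite id padded to 3 bytes;
        # any other leading byte is an SSLv2-only cipher kind.
        "sslv2_only": sum(1 for c in cipher_specs if c[0] != 0),
        "session_id": session_id,
        "challenge": challenge,
    }


# httpd's "Invalid method in request ..." message: the request line is a C string,
# so the first NUL ends it, and non-printable bytes are escaped as \xHH.
_CTRL = {0x08: "\\b", 0x09: "\\t", 0x0A: "\\n", 0x0B: "\\v", 0x0D: "\\r", 0x5C: "\\\\", 0x22: '\\"'}


def apache_request_line(raw: bytes) -> str:
    """Render the start of a connection the way httpd's error_log shows it."""
    line = raw.split(b"\x00", 1)[0]
    return "".join(_CTRL.get(b) or (chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b) for b in line)


def classify_server_response(first: bytes) -> str:
    """Classify the first bytes a server sends back after a ClientHello."""
    if not first:
        return "closed"                 # EOF: nothing listening, or the peer dropped us
    if len(first) >= 3 and first[0] == 0x16 and first[1] == 0x03:
        return "tls-handshake"          # TLS record, handshake content type (ServerHello)
    if len(first) >= 3 and first[0] == 0x15 and first[1] == 0x03:
        return "tls-alert"              # TLS is there but refused the hello (alert record)
    if len(first) >= 3 and first[0] & 0x80 and first[2] == 0x04:
        return "sslv2-server-hello"
    text = first.lstrip()
    if text.startswith(b"HTTP/") or text.startswith(b"<"):
        return "plaintext-http"         # a status line or HTML body: the port is not TLS at all
    return "unknown"


def probe(host: str, port: int, hello: bytes = SSLV2_CLIENT_HELLO, timeout: float = 5.0) -> tuple:
    """Send a ClientHello and return (classification, first bytes). Does network I/O."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(hello)
        try:
            first = s.recv(64)
        except socket.timeout:
            first = b""
    return classify_server_response(first), first


if __name__ == "__main__":
    info = parse_sslv2_client_hello(SSLV2_CLIENT_HELLO)
    print("hello: version %d.%d, %d cipher specs (%d SSLv2-only), %d-byte challenge"
          % (info["version"] + (len(info["cipher_specs"]), info["sslv2_only"], len(info["challenge"]))))
    print("httpd would log: Invalid method in request " + apache_request_line(SSLV2_CLIENT_HELLO))
    print("reply '<!DOCTY' means:", classify_server_response(b"<!DOCTY"))
```

The "<!DOCTY" that s_client reads back is the start of an HTML error page, and the five bytes httpd logs, \x80w\x01\x03\x01, are the start of this very hello cut at its first NUL; together they say the listener on 443 is speaking HTTP, so no certificate or cipher setting can be at fault yet. `probe("10.104.1.38", 443)` runs the same check live.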

Answer 1

As can be seen from the comments above, the immediate problem is that my service is not running under HTTPS, only HTTP. openssl s_client therefore cannot connect to it, because there is no SSL to handshake with.

The root problem was in my Apache configuration. Apache 2.2's NameVirtualHost directive does not support that argument; I changed NameVirtualHost manage.xxx to NameVirtualHost *:80 and everything works.
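An added example, not code from the question or the answer: a simplified model of how Apache 2.2 chooses the VirtualHost for an incoming connection (an address written without a port matches every port on that address; address-specific NameVirtualHost entries collect the name-based vhosts for that address and are consulted before any "*" or "_default_" vhost; with no Host header available at connect time, the first vhost listed for the address is used, and SSLEngine is taken from that vhost). It shows why "NameVirtualHost manage.xxx" can hand a port-443 connection to a plain-HTTP vhost while "NameVirtualHost *:80" leaves 443 to the "_default_:443" SSL vhost. The two httpd.conf fragments, the name-to-IP mapping and the function names are constructed here; the original httpd.conf is not shown on the page, and ordering subtleties between several wildcard-port entries are not modelled.

```python
"""
Simplified model of Apache 2.2's vhost selection, used to explain why a
NameVirtualHost without a port captures port 443. Config fragments and the
name-to-IP mapping are constructed for this example.
"""
import re

# Assumed: the name used in the answer resolves to the probed address.
NAME_TO_IP = {"manage.xxx": "10.104.1.38"}

BROKEN_CONF = """
Listen 80
Listen 443
NameVirtualHost manage.xxx
<VirtualHost manage.xxx:80>
    ServerName manage.xxx
</VirtualHost>
<VirtualHost _default_:443>
    ServerName manage.xyz
    SSLEngine on
</VirtualHost>
"""

FIXED_CONF = BROKEN_CONF.replace("NameVirtualHost manage.xxx", "NameVirtualHost *:80") \
                        .replace("<VirtualHost manage.xxx:80>", "<VirtualHost *:80>")


def parse_addr(token: str) -> tuple:
    """'addr[:port]' -> (host, port); port 0 means any port. IPv4/hostnames only."""
    host, port = (token.rsplit(":", 1) if ":" in token else (token, ""))
    return NAME_TO_IP.get(host, host), (int(port) if port else 0)


def parse_conf(conf: str) -> tuple:
    """Return (name_vhost_addrs, vhosts); a vhost is {'addrs', 'name', 'ssl'}."""
    name_vhosts, vhosts, cur = [], [], None
    for line in conf.splitlines():
        line = line.strip()
        m = re.match(r"<VirtualHost\s+(.+?)\s*>$", line, re.I)
        if m:
            cur = {"addrs": [parse_addr(t) for t in m.group(1).split()], "name": "?", "ssl": False}
            vhosts.append(cur)
            continue
        if line.lower() == "</virtualhost>":
            cur = None
            continue
        m = re.match(r"NameVirtualHost\s+(\S+)", line, re.I)
        if m:
            name_vhosts.append(parse_addr(m.group(1)))
            continue
        if cur is not None:
            m = re.match(r"ServerName\s+(\S+)", line, re.I)
            if m:
                cur["name"] = m.group(1)
            if re.match(r"SSLEngine\s+on$", line, re.I):
                cur["ssl"] = True
    return name_vhosts, vhosts


def port_ok(a: int, b: int) -> bool:
    """Ports match when equal or when either side is the wildcard 0."""
    return a == 0 or b == 0 or a == b


def select_vhost(conf: str, ip: str, port: int) -> tuple:
    """Which vhost does a connection to ip:port get? Returns (ServerName, ssl_on)."""
    name_vhosts, vhosts = parse_conf(conf)
    # Address chains: NameVirtualHost entries first, each collecting the vhosts that
    # attach to it; a vhost on an address with no NameVirtualHost gets its own chain.
    chains = [{"addr": a, "servers": []} for a in name_vhosts if a[0] not in ("*", "_default_")]
    defaults = []   # '*' and '_default_' vhosts, consulted only if no chain matches
    for vh in vhosts:
        for host, p in vh["addrs"]:
            if host in ("*", "_default_"):
                defaults.append((p, vh))
                continue
            for ch in chains:
                if ch["addr"][0] == host and port_ok(ch["addr"][1], p):
                    ch["servers"].append(vh)
                    break
            else:
                chains.append({"addr": (host, p), "servers": [vh]})
    for ch in chains:
        if ch["addr"][0] == ip and port_ok(ch["addr"][1], port):
            if not ch["servers"]:
                return ("main server", False)   # NameVirtualHost with no VirtualHosts
            vh = ch["servers"][0]               # no Host header at connect time: first listed wins
            return (vh["name"], vh["ssl"])
    for p, vh in defaults:
        if port_ok(p, port):
            return (vh["name"], vh["ssl"])
    return ("main server", False)


if __name__ == "__main__":
    for label, conf in (("NameVirtualHost manage.xxx", BROKEN_CONF), ("NameVirtualHost *:80", FIXED_CONF)):
        for port in (80, 443):
            name, ssl = select_vhost(conf, "10.104.1.38", port)
            print("%-28s port %3d -> %-12s SSLEngine %s" % (label, port, name, "on" if ssl else "off"))
```

With the broken fragment the port-443 connection lands on the port-80 vhost, which has no SSLEngine, so httpd answers it as plain HTTP; with the fixed fragment it falls through to _default_:443. The same capture happens if a `<VirtualHost>` address itself is written without a port. The authoritative check on a real server is `httpd -S` (or `apachectl -S`), which prints the parsed vhost table in the order httpd will search it.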
