Apache/GnuTLS 从 Apache-Host 连接时出现错误

tag-icon tag-icon apache-2.2 gnutls
Apache/GnuTLS 从 Apache-Host 连接时出现错误

我们有一个配置为使用 GnuTLS 的 SNI 的 Apache Web 服务器。一切正常,服务器向客户端提供正确的证书。

除非直接从 Apache 主机连接。

# curl -v https://example.com

* About to connect() to example.com port 443 (#0)
*   Trying xxx.xxx.xxx.xxx...
* connected
* Connected to example.com (xxx.xxx.xxx.xxx) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
    CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

从另一台计算机执行时,相同的命令行也有效。

经过一些测试,我发现当源 IP 和目标 IP 相同时就会出现问题。

# curl -v --interface 127.0.0.1 https://example.com运行完美,T​​LS 握手成功。

服务器配置了两个接口。只要接口 IP 与解析的主机名 IP 不匹配,一切正常。

目前,我可以找到一种解决方法来解决这个问题,但无法弄清楚是什么导致了这种现象。

~# lsb_release -si -sr
Debian
7.8

~# apache2 -v
Server version: Apache/2.2.22 (Debian)
Server built:   Dec 23 2014 22:48:29

~# gnutls-cli -v
gnutls-cli (GnuTLS) 2.12.20
Packaged by Debian (2.12.20-8+deb7u3)

~# host example.com
example.com has address xxx.xxx.xxx.xxx


~# ifconfig |grep inet -B1
eth0       Link encap:Ethernet  HWaddr 00:aa:bb:cc:dd:ee
          inet addr:yyy.yyy.yyy.yyy Bcast:yyy.yyy.yyy.zzz Mask:255.255.255.248
--
eth1       Link encap:Ethernet  HWaddr 00:aa:bb:cc:dd:ef
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.zzz.zzz  Mask:255.255.0.0
--
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

~# cat ports.conf
Listen xxx.xxx.xxx.xxx:443
Listen yyy.yyy.yyy.yyy:443
Listen xxx.xxx.xxx.xxx:80
Listen yyy.yyy.yyy.yyy:80
NameVirtualHost xxx.xxx.xxx.xxx:443
NameVirtualHost yyy.yyy.yyy.yyy:443
NameVirtualHost xxx.xxx.xxx.xxx:80
NameVirtualHost yyy.yyy.yyy.yyy:80

~# cat sites-enabled/example.com.conf
<VirtualHost xxx.xxx.xxx.xxx:80>
        DocumentRoot "/var/www/com.example"
        ServerName example.com
        Redirect permanent / https://example.com/
        ErrorLog ${APACHE_LOG_DIR}/example.com.error.log
        CustomLog ${APACHE_LOG_DIR}/example.com.access.log combined
        <Directory "/var/www/com.example">
                allow from all
                Options +Indexes
                </Directory>
</VirtualHost>

<VirtualHost xxx.xxx.xxx.xxx:443>
        GnuTLSEnable on
        GnuTLSSessionTickets on
        GnuTLSPriorities SECURE128:-VERS-SSL3.0:+COMP-DEFLATE
        DocumentRoot "/var/www/com.example"
        ServerName example.com
        ErrorLog ${APACHE_LOG_DIR}/example.com.error.log
        CustomLog ${APACHE_LOG_DIR}/example.com.access.log combined
        GnuTLSCertificateFile /etc/ssl/certs/example.com.pem
        GnuTLSKeyFile /etc/ssl/private/example.com.key
        <Directory "/var/www/com.example">
                allow from all
                Options +Indexes
        </Directory>
</VirtualHost>

相关内容