We are trying to set up SSL on an application running on WordPress, PHP and Apache. After making the necessary configuration changes, we get the following error from a curl command -
[root@www ~]# curl https://www.<domain name> -v
* About to connect() to www.<domain name> port 443 (#0)
* Trying 192.168.1.5...
* Connected to www.<domain name> (<domain IP>) port 443 (#0)
* Initializing NSS with certpath: sql:/sql/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
* curl: (35) SSL received a record that exceeded the maximum permissible length.
[root@www ~]#
We notice that the .crt file name here (/etc/pki/tls/certs/ca-bundle.crt) is different from the one we set in the SSL configuration file - /etc/pki/tls/certs/<domain name>.crt.
We followed these steps -
- Located the effective httpd.conf file using
ps aux | grep httpd
- Configured SSLCertificateFile and SSLCertificateKey in apache/conf/ssl.conf - https://freeimage.host/i/UQ6Zxt
- Made the following changes to httpd.conf -
Listen 443
ServerName www.<domain name>:443
- Restarted the httpd service.
Also checked that the PHP configuration shows the following in the phpinfo() output -
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, tls, tlsv1.0, tlsv1.1, tlsv1.2
openssl
Openssl default config => /etc/pki/tls/openssl.cnf
openssl.cafile => no value => no value
openssl.capath => no value => no value
On checking this file, we found -
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
Here too, I don't see the .pem and .crt files referenced in the curl output, so I'm not sure.
I checked this and verified that the OpenSSL extension is loaded, using https://www.php.net/manual/en/function.extension-loaded.php.
The network/server admin team that provided the details above says that some configuration on the WordPress side may be causing this. Do you think that makes sense?
UPDATE
The Apache ssl.conf file also has the following set -
SSLEngine on
Also, here is the entire ssl.conf file (with all comment lines removed) -
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName www.<domain name>:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/<domain name>.crt
SSLCertificateKeyFile /etc/pki/tls/private/<domain name>.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
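As an added diagnostic example (not code from the question or its author), the script below reads the first bytes a server sends back the way a TLS client does, i.e. as a five-byte record header of type, version and length, so a plaintext HTTP status line on port 443 ("HTTP/" parses as a record of 20527 bytes, beyond the 18432-byte maximum) is classified separately from a real TLS reply; the host and port passed to probe() are assumptions.

```python
import socket
import ssl
import struct

# Record content types a TLS server may legitimately send first (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Largest ciphertext record TLS 1.2 permits: 2^14 bytes of plaintext plus 2048 bytes expansion.
MAX_RECORD_LEN = 16384 + 2048


def parse_record_header(first_bytes):
    """Read the first five bytes exactly as a TLS client does: type, version, length."""
    if len(first_bytes) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", first_bytes[:5])
    return {"type": ctype, "version": version, "length": length}


def classify_reply(first_bytes):
    """Decide what the server on the port is speaking, from its first bytes."""
    hdr = parse_record_header(first_bytes)
    if hdr is None:
        return "no-data"  # connection closed or nothing sent back
    if (hdr["type"] in TLS_CONTENT_TYPES and hdr["version"] >> 8 == 3
            and hdr["length"] <= MAX_RECORD_LEN):
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        # Plaintext HTTP on the TLS port: the "length" field is the bytes "P/" = 20527,
        # above MAX_RECORD_LEN, which is what SSL_ERROR_RX_RECORD_TOO_LONG reports.
        return "plaintext-http"
    return "not-tls"


def probe(host, port=443, timeout=5.0):
    """Attempt a real handshake; if it fails, check whether the port answers plaintext HTTP."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "TLS OK: %s %s" % (tls.version(), tls.cipher()[0])
    except ssl.SSLError as exc:
        reason = getattr(exc, "reason", None) or str(exc)
    # A TLS-speaking port answers a plain HTTP request with an alert record (classified "tls")
    # or closes; a port serving plain HTTP answers with a status line ("plaintext-http").
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        reply = raw.recv(64)
    return "TLS failed (%s); port %d answered: %s" % (reason, port, classify_reply(reply))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "www.example.com"))  # host is an assumption
```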