SSL configuration problem - "SSL received a record that exceeded the maximum permissible length"

We are trying to set up SSL for an application running on WordPress, PHP and Apache. After making the necessary configuration changes, we get the following error from a curl command -

[root@www ~]# curl https://www.<domain name> -v
* About to connect() to www.<domain name> port 443 (#0)
*   Trying 192.168.1.5...
* Connected to www.<domain name> (<domain IP>) port 443 (#0)
* Initializing NSS with certpath: sql:/sql/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
* curl: (35) SSL received a record that exceeded the maximum permissible length.
[root@www ~]#

We noticed that the .crt file name here (/etc/pki/tls/certs/ca-bundle.crt) is different from the one we set in the SSL configuration file - /etc/pki/tls/certs/<domain name>.crt

We followed these steps -

  • Found the active httpd.conf file using ps aux | grep httpd
  • Configured SSLCertificateFile and SSLCertificateKeyFile in apache/conf/ssl.conf -

https://freeimage.host/i/UQ6Zxt

  • Made the following changes in httpd.conf -

    Listen 443

    ServerName www.<domain name>:443

  • Restarted the httpd service.

We also checked via phpinfo() that the PHP configuration shows the following in its output -

Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, tls, tlsv1.0, tlsv1.1, tlsv1.2
openssl
Openssl default config => /etc/pki/tls/openssl.cnf
openssl.cafile => no value => no value
openssl.capath => no value => no value

On checking this file, we found -

[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

Here too, I do not see the .pem and .crt files referenced in the curl output, so I am not sure.

I checked this question and verified that the OpenSSL extension is loaded using https://www.php.net/manual/en/function.extension-loaded.php

The network/server admin team that provided the above details says that some configuration on the WordPress side may be causing this. Does that sound plausible to you?

Update

The following is also set in Apache's ssl.conf -

SSLEngine on

Also, here is the complete ssl.conf file (with all comment lines removed) -

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName www.<domain name>:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/<domain name>.crt
SSLCertificateKeyFile /etc/pki/tls/private/<domain name>.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
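A note on what the NSS error actually measures, with an added diagnostic script that is not part of the original question. A TLS client reads the first 5 bytes the server sends as a record header: content type (1 byte), version (2 bytes), length (2 bytes), and NSS raises SSL_ERROR_RX_RECORD_TOO_LONG when that length field is larger than a record may legally be (RFC 5246 caps a ciphertext record at 2^14 + 2048 bytes). Nothing about certificates has been examined at that point, so the CAfile line in the curl output (curl's own trust store) is unrelated to SSLCertificateFile. One very common way to get a bogus length is a server answering port 443 in plaintext HTTP: the bytes "HTTP/" decode as content type 0x48, version 0x5454 and length 0x502f = 20527, which is over the limit. The script below decodes a server's first bytes the same way, and can send a hand-built ClientHello to a host to see what it really answers with. The function names, the hard-coded cipher suites, and the sample byte strings are my own constructions, not anything from the poster's server.

```python
import socket
import struct
import sys

# RFC 5246 s.6.2.3: a TLSCiphertext record body may be at most 2^14 + 2048 bytes.
MAX_TLS_RECORD_BODY = 16384 + 2048

TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def classify_record_header(first_bytes: bytes) -> dict:
    """Interpret the first 5 bytes a server sent the way a TLS client does.

    Record header layout: content_type(1) version(2) length(2).  A server that
    really speaks plain HTTP sends "HTTP/", which decodes to content type 0x48,
    version 0x5454 and length 0x502f = 20527: above the permitted record size,
    i.e. exactly the SSL_ERROR_RX_RECORD_TOO_LONG symptom.
    """
    if len(first_bytes) < 5:
        return {"verdict": "too_short", "raw": first_bytes}
    content_type, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    too_long = length > MAX_TLS_RECORD_BODY
    if first_bytes.startswith(b"HTTP/"):
        verdict = "plaintext_http"
    elif content_type in TLS_CONTENT_TYPES and major == 3 and not too_long:
        verdict = "tls"
    else:
        verdict = "not_tls"
    return {
        "verdict": verdict,
        "content_type": content_type,
        "content_type_name": TLS_CONTENT_TYPES.get(content_type, "unknown"),
        "version": (major, minor),
        "length": length,
        "too_long": too_long,
    }


def build_client_hello(server_name: str) -> bytes:
    """Hand-built minimal TLS 1.2 ClientHello carrying an SNI extension.

    Enough for a TLS server to answer with a ServerHello or an alert (both are
    TLS records) and for a plain-HTTP server to answer "HTTP/1.1 400 ...".
    """
    host = server_name.encode("idna")
    sni_entry = struct.pack("!BH", 0, len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA: need no ECC extensions
    cipher_suites = b"\x00\x2f\x00\x35"
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + b"\x00" * 32                                # random: fixed, this is only a probe
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    # Record header: handshake, legacy version 3.1, length of the handshake message
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, send the ClientHello and classify whatever the server sends first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        first = sock.recv(5)
    return classify_record_header(first)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(probe(sys.argv[1], port))
    else:
        # Constructed samples, not captured from any real server.
        samples = (
            b"HTTP/1.1 400 Bad Request\r\n",          # plain HTTP on the TLS port
            b"\x16\x03\x03\x00\x5c\x02\x00\x00\x58",  # genuine ServerHello record start
        )
        for sample in samples:
            print(sample[:5], "->", classify_record_header(sample))
```

Run it as `python3 probe.py www.<domain name>`: a verdict of `plaintext_http` means port 443 is being served by a vhost without SSLEngine on (or mod_ssl is not loaded at all), in which case `apachectl -S` is the place to look for which vhost actually owns *:443; a verdict of `tls` means the handshake starts correctly and the problem lies elsewhere. A WordPress setting cannot change what bytes Apache puts on the wire before any HTTP request is parsed.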
