httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] questions about IPv6 and SSL
Date Wed, 31 Aug 2016 23:50:20 GMT

Andreas,

On 8/31/16 6:05 PM, Andreas Meyer wrote:
> Christopher Schultz <chris@christopherschultz.net> schrieb am
> 31.08.16 um 17:28:04 Uhr:
> 
>>> A few days ago I added IPv6-connectivity to the web server and
>>> changed the Listen-directives and the VirtualHost to also
>>> listen to the IPv6-Address on port 443.
>> 
>> Please post your "Listen" and "VirtualHost" directive lines from
>> your config file.
> 
> This is the part of listen.conf:
> 
> Listen 127.0.0.1:80
> Listen 37.120.166.21:80
> Listen 46.38.231.143:80
> Listen [2a03:4000:6:4123::1]:80
> 
> <IfDefine SSL> <IfDefine !NOSSL> IfModule mod_ssl.c>

Missing < in the previous line. Typo or copy/paste error?

> Listen 127.0.0.1:443
> Listen 37.120.166.21:443
> Listen 46.38.231.143:443
> Listen [2a03:4000:6:4123::1]:443
> 
> </IfModule>
> </IfDefine>
> </IfDefine>
> 
> and in the VirtualHost I just added
> 
> <Virtualhost 37.120.166.21 [2a03:4000:6:4123::1]:80>
> 
> RewriteCond %{HTTPS} off
> RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
> 
> and in the sslvhost
>
> <Virtualhost 37.120.166.21 [2a03:4000:6:4123::1]:443>

This plus the above are likely to be confusing: you have separate
VirtualHosts bound to the same interface with no port specification.

Try this:

<Virtualhost 37.120.166.21:80 [2a03:4000:6:4123::1]:80>
   ...
</VirtualHost>
<Virtualhost 37.120.166.21:443 [2a03:4000:6:4123::1]:443>
   ...
</VirtualHost>

Note that you haven't specified a VirtualHost for localhost and
whatever 46.38.231.143 is.

Which interface are you using for testing?

Do any of the ports work? Does httpd even start up?

> tried also with a separate <VirtualHost [2a03:4000:6:4123::1]:443>
> 
>>> There is a redirect from http to https. The website is not
>>> reachable anymore, no certificates are found.
>> 
>> Those are two different problems:
>> 
>> 1. Certificates are not found
> 
> The certificates are there. If I disable the IPV6 things, they are
> found.

Woah, what?

When you say "disable IPv6", what do you mean? How are you changing
your configuration?

>> 2. Web site is not reachable
>> 
>> One may cause the other.
>> 
>> What error message do you get, and where?
> 
> The thing is, I didn't notice the website is not reachable 'cause
> my testings with my IPv6 connection showed no errors.

That statement is confusing to me. Can you clarify it?

> ping from outside:
> 
> andreas@workstation:/> ping6 2a03:4000:6:4123::1
> PING 2a03:4000:6:4123::1(2a03:4000:6:4123::1) 56 data bytes
> 64 bytes from 2a03:4000:6:4123::1: icmp_seq=1 ttl=58 time=33.2 ms
> 64 bytes from 2a03:4000:6:4123::1: icmp_seq=2 ttl=58 time=33.1 ms
> 64 bytes from 2a03:4000:6:4123::1: icmp_seq=3 ttl=58 time=30.9 ms
> ^C
> 
> People then reported the site is not reachable, for instance:
> 
> Firefox error message: Ein Fehler ist während einer Verbindung mit
> www.bitcorner.de aufgetreten. SSL hat einen Eintrag erhalten, der
> die maximal erlaubte Länge überschritten hat. Fehlercode:
> SSL_ERROR_RX_RECORD_TOO_LONG
>
> Curl: error (35): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol]

That usually happens when you (correctly) disable SSLv3 and someone
tries to use an SSLv3 handshake with your site. That doesn't
necessarily mean that your site is misconfigured.

> Wget: wget "https://www.bitcorner.de/bshop/products.csv"
> --2016-08-31 15:21:12--  https://www.bitcorner.de/bshop/products.csv
> Resolving www.bitcorner.de (www.bitcorner.de)... 37.120.166.21, 2a03:4000:6:4123::1
> Connecting to www.bitcorner.de (www.bitcorner.de)|37.120.166.21|:443... connected.
> GnuTLS: An unexpected TLS packet was received.
> Unable to establish SSL connection.

How about this:

$ openssl s_client -tls1 -connect www.bitcorner.de:443

Here's what I get when I try SSLv3:

$ openssl s_client -ssl3 -connect www.bitcorner.de:443
CONNECTED(00000003)
5966:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s3_pkt.c:1145:SSL alert number 40
5966:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s3_pkt.c:566:

Using TLSv1, I get better results:

$ openssl s_client -tls1 -connect www.bitcorner.de:443
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=bitcorner.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
[...]
---
SSL handshake has read 4652 bytes and written 682 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA

etc.

If I let s_client choose the protocol, it chooses TLSv1.2:
$ openssl s_client -connect www.bitcorner.de:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=bitcorner.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
[...]
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

etc.

$ host www.bitcorner.de
www.bitcorner.de has address 37.120.166.21
www.bitcorner.de has IPv6 address 2a03:4000:6:4123::1

$ ping6 2a03:4000:6:4123::1
connect: Network is unreachable

$ ping www.bitcorner.de
PING www.bitcorner.de (37.120.166.21) 56(84) bytes of data.
64 bytes from mail.bitcorner.de (37.120.166.21): icmp_req=1 ttl=49
time=92.6 ms

$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr [...]
          inet addr:10.[...]  Bcast:10.192.215.255  Mask:255.255.254.0
          inet6 addr: [present]/64 Scope:Link

Weird. Looks like my IPv6 isn't working as I'd expect. So whatever
configuration you have there now seems to be working. Did you
roll back when things weren't working?

-chris
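The thread's diagnosis hinges on a detail that a single `openssl s_client -connect` run cannot show: the name has both an A and an AAAA record, and a client on an IPv4-only path (Chris) and a client on an IPv6 path (Andreas) may be reaching differently configured VirtualHosts. The script below is an added example, not code from Chris, Andreas or the httpd project. It resolves every address of a name, sends the same ClientHello that OpenSSL would send to each one on port 443, and classifies the first bytes that come back: a TLS handshake record, a TLS alert (what the `-ssl3` run above received), or something that is not TLS at all. A plaintext `HTTP/1.1 400` reply on port 443 is the classic cause of the `SSL_ERROR_RX_RECORD_TOO_LONG` and `unknown protocol` messages quoted in the thread, and the per-address table makes it visible which address family answers that way. The hostname and port are parameters; the default hostname is the one from the thread, used only as the illustration, and the classification labels are this example's own.

```python
"""Per-address TLS probe: an added example, not code from the thread.

For every A/AAAA record of a name it does what `openssl s_client -connect`
does for one address: open TCP to the port, send a ClientHello and look at
the first bytes that come back.  Host and port are parameters; the default
host is the thread's hostname, used only as an illustration (assumption).
"""
import socket
import ssl
import sys


def build_client_hello(server_name: str) -> bytes:
    """Return the ClientHello bytes OpenSSL would send for server_name.

    A MemoryBIO pair lets the handshake start without any network: the first
    do_handshake() call writes the ClientHello (including SNI) into `outgoing`
    and raises SSLWantReadError because it now needs the server's reply.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected here; the hello is already sitting in `outgoing`
    return outgoing.read()


def classify_first_bytes(data: bytes) -> str:
    """Classify what a server sent back in reply to a ClientHello.

    Every TLS record begins with a content type (0x16 handshake, 0x15 alert)
    followed by a 0x03 0x0X record version.  Anything else means the port is
    not speaking TLS; a plaintext 'HTTP/1.1 400 ...' reply is the case that
    clients surface as 'record too long' or 'unknown protocol'.
    """
    if len(data) < 3:
        return "no-data"
    if data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "not-tls"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read up to n bytes from sock, stopping early only on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Map each address the name resolves to -> classification string."""
    results = {}
    hello = build_client_hello(host)
    for family, socktype, proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        addr = sockaddr[0]
        if addr in results:
            continue  # getaddrinfo can list the same address more than once
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
                sock.sendall(hello)
                # Five bytes is one TLS record header, enough to classify.
                results[addr] = classify_first_bytes(_recv_exact(sock, 5))
        except OSError as exc:  # timeouts and 'Network is unreachable' land here
            results[addr] = f"connect-failed: {exc}"
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.bitcorner.de"
    for address, verdict in probe(target).items():
        print(f"{address:40} {verdict}")
```

Run it as `python3 probe.py www.example.org` from a host with both address families; an address that reports `plaintext-http` is answering port 443 from a non-SSL VirtualHost, an address that reports `connect-failed` is the same "Network is unreachable" situation Chris hit with `ping6`, and `tls-handshake` on both addresses is the state the thread is trying to reach. The classifier only looks at the record header on purpose: it needs no certificate validation and so works against a server whose chain is broken, which is exactly the condition under investigation.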


