httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Meyer <a.me...@nimmini.de>
Subject Re: [users@httpd] questions about IPv6 and SSL
Date Thu, 01 Sep 2016 07:13:01 GMT
Hello!

Christopher Schultz <chris@christopherschultz.net> schrieb am 31.08.16 um 19:50:20 Uhr:

> > <IfDefine SSL> <IfDefine !NOSSL> IfModule mod_ssl.c>  
> 
> Missing < in the previous line. Typo or copy/paste error?

This was a copy/paste error.

# netstat -pantu |grep http
tcp        0      0 46.38.231.143:443       0.0.0.0:*               LISTEN      14160/httpd2-prefor

tcp        0      0 37.120.166.21:443       0.0.0.0:*               LISTEN      14160/httpd2-prefor

tcp        0      0 46.38.231.143:80        0.0.0.0:*               LISTEN      14160/httpd2-prefor

tcp        0      0 37.120.166.21:80        0.0.0.0:*               LISTEN      14160/httpd2-prefor

tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      14160/httpd2-prefor

tcp        0      0 2a03:4000:6:4123::1:443 :::*                    LISTEN      14160/httpd2-prefor

tcp        0      0 2a03:4000:6:4123::1:80  :::*                    LISTEN      14160/httpd2-prefor


> Try this:
> 
> <Virtualhost 37.120.166.21:80 [2a03:4000:6:4123::1]:80>
>    ...
> </VirtualHost>
> <Virtualhost 37.120.166.21:443 [2a03:4000:6:4123::1]:443>
>    ...
> </VirtualHost>

done that

> Note that you haven't specified a VirtualHost for localhost and
> whatever 46.38.231.143 is.

created a VirtualHost localhost. 46.38.231.143 is just another VirtualHost
the server is serving

> Which interface are you using for testing?

On the server it is ens3:

ens3      Link encap:Ethernet  Hardware Adresse BA:69:5F:F3:F8:26  
          inet Adresse:37.120.166.21  Bcast:37.120.167.255  Maske:255.255.252.0
          inet6 Adresse: 2a03:4000:6:4123::1/64 Gültigkeitsbereich:Global
          inet6 Adresse: fe80::b869:5fff:fef3:f826/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16017225 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1231199 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:1000 
          RX bytes:1209401803 (1153.3 Mb)  TX bytes:841330316 (802.3 Mb)

From my testingmachine it is wlan1:

wlan1     Link encap:Ethernet  Hardware Adresse 00:22:B0:E7:D9:9B  
          inet Adresse:192.168.3.100  Bcast:192.168.3.255  Maske:255.255.255.0
          inet6 Adresse: fe80::222:b0ff:fee7:d99b/64 Gültigkeitsbereich:Verbindung
          inet6 Adresse: 2003:54:ef22:e900:222:b0ff:fee7:d99b/64 Gültigkeitsbereich:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:77004 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60273 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 Sendewarteschlangenlänge:1000 
          RX bytes:79839183 (76.1 Mb)  TX bytes:7037131 (6.7 Mb)

> Do any of the ports work? Does httpd even start up?

Yes, no errors-

> >> Those are two different problems:
> >> 
> >> 1. Certificates are not found  
> > 
> > The certificate are there. If I disable the IPV6 things, they are
> > found.  
> 
> Woah, what?
> 
> When you say "disable IPv6", what do you mean? How are you changing
> your configuration?

I mean if disable the listening for IPv6-addresses in listen.conf and
remove the IPv6-addresses in the VirtualHost statement.

> >> 2. Web site is not reachable
> >> 
> >> One may cause the other.
> >> 
> >> What error message to you get, and where?  
> > 
> > The thing is, I didn't notice the website is not reachable 'cause
> > my testings with my IPv6 connection showed no errors.  
> 
> That statement is confusing to me. Can you clarify it?

I mean I can reach the server on port 443 with IPv6-entries without
problems from my outside connection with IPv6 enabled but people
tell me they can't.

If have this in bitcorner-ssl.conf

        SSLEngine on
        SSLProtocol all

> > ping from outside:
> >   
> > andreas@workstation:/> ping6 2a03:4000:6:4123::1 PING  
> > 2a03:4000:6:4123::1(2a03:4000:6:4123::1) 56 data bytes 64 bytes
> > from 2a03:4000:6:4123::1: icmp_seq=1 ttl=58 time=33.2 ms 64 bytes
> > from 2a03:4000:6:4123::1: icmp_seq=2 ttl=58 time=33.1 ms 64 bytes
> > from 2a03:4000:6:4123::1: icmp_seq=3 ttl=58 time=30.9 ms ^C
> > 
> > People then reported the site is not reachable, for instance:
> > 
> > Firefox-Fehlermeldung: Ein Fehler ist während einer Verbindung mit
> > www.bitcorner.de aufgetreten. SSL hat einen Eintrag erhalten, der
> > die maximal erlaubte Länge überschritten hat. Fehlercode: 
> > SSL_ERROR_RX_RECORD_TOO_LONG
> > 
> > Curl: error (35): error:140770FC:SSL
> > routines:SSL23_GET_SERVER_HELLO:unknown protocol]  
> 
> That usually happens when you (correctly) disable SSLv3 and someone
> tries to use an SSLv3 handshake with your site. That doesn't
> necessarily mean that your site is misconfigured.
> 
> > Wget: wget "https://www.bitcorner.de/bshop/products.csv" 
> > --2016-08-31 15:21:12--
> > https://www.bitcorner.de/bshop/products.csv Resolving
> > www.bitcorner.de (www.bitcorner.de)... 37.120.166.21, 
> > 2a03:4000:6:4123::1 Connecting to www.bitcorner.de
> > (www.bitcorner.de)|37.120.166.21|:443... connected. GnuTLS: An
> > unexpected TLS packet was received. Unable to establish SSL
> > connection.  
> 
> How about this:
> 
> $ openssl s_client -tls1 -connect www.bitcorner.de:443
> 
> Here's what I get when I try SSLv3:
> 
> $ openssl s_client -ssl3 -connect www.bitcorner.de:443
> CONNECTED(00000003)
> 5966:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenS
> SL098-59.60.1/src/ssl/s3_pkt.c:1145:SSL
> alert number 40
> 5966:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenS
> SL098-59.60.1/src/ssl/s3_pkt.c:566:
> 
> Using TLSv1, I get better results:
> 
> $ openssl s_client -tls1 -connect www.bitcorner.de:443
> CONNECTED(00000003)
> depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> - ---
> Certificate chain
>  0 s:/CN=bitcorner.de
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> - ---
> [...]
> - ---
> SSL handshake has read 4652 bytes and written 682 bytes
> - ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
> 
> etc.
> 
> If I let s_client choose the protocol, it chooses TLSv1.2:
> $ openssl s_client -connect www.bitcorner.de:443
> CONNECTED(00000003)
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> - ---
> Certificate chain
>  0 s:/CN=bitcorner.de
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> - ---
> [...]
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
> 
> etc.

yes, allright

andreas@workstation:~> openssl s_client -connect www.bitcorner.de:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = bitcorner.de
verify return:1
---
Certificate chain
 0 s:/CN=bitcorner.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

....

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E78775875C88EDB18D25CCE24295EF81B521C024753D77EA19085B5F6916E714
    Session-ID-ctx: 
    Master-Key: AF834CBD084DB5F2BFFA2625C36EB2EAB3C290257A07B1ADCA978C8191BF04717456A8B92379797B5F844D6DFB9EC161
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - fb 80 d4 4a e9 07 ce eb-36 af fb 8e d5 2e 5d 27   ...J....6.....]'
    0010 - 1e 77 84 33 f4 cb a7 4e-14 df a8 18 38 41 a2 ec   .w.3...N....8A..
    0020 - 25 fd 14 5d c9 d8 4f 63-ab 45 59 e5 50 e8 db 03   %..]..Oc.EY.P...
    0030 - 1a 83 aa 01 1b c0 d6 63-56 40 a6 65 db 51 18 b3   .......cV@.e.Q..
    0040 - 2c cf 89 ab 84 86 04 d6-5b 33 bf de d2 40 16 06   ,.......[3...@..
    0050 - 7a 48 04 7c d5 8d 92 b6-48 7b 53 19 ac 46 f2 60   zH.|....H{S..F.`
    0060 - 10 0b 39 8a 9a 65 b6 cd-08 2f 19 57 5a 08 4e 66   ..9..e.../.WZ.Nf
    0070 - 3e 65 f0 69 b3 5d 1c 1f-46 35 cf 85 34 04 6a c6   >e.i.]..F5..4.j.
    0080 - 1a fb 72 fe 59 fb c9 a7-fa fa 0b ab 65 9a 0f 5f   ..r.Y.......e.._
    0090 - 20 c4 4a 53 0d 51 00 00-9e 2c 17 7d b8 74 60 66    .JS.Q...,.}.t`f
    00a0 - 56 af 7a 33 a7 6a 3a 09-e4 5d 41 c8 b7 22 eb 84   V.z3.j:..]A.."..
    00b0 - 8d c7 e4 f4 4c cf 26 93-f1 bb 42 5a e9 f3 71      ....L.&...BZ..q
    00c0 - <SPACES/NULS>

    Start Time: 1472713310
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

> 
> $ host www.bitcorner.de
> www.bitcorner.de has address 37.120.166.21
> www.bitcorner.de has IPv6 address 2a03:4000:6:4123::1
> 
> $ ping6 2a03:4000:6:4123::1
> connect: Network is unreachable
> 
> $ ping www.bitcorner.de
> PING www.bitcorner.de (37.120.166.21) 56(84) bytes of data.
> 64 bytes from mail.bitcorner.de (37.120.166.21): icmp_req=1 ttl=49
> time=92.6 ms
> 
> $ /sbin/ifconfig
> eth0      Link encap:Ethernet  HWaddr [...]
>           inet addr:10.[...]  Bcast:10.192.215.255  Mask:255.255.254.0
>           inet6 addr: [present]/64 Scope:Link
> 
> Weird. Looks like my IPv6 isn't working as I'd expect. So whatever
> configuration you have there now seems to be working. Did you
> roll-back when things weren't working?

Maybe after the changes to 
<Virtualhost 37.120.166.21:80 [2a03:4000:6:4123::1]:80>
and
<VirtualHost 37.120.166.21:443 [2a03:4000:6:4123::1]:443>

things work better?

I disabled the RewriteRule for now.

#RewriteCond %{HTTPS} off
#RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  Andreas

Mime
View raw message