Andreas,

On 8/31/16 6:05 PM, Andreas Meyer wrote:
> Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx> wrote on
> 31.08.16 at 17:28:04:
>
>>> A few days ago I added IPv6-connectivity to the web server and
>>> changed the Listen-directives and the VirtualHost to also
>>> listen to the IPv6-Address on port 443.
>>
>> Please post your "Listen" and "VirtualHost" directive lines from
>> your config file.
>
> This is the part of listen.conf:
>
> Listen 127.0.0.1:80
> Listen 37.120.166.21:80
> Listen 46.38.231.143:80
> Listen [2a03:4000:6:4123::1]:80
>
> <IfDefine SSL>
> <IfDefine !NOSSL>
> IfModule mod_ssl.c>

Missing < in the previous line. Typo or copy/paste error?

> Listen 127.0.0.1:443
> Listen 37.120.166.21:443
> Listen 46.38.231.143:443
> Listen [2a03:4000:6:4123::1]:443
>
> </IfModule>
> </IfDefine>
> </IfDefine>
>
> and in the VirtualHost I just added
>
> <Virtualhost 37.120.166.21 [2a03:4000:6:4123::1]:80>
>
> RewriteCond %{HTTPS} off
> RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
>
> and in the sslvhost <Virtualhost 37.120.166.21 [2a03:4000:6:4123::1]:443>

This plus the above are likely to be confusing: you have separate
VirtualHosts bound to the same interface with no port specification.
Try this:

<Virtualhost 37.120.166.21:80 [2a03:4000:6:4123::1]:80>
...
</VirtualHost>

<Virtualhost 37.120.166.21:443 [2a03:4000:6:4123::1]:443>
...
</VirtualHost>

Note that you haven't specified a VirtualHost for localhost and
whatever 46.38.231.143 is.

Which interface are you using for testing? Do any of the ports work?
Does httpd even start up?

> tried also with a separate <VirtualHost [2a03:4000:6:4123::1]:443>
>
>>> There is a redirect from http to https. The website is not
>>> reachable anymore, not certificates are found.
>>
>> Those are two different problems:
>>
>> 1. Certificates are not found
>
> The certificates are there. If I disable the IPV6 things, they are
> found.

Woah, what?
When you say "disable IPv6", what do you mean? How are you changing
your configuration?

>> 2. Web site is not reachable
>>
>> One may cause the other.
>>
>> What error message do you get, and where?
>
> The thing is, I didn't notice the website is not reachable 'cause
> my testings with my IPv6 connection showed no errors.

That statement is confusing to me. Can you clarify it?

> ping from outside:
>
> andreas@workstation:/> ping6 2a03:4000:6:4123::1
> PING 2a03:4000:6:4123::1(2a03:4000:6:4123::1) 56 data bytes
> 64 bytes from 2a03:4000:6:4123::1: icmp_seq=1 ttl=58 time=33.2 ms
> 64 bytes from 2a03:4000:6:4123::1: icmp_seq=2 ttl=58 time=33.1 ms
> 64 bytes from 2a03:4000:6:4123::1: icmp_seq=3 ttl=58 time=30.9 ms
> ^C
>
> People then reported the site is not reachable, for instance:
>
> Firefox error message: Ein Fehler ist während einer Verbindung mit
> www.bitcorner.de aufgetreten. SSL hat einen Eintrag erhalten, der
> die maximal erlaubte Länge überschritten hat. Fehlercode:
> SSL_ERROR_RX_RECORD_TOO_LONG
>
> Curl: error (35): error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol]

That usually happens when you (correctly) disable SSLv3 and someone
tries to use an SSLv3 handshake with your site. That doesn't
necessarily mean that your site is misconfigured.

> Wget: wget "https://www.bitcorner.de/bshop/products.csv"
> --2016-08-31 15:21:12--  https://www.bitcorner.de/bshop/products.csv
> Resolving www.bitcorner.de (www.bitcorner.de)... 37.120.166.21, 2a03:4000:6:4123::1
> Connecting to www.bitcorner.de (www.bitcorner.de)|37.120.166.21|:443... connected.
> GnuTLS: An unexpected TLS packet was received.
> Unable to establish SSL connection.
How about this:

$ openssl s_client -tls1 -connect www.bitcorner.de:443

Here's what I get when I try SSLv3:

$ openssl s_client -ssl3 -connect www.bitcorner.de:443
CONNECTED(00000003)
5966:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s3_pkt.c:1145:SSL alert number 40
5966:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s3_pkt.c:566:

Using TLSv1, I get better results:

$ openssl s_client -tls1 -connect www.bitcorner.de:443
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=bitcorner.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
[...]
---
SSL handshake has read 4652 bytes and written 682 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
etc.

If I let s_client choose the protocol, it chooses TLSv1.2:

$ openssl s_client -connect www.bitcorner.de:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=bitcorner.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
[...]
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
etc.
$ host www.bitcorner.de
www.bitcorner.de has address 37.120.166.21
www.bitcorner.de has IPv6 address 2a03:4000:6:4123::1

$ ping6 2a03:4000:6:4123::1
connect: Network is unreachable

$ ping www.bitcorner.de
PING www.bitcorner.de (37.120.166.21) 56(84) bytes of data.
64 bytes from mail.bitcorner.de (37.120.166.21): icmp_req=1 ttl=49 time=92.6 ms

$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr [...]
          inet addr:10.[...]  Bcast:10.192.215.255  Mask:255.255.254.0
          inet6 addr: [present]/64 Scope:Link

Weird. Looks like my IPv6 isn't working as I'd expect.

So whatever configuration you have there now seems to be working. Did
you roll-back when things weren't working?

-chris
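The port-less VirtualHost address that the reply above points at is the kind of mistake that is easy to miss by eye and that produces exactly the symptoms reported (SSL_ERROR_RX_RECORD_TOO_LONG, "unknown protocol", "unexpected TLS packet"): a non-SSL VirtualHost that can also answer on port 443 sends plain HTTP to a client expecting a TLS ServerHello. The following script is an added example, not code from the thread or from the httpd project. It parses Listen and VirtualHost directives and reports every VirtualHost without `SSLEngine on` whose address spec could match a TLS listening port. It assumes (as the reply does) that an address with no port matches every port Listen binds on that address, and it flags every candidate rather than reproducing httpd's exact vhost-selection order. The sample config is constructed from the addresses quoted in the thread; the `SSLEngine on` line in the SSL vhost is an assumption, since the thread does not show that block's body.

```python
import re

# Constructed sample with the same shape as the Listen / VirtualHost lines
# quoted in the thread (addresses copied from the thread). The IfDefine
# wrappers are dropped, and the sslvhost body ("SSLEngine on") is an
# assumption: the thread never shows it.
BROKEN_CONFIG = """\
Listen 127.0.0.1:80
Listen 37.120.166.21:80
Listen 46.38.231.143:80
Listen [2a03:4000:6:4123::1]:80
Listen 127.0.0.1:443
Listen 37.120.166.21:443
Listen 46.38.231.143:443
Listen [2a03:4000:6:4123::1]:443

<VirtualHost 37.120.166.21 [2a03:4000:6:4123::1]:80>
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost 37.120.166.21 [2a03:4000:6:4123::1]:443>
    SSLEngine on
</VirtualHost>
"""

# The same config with the ports spelled out on every address, as suggested.
FIXED_CONFIG = (BROKEN_CONFIG
    .replace("<VirtualHost 37.120.166.21 [2a03:4000:6:4123::1]:80>",
             "<VirtualHost 37.120.166.21:80 [2a03:4000:6:4123::1]:80>")
    .replace("<VirtualHost 37.120.166.21 [2a03:4000:6:4123::1]:443>",
             "<VirtualHost 37.120.166.21:443 [2a03:4000:6:4123::1]:443>"))

# addr[:port] where addr is a bracketed IPv6 literal, an IPv4/hostname, or "*"
ADDR_RE = re.compile(r"^(\[[^\]]+\]|[^:\[\]\s]+)(?::(\d+|\*))?$")
LISTEN_RE = re.compile(r"^Listen\s+(\S+)", re.I)
VHOST_OPEN_RE = re.compile(r"^<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE_RE = re.compile(r"^</VirtualHost>", re.I)
SSL_ON_RE = re.compile(r"^SSLEngine\s+on\b", re.I)


def parse_addr(spec):
    """Split 'addr', 'addr:port' or 'addr:*' into (addr, port-or-None).
    None stands for 'no port given', which this lint treats as 'any port'."""
    m = ADDR_RE.match(spec)
    if not m:
        raise ValueError("bad address spec: " + spec)
    addr, port = m.group(1), m.group(2)
    return addr, (None if port in (None, "*") else int(port))


def parse_config(text):
    """Return (listens, vhosts). listens: list of (addr, port). vhosts: dicts
    with the opening line number, the address specs and the SSLEngine state."""
    listens, vhosts, current = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = LISTEN_RE.match(line)
        if m:
            spec = m.group(1)
            if spec.isdigit():            # "Listen 443" binds every address
                listens.append(("*", int(spec)))
            else:
                addr, port = parse_addr(spec)
                if port is None:
                    raise ValueError(f"line {n}: Listen requires a port")
                listens.append((addr, port))
            continue
        m = VHOST_OPEN_RE.match(line)
        if m:
            current = {"line": n, "ssl": False,
                       "addrs": [parse_addr(s) for s in m.group(1).split()]}
            continue
        if VHOST_CLOSE_RE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None and SSL_ON_RE.match(line):
            current["ssl"] = True
    return listens, vhosts


def ports_matched(addr, port, listens):
    """Listening ports a single VirtualHost address spec can answer on."""
    return {lp for la, lp in listens
            if (addr == "*" or la == "*" or la == addr)
            and (port is None or port == lp)}


def find_plaintext_on_tls(text, tls_ports=(443,)):
    """Report (line, addr, [ports]) for every non-SSL VirtualHost whose
    address spec can match a TLS port: such a vhost answers in plain HTTP."""
    listens, vhosts = parse_config(text)
    findings = []
    for vh in vhosts:
        if vh["ssl"]:
            continue
        for addr, port in vh["addrs"]:
            hit = ports_matched(addr, port, listens) & set(tls_ports)
            if hit:
                findings.append((vh["line"], addr, sorted(hit)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, find_plaintext_on_tls(cfg))
```

On the constructed config the lint reports the port-less `37.120.166.21` in the redirect vhost as able to answer on 443, and nothing once both ports are spelled out. The IPv6 literal is never reported in either version because Andreas only omitted the port on the IPv4 address, which matches the reports of the site failing for IPv4 clients while his own IPv6 tests succeeded.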