I have only tried connecting to the site via a web browser: Chrome, IE, Edge and Firefox.
There are no errors in the Apache logs, well, very little. For all intents and purposes it seems Apache is A OK.

Here are my SSL settings. Like I said, apachectl -t is Syntax OK.

httpd.conf:SSLPassPhraseDialog  builtin
httpd.conf:SSLSessionCache  shmcb:/var/cache/httpd/sslcache(512000)
httpd.conf:SSLSessionCacheTimeout  300
httpd.conf:SSLRandomSeed startup file:/dev/urandom 256
httpd.conf:SSLRandomSeed connect builtin
httpd.conf:SSLCryptoDevice builtin
extra/httpd-ssl.conf:SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:+HIGH:!MEDIUM:!LOW:!3DES:!RC4
extra/httpd-ssl.conf:SSLHonorCipherOrder off
extra/httpd-ssl.conf:SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
extra/httpd-ssl.conf:SSLStaplingCache "shmcb:/web/applications/apache-2.4.43/logs/ssl_stapling(32768)"
extra/httpd-ssl.conf:SSLEngine on
extra/httpd-ssl.conf:SSLCertificateFile "/web/applications/apache-2.4.43/conf/server.crt"
extra/httpd-ssl.conf:SSLCertificateKeyFile "/web/applications/apache-2.4.43/conf/server.key"
extra/httpd-ssl.conf:SSLCertificateChainFile "/web/applications/apache-2.4.43/conf/DigiCertCA.crt"

Here is what I see from the various browsers.

==============================================================================
IE

Can’t connect securely to this page
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

==============================================================================
Firefox

Secure Connection Failed
An error occurred during a connection to server1.com:8090. Peer’s certificate has an invalid signature.
Error code: SEC_ERROR_BAD_SIGNATURE
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

==============================================================================
Edge

Can’t connect securely to this page
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

==============================================================================
Chrome

This site can’t provide a secure connection
server1.com sent an invalid response.
* Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

##############################################################################

Here is some output from using OpenSSL.

==============================================================================
$ openssl s_client -connect server1.com:8090 -status -servername server1.com
CONNECTED(00000005)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Baltimore CA-2 G2
verify return:1
depth=0 C = US, ST = Florida, L = Temple Terrace, O = Verizon Data Services LLC, CN = server1.com
verify return:1
140072697692608:error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid:../crypto/rsa/rsa_pss.c:88:
140072697692608:error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:../ssl/statem/statem_lib.c:492:
---
Certificate chain
 0 s:C = US, ST = Florida, L = Temple Terrace, O = Verizon Data Services LLC, CN = server1.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Baltimore CA-2 G2
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Baltimore CA-2 G2
   i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = US, ST = Florida, L = Temple Terrace, O = Verizon Data Services LLC, CN = server1.com
issuer=C = US, O = DigiCert Inc, OU = www.cert.com, CN = Cert Balt CA-2 G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3941 bytes and written 346 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Apache Error_log
==============================================================================
[Mon Jun 01 23:38:49.682080 2020] [ssl:info] [pid 5055] [client 10.10.10.10:53148] AH01964: Connection to child 6 established (server server1.com:8090)
[Mon Jun 01 23:38:49.687293 2020] [ssl:debug] [pid 5055] ssl_engine_kernel.c(2351): [client 10.10.10.10:53148] AH02043: SSL virtual host for servername server1.com found
[Mon Jun 01 23:38:50.206012 2020] [ssl:debug] [pid 5055] ssl_engine_io.c(1368): (70014)End of file found: [client 10.10.10.10:53148] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Jun 01 23:38:50.206167 2020] [ssl:info] [pid 5055] [client 10.10.10.10:53148] AH01998: Connection closed to child 6 with abortive shutdown (server server1.com:8090)

On 6/1/2020 12:58 PM, Chris Punches wrote:
> Let's start with the error. Can you show your curl output and any
> relevant httpd logs?
>
> How are your ciphers? What's in your conf?
>
> On Mon, Jun 1, 2020 at 2:54 PM Tim <linux_geek@xxxxxxxxxxx> wrote:
>
>     hey team,
>
>     We recently were informed that Apache 2.4.41 had some vulnerabilities so
>     we compiled 2.4.43 [Solaris 11.3].
>     We also compiled OpenSSL 1.1.1g.
>
>     And after adding our uniqueness to the httpd.conf and
>     extra/httpd-ssl.conf files and running apachectl -t
>     and received an OK. We started Apache and all appears well, note: we are
>     using the same SSL certs that
>     worked fine in 2.4.41, however, when we try to connect to our site via
>     ANY browser we get some sort of
>     error related to TLS not configured properly.
>
>     Now 2.4.43 is so new there is very little in actual Google searches.
>
>     Not sure what else I should add to this...
>
>     Any information is appreciated.
>
>     Tim
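
An offline check related to the `tls_process_cert_verify:bad signature` and `RSA_verify_PKCS1_PSS_mgf1` errors in the s_client output above, added here as an example and not part of the original thread: it confirms that the private key matches the certificate and that an RSA-PSS signature produced by the local OpenSSL build verifies against the certificate's public key. The function name `check_pair`, the `OPENSSL` variable and the return codes are assumptions of this example, and it assumes an RSA key that is not passphrase-protected.

```shell
#!/bin/sh
# Added example (not from the thread). Run it with the same OpenSSL build that
# httpd is linked against, e.g. (paths as quoted in the message):
#   OPENSSL=/path/to/new/openssl check_pair \
#       /web/applications/apache-2.4.43/conf/server.crt \
#       /web/applications/apache-2.4.43/conf/server.key
#
# Return codes (chosen for this example):
#   0  key matches the certificate and an RSA-PSS signature round-trips
#   1  the certificate's public key differs from the private key's public half
#   2  key and certificate match, but RSA-PSS sign/verify fails on this build
#   3  a file could not be read or parsed
check_pair() {
    _cert=$1
    _key=$2
    _ossl=${OPENSSL:-openssl}
    _tmp=$(mktemp -d) || return 3
    _rc=0

    # Extract the public key from both sides in the same PEM encoding.
    "$_ossl" x509 -in "$_cert" -noout -pubkey > "$_tmp/cert.pub" 2>/dev/null || _rc=3
    "$_ossl" pkey -in "$_key" -pubout -out "$_tmp/key.pub" 2>/dev/null || _rc=3

    # A mismatch here means the server would sign with a key the certificate
    # does not vouch for.
    if [ "$_rc" -eq 0 ] && ! cmp -s "$_tmp/cert.pub" "$_tmp/key.pub"; then
        _rc=1
    fi

    # Sign a constructed message with RSA-PSS/SHA-256 (the signature type and
    # digest shown in the s_client output) and verify it with the public key
    # taken from the certificate.
    if [ "$_rc" -eq 0 ]; then
        printf 'constructed test message\n' > "$_tmp/msg"
        "$_ossl" dgst -sha256 -sign "$_key" \
            -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest \
            -out "$_tmp/sig" "$_tmp/msg" 2>/dev/null &&
        "$_ossl" dgst -sha256 -verify "$_tmp/cert.pub" \
            -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest \
            -signature "$_tmp/sig" "$_tmp/msg" >/dev/null 2>&1 || _rc=2
    fi

    rm -rf "$_tmp"
    return "$_rc"
}
```

A result of 2 with a key that returns 0 under a different OpenSSL build points at the build rather than at the certificate files.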