Re: mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

You may be having certificate issues. Try testing the certificates first.

# Your first error message is:   AH02008: SSL library error 1 in handshake

# Run This
openssl verify  /etc/certs/localhost/host.crt

# If you get This
error 20 at 0 depth lookup:unable to get local issuer certificate

# Then Run this with your CA file
openssl verify -CAfile /etc/certs/CA/<your CA file> /etc/certs/localhost/host.crt

# Any error here should help you resolve the issue.

On Thu, Jun 24, 2021 at 4:22 AM Pavel Heimlich, a.k.a. hajma <tropikhajma@xxxxxxxxx> wrote:
With the
SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
line in config:

[Thu Jun 24 07:59:41.488363 2021] [ssl:info] [pid 2213:tid 1] AH01883: Init: Initialized OpenSSL library
[Thu Jun 24 07:59:41.488427 2021] [ssl:warn] [pid 2213:tid 1] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Thu Jun 24 07:59:41.488443 2021] [ssl:info] [pid 2213:tid 1] AH01887: Init: Initializing (virtual) servers for SSL
[Thu Jun 24 07:59:41.488456 2021] [ssl:info] [pid 2213:tid 1] AH01914: Configuring server 127.0.0.1:443 for SSL protocol
[Thu Jun 24 07:59:41.488779 2021] [ssl:debug] [pid 2213:tid 1] ssl_engine_init.c(2097): AH02209: CA certificate: CN=solaris,O=Host Root CA
[Thu Jun 24 07:59:41.488961 2021] [ssl:debug] [pid 2213:tid 1] ssl_engine_init.c(1142): AH01904: Configuring server certificate chain (1 CA certificate)
[Thu Jun 24 07:59:41.488980 2021] [ssl:debug] [pid 2213:tid 1] ssl_engine_init.c(500): AH01893: Configuring TLS extension handling
[Thu Jun 24 07:59:41.489222 2021] [ssl:debug] [pid 2213:tid 1] ssl_util_ssl.c(451): AH02412: [127.0.0.1:443] Cert does not match for name '127.0.0.1' [subject: CN=ST098 / issuer: CN=solaris,O=Host Root CA / serial: 4A755690944C / notbefore: Jun  9 14:26:00 2021 GMT / notafter: Jun  9 14:26:00 2022 GMT]
[Thu Jun 24 07:59:41.489250 2021] [ssl:warn] [pid 2213:tid 1] AH01909: 127.0.0.1:443:0 server certificate does NOT include an ID which matches the server name
[Thu Jun 24 07:59:41.489263 2021] [ssl:info] [pid 2213:tid 1] AH02568: Certificate and private key 127.0.0.1:443:0 configured from /etc/certs/localhost/host.crt and /etc/certs/localhost/host.key
[Thu Jun 24 07:59:41.489416 2021] [ssl:info] [pid 2213:tid 1] AH01876: mod_ssl/2.4.47 compiled against Server: Apache/2.4.47, Library: OpenSSL/1.0.2y
[Thu Jun 24 07:59:41.489752 2021] [mpm_event:notice] [pid 2213:tid 1] AH00489: Apache/2.4.47 (Unix) OpenSSL/1.0.2y-fips configured -- resuming normal operations
[Thu Jun 24 07:59:41.489773 2021] [mpm_event:info] [pid 2213:tid 1] AH00490: Server built: May 21 2021 14:00:57
[Thu Jun 24 07:59:41.489786 2021] [core:notice] [pid 2213:tid 1] AH00094: Command line: '/usr/apache2/2.4/bin/httpd'
[Thu Jun 24 07:59:41.489804 2021] [core:debug] [pid 2213:tid 1] log.c(1570): AH02639: Using SO_REUSEPORT: no (1)
[Thu Jun 24 07:59:42.493418 2021] [mpm_event:debug] [pid 2752:tid 2] event.c(2298): AH02471: start_threads: Using port (wakeable)
[Thu Jun 24 07:59:42.497865 2021] [mpm_event:debug] [pid 2753:tid 2] event.c(2298): AH02471: start_threads: Using port (wakeable)
[Thu Jun 24 07:59:42.565017 2021] [mpm_event:debug] [pid 2754:tid 2] event.c(2298): AH02471: start_threads: Using port (wakeable)
Note ^ Now the server is fully started
Note v Starting the client
[Thu Jun 24 08:00:39.187556 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60576] AH01964: Connection to child 152 established (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.188524 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60576] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.188666 2021] [ssl:info] [pid 2754:tid 27] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.188694 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60576] AH01998: Connection closed to child 152 with abortive shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.306587 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60578] AH01964: Connection to child 152 established (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.306887 2021] [ssl:info] [pid 2754:tid 27] (-1385897552)Unknown error: [client 10.175.18.160:60578] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.307024 2021] [ssl:info] [pid 2754:tid 27] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.307044 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60578] AH01998: Connection closed to child 152 with abortive shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.438365 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60580] AH01964: Connection to child 152 established (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.438634 2021] [ssl:info] [pid 2754:tid 27] (-1385897552)Unknown error: [client 10.175.18.160:60580] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.438686 2021] [ssl:info] [pid 2754:tid 27] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.438705 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60580] AH01998: Connection closed to child 152 with abortive shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.559198 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60582] AH01964: Connection to child 152 established (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.559407 2021] [ssl:info] [pid 2754:tid 27] (-1385897552)Unknown error: [client 10.175.18.160:60582] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.559448 2021] [ssl:info] [pid 2754:tid 27] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.559466 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60582] AH01998: Connection closed to child 152 with abortive shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.687589 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60584] AH01964: Connection to child 152 established (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.687913 2021] [ssl:info] [pid 2754:tid 27] (-1385897552)Unknown error: [client 10.175.18.160:60584] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.687974 2021] [ssl:info] [pid 2754:tid 27] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.688008 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60584] AH01998: Connection closed to child 152 with abortive shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.815258 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60586] AH01964: Connection to child 152 established (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.815532 2021] [ssl:info] [pid 2754:tid 27] (-1385897552)Unknown error: [client 10.175.18.160:60586] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.815585 2021] [ssl:info] [pid 2754:tid 27] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.815603 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60586] AH01998: Connection closed to child 152 with abortive shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.945447 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60588] AH01964: Connection to child 152 established (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.945650 2021] [ssl:info] [pid 2754:tid 27] (-1385897552)Unknown error: [client 10.175.18.160:60588] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.945692 2021] [ssl:info] [pid 2754:tid 27] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:39.945710 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60588] AH01998: Connection closed to child 152 with abortive shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.075017 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60590] AH01964: Connection to child 152 established (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.075213 2021] [ssl:info] [pid 2754:tid 27] (-1385897552)Unknown error: [client 10.175.18.160:60590] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.075295 2021] [ssl:info] [pid 2754:tid 27] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:40.075342 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60590] AH01998: Connection closed to child 152 with abortive shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.203748 2021] [ssl:info] [pid 2754:tid 26] [client 10.175.18.160:60592] AH01964: Connection to child 151 established (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.203997 2021] [ssl:info] [pid 2754:tid 26] (-1385897552)Unknown error: [client 10.175.18.160:60592] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.204064 2021] [ssl:info] [pid 2754:tid 26] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:40.204101 2021] [ssl:info] [pid 2754:tid 26] [client 10.175.18.160:60592] AH01998: Connection closed to child 151 with abortive shutdown (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.331214 2021] [ssl:info] [pid 2754:tid 26] [client 10.175.18.160:60594] AH01964: Connection to child 151 established (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.331513 2021] [ssl:info] [pid 2754:tid 26] (-1385897552)Unknown error: [client 10.175.18.160:60594] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:40.331555 2021] [ssl:info] [pid 2754:tid 26] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:00:40.331573 2021] [ssl:info] [pid 2754:tid 26] [client 10.175.18.160:60594] AH01998: Connection closed to child 151 with abortive shutdown (server 127.0.0.1:443)

With
SSLProtocol TLSv1.1 +TLSv1.2
in config:
(The startup part is identical, skipping that)
[Thu Jun 24 08:07:11.248472 2021] [ssl:info] [pid 2773:tid 27] [client 10.175.18.160:60708] AH01964: Connection to child 344 established (server 127.0.0.1:443)
[Thu Jun 24 08:07:11.249320 2021] [ssl:info] [pid 2773:tid 27] [client 10.175.18.160:60708] AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Thu Jun 24 08:07:11.249464 2021] [ssl:info] [pid 2773:tid 27] SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?
[Thu Jun 24 08:07:11.382584 2021] [ssl:info] [pid 2773:tid 27] [client 10.175.18.160:60710] AH01964: Connection to child 344 established (server 127.0.0.1:443)
[Thu Jun 24 08:07:11.390393 2021] [ssl:debug] [pid 2773:tid 27] ssl_engine_kernel.c(2389): [client 10.175.18.160:60710] AH02044: No matching SSL virtual host for servername myserver found (using default/first virtual host)
[Thu Jun 24 08:07:11.390553 2021] [core:debug] [pid 2773:tid 27] protocol.c(2346): [client 10.175.18.160:60710] AH03155: select protocol from , choices=h2,http/1.1 for server 127.0.0.1
[Thu Jun 24 08:07:11.472125 2021] [ssl:debug] [pid 2773:tid 27] ssl_engine_kernel.c(2252): [client 10.175.18.160:60710] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Thu Jun 24 08:07:11.478503 2021] [ssl:debug] [pid 2773:tid 27] ssl_engine_kernel.c(415): [client 10.175.18.160:60710] AH02034: Initial (No.1) HTTPS request received for child 344 (server 127.0.0.1:443)
[Thu Jun 24 08:07:11.478634 2021] [authz_core:debug] [pid 2773:tid 27] mod_authz_core.c(815): [client 10.175.18.160:60710] AH01626: authorization result of Require all granted: granted
[Thu Jun 24 08:07:11.478654 2021] [authz_core:debug] [pid 2773:tid 27] mod_authz_core.c(815): [client 10.175.18.160:60710] AH01626: authorization result of <RequireAny>: granted
[Thu Jun 24 08:07:11.478675 2021] [core:info] [pid 2773:tid 27] [client 10.175.18.160:60710] AH00129: Attempt to serve directory: /var/apache2/2.4/htdocs/



On Thu, Jun 24, 2021 at 3:46, Otis Dewitt - NOAA Affiliate <otis.dewitt@xxxxxxxx.invalid> wrote:
What does the /var/log/httpd/error_log say?  Paste that.
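
Added example, not part of the original thread: a Python classifier for the two error-log excerpts quoted above. It pairs each `SSL Library Error` line with the client last seen on the same pid/tid and separates the `1407609C` signature (HTTP recognised on the HTTPS port, logged with AH01996) from the `1408F10B` one (wrong version number, logged with AH02008). The function name and verdict labels are assumptions made here; the four sample lines are copied from the logs in the thread.

```python
import re

# Sample input: four lines copied from the two runs quoted in the thread.
SAMPLE_LOG = """\
[Thu Jun 24 08:00:39.188524 2021] [ssl:info] [pid 2754:tid 27] [client 10.175.18.160:60576] AH02008: SSL library error 1 in handshake (server 127.0.0.1:443)
[Thu Jun 24 08:00:39.188666 2021] [ssl:info] [pid 2754:tid 27] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Thu Jun 24 08:07:11.249320 2021] [ssl:info] [pid 2773:tid 27] [client 10.175.18.160:60708] AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Thu Jun 24 08:07:11.249464 2021] [ssl:info] [pid 2773:tid 27] SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?
"""

LINE = re.compile(r"^\[[^\]]+\] \[\w+:\w+\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$")
CLIENT = re.compile(r"\[client (?P<client>[^\]]+)\] (?P<ah>AH\d{5}):")
LIBERR = re.compile(r"SSL Library Error: error:(?P<code>[0-9A-F]{8}):[^:]*:(?P<func>[^:]*):(?P<reason>.*)")

# Verdict labels are hypothetical names chosen for this example.
VERDICTS = {
    "1407609C": "http-on-https-detected",  # mod_ssl tries to send the HTML error page
    "1408F10B": "wrong-version-record",    # handshake aborted, no HTML error page logged
}

def classify(log_text):
    """Return one finding per 'SSL Library Error' line, tied to its client."""
    last_client = {}  # (pid, tid) -> (client, AH code) from the latest client line
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an Apache error-log line (e.g. the poster's notes)
        key = (m["pid"], m["tid"])
        c = CLIENT.search(m["msg"])
        if c:
            last_client[key] = (c["client"], c["ah"])
            continue
        e = LIBERR.search(m["msg"])
        if e and key in last_client:
            client, ah = last_client[key]
            findings.append({
                "client": client, "ah": ah, "code": e["code"], "func": e["func"],
                "verdict": VERDICTS.get(e["code"], "other"),
            })
    return findings

if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f["client"], f["ah"], f["code"], f["func"], f["verdict"])
```
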

