Re: SSL errors

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Adding some more info - just now saw this transient error from Chrome:

"Error 126 (net::ERR_SSL_BAD_RECORD_MAC_ALERT): Unknown error."

On Wed, Sep 8, 2010 at 1:03 PM, Yang Zhang <yanghatespam@xxxxxxxxx> wrote:
> I'm running a (self-signed) SSL cert site on Apache/2.2.14 on Ubuntu
> 10.04, but various browsers are giving errors on half the connection
> attempts, and wget too:
>
> $ wget --no-check-certificate https://dev.partyondata.com/deps/
> --2010-09-08 19:30:26--  https://dev.partyondata.com/deps/
> Resolving dev.partyondata.com... 184.72.53.220
> Connecting to dev.partyondata.com|184.72.53.220|:443... connected.
> OpenSSL: error:0407006A:rsa
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> OpenSSL: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
> OpenSSL: error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature
> Unable to establish SSL connection.
>
> Run it right away again and it works:
>
> $ wget --no-check-certificate https://dev.partyondata.com/deps/
> --2010-09-08 19:30:29--  https://dev.partyondata.com/deps/
> Resolving dev.partyondata.com... 184.72.53.220
> Connecting to dev.partyondata.com|184.72.53.220|:443... connected.
> WARNING: cannot verify dev.partyondata.com's certificate, issued by
> `/CN=dev.partyondata.com':
>  Self-signed certificate encountered.
> HTTP request sent, awaiting response... 200 OK
> Length: 3157 (3.1K) [text/html]
> Saving to: `index.html'
>
> 100%[======================================>] 3,157       --.-K/s   in 0s
>
> 2010-09-08 19:30:29 (48.6 MB/s) - `index.html' saved [3157/3157]
>
> In my sites-enabled/default-ssl:
>
>  SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
>  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
>
> The cert:
>
> -----BEGIN CERTIFICATE-----
> MIIBszCCARwCCQCa0TzNwqLgsTANBgkqhkiG9w0BAQUFADAeMRwwGgYDVQQDExNk
> ZXYucGFydHlvbmRhdGEuY29tMB4XDTEwMDgyNzA2MzA1N1oXDTIwMDgyNDA2MzA1
> N1owHjEcMBoGA1UEAxMTZGV2LnBhcnR5b25kYXRhLmNvbTCBnzANBgkqhkiG9w0B
> AQEFAAOBjQAwgYkCgYEAzXDEULpCUqIc9hV/ESFapkckR2uoYINA81DvG2aQZ9Ot
> Q30OwX2ae2CC4bSzJEIVlahU8vjVrWpmpa28NEhQbqh4ywwbl1XDrEVYI6Gkfimf
> snJhOKyaVrEhlwutYtBjmsz3ZIqwymMPm/6smVcSS5dJIynlSmtltxX6ivPcO8UC
> AwEAATANBgkqhkiG9w0BAQUFAAOBgQBGxHVkpSSOnZjzuySRepjhAlV/yhe9Fx23
> fh12WrjQMEi98B7JEuNSLXDWckUN7O6XRc3RzKmazcGHJqzhn0Ov6gAmAE2XjZ/x
> VW21xmaLwk+KgYKFJbJJaP3jMSpU7I3aa11wqAkR2Zd4Nkm9N0YXYIzcBdfztTVI
> Et8mEHBFdg==
> -----END CERTIFICATE-----
>
> The cert is in turn generated via:
>
> $ make-ssl-cert generate-default-snakeoil --force-overwrite
>
> Apache version.
>
> $ apache2 -V
> Server version: Apache/2.2.14 (Ubuntu)
> Server built:   Apr 13 2010 20:22:19
> Server's Module Magic Number: 20051115:23
> Server loaded:  APR 1.3.8, APR-Util 1.3.9
> Compiled using: APR 1.3.8, APR-Util 1.3.9
> Architecture:   64-bit
> Server MPM:     Worker
>  threaded:     yes (fixed thread count)
>    forked:     yes (variable process count)
> Server compiled with....
>  -D APACHE_MPM_DIR="server/mpm/worker"
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D DYNAMIC_MODULE_LIMIT=128
>  -D HTTPD_ROOT=""
>  -D SUEXEC_BIN="/usr/lib/apache2/suexec"
>  -D DEFAULT_PIDLOG="/var/run/apache2.pid"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
>  -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"
>
> Any ideas? Thanks in advance for any help.
> --
> Yang Zhang
> http://yz.mit.edu/
>



-- 
Yang Zhang
http://yz.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux