SSL handshake issue with remote apache httpd server, works locally

2
votes

I'm getting strange issue: I have installed/configured ssl certificate/key and ca certs etc in apache, and now can access it on latest chrome/firefox browser from local machine, and they show the certificate is all good (total green lock icon), and also shows it using modern cipher suite. Note that i'm accessing it from local machine via server name itself, not from localhost etc, and not by changing hosts file.. Also it is accessible from another computer in same network without any issue..

But when i try to access this from different, remote machine (not in same network) or via a vpn etc, i get ssl connection error. Firefox indicates "Peer reports it experienced an internal error. (Error code: ssl_error_internal_error_alert)".

I used openssl command on remote machine to mimic a client:

*openssl s_client -connect xyz.com:443 -state -nbio 2>&1*

it shows:

WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(00000170)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL3 alert read:fatal:internal error
SSL_connect:error in SSLv2/v3 read server hello A
7020:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:.\ssl\s23_clnt.c:762:
- - - 
no peer certificate available
- - - 
No client certificate CA names sent
- - - 
SSL handshake has read 7 bytes and written 307 bytes
- - - 
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
- - -

I have to use apache httpd to use https, and fwd requests to tomcat, which is only using http, and used ajp-proxy for this purpose.

I tried to remove proxy configuration, restarted and still no luck - on local machine it show "it works" page, and on remote machine, same ssl connection error. Nothing in apache logs also corresponding to the tries from remote machine (i.e. they are not reaching till those logs).

BUT strangely, the existing configuration do work from remote machine for 30-40 minutes (i.e. for some time) after a long not-working period. and then same configuration go for toss again.. can't understand why. During whole this period, it always remain accessible/fine from the local machine..

Here is ssl-conf:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:SSL_RSA_WITH_RC4_128_SHA:HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:HIGH:MEDIUM:!MD5:!RC4
SSLHonorCipherOrder on 
SSLProtocol all  -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2  -SSLv3
SSLSessionCache        "shmcb:c:/Apache24/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLUseStapling On
SSLStaplingCache "shmcb:c:/Apache24/logs/ssl_stapling(150000)"
SSLStaplingStandardCacheTimeout 3600
<VirtualHost *:443>
    DocumentRoot "c:/Apache24/htdocs"
    ServerName www.xyz.com
    ServerAlias xyz.com

    ServerAdmin [email protected]
    ErrorLog "c:/Apache24/logs/error.log"
    TransferLog "c:/Apache24/logs/access.log"
    SSLEngine on
    SSLCertificateFile "C:/Apache24/xyz/certs/server.crt"
    SSLCertificateKeyFile "C:/Apache24/xyz/certs/private_key_no_pswd.pem"
    SSLCertificateChainFile "C:/Apache24/xyz/certs/gd_bundle-g2-g1.crt"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "c:/Apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    CustomLog "c:/Apache24/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    #ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine on
    SSLProxyVerify none 
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    <Proxy *>
        #Order allow,deny
        Allow from all
        Deny from none
        Require all granted

        #Deny from all
        #Allow from 127.0.0.0/255.0.0.0 ::1/128

        # Order deny,allow
        # Allow from localhost
        # Require ip 127.0.0.1
    </Proxy>

    ProxyPass   /  ajp://localhost:8009/
</VirtualHost>

You can see many things tried in virtualHost configs (was getting permission denied and other problems), and tried many things till it worked from local machine..

My env is: Win-XP sp3 (i know its old), ApacheLounge httpd- VC-10 v-2.4.x (on port 443), tomcat-1.6 (on 8080)

Please let me know if i'm doing anything wrong, or you need any other config to see.

Thanks.

1
apachesslhttpssslhandshakeexception

1 Answers

1
votes

This at works in the local network and not outside it sounds very much like a firewall protecting your network. Another possibility is that the same hostname resolves to different IP addresses within your local and the remote network and thus it tries to reach different hosts from local and remote. And yet another thing could be that the hostname resolves to IPv4 and IPv6 addresses but your server uses only IPv4. If you then do only IPv4 in your local network and the other network can do IPv6 you will see similar effects.

To debug this problem I would suggest to do packet captures at your local client, at the remote client and compare them. Also check with packet capturing if the data from the remote client reaches the server at all (or if a firewall blocks it).

Edit: from the comment it looks like that local and remote client see different IP addresses for the same server. To debug why this is the case first check that both sides actually use the same server, because often you see that one uses www.example.com and the other example.com (without www) but there are different IP addresses for the names. If you are sure that this is not the case check what the real IP address should be and then look in more detail at the party which has the wrong name. This wrong name might be caused by an entry in the hosts file (from testing?), by cached entries (changes to the DNS take some time to propagate, sometimes a day or longer) or because a split DNS setup is used. Split DNS is not uncommon in companies where they have servers facing extern and intern and they want the intern cients to use the internal IP address and extern clients to use the external IP address.