top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

SSL Library Error with TLS enabled

+2 votes
768 views

I'm trying to set TLS protocol with the next parameter into the ssl.conf file:

 SSLProtocol all -SSLv2 -SSLv3 

but then my web application fails. I only can see next error in log file

[info] SSL library error 1 in handshake (server my.server:443, client xx.xx.xx.xx)
[info] SSL Library Error: 336027900 error:140760FC:SSL routines:func(118):reason(252)
[info] Connection to child 4 closed with abortive shutdown(server my.server:443, client xx.xx.xx.xx) 

I can`t see as well, into the customlog file, a "GET" that I can see when all protocols are enabled (no forcing TLS):

10.5.137.162 - - [03/Feb/2015:09:30:47 0100] "GET /application/resources/css/template_v6.0.xsl HTTP/1.0" 200 28323  

Any help will be appreciated

posted Feb 3, 2015 by anonymous

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button LinkedIn Share Button

Similar Questions
+1 vote

I've been off the list for a bit, getting ducks in a row here and everything.

I noticed a number of posts about SSL & TLS security settings lately and I wanted to point out that maintaining your SSL configurations is an on-going processes.

New exploits are discovered and released quite often, and often the fault lies with a cipher and not necessarily an overall SSL/TLS protocol.

So using a cipher list like "all except RC4" is probably not sufficient anymore. And what is secure may depend completely on the SSL/TLS software you use, be it OpenSSL or Java's built in SSL libraries.

For example, with OpenSSL, you should be using 1.0.1t or higher, and even then only TLS1.2 with a handful of ciphers. I'm not sure what the recommended options for java's libraries are at the moment. A really good, free tool is Qualys' SSL Labs server test tool located at: https://www.ssllabs.com/ssltest/ Run that against your implementation and follow its recommendations.

Of course, at the end of the day, it will be up to you and your firm to decide what risks you are willing to take with your SSL communications and whether or not you need to support insecure browsers, i.e. browsers that cannot negotiate up to the most secure protocol and ciphers.

+1 vote

Is it possible to speed up httpd ssl? In my tests serving a static file compared to lighttpd, lighttpd is about 7.5 times faster.

I used a default httpd configuration and the way i did my test was:

cd /document/root
mkdir -p ram
mount -t tmpfs -osize=512M tmpfs ram/
cd ram
dd if=/dev/urandom of=file.bin

wget --no-check-certificate https://localhost/file.bin -O /dev/null

My test system here is linux 3.9.11 on Intel i5 760 @ 2.80GHz

lighttpd does about 135 MB/sec
apache httpd does 17.5 MB/sec

changing apache httpd.conf with:

SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

apache httpd then does 18 MB/sec.

checking with google chrome, with default configurations, both lighttpd and apache httpd negotiate TLS 1.1. AES 256 The self signed certificate file apache httpd and lighttpd is identical. Both are linked
to the same openssl libs.

I want to use apache httpd on a LAN with gbit speed, serving files, and using WebDAV. When using embedded ARM processor @ 1ghz apache httpd is doing about 4MB/sec.

Any tips here? Is the apache httpd doing a lot of copies of the data from one buffer to another in the code that would be possible to optimize out?

I would prefer apache httpd, as the webdav compatibility is very good, vs lighttpd webdav is not fully implemented.

0 votes

I am trying to refresh our web site with the latest version of apache. As part of the refresh I want to enforce SSL access to the site. I've setup SSL and the site mostly works with basic authentication, but I have errors when trying to download/view video files from the web site.

I've tried several different clients and 80% of the time I get a window with a big square and if one clicks on the square it says "The specified movie could not be found". Sometime firefox on a Mac will actually play the movie but mostly not.

I can retrieve the movie using wget just fine.

In the error log a debug trace shows it making one request for the web page and the authentication for that suceeds, but then the second request for the video file is rejected because the credentials are not available! Is there an option which tells the client not to send the authentication information? or to clear when requesting?

AH01626: authorization result of Require group svsaccess: granted,
AH01626: authorization result of Require group svsaccess: denied (no authenticated user yet)

BTW, the site works as expected under non-SSL connections.

0 votes

How to use multiple virtual hosts with a single SSL instance running on the standard https port.

+4 votes

The ssl cert on my apache server have expired. It is actually a server at work - a important one as well so I'm a bit stressed at the moment.

The cert is renewed and I have received the cert files. I'm now trying to install them but I can't get it to work.

I thought it was as simple as just copying the new crt file to the server and restart apache but apache start fails.

I see this in the log:

509 certificate routines:X509_check_private_key:key values mismatch

Server: Apache 2.2.22 on Ubuntu 12.04. How does one install a renewed ssl cert? Do I need to create a new private key and ca-bundle? Please point me in the right direction.

...