| Author |  | 
| apishdad 
 
 
 Joined: 01 Jul 2019
 Posts: 58
 Location: Canada, Toronto
 
 | 
|  Posted: Wed 21 Oct '20 9:02    Post subject: SSL Handshake Interrupted |   |  
| 
 |  
| Hi, I am having some issues when starting Apache.  The service starts fine but I keep getting the following in my logs:
 
 AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
 
 The SSL certificate loads fine and people can use the site, but this message keeps on coming up.
 
 I have defined my virtual hosts as follows:
 <virtualhost *:443>
 servername www.abc.com
 etc...
 
 and when I change to
 <virtualhost www.abc.com:443>
 
 it works fine.  Until I have multiple virtualhosts and then it gives the same error again.
 
 Does anybody have any ideas?
 What's the proper way to define virtualhosts?
 
 Is it
 <virtualhost *:443>
 or
 <virtualhost www.abc.com:443>
 
 I have tried both cases, and both work, but what's the right way?
 
 Thanks
 Afshin
 |  | 
| James Blond Moderator
 
  
 Joined: 19 Jan 2006
 Posts: 7442
 Location: EU, Germany, Next to Hamburg
 
 | 
|  Posted: Thu 22 Oct '20 15:40    Post subject: |   |  
| 
 |  
| Please post your current SSL config. |  | 
| tangent Moderator
 
 
 Joined: 16 Aug 2020
 Posts: 397
 Location: UK
 
 | 
|  Posted: Thu 22 Oct '20 18:02    Post subject: |   |  
| 
 |  
| I would go for the form which listens on all defined interfaces, and then define the ServerName associated with that virtual host, viz. 
 
 	  | Code: |
 <VirtualHost *:443>
 ServerName www.abc.com
 
 SSLEngine on
 SSLCertificateFile "conf/www.abc.com.crt"
 SSLCertificateKeyFile "conf/www.abc.com.key"
 
 etc...
 </VirtualHost>
 | 
 Repeat for each virtual host as required, noting your common SSL configuration should be defined before the VirtualHost blocks.
 
 You will need local host/DNS entries which resolve to one of your defined interfaces. Also the first VirtualHost definition is the default one, which will be used if the hostname in the SNI request does not match any of the virtual host ServerName entries.
 
 This setup has worked for me.
 |  | 
| apishdad 
 
 
 Joined: 01 Jul 2019
 Posts: 58
 Location: Canada, Toronto
 
 | 
|  Posted: Tue 27 Oct '20 9:09    Post subject: |   |  
| 
 |  
| Thanks for the reply back. I have combined my virtual host block with my main block in one file.
 
 Here is the whole file
 
 
 Admin note : moved the whole file to : https://apaste.info/hFl3 , see forum rules.
 |  | 
| apishdad 
 
 
 Joined: 01 Jul 2019
 Posts: 58
 Location: Canada, Toronto
 
 | 
|  Posted: Tue 27 Oct '20 9:14    Post subject: |   |  
| 
 |  
| Why does the SSL configuration need to be declared before the virtual host block?  I have configured a few servers where the SSL configuration is defined within the virtual hosts block and they work just fine. 
 Appreciate your response.
 
 Thanks
 |  | 
| James Blond Moderator
 
  
 Joined: 19 Jan 2006
 Posts: 7442
 Location: EU, Germany, Next to Hamburg
 
 | 
|  Posted: Tue 27 Oct '20 16:51    Post subject: |   |  
| 
 |  
 	  | apishdad wrote: |  	  | Why does the SSL configuration need to be declared before the virtual host block? | 
 
 There are several places where many options can be defined. For example, SSLCipherSuite can be in server config, virtual host, directory, .htaccess
 SSLHonorCipherOrder can be in server config, virtual host
 
 Most people declare that in server config / global, to have the same settings for each vhost and not have redundant config lines.
 |  | 
| apishdad 
 
 
 Joined: 01 Jul 2019
 Posts: 58
 Location: Canada, Toronto
 
 | 
|  Posted: Mon 02 Nov '20 6:32    Post subject: |   |  
| 
 |  
| Thanks James, I really appreciate your answer
 Afshin
 |  | 
| apishdad 
 
 
 Joined: 01 Jul 2019
 Posts: 58
 Location: Canada, Toronto
 
 | 
|  Posted: Mon 05 Apr '21 6:34    Post subject: |   |  
| 
 |  
| Hi, it's been a while since my last post on this thread.  I was setting up another server and noticed again the same message as before:
 
 AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
 
 I did a Wireshark trace on the server and noticed that the IP address that is causing this situation is a load balancer that is doing health checks on my server.
 
 For every health check this message gets displayed, and I don't know how to stop the log files from growing when every minute a message like this gets logged.  I have tried:
 
 BrowserMatchNoCase HTTP-Monitor DontLog
 SetEnvIfNoCase Request_URI ^/(MSOffice|_vti_bin|_vti_inf\.html$) DontLog
 SetEnvIfNoCase Request_URI (?i)^/favicon.ico$ DontLog
 SetEnvIfNoCase Request_URI ^/$ DontLog
 
 But it still seems that these health checks get logged.
 
 Any ideas would greatly be appreciated.
 
 Thanks
 |  | 
| tangent Moderator
 
 
 Joined: 16 Aug 2020
 Posts: 397
 Location: UK
 
 | 
|  Posted: Mon 05 Apr '21 22:34    Post subject: |   |  
| 
 |  
| This error message denotes that an I/O error occurred at the TCP socket level below Apache (being returned to ssl_engine_io.c), and I don't believe you can change the Apache configuration to prevent that error message being recorded. 
 I suspect your load balancer (or a firewall between it and you) is starting a TCP connection, but then simply issuing a TCP reset rather than completing the connection. You should be able to verify this from your Wireshark captures.
 
 Armed with this information, I'd go back to your network team and ask them to refine their health check probes, to actually check for a valid HTTPS response. Ideally, you could consider providing a healthcheck page, which they check for some defined content string.
 
 If required, you could then potentially script a content change on this page, to take the node off-line to the outside world for maintenance, testing, etc.
 |  | 
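Added example, not part of either post: a sketch that does from the Apache error log what the Wireshark trace above did, grouping AH02007 entries by client address and flagging sources that recur at a near-constant interval, as a scheduled health-check probe does. The log lines, addresses and thresholds (`min_events`, `max_jitter`) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in the default Apache 2.4 error-log layout. Addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
[Mon Apr 05 06:30:00.101010 2021] [ssl:info] [pid 4120:tid 1876] (104)Connection reset by peer: [client 192.0.2.10:50112] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Apr 05 06:30:41.554120 2021] [ssl:info] [pid 4120:tid 1880] [client 198.51.100.7:61022] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Apr 05 06:31:00.098211 2021] [ssl:info] [pid 4120:tid 1876] (104)Connection reset by peer: [client 192.0.2.10:50140] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Apr 05 06:31:17.000321 2021] [ssl:warn] [pid 4120:tid 1876] AH01909: www.abc.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Apr 05 06:32:00.120934 2021] [ssl:info] [pid 4120:tid 1884] (104)Connection reset by peer: [client 192.0.2.10:50168] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Apr 05 06:33:00.087455 2021] [ssl:info] [pid 4120:tid 1876] (104)Connection reset by peer: [client 192.0.2.10:50196] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Apr 05 06:33:02.910044 2021] [ssl:info] [pid 4120:tid 1880] [client 198.51.100.7:61377] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Apr 05 06:34:00.110872 2021] [ssl:info] [pid 4120:tid 1884] (104)Connection reset by peer: [client 192.0.2.10:50224] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
"""

# Timestamp is the first bracket; the client port is the last ":digits" in [client ...].
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?\[client (?P<ip>[^\]]+):\d+\].*?\bAH02007:"
)

def interrupted_handshakes(log_text):
    """Map client IP -> sorted timestamps of its AH02007 entries."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            seen[m["ip"]].append(ts)
    return {ip: sorted(stamps) for ip, stamps in seen.items()}

def classify_sources(log_text, min_events=4, max_jitter=0.1):
    """Flag clients whose AH02007 entries arrive at a near-constant interval,
    the pattern of a scheduled probe rather than users aborting page loads."""
    report = {}
    for ip, stamps in interrupted_handshakes(log_text).items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = (len(gaps) >= max(min_events - 1, 1)
                    and pstdev(gaps) <= max_jitter * mean(gaps))
        report[ip] = {"events": len(stamps),
                      "mean_gap_s": round(mean(gaps), 1) if gaps else None,
                      "periodic": periodic}
    return report

if __name__ == "__main__":
    for ip, row in classify_sources(SAMPLE_LOG).items():
        print(ip, row)
```

A source flagged as periodic is the address to take to the network team when asking for the probe to be changed to a full HTTPS request.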
| apishdad 
 
 
 Joined: 01 Jul 2019
 Posts: 58
 Location: Canada, Toronto
 
 | 
|  Posted: Wed 07 Apr '21 18:50    Post subject: |   |  
| 
 |  
| Greatly appreciated tangent for your wisdom and help |  | 