logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: SSL Handshake Interrupted
Author
apishdad



Joined: 01 Jul 2019
Posts: 44
Location: Canada, Toronto

PostPosted: Wed 21 Oct '20 9:02    Post subject: SSL Handshake Interrupted Reply with quote

Hi,
I am having some issue when starting Apache. The service starts fine but I keep getting the following in my logs:

AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]

The SSL certificate loads fine and people can use the site, but this message keeps on coming up.

I have defined my virtual hosts as follows:
<virtualhost *:443>
servername www.abc.com
etc...

and when I change to
<virtualhost www.abc.com:443>

it works fine. Until I have multiple virtualhosts and then it gives the same error again.

Anybody has any ideas?
Whats the proper way to define virtualhosts?

Is it
<virtualhost *:443>
or
<virtualhost www.abc.com:443>

I have tried both cases, and both work, but whats the right way?

Thanks
Afshin
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Thu 22 Oct '20 15:40    Post subject: Reply with quote

Please post your current SSL config.
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Thu 22 Oct '20 18:02    Post subject: Reply with quote

I would go for the form which listens on all defined interfaces, and then define the ServerName associated with that virtual host, viz.

Code:
<VirtualHost *:443>
  ServerName www.abc.com

  SSLEngine on
  SSLCertificateFile "conf/www.abc.com.crt"
  SSLCertificateKeyFile "conf/www.abc.com.key"

  etc...
</VirtualHost>

Repeat for each virtual host as required, noting your common SSL configuration should be defined before the VirtualHost blocks.

You will need local host/DNS entries which resolve to one of your defined interfaces. Also the first VirtualHost definition is the default one, which will be used if the hostname in the SNI request does not match any of the virtual host ServerName entries.

This setup has worked for me.
Back to top
apishdad



Joined: 01 Jul 2019
Posts: 44
Location: Canada, Toronto

PostPosted: Tue 27 Oct '20 9:09    Post subject: Reply with quote

Thanks for the reply back.
I have combined my virtual host block with my main block in one file.

Here is the whole file


Admin note : moved the whole file to : https://apaste.info/hFl3 , see forum rules.
Back to top
apishdad



Joined: 01 Jul 2019
Posts: 44
Location: Canada, Toronto

PostPosted: Tue 27 Oct '20 9:14    Post subject: Reply with quote

Why does the SSL Configuration needs to be declared before the virtual host block. I have configured few servers where the SSL configuration is defined within the virtual hosts block and they work just fine.

Appreciate your response.

Thanks
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Tue 27 Oct '20 16:51    Post subject: Reply with quote

apishdad wrote:
Why does the SSL Configuration needs to be declared before the virtual host block.


There are several places where many option can be defined. For example SSLCipherSuite can be server config, virtual host, directory, .htaccess
SSLHonorCipherOrder can be in server config, virtual host

Most people declare that in Server config / global, to have the same settings for each vhost. And not have redundant config lines.
Back to top
apishdad



Joined: 01 Jul 2019
Posts: 44
Location: Canada, Toronto

PostPosted: Mon 02 Nov '20 6:32    Post subject: Reply with quote

Thanks James, I really appreciate your answer
Afshin
Back to top
apishdad



Joined: 01 Jul 2019
Posts: 44
Location: Canada, Toronto

PostPosted: Mon 05 Apr '21 6:34    Post subject: Reply with quote

Hi,
Its been a while since my last post on this thread. I was setting up another server and noticed again the same message as before :

AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]

I did a Wireshark trace on the server and noticed that the IP address that is causing this situation is a load balancer that is doing health checks on my server.

For every health check this message gets displayed, and I dont know how to stop the log files from growing when every minute a message like this gets logged. I have tried :

BrowserMatchNoCase HTTP-Monitor DontLog
SetEnvIfNoCase Request_URI ^/(MSOffice|_vti_bin|_vti_inf\.html$) DontLog
SetEnvIfNoCase Request_URI (?i)^/favicon.ico$ DontLog
SetEnvIfNoCase Request_URI ^/$ DontLog

But still seems that these health checks get logged.

Any ideas would greatly be appreciated.

Thanks
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Mon 05 Apr '21 22:34    Post subject: Reply with quote

This error message denotes an I/O error occurred at the TCP socket level below Apache (being returned to ssl_engine_io.c), and don't believe you can change the Apache configuration to prevent that error message being recorded.

I suspect your load balancer (or a firewall between it and you) is starting a TCP connection, but then simply issuing a TCP reset rather than completing the connection. You should be able to verify this from your Wireshark captures.

Armed with this information, I'd go back to your network team and ask them to refine their health check probes, to actually check for a valid HTTPS response. Ideally, you could consider providing a healthcheck page, which they check for some defined content string.

If required, you could then potentially script a content change on this page, to take the node off-line to the outside world for maintenance, testing, etc.
Back to top
apishdad



Joined: 01 Jul 2019
Posts: 44
Location: Canada, Toronto

PostPosted: Wed 07 Apr '21 18:50    Post subject: Reply with quote

Greatly appreciated tangent for your wisdom and help
Back to top


Reply to topic   Topic: SSL Handshake Interrupted View previous topic :: View next topic
Post new topic   Forum Index -> Apache