Author |
|
apishdad
Joined: 01 Jul 2019 Posts: 44 Location: Canada, Toronto
|
Posted: Wed 21 Oct '20 9:02 Post subject: SSL Handshake Interrupted |
|
|
Hi,
I am having some issue when starting Apache. The service starts fine but I keep getting the following in my logs:
AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
The SSL certificate loads fine and people can use the site, but this message keeps on coming up.
I have defined my virtual hosts as follows:
<virtualhost *:443>
servername www.abc.com
etc...
and when I change to
<virtualhost www.abc.com:443>
it works fine. Until I have multiple virtualhosts and then it gives the same error again.
Anybody has any ideas?
Whats the proper way to define virtualhosts?
Is it
<virtualhost *:443>
or
<virtualhost www.abc.com:443>
I have tried both cases, and both work, but whats the right way?
Thanks
Afshin |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Thu 22 Oct '20 15:40 Post subject: |
|
|
Please post your current SSL config. |
|
Back to top |
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Thu 22 Oct '20 18:02 Post subject: |
|
|
I would go for the form which listens on all defined interfaces, and then define the ServerName associated with that virtual host, viz.
Code: | <VirtualHost *:443>
ServerName www.abc.com
SSLEngine on
SSLCertificateFile "conf/www.abc.com.crt"
SSLCertificateKeyFile "conf/www.abc.com.key"
etc...
</VirtualHost> |
Repeat for each virtual host as required, noting your common SSL configuration should be defined before the VirtualHost blocks.
You will need local host/DNS entries which resolve to one of your defined interfaces. Also the first VirtualHost definition is the default one, which will be used if the hostname in the SNI request does not match any of the virtual host ServerName entries.
This setup has worked for me. |
|
Back to top |
|
apishdad
Joined: 01 Jul 2019 Posts: 44 Location: Canada, Toronto
|
Posted: Tue 27 Oct '20 9:09 Post subject: |
|
|
Thanks for the reply back.
I have combined my virtual host block with my main block in one file.
Here is the whole file
Admin note : moved the whole file to : https://apaste.info/hFl3 , see forum rules. |
|
Back to top |
|
apishdad
Joined: 01 Jul 2019 Posts: 44 Location: Canada, Toronto
|
Posted: Tue 27 Oct '20 9:14 Post subject: |
|
|
Why does the SSL Configuration needs to be declared before the virtual host block. I have configured few servers where the SSL configuration is defined within the virtual hosts block and they work just fine.
Appreciate your response.
Thanks |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Tue 27 Oct '20 16:51 Post subject: |
|
|
apishdad wrote: | Why does the SSL Configuration needs to be declared before the virtual host block. |
There are several places where many option can be defined. For example SSLCipherSuite can be server config, virtual host, directory, .htaccess
SSLHonorCipherOrder can be in server config, virtual host
Most people declare that in Server config / global, to have the same settings for each vhost. And not have redundant config lines. |
|
Back to top |
|
apishdad
Joined: 01 Jul 2019 Posts: 44 Location: Canada, Toronto
|
Posted: Mon 02 Nov '20 6:32 Post subject: |
|
|
Thanks James, I really appreciate your answer
Afshin |
|
Back to top |
|
apishdad
Joined: 01 Jul 2019 Posts: 44 Location: Canada, Toronto
|
Posted: Mon 05 Apr '21 6:34 Post subject: |
|
|
Hi,
Its been a while since my last post on this thread. I was setting up another server and noticed again the same message as before :
AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
I did a Wireshark trace on the server and noticed that the IP address that is causing this situation is a load balancer that is doing health checks on my server.
For every health check this message gets displayed, and I dont know how to stop the log files from growing when every minute a message like this gets logged. I have tried :
BrowserMatchNoCase HTTP-Monitor DontLog
SetEnvIfNoCase Request_URI ^/(MSOffice|_vti_bin|_vti_inf\.html$) DontLog
SetEnvIfNoCase Request_URI (?i)^/favicon.ico$ DontLog
SetEnvIfNoCase Request_URI ^/$ DontLog
But still seems that these health checks get logged.
Any ideas would greatly be appreciated.
Thanks |
|
Back to top |
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Mon 05 Apr '21 22:34 Post subject: |
|
|
This error message denotes an I/O error occurred at the TCP socket level below Apache (being returned to ssl_engine_io.c), and don't believe you can change the Apache configuration to prevent that error message being recorded.
I suspect your load balancer (or a firewall between it and you) is starting a TCP connection, but then simply issuing a TCP reset rather than completing the connection. You should be able to verify this from your Wireshark captures.
Armed with this information, I'd go back to your network team and ask them to refine their health check probes, to actually check for a valid HTTPS response. Ideally, you could consider providing a healthcheck page, which they check for some defined content string.
If required, you could then potentially script a content change on this page, to take the node off-line to the outside world for maintenance, testing, etc. |
|
Back to top |
|
apishdad
Joined: 01 Jul 2019 Posts: 44 Location: Canada, Toronto
|
Posted: Wed 07 Apr '21 18:50 Post subject: |
|
|
Greatly appreciated tangent for your wisdom and help |
|
Back to top |
|