sridharb
Joined: 09 Jun 2010 Posts: 16 Location: Chennai, India
Posted: Wed 09 Jun '10 20:39 Post subject: Unable to initialize TLS servername extension callback
Hi,
I upgraded from 2.2.11 to 2.2.15 and I am facing problems with SSL.
I get an error in the log with the message: [error] Unable to initialize TLS servername extension callback (incompatible OpenSSL version?)
I am using OpenSSL 0.9.8o from apachelounge as well.
I realize that the httpd v2.2.15 is compiled with openssl 0.9.8m - could that be the cause of this issue?
I have also tried to put the Apache bin directory which has a 0.9.8m distribution in the path, but to no avail.
What could be going on?
Thanks,
Sridhar

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Wed 09 Jun '10 22:20 Post subject:
What's going on sounds like you are trying to mix and match mod_ssl/openssl versions. For me if I do this the server will not start saying it cannot load/find mod_ssl.
Looking at the openssl package here it's the toolkit but does not include mod_ssl. Since your mod_ssl is linked to 098m you need to have 098m *eay.dll files. That is my experience anyway.
I am curious, did Apache itself come from here or apache.org? If it came from Apache.org, well, then you're mixing and matching Visual Studio versions, which can have odd outcomes.

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Wed 09 Jun '10 22:31 Post subject:
Wait a minute.
TLS servername extension = tlsext = SNI (server name indication)
Something was built with SNI disabled and the other piece of the puzzle with SNI enabled.
My suggestion then is:
1. Get the same update from www.apachehaus.com. There are SNI and non-SNI enabled versions. I'd currently suggest the SNI enabled one.
2. Get rid of all prior openssl and mod_ssl files off the machine. Put on USB stick or something [1].
3. Unzip the update from AH into a temp folder.
4. Move the openssl.exe, libeay32.dll & ssleay32.dll files to Apache's bin folder.
5. Move the mod_ssl.so file to Apache's modules folder.
Start Apache and see what happens.
[1]. Make sure there are no old openssl files in the %PATH% as well. If you have subversion, it gets me all the time since it installs itself in the Path and includes OpenSSL as well. Other software may do the same.
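Footnote [1] above asks for a machine with no stray OpenSSL files. The following PowerShell sketch is an added example, not part of the original posts: it lists every copy of openssl.exe, libeay32.dll, ssleay32.dll and mod_ssl.so in Apache's folders, the Windows system directories and each %PATH% entry, and warns when copies of the same file differ in size. The install path `C:\Apache2` is an assumed placeholder, and PowerShell 3 or later is assumed.

```powershell
# Added example (not from the thread). Assumption: Apache is installed in C:\Apache2.
param([string]$ApacheRoot = 'C:\Apache2')

$names = 'openssl.exe', 'libeay32.dll', 'ssleay32.dll', 'mod_ssl.so'

# Directories to scan: Apache's own folders first, then the Windows system
# directories (the DLL loader checks these before PATH), then every PATH entry.
$dirs = @(
    (Join-Path $ApacheRoot 'bin')
    (Join-Path $ApacheRoot 'modules')
    (Join-Path $env:SystemRoot 'System32')
    (Join-Path $env:SystemRoot 'SysWOW64')
    $env:SystemRoot
) + ($env:Path -split ';')

$found = $dirs |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Select-Object -Unique |
    ForEach-Object {
        foreach ($n in $names) {
            $p = Join-Path $_ $n
            if (Test-Path -LiteralPath $p -PathType Leaf) {
                $f = Get-Item -LiteralPath $p
                [pscustomobject]@{
                    File        = $n
                    Directory   = $f.DirectoryName
                    # Empty when the build carries no version resource
                    FileVersion = $f.VersionInfo.FileVersion
                    Size        = $f.Length
                    Modified    = $f.LastWriteTime
                }
            }
        }
    }

# Rows appear in the order the directories were scanned.
$found | Format-Table -AutoSize

# The same file name with more than one distinct size means mixed builds.
foreach ($g in ($found | Group-Object File)) {
    $sizes = @($g.Group | Select-Object -ExpandProperty Size -Unique)
    if ($sizes.Count -gt 1) {
        $where = ($g.Group | ForEach-Object { $_.Directory }) -join ', '
        Write-Warning "$($g.Name): differing copies in $where"
    }
}
```

One row per file name, all under Apache's own folders, is the state steps 2 to 5 aim for.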

sridharb
Joined: 09 Jun 2010 Posts: 16 Location: Chennai, India
Posted: Thu 10 Jun '10 18:13 Post subject:
Hi,
Thanks for responding.
I tried the SNI versions from apachehaus and got the same error.
When I tried the non-SNI version from apachehaus, this error went away.
The Apache2 bin folder is the first in the path and it should find those DLLs/EXE.
All other openssl.exe files (like from SVN and cygwin) have been moved away from the path.
What else could be causing this?
Thanks,
Sridhar

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 10 Jun '10 18:33 Post subject:
Not sure at the moment, maybe something in the config.
I do know:
tlsext is enabled or disabled during build of Openssl
mod_ssl picks this up during its build (why changing mod_ssl is also needed).
mod_ssl is larger if tlsext is enabled since there is then all the code to deal with multiple SSL hosts on the single IP compiled in.

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Mon 14 Jun '10 0:51 Post subject:
I did not forget. The problem is I cannot seem to duplicate this.
Either the server will not start (claiming it cannot find mod_ssl), or it runs when all files match.