openssl gives me errors and Apache does not work with https

I tried to set up an SSL configuration with apache-tomcat, but ran into some problems.

 [root@manage conf]# openssl s_client -state -debug -connect 10.104.1.38:443 -key server.key -cert server.crt
 CONNECTED(00000003)
 SSL_connect:before/connect initialization
 write to 0x80f1e98 [0x811d5e8] (121 bytes => 121 (0x79))
 0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
 0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
 0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
 0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
 0050 - 00 00 03 02 00 80 00 00-ff 0a 86 af 23 f2 2f a1   ............#./.
 0060 - 4b 2d 9b f3 a9 d9 0e 1b-34 4d 0c e4 1a 06 b6 25   K-......4M.....%
 0070 - 76 04 de bd 6f 50 86 a1-9f                        v...oP...
 SSL_connect:SSLv2/v3 write client hello A
 read from 0x80f1e98 [0x8122b48] (7 bytes => 7 (0x7))
 0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
 SSL_connect:error in SSLv2/v3 read server hello A
 23995:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

Here is my Apache configuration:

 [root@manage extra]# cat httpd-ssl.conf
 Listen 443
 AddType application/x-x509-ca-cert .crt
 AddType application/x-pkcs7-crl .crl
 SSLPassPhraseDialog builtin
 SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
 SSLSessionCacheTimeout 300
 SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
 <VirtualHost _default_:443>
 ErrorLog "/usr/local/tomcat/logs/error_log"
 TransferLog "/usr/local/tomcat/logs/access_log"
 SSLEngine on
 SSLProtocol +SSLv3 +TLSv1
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:
 ServerName manage.xyz
 DocumentRoot /usr/local/tomcat/webapps/xyz
 ServerAdmin [email protected]
 Alias /backup "/var/backupdata/"
 Alias /logbackup "/var/logbackupdata/"
 Alias /autologbackupdata "/var/autologbackupdata/"
 Alias /client "/usr/local/xxxx/clientfiles/"
 Alias /syshealth "/usr/local/tomcat/webapps/xyz/syshealth/"
 Alias /connection "/tmp"
 Alias /cacheimages "/var/cacherrdimages"
 Alias /xyz/images "/usr/local/xxxx/images/"
 Alias /images "/usr/local/xxxx/images/"
 Alias /javaplugin "/usr/local/xxxx/javaplugin/"
 Alias /bandwidthgraph "/var/bandwidthgraphs"
 Alias /usergraph "/var/bandwidthgraphs/userimage"
 JkMount /xyz/servlet/* ajp13
 JkMount /xyz/*.jsp ajp13
 SSLCertificateFile "/usr/local/apache/conf/server.crt"
 SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory "/usr/local/apache/cgi-bin">
 SSLOptions +StdEnvVars
 </Directory>
 BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 CustomLog "/usr/local/apache/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 </VirtualHost>

error_log output:

 [Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] Connection to child 2 established (server manage.xyz:443)
 [Tue Aug 05 13:44:03 2014] [info] Seeding PRNG with 136 bytes of entropy
 [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start
 [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/accept initialization
 [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1939): OpenSSL: read 7/11 bytes from BIO#8136940 [mem: 813dfc0] (BIO dump follows)
 [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
 [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1911): | 0000: 15 03 01 00 02 01                                  ......           |
 [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1915): | 0007 - <SPACES/NULS>
 [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
 [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_io.c(1950): OpenSSL: I/O error, 4 bytes expected to read on BIO#8136940 [mem: 813dfc7]
 [Tue Aug 05 13:44:03 2014] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read client hello A
 [Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
 [Tue Aug 05 13:44:03 2014] [info] [client 127.0.0.1] Connection closed to child 2 with abortive shutdown (server manage.xyz:443)
 [Tue Aug 05 13:45:37 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01

When I try it without the -cert option, here is the relevant output:

 [root@manage extra]# openssl s_client -state -debug -connect 10.104.1.38:443
 CONNECTED(00000003)
 SSL_connect:before/connect initialization
 write to 0x80f0da0 [0x811c4f8] (121 bytes => 121 (0x79))
 0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
 0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
 0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
 0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
 0050 - 00 00 03 02 00 80 00 00-ff 10 44 3f 7f e0 41 4d   ..........D?..AM
 0060 - fd 08 dd 10 5b bb f7 10-c6 ec cd 59 b8 ff 55 db   ....[......Y..U.
 0070 - 70 cd 97 8d af 9d 2a 65-2a                        p.....*e*
 SSL_connect:SSLv2/v3 write client hello A
 read from 0x80f0da0 [0x8121a58] (7 bytes => 7 (0x7))
 0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
 SSL_connect:error in SSLv2/v3 read server hello A
 32453:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

Apache error log at the same moment:

 [Tue Aug 05 14:23:49 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01 

Access log:

 10.104.1.38 - - [05/Aug/2014:14:23:49 -0400] "\x80w\x01\x03\x01" 501 217 

Here is the log from when I restart the httpd service. No errors found, I guess.

 ==> error_log <==
 [Tue Aug 05 14:36:44 2014] [info] removed PID file /var/run/httpd.pid (pid=18411)
 [Tue Aug 05 14:36:44 2014] [notice] caught SIGTERM, shutting down
 [Tue Aug 05 14:37:09 2014] [info] Init: Seeding PRNG with 136 bytes of entropy
 [Tue Aug 05 14:37:09 2014] [info] Loading certificate & private key of SSL-aware server
 [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
 [Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
 [Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
 [Tue Aug 05 14:37:09 2014] [info] Init: Initializing (virtual) servers for SSL
 [Tue Aug 05 14:37:09 2014] [info] Configuring server for SSL protocol
 [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
 [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:]
 [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
 [Tue Aug 05 14:37:09 2014] [warn] RSA server certificate CommonName (CN) `jat' does NOT match server name!?
 [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(936): Configuring RSA server private key
 [Tue Aug 05 14:37:09 2014] [info] mod_ssl/2.2.27 compiled against Server: Apache/2.2.27, Library: OpenSSL/0.9.8e-fips-rhel5
 [Tue Aug 05 14:37:09 2014] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/apache/logs/jk-runtime-status
 [Tue Aug 05 14:37:09 2014] [info] Init: Seeding PRNG with 136 bytes of entropy
 [Tue Aug 05 14:37:09 2014] [info] Loading certificate & private key of SSL-aware server
 [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
 [Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary RSA private keys (512/1024 bits)
 [Tue Aug 05 14:37:09 2014] [info] Init: Generating temporary DH parameters (512/1024 bits)
 [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
 [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(272): for 511952 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
 [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
 [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
 [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(310): subcache_size = 15996
 [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 2144
 [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13852
 [Tue Aug 05 14:37:09 2014] [debug] ssl_scache_shmcb.c(316): index_num = 133
 [Tue Aug 05 14:37:09 2014] [info] Shared memory session cache initialised
 [Tue Aug 05 14:37:09 2014] [info] Init: Initializing (virtual) servers for SSL
 [Tue Aug 05 14:37:09 2014] [info] Configuring server for SSL protocol
 [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1)
 [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP+SSLv3:]
 [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(890): Configuring RSA server certificate
 [Tue Aug 05 14:37:09 2014] [warn] RSA server certificate CommonName (CN) `jat' does NOT match server name!?
 [Tue Aug 05 14:37:09 2014] [debug] ssl_engine_init.c(936): Configuring RSA server private key
 [Tue Aug 05 14:37:09 2014] [info] mod_ssl/2.2.27 compiled against Server: Apache/2.2.27, Library: OpenSSL/0.9.8e-fips-rhel5
 [Tue Aug 05 14:37:09 2014] [warn] No JkShmFile defined in httpd.conf. Using default /usr/local/apache/logs/jk-runtime-status
 [Tue Aug 05 14:37:09 2014] [notice] Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.40 configured -- resuming normal operations
 [Tue Aug 05 14:37:09 2014] [info] Server built: Jun 14 2014 05:04:12
 [Tue Aug 05 14:37:09 2014] [debug] prefork.c(1023): AcceptMutex: sysvsem (default: sysvsem)

As the comments above show, the immediate problem is that my service was not running under HTTPS at all, only HTTP. So openssl s_client could not connect to it, because there was no SSL handshake.

The root problem was in my Apache configuration. The NameVirtualHost directive in Apache 2.2 does not support parameters; I changed NameVirtualHost manage.xxx to NameVirtualHost *:80 and now everything works.
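As an added illustration, not part of the question or the answer above: the `\x80w\x01\x03\x01` that Apache logged as an invalid request method is the first five bytes of the SSLv2-compatible ClientHello that `openssl s_client` sent (the `80 77 01 03 01` at the start of its hex dump: a 119-byte record plus the 2-byte header is the 121 bytes s_client reported), and the `<!DOCTY` s_client got back is the HTML 501 error page from the plain-HTTP listener. The Python below decodes such log entries so that a port that should speak TLS but is serving plain HTTP shows up from the logs alone; the sample lines are constructed from those in the question.

```python
import re
# Constructed sample lines modelled on the question's error_log / access_log.
SAMPLE_LOG = r"""
[Tue Aug 05 14:23:49 2014] [error] [client 10.104.1.38] Invalid method in request \x80w\x01\x03\x01
10.104.1.38 - - [05/Aug/2014:14:23:49 -0400] "\x80w\x01\x03\x01" 501 217
10.104.1.38 - - [05/Aug/2014:14:25:01 -0400] "\x16\x03\x01\x02\x00\x01" 501 217
10.104.1.38 - - [05/Aug/2014:14:26:10 -0400] "GET /xyz/index.jsp HTTP/1.1" 200 512
"""
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
REQ_RE = re.compile(r'Invalid method in request (\S+)|"([^"]*)"')
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unescape_apache(text: str) -> bytes:
    """Undo Apache's \\xNN escaping of non-printable bytes in log fields."""
    raw = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return raw.encode("latin-1")

def classify_request(raw: bytes) -> str:
    """Say what the bytes Apache logged as a 'request line' really are."""
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01:
        # SSLv2-compatible ClientHello: 2-byte record length with the high bit
        # set, message type 1, then the highest protocol version offered.
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        ver = VERSIONS.get((raw[3], raw[4]), "unknown version")
        return "sslv2-compat ClientHello (%d bytes, offers %s)" % (length, ver)
    if len(raw) >= 3 and raw[0] in (0x15, 0x16) and raw[1] == 0x03:
        # TLS record header: content type (0x15 alert, 0x16 handshake), version.
        kind = "handshake" if raw[0] == 0x16 else "alert"
        return "TLS %s record (%s)" % (kind, VERSIONS.get((raw[1], raw[2]), "unknown version"))
    method = raw.split(b" ", 1)[0]
    if method.isalpha() and method.isupper():
        return "plain HTTP (%s)" % method.decode("ascii")
    return "unknown"

def scan_log(text: str) -> list:
    """(client_ip, classification) for each logged request that is not plain HTTP."""
    findings = []
    for line in text.strip().splitlines():
        match = REQ_RE.search(line)
        if not match:
            continue
        kind = classify_request(unescape_apache(match.group(1) or match.group(2)))
        if not kind.startswith("plain HTTP"):
            ip = IP_RE.search(line)
            findings.append((ip.group(1) if ip else "?", kind))
    return findings

if __name__ == "__main__":
    for ip, kind in scan_log(SAMPLE_LOG):
        print(ip, "->", kind)
```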