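What is the difference between "Using-Default-VirtualHost" and "Using-Correctly-Named-VirtualHost"?

Conclusion: I believe my openssl version did not match when I compiled Apache. It works now; I recompiled it with the openssl that was already installed. Thanks for your help, Unbeliever.

Additional information: I found another related setting in the tomcat connector's server.xml. So, when the domain is wrong, tomcat handles every part, and when the domain is not wrong, tomcat and apache handle it at the same time, which could be a problem of different openssl versions.

...or not.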


I know this question is weird, but I can't imagine what the difference is.


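Basic information:

The server works fine on http:// connections. (domain: test.domain.com) (Apache 2.2.31 (compiled with openssl 1.0.1u), Tomcat (6.0.35, already installed before))

I already have *.domain.com authentication for https:// connections, which I already use on 'service.domain.com', so "https://service.domain.com" is already on another server/machine/IP.

Finally, I am trying to install SSL on "test.domain.com" to allow https:// connections.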


Problem:

I found that...

If I set the ".conf" wrong,

    #Wrong.conf
    <VirtualHost *:443>
        #whatever, but not 'test.domain.com'
        ServerName testy.domain.com
        ....
    </VirtualHost>

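it works when I connect to https://test.domain.com. (It uses the default VirtualHost; there is only one *:443, and when I removed the VirtualHost, I got an error and could not connect.) No problem: I get a perfect connection and authentication, and I can read the web pages I want.

But if I set the ".conf" correctly,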

    #Correct.conf
    <VirtualHost *:443>
        ServerName test.domain.com
        ...
    </VirtualHost>

I cannot connect to https://test.domain.com.

When I checked with other tools that give detailed information, such as curl in verbose mode,

When I use curl with #Wrong.conf

    * TLSv1.2 (OUT), TLS handshake, Client hello (1)
    * TLSv1.2 (IN), TLS handshake, Server hello (2)
    * TLSv1.2 (IN), TLS handshake, Certificate ....
    .... (and succeed)

When I use curl with #Correct.conf

    * TLSv1.2 (OUT), TLS handshake, Client hello (1)
    * Unknown SSL protocol error in connection to test.domain.com:443
    * Curl_http_done: called premature == 1
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
    * Closing connection 0
    curl: (35) Unknown SSL protocol error in connection to test.domain.com:443

Other parts, such as "IP", "TCP_NODELAY", and even the cipher selection and CAfile, are exactly the same (double-checked, I did not change them).


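So, back to the first question,

What is the difference between using the "default VirtualHost" and the "correctly named VirtualHost"?

Any other suggestions?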


Update:

I am deeply sorry for the inconvenience.

When it works (wrong .conf), apachectl -S shows...

    VirtualHost configuration:
    wildcard NameVirtualHosts and _default_ servers:
    *:80 is a NameVirtualHost
        default server what.test.domain.com (/holy/apache/conf/httpd.conf:573)
        port 80 namevhost what.test.domain.com (/holy/apache/conf/httpd.conf:573)
        port 80 namevhost whatever.test.domain.com (/holy/apache/conf/httpd.conf:580)
        ...
        port 80 namvevhost test.domain.com (/holy/apache/conf/httpd.conf:615)
    *:443 is a NameVirtualHost
        default server testy.domain.com (/holy/apache/conf/httpd.conf:541)
        port 443 namevhost testy.domain.com (/holy/apache/conf/httpd.conf:541)
    Syntax OK

When it does not work (correct .conf), apachectl -S shows...

    VirtualHost configuration:
    wildcard NameVirtualHosts and _default_ servers:
    *:80 is a NameVirtualHost
        default server what.test.domain.com (/holy/apache/conf/httpd.conf:573)
        port 80 namevhost what.test.domain.com (/holy/apache/conf/httpd.conf:573)
        port 80 namevhost whatever.test.domain.com (/holy/apache/conf/httpd.conf:580)
        ...
        port 80 namvevhost test.domain.com (/holy/apache/conf/httpd.conf:615)
    *:443 is a NameVirtualHost
        default server test.domain.com (/holy/apache/conf/httpd.conf:541)
        port 443 namevhost test.domain.com (/holy/apache/conf/httpd.conf:541)
    Syntax OK

I did not make two .conf files for this; I just changed the ServerName by hand (so there is no difference in the other areas).


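Update: logs

Sorry I'm late. Finally, I found some differences regarding this problem. Thank you, Unbeliever.

In the "working scenario", I can see what I imagined: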

    [debug] ssl_engine_kernel.c(1961): [client (**My IP**)] No matching SSL virtual host for servername test.domain.com found (using default/first virtual host)
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 read client hello A
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write server hello A
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write change cipher spec A
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write finished A
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 flush data
    ...
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 read finished A
    [debug] ssl_engine_kernel.c(1838): OpenSSL: Handshake: done
    [info] Connection: Client IP: (**My IP**), Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

However, I found quite a few suspicious parts in the "non-working scenario".

1) It starts with a double handshake.

    [info] [client (**My IP**)] Connection to child 0 established (server test.domain.com:443)
    [info] [client (**My IP**)] Connection to child 1 established (server test.domain.com:443)
    [info] Seeding PRNG with 144 bytes of entropy
    [info] Seeding PRNG with 144 bytes of entropy
    [debug] ssl_engine_kernel.c(1834): OpenSSL: Handshake: start
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: before/accept initialization
    [debug] ssl_engine_kernel.c(1834): OpenSSL: Handshake: start
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: before/accept initialization

2) None of these parts of a successful handshake are present (this log is from the working scenario)

    [debug] ssl_engine_kernel.c(1961): [client (**My IP**)] No matching SSL virtual host for servername test.domain.com found (using default/first virtual host)
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 read client hello A
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write server hello A
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write change cipher spec A
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write finished A
    [debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 flush data
    [info] [client (**My IP**)] Connection to child 4 established (server **testy**.domain.com:443)

3) Lots of segmentation faults

    [notice] child pid 4683 exit signal Segmentation fault (11)
    [notice] child pid 4684 exit signal Segmentation fault (11)
    [notice] child pid 4685 exit signal Segmentation fault (11)
    [notice] child pid 4686 exit signal Segmentation fault (11)
    [notice] child pid 4687 exit signal Segmentation fault (11)

4) Proxy logs

    [debug] proxy_util.c(1901): proxy: grabbed scoreboard slot 0 in child 4727 for worker proxy:reverse
    [debug] proxy_util.c(1921): proxy: worker proxy:reverse already initialized
    [debug] proxy_util.c(2017): proxy: initialized single connection worker 0 in child 4727 for (*)
    [info] [client (**My IP**)] Connection to child 5 established (server test.domain.com:443)
    [info] Seeding PRNG with 144 bytes of entropy
    [debug] proxy_util.c(1901): proxy: grabbed scoreboard slot 0 in child 4728 for worker proxy:reverse
    [debug] proxy_util.c(1921): proxy: worker proxy:reverse already initialized
    [debug] proxy_util.c(2017): proxy: initialized single connection worker 0 in child 4728 for (*)
    [notice] child pid 4727 exit signal Segmentation fault (11)
    [debug] proxy_util.c(1901): proxy: grabbed scoreboard slot 0 in child 4729 for worker proxy:reverse
    [debug] proxy_util.c(1921): proxy: worker proxy:reverse already initialized
    [debug] proxy_util.c(2017): proxy: initialized single connection worker 0 in child 4729 for (*)
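
A log-triage sketch for the symptoms in the post above, added here as an example and not part of the original post: it counts mod_ssl handshakes that start but never finish, pairs them with child segfaults, and records SNI names that fell back to the default vhost. The sample lines are constructed, modelled on the excerpts above; 192.0.2.10 is a placeholder client address.

```python
import re

# Patterns taken from the mod_ssl / MPM messages quoted in the post.
HS_START = re.compile(r"OpenSSL: Handshake: start")
HS_DONE = re.compile(r"OpenSSL: Handshake: done")
SEGV = re.compile(r"child pid (\d+) exit signal Segmentation fault \(11\)")
SNI_FALLBACK = re.compile(
    r"No matching SSL virtual host for servername (\S+) found")

# Constructed sample lines (not copied from a real server).
WORKING = [
    "[debug] ssl_engine_kernel.c(1834): OpenSSL: Handshake: start",
    "[debug] ssl_engine_kernel.c(1961): [client 192.0.2.10] No matching SSL "
    "virtual host for servername test.domain.com found (using default/first virtual host)",
    "[debug] ssl_engine_kernel.c(1838): OpenSSL: Handshake: done",
]
FAILING = [
    "[debug] ssl_engine_kernel.c(1834): OpenSSL: Handshake: start",
    "[debug] ssl_engine_kernel.c(1834): OpenSSL: Handshake: start",
    "[notice] child pid 4683 exit signal Segmentation fault (11)",
    "[notice] child pid 4684 exit signal Segmentation fault (11)",
]


def triage(lines):
    """Summarise TLS handshake outcomes in an Apache 2.2 error log."""
    report = {"started": 0, "done": 0, "segv_pids": [], "sni_fallback": set()}
    for line in lines:
        if HS_START.search(line):
            report["started"] += 1
        elif HS_DONE.search(line):
            report["done"] += 1
        elif (m := SEGV.search(line)):
            report["segv_pids"].append(int(m.group(1)))
        elif (m := SNI_FALLBACK.search(line)):
            report["sni_fallback"].add(m.group(1))
    unfinished = report["started"] - report["done"]
    # Handshakes that start, never finish, and coincide with dying children
    # point at a crash inside the TLS code path rather than a config error.
    report["crash_in_handshake"] = unfinished > 0 and bool(report["segv_pids"])
    return report
```

Run `triage()` over the error log with `LogLevel debug` set; a true `crash_in_handshake` is a cue to compare the OpenSSL version httpd was compiled against with the library it loads at runtime, which is the mismatch the post's conclusion names.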