
OpenSSL - error in SSLv2/v3 read client hello A

Server Fault Asked by Tuyen Nguyen on December 13, 2021

Do you know how to resolve OpenSSL errors:

  • ssl_engine_io.c(2079): OpenSSL: I/O error, 11 bytes expected to read on BIO#55900da46090 [mem: 55900da4d700]
  • ssl_engine_kernel.c(1809): OpenSSL: Exit: error in SSLv2/v3 read client hello A

I have 2 websites using SSL/TLS hosted in the SAME Apache web server inside the SAME Linux machine. (Two sites in 1 web server.)

The first website https://dev.thestack.ca is working fine without error logs.

The second website https://test.thestack.ca is working fine but GENERATES A LOT OF SSL ERROR LOG ENTRIES in the Linux web server.

Below are the error log entries on the web server for the https://test.thestack.ca website.

[Thu Jul 23 06:57:37.493303 2020] [ssl:info] [pid 20920] AH02200: Loading certificate & private key of SSL-aware server 'test.thestack.ca:443'
[Thu Jul 23 06:57:37.517536 2020] [ssl:debug] [pid 20920] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu Jul 23 06:57:37.553250 2020] [ssl:info] [pid 20920] AH01914: Configuring server test.thestack.ca:443 for SSL protocol
[Thu Jul 23 06:57:37.553293 2020] [ssl:trace3] [pid 20920] ssl_engine_init.c(495): Creating new SSL context (protocols: TLSv1, TLSv1.1, TLSv1.2)
[Thu Jul 23 06:57:37.553429 2020] [ssl:trace1] [pid 20920] ssl_engine_init.c(746): Configuring permitted SSL ciphers [HIGH:!aNULL:!MD5]
[Thu Jul 23 06:57:37.553571 2020] [ssl:debug] [pid 20920] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu Jul 23 06:57:37.553605 2020] [ssl:debug] [pid 20920] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Thu Jul 23 06:57:37.553740 2020] [ssl:trace3] [pid 20920] ssl_util_ssl.c(484): [test.thestack.ca:443] SSL_X509_match_name: expecting name 'test.thestack.ca', matched by ID 'test.thestack.ca'
[Thu Jul 23 06:57:37.553802 2020] [ssl:debug] [pid 20920] ssl_util_ssl.c(495): AH02412: [test.thestack.ca:443] Cert matches for name 'test.thestack.ca' [subject: CN=test.thestack.ca / issuer: CN=git-W123P-CA,DC=git,DC=ca / serial: 31000002BD03131CEFB23880BF0000000002BD / notbefore: Jul 21 16:45:58 2020 GMT / notafter: Jul 21 16:45:58 2022 GMT]
[Thu Jul 23 06:57:37.553828 2020] [ssl:debug] [pid 20920] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
[Thu Jul 23 06:57:37.602292 2020] [ssl:info] [pid 20920] AH02200: Loading certificate & private key of SSL-aware server 'test.thestack.ca:443'
[Thu Jul 23 06:57:37.602636 2020] [ssl:debug] [pid 20920] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu Jul 23 06:57:37.604227 2020] [ssl:info] [pid 20920] AH01914: Configuring server test.thestack.ca:443 for SSL protocol
[Thu Jul 23 06:57:37.604243 2020] [ssl:trace3] [pid 20920] ssl_engine_init.c(495): Creating new SSL context (protocols: TLSv1, TLSv1.1, TLSv1.2)
[Thu Jul 23 06:57:37.604285 2020] [ssl:trace1] [pid 20920] ssl_engine_init.c(746): Configuring permitted SSL ciphers [HIGH:!aNULL:!MD5]
[Thu Jul 23 06:57:37.604318 2020] [ssl:debug] [pid 20920] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu Jul 23 06:57:37.604328 2020] [ssl:debug] [pid 20920] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Thu Jul 23 06:57:37.604368 2020] [ssl:trace3] [pid 20920] ssl_util_ssl.c(484): [test.thestack.ca:443] SSL_X509_match_name: expecting name 'test.thestack.ca', matched by ID 'test.thestack.ca'
[Thu Jul 23 06:57:37.604388 2020] [ssl:debug] [pid 20920] ssl_util_ssl.c(495): AH02412: [test.thestack.ca:443] Cert matches for name 'test.thestack.ca' [subject: CN=test.thestack.ca / issuer: CN=git-W123P-CA,DC=git,DC=ca / serial: 31000002BD03131CEFB23880BF0000000002BD / notbefore: Jul 21 16:45:58 2020 GMT / notafter: Jul 21 16:45:58 2022 GMT]
[Thu Jul 23 06:57:37.604392 2020] [ssl:debug] [pid 20920] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
[Thu Jul 23 06:57:37.609350 2020] [proxy:debug] [pid 20921] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/renewApp shared
[Thu Jul 23 06:57:37.609384 2020] [proxy:debug] [pid 20921] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/renewApp local
[Thu Jul 23 06:57:37.609421 2020] [proxy:debug] [pid 20921] proxy_util.c(1936): AH00931: initialized single connection worker in child 20921 for (localhost)
[Thu Jul 23 06:57:37.609446 2020] [proxy:debug] [pid 20921] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/createApp shared
[Thu Jul 23 06:57:37.609472 2020] [proxy:debug] [pid 20921] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/createApp local
[Thu Jul 23 06:57:37.609502 2020] [proxy:debug] [pid 20921] proxy_util.c(1936): AH00931: initialized single connection worker in child 20921 for (localhost)
[Thu Jul 23 06:57:37.609522 2020] [proxy:debug] [pid 20921] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/consents/user shared
[Thu Jul 23 06:57:37.609548 2020] [proxy:debug] [pid 20921] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/consents/user local
[Thu Jul 23 06:57:37.609592 2020] [proxy:debug] [pid 20921] proxy_util.c(1936): AH00931: initialized single connection worker in child 20921 for (localhost)
[Thu Jul 23 06:57:37.609883 2020] [ssl:info] [pid 20921] [client 10.204.39.1:31073] AH01964: Connection to child 0 established (server test.thestack.ca:443)
[Thu Jul 23 06:57:37.610028 2020] [ssl:trace2] [pid 20921] ssl_engine_rand.c(124): Seeding PRNG with 144 bytes of entropy
[Thu Jul 23 06:57:37.610351 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1771): [client 10.204.39.1:31073] OpenSSL: Handshake: start
[Thu Jul 23 06:57:37.610422 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1780): [client 10.204.39.1:31073] OpenSSL: Loop: before/accept initialization
[Thu Jul 23 06:57:37.610471 2020] [core:trace6] [pid 20921] core_filters.c(525): [client 10.204.39.1:31073] core_output_filter: flushing because of FLUSH bucket
[Thu Jul 23 06:57:37.610516 2020] [ssl:trace4] [pid 20921] ssl_engine_io.c(2079): [client 10.204.39.1:31073] OpenSSL: I/O error, 11 bytes expected to read on BIO#55900da46090 [mem: 55900da4d700]
[Thu Jul 23 06:57:37.610528 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1809): [client 10.204.39.1:31073] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Thu Jul 23 06:57:37.610541 2020] [ssl:debug] [pid 20921] ssl_engine_io.c(1202): (70014)End of file found: [client 10.204.39.1:31073] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Jul 23 06:57:37.610556 2020] [ssl:info] [pid 20921] [client 10.204.39.1:31073] AH01998: Connection closed to child 0 with abortive shutdown (server test.thestack.ca:443)
[Thu Jul 23 06:57:37.611919 2020] [proxy:debug] [pid 20923] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/renewApp shared
[Thu Jul 23 06:57:37.611939 2020] [proxy:debug] [pid 20923] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/renewApp local
[Thu Jul 23 06:57:37.612041 2020] [proxy:debug] [pid 20923] proxy_util.c(1936): AH00931: initialized single connection worker in child 20923 for (localhost)
[Thu Jul 23 06:57:37.612075 2020] [proxy:debug] [pid 20923] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/createApp shared
[Thu Jul 23 06:57:37.612083 2020] [proxy:debug] [pid 20923] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/createApp local
[Thu Jul 23 06:57:37.612131 2020] [proxy:debug] [pid 20922] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/renewApp shared
[Thu Jul 23 06:57:37.612149 2020] [proxy:debug] [pid 20922] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/renewApp local
[Thu Jul 23 06:57:37.612168 2020] [proxy:debug] [pid 20923] proxy_util.c(1936): AH00931: initialized single connection worker in child 20923 for (localhost)
[Thu Jul 23 06:57:37.612192 2020] [proxy:debug] [pid 20923] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/consents/user shared
[Thu Jul 23 06:57:37.612211 2020] [proxy:debug] [pid 20923] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/consents/user local
[Thu Jul 23 06:57:37.612214 2020] [proxy:debug] [pid 20922] proxy_util.c(1936): AH00931: initialized single connection worker in child 20922 for (localhost)
[Thu Jul 23 06:57:37.612239 2020] [proxy:debug] [pid 20922] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/createApp shared
[Thu Jul 23 06:57:37.612242 2020] [proxy:debug] [pid 20922] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/createApp local
[Thu Jul 23 06:57:37.612274 2020] [proxy:debug] [pid 20923] proxy_util.c(1936): AH00931: initialized single connection worker in child 20923 for (localhost)
[Thu Jul 23 06:57:37.612315 2020] [proxy:debug] [pid 20922] proxy_util.c(1936): AH00931: initialized single connection worker in child 20922 for (localhost)
[Thu Jul 23 06:57:37.612325 2020] [proxy:debug] [pid 20922] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/consents/user shared
[Thu Jul 23 06:57:37.612334 2020] [proxy:debug] [pid 20922] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/consents/user local
[Thu Jul 23 06:57:37.612350 2020] [proxy:debug] [pid 20922] proxy_util.c(1936): AH00931: initialized single connection worker in child 20922 for (localhost)
[Thu Jul 23 06:57:37.615933 2020] [proxy:debug] [pid 20925] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/renewApp shared
[Thu Jul 23 06:57:37.615949 2020] [proxy:debug] [pid 20925] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/renewApp local
[Thu Jul 23 06:57:37.615967 2020] [proxy:debug] [pid 20925] proxy_util.c(1936): AH00931: initialized single connection worker in child 20925 for (localhost)
[Thu Jul 23 06:57:37.615972 2020] [proxy:debug] [pid 20925] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/createApp shared
[Thu Jul 23 06:57:37.615975 2020] [proxy:debug] [pid 20925] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/createApp local
[Thu Jul 23 06:57:37.615992 2020] [proxy:debug] [pid 20925] proxy_util.c(1936): AH00931: initialized single connection worker in child 20925 for (localhost)
[Thu Jul 23 06:57:37.615996 2020] [proxy:debug] [pid 20925] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/consents/user shared
[Thu Jul 23 06:57:37.616002 2020] [proxy:debug] [pid 20925] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/consents/user local
[Thu Jul 23 06:57:37.616021 2020] [proxy:debug] [pid 20925] proxy_util.c(1936): AH00931: initialized single connection worker in child 20925 for (localhost)
[Thu Jul 23 06:57:37.617882 2020] [proxy:debug] [pid 20924] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/renewApp shared
[Thu Jul 23 06:57:37.617892 2020] [proxy:debug] [pid 20924] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/renewApp local
[Thu Jul 23 06:57:37.617909 2020] [proxy:debug] [pid 20924] proxy_util.c(1936): AH00931: initialized single connection worker in child 20924 for (localhost)
[Thu Jul 23 06:57:37.617914 2020] [proxy:debug] [pid 20924] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/upload/createApp shared
[Thu Jul 23 06:57:37.617917 2020] [proxy:debug] [pid 20924] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/upload/createApp local
[Thu Jul 23 06:57:37.617928 2020] [proxy:debug] [pid 20924] proxy_util.c(1936): AH00931: initialized single connection worker in child 20924 for (localhost)
[Thu Jul 23 06:57:37.617934 2020] [proxy:debug] [pid 20924] proxy_util.c(1843): AH00925: initializing worker http://localhost:8080/thestack-admin/consents/user shared
[Thu Jul 23 06:57:37.617951 2020] [proxy:debug] [pid 20924] proxy_util.c(1885): AH00927: initializing worker http://localhost:8080/thestack-admin/consents/user local
[Thu Jul 23 06:57:37.617970 2020] [proxy:debug] [pid 20924] proxy_util.c(1936): AH00931: initialized single connection worker in child 20924 for (localhost)
[Thu Jul 23 06:57:42.602787 2020] [ssl:info] [pid 20921] [client 10.204.39.1:42035] AH01964: Connection to child 0 established (server test.thestack.ca:443)
[Thu Jul 23 06:57:42.602974 2020] [ssl:trace2] [pid 20921] ssl_engine_rand.c(124): Seeding PRNG with 144 bytes of entropy
[Thu Jul 23 06:57:42.603055 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1771): [client 10.204.39.1:42035] OpenSSL: Handshake: start
[Thu Jul 23 06:57:42.603079 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1780): [client 10.204.39.1:42035] OpenSSL: Loop: before/accept initialization
[Thu Jul 23 06:57:42.603095 2020] [core:trace6] [pid 20921] core_filters.c(525): [client 10.204.39.1:42035] core_output_filter: flushing because of FLUSH bucket
[Thu Jul 23 06:57:42.603120 2020] [ssl:trace4] [pid 20921] ssl_engine_io.c(2079): [client 10.204.39.1:42035] OpenSSL: I/O error, 11 bytes expected to read on BIO#55900da48120 [mem: 55900da4d700]
[Thu Jul 23 06:57:42.603131 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1809): [client 10.204.39.1:42035] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Thu Jul 23 06:57:42.603184 2020] [ssl:debug] [pid 20921] ssl_engine_io.c(1202): (70014)End of file found: [client 10.204.39.1:42035] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Jul 23 06:57:42.603201 2020] [ssl:info] [pid 20921] [client 10.204.39.1:42035] AH01998: Connection closed to child 0 with abortive shutdown (server test.thestack.ca:443)

Below is the Virtual Host configuration of the two websites; they are on the same Linux web server.

NameVirtualHost *:443

<VirtualHost *:443>
    SSLEngine on
    DocumentRoot /app/apache-tomcat-8.5.37/webapps/thestack-portal
    ServerName test.thestack.ca
    ErrorLog /app/apache-tomcat-8.5.37/logs/thestack-user-portal-error_log
    CustomLog /app/apache-tomcat-8.5.37/logs/thestack-user-portal-access_log common
    SSLCertificateFile /app/thestack/cert/user-portal/test.thestack.ca-cert.pem
    SSLCertificateKeyFile /app/thestack/cert/user-portal/test.thestack.ca-server.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /rest/createRenApp http://localhost:8080/thestack-admin/upload/renewAppuser
    ProxyPassReverse /rest/createRenApp http://localhost:8080/thestack-admin/upload/renewAppuser
    ProxyPass /rest/createAsdApp http://localhost:8080/thestack-admin/upload/createAppuser
    ProxyPassReverse /rest/createAsdApp http://localhost:8080/thestack-admin/upload/createAppuser
    ProxyPass /rest/consent http://localhost:8080/thestack-admin/consents/user
    ProxyPassReverse /rest/consent http://localhost:8080/thestack-admin/consents/user
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    DocumentRoot /app/apache-tomcat-8.5.37/webapps/dev-thestack-portal
    ServerName dev.thestack.ca
    ErrorLog /app/apache-tomcat-8.5.37/logs/dev-thestack-user-portal-error_log
    CustomLog /app/apache-tomcat-8.5.37/logs/dev-thestack-user-portal-access_log common
    SSLCertificateFile /app/thestack/cert/user-portal/dev.thestack.ca-cert.pem
    SSLCertificateKeyFile /app/thestack/cert/user-portal/dev.thestack.ca-server.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /rest/createRenApp http://localhost:8080/dev-thestack-admin/upload/renewAppuser
    ProxyPassReverse /rest/createRenApp http://localhost:8080/dev-thestack-admin/upload/renewAppuser
    ProxyPass /rest/createAsdApp http://localhost:8080/dev-thestack-admin/upload/createAppuser
    ProxyPassReverse /rest/createAsdApp http://localhost:8080/dev-thestack-admin/upload/createAppuser
    ProxyPass /rest/consent http://localhost:8080/dev-thestack-admin/consents/user
    ProxyPassReverse /rest/consent http://localhost:8080/dev-thestack-admin/consents/user
</VirtualHost>

Thank you!

One Answer

Check your OpenSSL package version on both servers, and check whether you have the gnutls package on both (you're disabling SSL support in your Apache config; you're probably missing the gnutls package).

You can try temporarily changing the configuration in your Apache config to see if it resolves your errors (if it does, it's a library issue):

SSLProtocol all
SSLCipherSuite HIGH:!aNULL:!MD5

As Michael Hampton suggested, see the SSL config generators; if you need more details, you can find good information on Mozilla's wiki.

My favourite options are (not sure if they are suitable for you):

SSLProtocol -All +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

Answered by Geeky Masters on December 13, 2021
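
To see which clients trigger these entries and how regularly, the sketch below (an added example, not part of the original question or answer) pairs each "read client hello" exit with its AH02007 end-of-file line and reports the gap between occurrences per client IP. The function names are illustrative, and the sample lines are excerpted from the error log in the question.

```python
import re
from collections import defaultdict
from datetime import datetime

# Four lines excerpted from the error log posted in the question.
SAMPLE_LOG = """\
[Thu Jul 23 06:57:37.610528 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1809): [client 10.204.39.1:31073] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Thu Jul 23 06:57:37.610541 2020] [ssl:debug] [pid 20921] ssl_engine_io.c(1202): (70014)End of file found: [client 10.204.39.1:31073] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Thu Jul 23 06:57:42.603131 2020] [ssl:trace3] [pid 20921] ssl_engine_kernel.c(1809): [client 10.204.39.1:42035] OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Thu Jul 23 06:57:42.603184 2020] [ssl:debug] [pid 20921] ssl_engine_io.c(1202): (70014)End of file found: [client 10.204.39.1:42035] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
"""

TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"

# Timestamp, then anything up to the [client ip:port] tag, then the message.
# Assumption: IPv4 clients only, as in the posted log.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[pid \d+\] "
    r".*?\[client (?P<ip>[\d.]+):(?P<port>\d+)\]\s*(?P<msg>.*)$"
)


def aborted_handshakes(log_text):
    """Return {client_ip: [datetime, ...]} for connections that hit
    end-of-file (AH02007) while mod_ssl was still waiting for the ClientHello."""
    waiting = set()  # (ip, port) pairs that exited in the "read client hello" state
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup and proxy-worker lines carry no client tag
        conn = (m["ip"], m["port"])
        if "read client hello" in m["msg"]:
            waiting.add(conn)
        elif "AH02007" in m["msg"] and conn in waiting:
            waiting.discard(conn)
            hits[m["ip"]].append(datetime.strptime(m["ts"], TS_FORMAT))
    return dict(hits)


def intervals(times):
    """Seconds between consecutive aborted handshakes, rounded to 0.1 s."""
    return [round((b - a).total_seconds(), 1) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for ip, times in aborted_handshakes(SAMPLE_LOG).items():
        print(ip, len(times), "aborted handshakes, gaps (s):", intervals(times))
```

On the excerpt this reports two aborted handshakes from 10.204.39.1, 5.0 seconds apart, each from a different source port.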
