# apache, mod_ssl => ssl handshake interrupted

## questionaire

hi there,

currently facing a problem where i don't know what to do

did some upgrading and there was also an update from apache 2.0 to 2.2

the box has a Thawte ssl certificate, and when i want to connect to it i get the following errors in my ssl log:

```
[Sun Sep 23 20:32:58 2007] [info] Loading certificate & private key of SSL-aware server
[Sun Sep 23 20:32:58 2007] [info] Configuring server for SSL protocol
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] Connection to child 0 established (server www.domain.com:443)
[Sun Sep 23 20:32:58 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Sun Sep 23 20:32:58 2007] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] Connection to child 0 established (server www.domain.com:443)
[Sun Sep 23 20:32:58 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Sun Sep 23 20:32:58 2007] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] Connection to child 0 established (server www.domain.com:443)
[Sun Sep 23 20:32:58 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Sun Sep 23 20:32:58 2007] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] Connection to child 0 established (server www.domain.com:443)
[Sun Sep 23 20:32:58 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Sun Sep 23 20:32:58 2007] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] Connection to child 0 established (server www.domain.com:443)
[Sun Sep 23 20:32:58 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Sun Sep 23 20:32:58 2007] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
[Sun Sep 23 20:33:01 2007] [info] Loading certificate & private key of SSL-aware server
[Sun Sep 23 20:33:01 2007] [info] Configuring server for SSL protocol
[Sun Sep 23 20:33:32 2007] [info] Loading certificate & private key of SSL-aware server
[Sun Sep 23 20:33:32 2007] [info] Configuring server for SSL protocol
[Sun Sep 23 20:35:28 2007] [info] [client 85.127.60.61] Connection to child 1 established (server www.domain.com:443)
[Sun Sep 23 20:35:28 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:35:28 2007] [info] Initial (No.1) HTTPS request received for child 1 (server www.domain.com:443)
[Sun Sep 23 20:35:28 2007] [error] [client 85.127.60.61] client denied by server configuration: /var/www/domain/
[Sun Sep 23 20:35:29 2007] [info] Subsequent (No.2) HTTPS request received for child 1 (server www.domain.com:443)
[Sun Sep 23 20:35:29 2007] [error] [client 85.127.60.61] client denied by server configuration: /var/www/domain/favicon.ico
[Sun Sep 23 20:35:29 2007] [info] [client 85.127.60.61] Connection to child 2 established (server www.domain.com:443)
[Sun Sep 23 20:35:29 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:35:29 2007] [info] [client 85.127.60.61] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Sun Sep 23 20:35:29 2007] [info] [client 85.127.60.61] Connection closed to child 2 with abortive shutdown (server www.domain.com:443)
[Sun Sep 23 20:35:29 2007] [info] [client 85.127.60.61] Connection to child 3 established (server www.domain.com:443)
[Sun Sep 23 20:35:29 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:35:29 2007] [info] Subsequent (No.3) HTTPS request received for child 1 (server www.domain.com:443)
[Sun Sep 23 20:35:29 2007] [error] [client 85.127.60.61] client denied by server configuration: /var/www/domain/favicon.ico
[Sun Sep 23 20:35:29 2007] [info] Initial (No.1) HTTPS request received for child 3 (server www.domain.com:443)
[Sun Sep 23 20:35:29 2007] [error] [client 85.127.60.61] client denied by server configuration: /var/www/domain/favicon.ico
[Sun Sep 23 20:35:44 2007] [info] [client 85.127.60.61] (70007)The timeout specified has expired: SSL input filter read failed.
[Sun Sep 23 20:35:44 2007] [info] [client 85.127.60.61] Connection closed to child 1 with standard shutdown (server www.domain.com:443)
[Sun Sep 23 20:35:44 2007] [info] [client 85.127.60.61] (70007)The timeout specified has expired: SSL input filter read failed.
[Sun Sep 23 20:35:44 2007] [info] [client 85.127.60.61] Connection closed to child 3 with standard shutdown (server www.domain.com:443)
```

that doesn't really help me

recompiled openssl, recompiled apache

when starting the server i get the following output:

```
[Sun Sep 23 18:19:39 2007] [notice] caught SIGTERM, shutting down
[Sun Sep 23 18:19:40 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 23 18:19:40 2007] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 18:19:40 2007] [info] Loading certificate & private key of SSL-aware server
[Sun Sep 23 18:19:40 2007] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun Sep 23 18:19:40 2007] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun Sep 23 18:19:40 2007] [info] Init: Initializing (virtual) servers for SSL
[Sun Sep 23 18:19:40 2007] [info] Configuring server for SSL protocol
[Sun Sep 23 18:19:40 2007] [info] mod_ssl/2.2.6 compiled against Server: Apache/2.2.6, Library: OpenSSL/0.9.8e
[Sun Sep 23 18:19:40 2007] [notice] Digest: generating secret for digest authentication ...
[Sun Sep 23 18:21:32 2007] [notice] Digest: done
[Sun Sep 23 18:21:32 2007] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 18:21:32 2007] [info] Loading certificate & private key of SSL-aware server
[Sun Sep 23 18:21:32 2007] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun Sep 23 18:21:32 2007] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun Sep 23 18:21:32 2007] [info] Shared memory session cache initialised
[Sun Sep 23 18:21:32 2007] [info] Init: Initializing (virtual) servers for SSL
[Sun Sep 23 18:21:32 2007] [info] Configuring server for SSL protocol
[Sun Sep 23 18:21:32 2007] [info] mod_ssl/2.2.6 compiled against Server: Apache/2.2.6, Library: OpenSSL/0.9.8e
[Sun Sep 23 18:21:32 2007] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8e PHP/5.2.4-pl2-gentoo configured -- resuming normal operations
[Sun Sep 23 18:21:32 2007] [info] Server built: Sep 18 2007 10:32:12
```

mod_ssl config:

```
<IfDefine SSL>
  <IfModule !mod_ssl.c>
    LoadModule ssl_module    modules/mod_ssl.so
  </IfModule>
</IfDefine>

<IfModule mod_ssl.c>
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
# Note: This must come before the <IfDefine SSL> container to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
Listen 443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
<IfModule mod_mime.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfModule>

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shmht:logs/ssl_scache(512000)
#SSLSessionCache        shmcb:logs/ssl_scache(512000)
#SSLSessionCache        dbm:/var/cache/apache2/ssl_scache
SSLSessionCache         shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex  file:/var/run/ssl_mutex
</IfModule>
```

ssl vhost:

```
<VirtualHost *:443>
  ServerName www.domain.com:443
  ServerAdmin office@domain.com
  ServerAlias www.domain.com
  DocumentRoot /var/www/domain
  ErrorLog /var/logs/apache/domain_ssl.log
  TransferLog /var/logs/apache/domain_transfer.log
  ScriptAlias /cgi-bin/ /var/www/domain/cgi-bin/
  suPHP_ConfigPath /var/php/domain

  <IfModule mod_ssl.c>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateKeyFile /home/user/ssl/www_domain_com.key
    SSLCertificateFile /home/user/ssl/www_domain_com.cert
    CustomLog "/var/logs/apache/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
      SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/domain/cgi-bin">
      SSLOptions +StdEnvVars
    </Directory>
  </IfModule>

  suPHP_UserGroup domain domain
</VirtualHost>
```

hope you have any ideas how to solve that mess

kind regards, me

----------

## questionaire

no one?

----------

