
Mailing List Archive: Apache: Users

SSL received a record that exceeded the maximum permissible length.

 

 



joliver at john-oliver

Nov 13, 2009, 9:21 AM


I have one physical server with two IP addresses. I created
VirtualHosts for each:

NameVirtualHost 192.168.1.47:443
NameVirtualHost 192.168.1.129:443

<VirtualHost 192.168.1.47:443>
ServerName virtual.host1
DocumentRoot /var/www/html2
ErrorLog logs/ssl_error2_log
CustomLog logs/ssl_request2_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLEngine on
SSLProtocol all -SSLv2
SSLVerifyClient require
SSLVerifyDepth 10
SSLCertificateFile /etc/pki/tls/certs/subscriber.pem
SSLCACertificateFile /etc/pki/tls/certs/cabundle.crt
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost 192.168.1.129:443>
ServerName virtual.host2
DocumentRoot /var/www/html
ErrorLog logs/ssl_error_log
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/pki/tls/certs/ois_cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/ois_key.pem
SSLCACertificateFile /etc/pki/tls/certs/cabundle.crt
SSLVerifyClient require
SSLVerifyDepth 10
</VirtualHost>

When I visit https://virtual.host2/ I get:

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)


But nothing is logged, even if I change LogLevel to 'debug'.
https://192.168.1.129/ works just fine. I've double-checked the file
permissions for the cert and key, and that the cert is not expired.
Googling hasn't helped. I'm at kind of a loss here! What else can I
look at for more clues?

--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


phil at philipwigg

Nov 13, 2009, 9:29 AM

Re: SSL received a record that exceeded the maximum permissible length.

> NameVirtualHost 192.168.1.47:443
> NameVirtualHost 192.168.1.129:443

You can't use name based virtual hosting with SSL. Try these lines
out. You need to make sure you have a Listen directive for those
IP/port combinations though.

Cheers,
Phil.



covener at gmail

Nov 13, 2009, 9:31 AM

Re: SSL received a record that exceeded the maximum permissible length.

> <VirtualHost 192.168.1.47:443>
> <VirtualHost 192.168.1.129:443>

> When I visit https://virtual.host2/ I get:
>
> SSL received a record that exceeded the maximum permissible length.
>
> (Error code: ssl_error_rx_record_too_long)
>

My guess is that you're actually receiving this connection on an
interface not listed in any of your vhosts, so it's handled as HTTP by
the "base" server config.

Can you use at least 1 *:443?

--
Eric Covener
covener [at] gmail
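
Added example (not part of the original thread): a plaintext HTTP reply read as a TLS record header yields a length above the record limit, which is the condition the browser reports. The function name and the sample byte strings are constructed for illustration.

```python
import struct

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Upper bound on a TLSCiphertext record length (RFC 5246, section 6.2.3).
MAX_RECORD_LEN = 2**14 + 2048

def classify_first_bytes(data: bytes) -> dict:
    """Read the first bytes a server sent the way a TLS client would."""
    if len(data) < 5:
        return {"verdict": "short", "detail": "no complete record header"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        return {"verdict": "tls",
                "detail": f"{CONTENT_TYPES[ctype]}, version 3.{minor}, length={length}"}
    detail = f"type={ctype:#04x} version={major}.{minor} length={length}"
    if length > MAX_RECORD_LEN:
        detail += f" (over the {MAX_RECORD_LEN}-byte record limit)"
    # Plaintext HTTP replies start with a status line or an HTML error page.
    looks_http = data[:5].lower() in (b"http/", b"<!doc", b"<html")
    return {"verdict": "plain-http" if looks_http else "not-tls", "detail": detail}

# Constructed samples: a TLS 1.0 ServerHello record header, and two ways an
# HTTP-only listener might answer a ClientHello it cannot parse.
SAMPLES = {
    "tls": bytes([0x16, 0x03, 0x01, 0x00, 0x4A]) + b"\x02\x00\x00\x46",
    "http-status": b"HTTP/1.1 400 Bad Request\r\n",
    "html-error": b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">",
}

if __name__ == "__main__":
    for name, first in SAMPLES.items():
        print(name, classify_first_bytes(first))
```

A "plain-http" verdict for bytes captured from an IP:443 listener means that connection was not handled by a virtual host with SSLEngine on.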



joliver at john-oliver

Nov 13, 2009, 10:20 AM

Re: SSL received a record that exceeded the maximum permissible length.

On Fri, Nov 13, 2009 at 12:31:50PM -0500, Eric Covener wrote:
> > <VirtualHost 192.168.1.47:443>
> > <VirtualHost 192.168.1.129:443>
>
> > When I visit https://virtual.host2/ I get:
> >
> > SSL received a record that exceeded the maximum permissible length.
> >
> > (Error code: ssl_error_rx_record_too_long)
> >
>
> My guess is that you're actually receiving this connection on an
> interface not listed in any of your vhosts, so it's handled as HTTP by
> the "base" server config.
>
> Can you use at least 1 *:443?

When I had *:443 I got a message about:

[warn] NameVirtualHost *:443 has no VirtualHosts

And there are no other interfaces. eth0 and eth1, each with one of the
two IPs above.

--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************



joliver at john-oliver

Nov 13, 2009, 10:24 AM

Re: SSL received a record that exceeded the maximum permissible length.

On Fri, Nov 13, 2009 at 05:29:07PM +0000, Philip Wigg wrote:
> > NameVirtualHost 192.168.1.47:443
> > NameVirtualHost 192.168.1.129:443
>
> You can't use name based virtual hosting with SSL. Try these lines
> out. You need to make sure you have a Listen directive for those
> IP/port combinations though.

Oh, duh... :-)

Thanks, I'm back in business.

--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************



crypto.sal at gmail

Nov 13, 2009, 11:04 PM

Re: SSL received a record that exceeded the maximum permissible length.

On 11/13/2009 12:29 PM, Philip Wigg wrote:
>> NameVirtualHost 192.168.1.47:443
>> NameVirtualHost 192.168.1.129:443
>>
> You can't use name based virtual hosting with SSL. Try these lines
> out. You need to make sure you have a Listen directive for those
> IP/port combinations though.
>
> Cheers,
> Phil.
>
>
>

Phil,

As of Apache 2.2.12 + OpenSSL 0.9.8f/j, you can. You may thank RFC 4366
for SNI (Server Name Indication). However, most versions of IE (any
version on XP) don't support it. :-P


http://en.wikipedia.org/wiki/Server_Name_Indication

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

