Why does Apache 2.4 use the wrong certificate chain, even though I specify a different certificate bundle in the VirtualHost configuration?

Posted 2025-01-22 23:27:24 · 5487 characters · 1 view · 0 comments

I am trying to get SSL working on an Oracle Linux server running Apache httpd 2.4.37.

My VirtualHost block is as follows:

    <VirtualHost phxacrstage.oraclecorp.com:443>
        ServerName  phxacrstage.oraclecorp.com:443
        DocumentRoot /var/www/html
        ErrorLog logs/phxacrstage-ssl-error_log
        TransferLog logs/phxacrstage-ssl-access_log
        LogLevel warn

        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
        SSLCertificateFile /etc/pki/tls/certs/phxacrstage.oraclecorp.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/phxacrstage.oraclecorp.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/CombinedSHA-1RootSHA-256Intermediate-09-JUN-2021.crt
    </VirtualHost>

When I use curl to test the configuration with the command:

    curl -v http://phxacrstage.oraclecorp.com:443

I get:

    * Rebuilt URL to: http://phxacrstage.oraclecorp.com:443/
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 100.104.244.56...
    * TCP_NODELAY set
    * Connected to phxacrstage.oraclecorp.com (100.104.244.56) port 443 (#0)
    > GET / HTTP/1.1
    > Host: phxacrstage.oraclecorp.com:443
    > User-Agent: curl/7.61.1
    > Accept: */*
    > 
    < HTTP/1.1 200 OK
    < Date: Thu, 21 Apr 2022 21:24:39 GMT
    < Server: Apache/2.4.37 (Oracle Linux) OpenSSL/1.1.1k
    < Last-Modified: Wed, 20 Apr 2022 23:33:57 GMT
    < ETag: "7c-5dd1e6d6516db"
    < Accept-Ranges: bytes
    < Content-Length: 124
    < Content-Type: text/html; charset=UTF-8
    < 
    { [124 bytes data]
    100   124  100   124    0     0  41333      0 --:--:-- --:--:-- --:--:-- 41333
    * Connection #0 to host phxacrstage.oraclecorp.com left intact
    <html>
    <head>
    <title>PHXAcrStage1 server</title>
    </head>
    <body>
    <h1>Welcome to the PHXAcrStage1 server</h1>
    </body>
    </html>

which is what I would expect.
However if I use curl to access the site as follows:

    curl -v https://phxacrstage.oraclecorp.com

I get the following output:

    * Rebuilt URL to: https://phxacrstage.oraclecorp.com/
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 100.104.244.56...
    * TCP_NODELAY set
    * Connected to phxacrstage.oraclecorp.com (100.104.244.56) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * error:1408F10B:SSL routines:ssl3_get_record:wrong version number
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    * Closing connection 0
    curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

As can be seen in this result, Apache is using /etc/pki/tls/certs/ca-bundle.crt for the certificate chain even though I specifically tell Apache to use a different certificate bundle in my only VirtualHost block above.

From a different server I tried to retrieve the certificate chain using:

    openssl s_client -connect phxacrstage.oraclecorp.com:443

I got back:

    139886046541632:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
    CONNECTED(00000003)
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5 bytes and written 324 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

I am seeing the following in my access_log:

    10.154.171.241 - - [21/Apr/2022:22:30:45 +0000] "\x16\x03\x01\x02" 400 226 "-" "-"

The output from apachectl -S is:
    Passing arguments to httpd using apachectl is no longer supported.
    You can only start/stop/restart httpd using this script.
    If you want to pass extra arguments to httpd, edit the
    /etc/sysconfig/httpd config file.
    VirtualHost configuration:
    100.104.246.211:443    phxacrstage.oraclecorp.com (/etc/httpd/conf.d/acrtool_ssl.conf:13)
    100.102.121.253:80     acrstage.oraclecorp.com (/etc/httpd/conf.d/acrtool.conf:23)
    ServerRoot: "/etc/httpd"
    Main DocumentRoot: "/var/www/html"
    Main ErrorLog: "/etc/httpd/logs/error_log"
    Mutex default: dir="/etc/httpd/run/" mechanism=default 
    Mutex cache-socache: using_defaults
    Mutex authdigest-opaque: using_defaults
    Mutex watchdog-callback: using_defaults
    Mutex proxy-balancer-shm: using_defaults
    Mutex rewrite-map: using_defaults
    Mutex ssl-stapling-refresh: using_defaults
    Mutex authdigest-client: using_defaults
    Mutex lua-ivm-shm: using_defaults
    Mutex ssl-stapling: using_defaults
    Mutex proxy: using_defaults
    Mutex authn-socache: using_defaults
    Mutex ssl-cache: using_defaults
    PidFile: "/etc/httpd/run/httpd.pid"
    Define: DUMP_VHOSTS
    Define: DUMP_RUN_CFG
    User: name="apache" id=48
    Group: name="apache" id=48
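Added diagnostic helpers, not part of the question and not Apache's, curl's or OpenSSL's own code, for testing an alternative reading of the evidence above. Three points are fixed facts: the bytes `\x16\x03\x01` logged in the access_log are the start of a TLS handshake record (content type 0x16, record version 0x03 0x01); OpenSSL's `ssl3_get_record:wrong version number` is what a client reports when the bytes it receives in place of a TLS record carry no TLS version field, which is what a plaintext HTTP response looks like to it; and the `CAfile:` line in curl's output names the client's own trust store, not anything the server sent. The helpers check each kind of evidence the question shows: whether an access_log line records a TLS ClientHello parsed as HTTP, whether the `apachectl -S` table has a port-443 VirtualHost bound to the address the client actually connected to, and what a server sends back on the wire. The sample strings are constructed from values copied out of the question; `probe()` is a live check against whatever host the reader passes in, and the verdict strings are my own naming.

```python
"""Diagnostic helpers (added example, not from the question): tell "plaintext HTTP
is answering on port 443" apart from a genuine TLS or certificate-chain problem."""
import re
import socket
import ssl

# Constructed sample inputs, with the values copied from the question's output.
SAMPLE_LOG = r'10.154.171.241 - - [21/Apr/2022:22:30:45 +0000] "\x16\x03\x01\x02" 400 226 "-" "-"'
SAMPLE_APACHECTL = """\
VirtualHost configuration:
100.104.246.211:443    phxacrstage.oraclecorp.com (/etc/httpd/conf.d/acrtool_ssl.conf:13)
100.102.121.253:80     acrstage.oraclecorp.com (/etc/httpd/conf.d/acrtool.conf:23)
"""
RESOLVED_IP = "100.104.244.56"  # the address curl reported connecting to in the question

# 1. access_log evidence.  A TLS record begins with content type 0x16 (handshake)
#    and a 0x03 0x0X version.  Apache only logs those bytes as a request line when the
#    listener/vhost that accepted the connection has no SSLEngine and parsed the
#    ClientHello as HTTP.  The log escapes the bytes as literal "\x16\x03\x01".
_TLS_RECORD_IN_LOG = re.compile(r'"\\x16\\x03\\x0[0-4]')


def log_line_is_tls_hello(line: str) -> bool:
    """True if an access_log line records a TLS ClientHello being treated as HTTP."""
    return _TLS_RECORD_IN_LOG.search(line) is not None


# 2. apachectl -S evidence: the "<ip>:<port>  <servername> (<conf>:<line>)" rows.
_VHOST_LINE = re.compile(r'^\s*(\S+?):(\d+)\s+(\S+)\s+\((\S+?):(\d+)\)\s*$', re.M)


def vhosts_for(apachectl_output: str, ip: str, port: int) -> list:
    """Return (servername, conffile) pairs of VirtualHosts bound to ip:port.
    '*' and '_default_' bindings are treated as matching any address."""
    hits = []
    for bind_ip, bind_port, name, conf, _line in _VHOST_LINE.findall(apachectl_output):
        if int(bind_port) == port and bind_ip in (ip, "*", "_default_"):
            hits.append((name, conf))
    return hits


# 3. wire evidence: what came back after a TLS ClientHello was sent.
def classify_reply(first_bytes: bytes) -> str:
    """Classify the first bytes a server returned in response to a TLS ClientHello."""
    if first_bytes.startswith(b"HTTP/1."):
        return "plaintext-http"     # an HTTP response to a TLS hello: no TLS on this vhost
    if len(first_bytes) >= 2 and first_bytes[1] == 0x03:
        if first_bytes[0] == 0x16:
            return "tls-handshake"  # ServerHello: TLS is configured on this listener
        if first_bytes[0] == 0x15:
            return "tls-alert"      # e.g. protocol or cipher-suite mismatch
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check.  Try a real TLS handshake first; if OpenSSL reports
    WRONG_VERSION_NUMBER, send a plaintext GET on the same port to confirm
    what is actually answering there."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"kind": "tls-handshake", "version": tls.version(),
                        "subject": tls.getpeercert().get("subject")}
    except ssl.SSLError as exc:
        if "WRONG_VERSION_NUMBER" not in str(exc).upper():
            return {"kind": "tls-error", "detail": str(exc)}
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        return {"kind": classify_reply(raw.recv(16))}


def diagnose_sample() -> str:
    """Combine the offline evidence from the constructed sample into one verdict."""
    if log_line_is_tls_hello(SAMPLE_LOG) and not vhosts_for(SAMPLE_APACHECTL, RESOLVED_IP, 443):
        return "no-ssl-vhost-on-connected-address"
    return "inconclusive"


if __name__ == "__main__":
    print(diagnose_sample())
```

Run as-is, `diagnose_sample()` works purely on the constructed sample; `probe("<your host>")` does the live version and never sends more than one plaintext GET. When the log shows the TLS hello and `vhosts_for()` finds no port-443 VirtualHost on the address the client connected to, the thing to compare is the `Listen` and `<VirtualHost>` addresses against what the ServerName resolves to, before spending time on the certificate files: `SSLCertificateChainFile` can only take effect in a vhost that actually receives the connection.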
