问一个Apache集成openssl的问题

若鱼1919 2017-10-11 02:17:39

问题描述：
有一个域名：www.aaa.com 对应的IP地址是：106.10.10.10（CentOS）

在106.10.10.10上做了端口映射，106.10.10.10的80端口映射到106.20.20.20的80端口，106.10.10.10的443端口映射到106.20.20.20的443端口，应用实际是部署在106.20.20.20上。

现在，在106.20.20.20上安装了apache，http://www.aaa.com来访问是ok的，但是https://www.aaa.com却不行。

ssl相关的配置如下：



<VirtualHost _default_:443>

#   General setup for the virtual host

DocumentRoot "/var/www/html"

ServerName www.aaa.com:443

ServerAdmin you@example.com

ErrorLog "/usr/local/apache/logs/error_log"

TransferLog "/usr/local/apache/logs/access_log"

...

在106.20.20.20上执行curl：
[root@dzp tmp]# curl -v https://www.aaa.com



* About to connect() to www.aaa.com port 443 (#0)

*   Trying  106.10.10.10...

* Connected to www.aaa.com (106.10.10.10) port 443 (#0)

* Initializing NSS with certpath: sql:/etc/pki/nssdb

*   CAfile: /etc/pki/tls/certs/ca-bundle.crt

  CApath: none

* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)

* SSL received a record that exceeded the maximum permissible length.

* Closing connection 0

curl: (35) SSL received a record that exceeded the maximum permissible length.

求教诸位大神，这是什么原因？

...全文

510 10 打赏收藏转发到动态举报

写回复

用AI写文章

10 条回复

切换为时间正序

请发表友善的回复…

发表回复

若鱼1919 2017-10-12

打赏
举报

引用 9 楼 aschouas 的回复:

read from 0x2451b80 [0x249b0c0] (7 bytes => 7 (0x7)) 明显返回字节数不对

read from 0x2451b80 [0x249b0c0] (7 bytes => 7 (0x7)) 0000 - 48 54 54 50 2f 31 2e HTTP/1. 这个看上去是http协议而不是https

一个治疗术 2017-10-11

打赏
举报

read from 0x2451b80 [0x249b0c0] (7 bytes => 7 (0x7)) 明显返回字节数不对

一个治疗术 2017-10-11

打赏
举报

引用 7 楼 goldenfish1919 的回复:


[root@dzp tmp]# openssl s_client -connect www.aaa.com:443 -debug 
CONNECTED(00000003)
write to 0x2451b80 [0x2495b60] (289 bytes => 289 (0x121))
0000 - 16 03 01 01 1c 01 00 01-18 03 03 a6 82 25 a2 ae   .............%..
0010 - ad 0c 1a 89 69 c0 ba c7-eb d9 72 a2 6a 8a 9b f9   ....i.....r.j...
0020 - ed d7 6a 97 88 69 2b c9-a9 14 f4 00 00 ac c0 30   ..j..i+........0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1   .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37   ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a   .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f   .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0   .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31   ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43   .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c   .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-c0 12 c0 08 00 16 00 13   .<./...A........
00c0 - 00 10 00 0d c0 0d c0 03-00 0a 00 07 c0 11 c0 07   ................
00d0 - c0 0c c0 02 00 05 00 04-00 ff 01 00 00 43 00 0b   .............C..
00e0 - 00 04 03 00 01 02 00 0a-00 0a 00 08 00 17 00 19   ................
00f0 - 00 18 00 16 00 23 00 00-00 0d 00 20 00 1e 06 01   .....#..... ....
0100 - 06 02 06 03 05 01 05 02-05 03 04 01 04 02 04 03   ................
0110 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01   ................
0120 - 01                                                .
read from 0x2451b80 [0x249b0c0] (7 bytes => 7 (0x7))
0000 - 48 54 54 50 2f 31 2e                              HTTP/1.
140380083570592:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1507712694
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

这个是不是说并不是用https实际是用http来访问的？

no peer certificate available --- No client certificate CA names sent --------你确定的证书搞对了？

一个治疗术 2017-10-11

打赏
举报

在ports.conf配置 Listen 80 Listen 443 https 试试

若鱼1919 2017-10-11

打赏
举报


[root@dzp tmp]# openssl s_client -connect www.aaa.com:443 -debug 
CONNECTED(00000003)
write to 0x2451b80 [0x2495b60] (289 bytes => 289 (0x121))
0000 - 16 03 01 01 1c 01 00 01-18 03 03 a6 82 25 a2 ae   .............%..
0010 - ad 0c 1a 89 69 c0 ba c7-eb d9 72 a2 6a 8a 9b f9   ....i.....r.j...
0020 - ed d7 6a 97 88 69 2b c9-a9 14 f4 00 00 ac c0 30   ..j..i+........0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1   .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37   ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a   .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f   .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0   .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31   ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43   .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c   .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-c0 12 c0 08 00 16 00 13   .<./...A........
00c0 - 00 10 00 0d c0 0d c0 03-00 0a 00 07 c0 11 c0 07   ................
00d0 - c0 0c c0 02 00 05 00 04-00 ff 01 00 00 43 00 0b   .............C..
00e0 - 00 04 03 00 01 02 00 0a-00 0a 00 08 00 17 00 19   ................
00f0 - 00 18 00 16 00 23 00 00-00 0d 00 20 00 1e 06 01   .....#..... ....
0100 - 06 02 06 03 05 01 05 02-05 03 04 01 04 02 04 03   ................
0110 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01   ................
0120 - 01                                                .
read from 0x2451b80 [0x249b0c0] (7 bytes => 7 (0x7))
0000 - 48 54 54 50 2f 31 2e                              HTTP/1.
140380083570592:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1507712694
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

这个是不是说并不是用https实际是用http来访问的？

若鱼1919 2017-10-11

打赏
举报

引用 5 楼 aschouas 的回复:

在ports.conf配置 Listen 80 Listen 443 https 试试

这两个已经加上了

若鱼1919 2017-10-11

打赏
举报

引用 3 楼 aschouas 的回复:

你10的443端口启用了没。。。

在本机用telnet www.aaa.com 443 是能连上的

一个治疗术 2017-10-11

打赏
举报

引用 2 楼 goldenfish1919 的回复:

[quote=引用 1 楼 aschouas 的回复:] 可以贴下apache 的ports.conf

没有配置这个ports.conf，仅仅是简单的配置。 curl -v https://localhost –insecure 能正常访问 curl -v https://www.aaa.com –insecure 报错。有没有可能是因为www.aaa.com这个域名绑定到的是106.10.10.10，但是实际的服务器却是106.20.20.20，20的https是没问题的，但是10上却没有正确配置。 [/quote] 你10的443端口启用了没。。。