Apache mod_ssl ssl_error_rx_record_too_long

ssl_error_rx_record_too_long in Apache. Was confused at first, but then realized I had not configured SSL properly: Firefox was attempting to parse HTTP. "SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)". Cause. The web server is sending non-secure.


Confluence Support

Overview

This error appears most commonly in Firefox, though other browsers report equivalent errors. It usually indicates that SSL on the server, or a proxy in front of it, is misconfigured.

Symptoms

After configuring Confluence or JIRA to work over HTTPS, the following error comes up when a user tries to access the site:

SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

To test this behaviour, try connecting to the site from outside the current network with several different web browsers and see whether the error persists. If the error does not appear from outside, a proxy on the internal path is probably misconfigured.

Cause

This error occurs when the browser sends a TLS handshake to the port but receives something that is not a TLS record, usually plain HTTP, because TLS is not set up correctly on that port of the target server. For instance, the ServerName in your VirtualHost may not match the DNS name used to reach the site, or the SSL virtual host may not be active on the port at all. This error can also occur if a misconfigured proxy in front of the server does not pass the SSL handshake through on port 443 correctly.

Resolution

Below are some ways to fix this error:

  • Ensure that port 443 is open and that the server is listening on it; 443 is the standard port for HTTPS.
  • If HTTPS is served on a non-standard port, Firefox can sometimes give this error. Where possible, serve it on port 443.
  • If using Apache2, check that the port used for SSL is actually configured for SSL. On Debian/Ubuntu this is done in the sprers.eu file, which should contain:
Listen 80
Listen 443 https
  • Make sure you do not have more than one SSL certificate sharing the same IP. This guidance predates SNI, which lets several name-based TLS virtual hosts share one IP (Apache 2.2.12 or later with an SNI-capable client); if you are not relying on SNI, give each certificate its own dedicated IP.
  • If using Apache2, check your vhost config. Some users have reported that changing the <VirtualHost> address to _default_ (e.g. <VirtualHost _default_:443>) resolved the error.
  • Make sure that your SSL certificate has not expired.
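A constructed pair of Apache configurations that reproduce and fix the cause described above, with a small lint that reports a TLS listener without an SSL-enabled virtual host bound to that port. This is an added example, not part of the Atlassian article; the host name, file paths and the Debian-style file layout in the usage note are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the article. Host name and paths are made up.

# Broken: Apache listens on 443, but the only vhost with "SSLEngine on" is bound
# to *:80, so port 443 answers a TLS ClientHello with plain HTTP.
broken_conf() {
cat <<'EOF'
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName wiki.example.test
    DocumentRoot /var/www
</VirtualHost>
<VirtualHost *:80>
    ServerName wiki.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.test.pem
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.test.key
</VirtualHost>
EOF
}

# Fixed: "Listen 443 https" marks the port as TLS, the SSL vhost is bound to
# *:443, and the port-80 vhost does nothing but redirect.
fixed_conf() {
cat <<'EOF'
Listen 80
Listen 443 https
<VirtualHost *:80>
    ServerName wiki.example.test
    Redirect permanent / https://wiki.example.test/
</VirtualHost>
<VirtualHost *:443>
    ServerName wiki.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.test.pem
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.test.key
</VirtualHost>
EOF
}

# Lint: every "Listen [addr:]443" or "Listen ... https" needs a
# <VirtualHost ...:PORT> block (wildcard or _default_) containing "SSLEngine on".
# Reads the config on stdin, prints "ok PORT" or "no-ssl-vhost PORT" per TLS
# listener, and exits 1 if any listener has no SSL vhost.
lint_tls_listeners() {
  awk '
    /^[ \t]*Listen[ \t]/ {
      port = $2; sub(/.*:/, "", port)          # drop an optional address part
      if (port == "443" || $3 == "https") want[port] = 1
    }
    /^[ \t]*<VirtualHost/ {
      cur = $0; sub(/.*:/, "", cur); sub(/>.*/, "", cur); invhost = 1
    }
    invhost && /^[ \t]*SSLEngine[ \t]+[Oo][Nn]([ \t]|$)/ { has[cur] = 1 }
    /^[ \t]*<\/VirtualHost>/ { invhost = 0 }
    END {
      rc = 0
      for (p in want) {
        if (p in has) print "ok " p
        else { print "no-ssl-vhost " p; rc = 1 }
      }
      exit rc
    }'
}
```

On a Debian/Ubuntu layout (assumed here) Listen and the vhosts live in different files, so feed them together: `cat /etc/apache2/ports.conf /etc/apache2/sites-enabled/*.conf | lint_tls_listeners`. Cross-check against `apache2ctl -S`, which prints which virtual host Apache has actually bound to each port.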

 

 

 

Tomcat can use three different implementations of SSL:

  • JSSE implementation provided as part of the Java runtime
  • JSSE implementation that uses OpenSSL
  • APR implementation, which uses the OpenSSL engine by default

The exact configuration details depend on which implementation is being used. If you configured the Connector with the generic protocol value, the implementation used by Tomcat is chosen automatically: if the installation uses APR, i.e. you have installed the Tomcat native library, it will use the JSSE OpenSSL implementation; otherwise it will use the Java JSSE implementation.

Auto-selection of the implementation can be avoided if needed, by specifying a class name in the protocol attribute of the Connector.

To define a Java (JSSE) connector, regardless of whether the APR library is loaded or not, use one of the following:

The OpenSSL JSSE implementation can also be configured explicitly if needed. If the APR library is installed (as for using the APR connector), using the sslImplementationName attribute allows enabling it. When using the OpenSSL JSSE implementation, the configuration can use either the JSSE attributes or the OpenSSL attributes (as used for the APR connector), but must not mix attributes from both types in the same SSLHostConfig or Connector element.

Alternatively, to specify an APR connector (the APR library must be available) use:

If you are using APR or JSSE OpenSSL, you have the option of configuring an alternative engine to OpenSSL.

The default value is

Also the attribute may be used to have Tomcat default to using the APR connector rather than the NIO connector:

So to enable OpenSSL, make sure the SSLEngine attribute is set to something other than off. The default value is on, and if you specify another value it has to be a valid OpenSSL engine name.

SSLRandomSeed specifies a source of entropy. A production system needs a reliable source of entropy, but collecting entropy can take a long time, so test systems may use a non-blocking source such as "/dev/urandom" to let Tomcat start faster.

The final step is to configure the Connector in the $CATALINA_BASE/conf/server.xml file, where $CATALINA_BASE represents the base directory for the Tomcat instance. An example element for an SSL connector is included in the default server.xml installed with Tomcat. To configure an SSL connector that uses JSSE, you will need to remove the comments and edit it so it looks something like this:

Note: If tomcat-native is installed, the configuration will use JSSE with an OpenSSL implementation, which supports either this configuration or the APR configuration example given below.

The APR connector uses different attributes for many SSL settings, particularly keys and certificates. An example of an APR configuration is:

The configuration options and information on which attributes are mandatory, are documented in the SSL Support section of the HTTP connector configuration reference. Make sure that you use the correct attributes for the connector you are using. The NIO and NIO2 connectors use JSSE unless the JSSE OpenSSL implementation is installed (in which case it supports either the JSSE or OpenSSL configuration styles), whereas the APR/native connector uses APR.

The port attribute is the TCP/IP port number on which Tomcat will listen for secure connections. You can change this to any port number you wish (such as the default port for https communications, which is 443). However, special setup (outside the scope of this document) is necessary to run Tomcat on port numbers lower than 1024 on many operating systems, since those are privileged ports.

If you change the port number here, you should also change the value specified for the redirectPort attribute on the non-SSL connector. This allows Tomcat to automatically redirect users who attempt to access a page with a security constraint specifying that SSL is required, as required by the Servlet Specification.

After completing these configuration changes, you must restart Tomcat as you normally do, and you should be in business. You should be able to access any web application supported by Tomcat via SSL. For example, try:

and you should see the usual Tomcat splash page (unless you have modified the ROOT web application). If this does not work, the following section contains some troubleshooting tips.
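The two attribute styles the text contrasts, and the rule stated twice above that they must not be mixed in one Connector, as an added example that is not part of the Tomcat documentation: two constructed server.xml Connector elements, one JSSE-style and one that wrongly combines JSSE keystore attributes with OpenSSL/APR certificate attributes, plus a check that reports the mix. Ports, file paths and the keystore password are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the Tomcat documentation. Paths and password are made up.

# JSSE-style connector: keystore attributes only.
jsse_connector() {
cat <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/localhost-rsa.jks"
           keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
EOF
}

# Broken connector: OpenSSL-style certificate files and a JSSE keystore in the
# same element, which the documentation says must not be combined.
mixed_connector() {
cat <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/usr/local/ssl/server.crt"
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           keystoreFile="${catalina.base}/conf/localhost-rsa.jks" />
EOF
}

# Reads XML on stdin. For each <Connector> element prints "jsse PORT",
# "openssl PORT", "plain PORT" (no TLS attributes) or "mixed PORT", and exits 1
# if any element mixes the two styles. Records are split on ">" so a Connector
# whose attributes span several lines is examined as one unit. Note that the
# commented-out example connectors in a stock server.xml are reported as well.
check_connectors() {
  awk 'BEGIN { RS = ">"; rc = 0 }
       /<Connector/ {
         j = ($0 ~ /keystoreFile|keystorePass|keystoreType|keyAlias|truststoreFile|truststorePass/)
         o = ($0 ~ /SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile|SSLCACertificateFile/)
         p = "?"
         if (match($0, /port="[0-9]+"/)) p = substr($0, RSTART + 6, RLENGTH - 7)
         if (j && o) { print "mixed " p; rc = 1 }
         else if (j)  print "jsse " p
         else if (o)  print "openssl " p
         else         print "plain " p
       }
       END { exit rc }'
}
```

Typical use is `check_connectors < "$CATALINA_BASE/conf/server.xml"` before restarting Tomcat; a "mixed" line means the element will not start cleanly with either implementation.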

Let's Encrypt Community Support

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. sprers.eu?q=sprers.eu), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
sprers.eu

I ran this command:
certbot --apache

It produced this output:
Created an SSL vhost at /etc/apache2/sites-available/sprers.eu
Deploying Certificate to VirtualHost /etc/apache2/sites-available/sprers.eu
Enabling available site: /etc/apache2/sites-available/sprers.eu
Deploying Certificate to VirtualHost /etc/apache2/sites-available/sprers.eu

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [] then [enter] (press ‘c’ to cancel): 1


Congratulations! You have successfully enabled sprers.eu and
sprers.eu

My web server is (include version):
Apache/ (Debian)

The operating system my web server runs on is (include version):
Debian GNU/Linux 9 (stretch)

My hosting provider, if applicable, is:
OVH

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of or if you’re using Certbot):
certbot

sprers.eu?d=sprers.eu&latest test gives

SSL_ERROR_RX_RECORD_TOO_LONG


I'm using my server for various admin interfaces and so want to SSL-encrypt all traffic to the web server. This is easy enough to add to the default vhosts.

First, we need an SSL certificate. Create a self-signed one by running:

openssl req -new -x509 -days 365 -nodes \
    -out /etc/ssl/certs/sprers.eu \
    -keyout /etc/ssl/private/sprers.eu

(-x509 produces a self-signed certificate instead of a signing request; -days sets its lifetime, 365 days here; -nodes leaves the private key unencrypted so Apache can start without a passphrase. Keep the key under /etc/ssl/private, which is readable by root only.)

This generates a self-signed certificate. For tests this is good enough; for production sites you WILL want a certificate from a publicly trusted CA. Since one of the jobs of SSL is not only to encrypt but also to authenticate the site to the user, a self-signed certificate will make browsers show a warning. Users can (permanently) accept it for your site, but it's probably not the impression you want to leave.
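An added example, not from the post, that creates the same kind of self-signed test certificate together with the checks a practitioner would run before restarting Apache: that the certificate has not expired, that it matches the private key, and that the key file is not readable by anyone else. The directory, host name, validity period and use of -addext (which needs OpenSSL 1.1.1 or later) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Directory, host name and validity
# period are arguments; -addext needs OpenSSL 1.1.1 or later.

# make_selfsigned DIR HOST [DAYS]: writes DIR/HOST.key and DIR/HOST.crt.
# Differences from the one-liner in the post: an explicit 2048-bit RSA key, a
# subjectAltName (browsers ignore a name that appears only in the CN), and a
# restrictive umask so the key is never world-readable, even for an instant.
make_selfsigned() {
  dir=$1; host=$2; days=${3:-365}
  (
    umask 077   # subshell: files are created 0600 and the umask does not leak out
    openssl req -new -x509 -days "$days" -nodes -newkey rsa:2048 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
  )
}

# cert_valid CRT [SECONDS]: succeeds if the certificate is still valid SECONDS
# from now (0 = right now). Catches the "certificate has expired" case.
cert_valid() { openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null; }

# cert_matches_key CRT KEY: succeeds if the public key inside the certificate is
# the one derived from the private key, i.e. SSLCertificateFile and
# SSLCertificateKeyFile belong together (mod_ssl refuses to start otherwise).
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# key_is_private KEY: succeeds if the file mode is exactly 0600
# (GNU stat first, BSD stat as fallback).
key_is_private() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
  [ "$mode" = 600 ]
}
```

Run `cert_valid` with a few weeks of headroom (for example 30 days in seconds) from a cron job and you get the expiry warning before your users do; `cert_matches_key` is the first thing to check when Apache refuses to start after a certificate renewal.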

Ubuntu's Apache2 comes with the SSL module installed by default, but it is not enabled. As our next step, we need to enable it:

a2enmod ssl

Finally, we need to create an SSL virtual host. In my case, I want all HTTP traffic simply redirected to HTTPS. Find the file /etc/apache2/sites-enabled/default and edit it.

Change the existing vhost to listen on port 443; edit the 'VirtualHost' line so it reads:

<VirtualHost *:443>
[...]
</VirtualHost>

(Where [...] is of course the rest of your vhost configuration)

Now, inside the VirtualHost definition we'll need to enable SSL and tell it where the certificate and key reside:

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/sprers.eu
SSLCertificateKeyFile /etc/ssl/private/sprers.eu
[...]
</VirtualHost>

Finally, add a new vhost on port 80 for the redirection:

<VirtualHost *:80>
RedirectPermanent / sprers.eu
</VirtualHost>

Naturally, sprers.eu should be the https:// URL of your machine's name, so that the redirect lands on the SSL vhost.

Restart Apache:

/etc/init.d/apache2 restart

And that's all. If you go to sprers.eu you should now be redirected to sprers.eu

For final reference, here's my configuration. Note that I commented out the Ubuntu documentation (no need to make this available to the big wide world) and cgi-bin (I'm not using this). The SSL vhost relies on mod_ssl's defaults for protocol versions and ciphers; on a current Apache you would also set SSLProtocol and SSLCipherSuite to exclude obsolete versions and ciphers.

<VirtualHost *:80>
RedirectPermanent / sprers.eu
</VirtualHost>

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/sprers.eu
SSLCertificateKeyFile /etc/ssl/private/sprers.eu

ServerAdmin [email protected]

DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
# Indexes enables directory listings; drop it unless you want the tree browsable.
Options Indexes FollowSymLinks MultiViews
AllowOverride None
# Order/allow is the Apache 2.2 access-control syntax (Apache 2.4 uses "Require all granted").
Order allow,deny
allow from all
</Directory>

#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
#<Directory "/usr/lib/cgi-bin">
# AllowOverride None
# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
# Order allow,deny
# Allow from all
#</Directory>

ErrorLog ${APACHE_LOG_DIR}/sprers.eu

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/sprers.eu combined
# Alias /doc/ "/usr/share/doc/"
# <Directory "/usr/share/doc/">
# Options Indexes MultiViews FollowSymLinks
# AllowOverride None
# Order deny,allow
# Deny from all
# Allow from / /
# </Directory>

</VirtualHost>

This post is mostly to record the problem and its cause, so that hopefully next time it will show up in my (and others') search engine results, as the underlying cause is a regression (something that worked before no longer works). From memory this is at least the second time I've had to reverse engineer this cause from the symptoms :-(

If you are setting up a new webserver, using Apache on a modern Debian/Ubuntu system (eg, Ubuntu Linux LTS), and HTTPS is not working properly -- and apparently your virtual host is not working properly -- there's a change in configuration file arrangement between Debian/Ubuntu's layout for Apache (eg, Ubuntu Linux LTS) and the one for Apache that you need to take into account.

The most obvious symptom is if you try to use HTTPS, and have replicated the setup from an old (Debian/Ubuntu) Apache system to a new (Debian/Ubuntu) Apache system, and HTTPS no longer works at all. If your web browser (eg, Firefox) displays SSL errors like:

and trying to connect with results in errors like:

then this might be your issue.

The next most obvious issue is that the special features of your virtual host do not seem to work -- almost as if your virtual host configuration file is being ignored -- but that can sometimes be harder to recognise, and much harder to find with a search engine, whereas is a reasonable search term that gets you close to the cause without hinting what changed between Apache and Apache configuration on Debian/Ubuntu to cause it.

The cause of the HTTPS error above is that Apache is accepting connections on TCP/ (HTTPS) because the module is loaded, but SSL (TLS) is not active on that port -- so Apache receives the client's TLS negotiation and replies, in raw HTTP, that the TLS negotiation is not a valid HTTP request. Eg, from a packet capture while this issue was happening:

followed by a small HTML document with the default Apache error page. Naturally those bytes make no sense when decoded as TLS: the client reads the first five bytes of the reply as a TLS record header, and the ASCII of a plain-HTTP status line yields a record length far beyond anything TLS allows, hence the error displayed by Firefox (ssl_error_rx_record_too_long). Given how easily this can happen, especially on non-well-known ports, I'm slightly surprised that Firefox does not have a special case to recognise it and, eg, display "port speaks HTTP not HTTPS -- configuration error?".

Assuming that you have double checked everything that you copied over from the Apache server to the Apache server, including file permissions, all the config sections copied over, and that there is actually a working link from to the copy in , so that the config appears readable in , there is one remaining issue to consider, which is a change from the Apache config layout to the Apache config layout: in Apache the files in must end in (but in Apache they could have any ending).

From the Apache :

and from the Apache :

Which means if you (a) used to use, eg, the domain names as the config file names on Apache and (b) just replicated the files and links from the Apache server to the Apache server, the result will be that Apache is ignoring your link -- because it does not end in .

The result of the virtual host being ignored is that by default Apache does not speak TLS on any port, unless you say , and if you have that only in your virtual host configuration files and those configuration files are being ignored you will end up with raw HTTP being spoken on TCP/

An easy way to test if this is your problem is to try accessing the TCP/ port with raw HTTP, eg:

If you get anything that looks even vaguely like an HTTP reply (eg, a ) then for some reason TLS is not active on TCP/
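The raw-HTTP test just described, which is also the check the Confluence "Symptoms" section and the Let's Encrypt report above come down to, as an added example that is not part of this post. It decodes the first five bytes a port returns the way a TLS client does, which is where ssl_error_rx_record_too_long comes from, and includes a probe that sends a plain HTTP request to a host and port and classifies the answer. The sample inputs in the test are constructed; host and port for the probe are whatever you pass in.

```shell
#!/bin/bash
# Added example, not from the original post. Sample inputs are constructed;
# HOST and PORT for probe() are arguments.

# hex_of STRING: the first five bytes of STRING as lowercase hex.
hex_of() { printf '%s' "$1" | head -c 5 | od -An -tx1 | tr -d ' \n'; }

# classify_first_bytes HEX: HEX holds the first five bytes a server sent back.
# A TLS record begins with a 5-byte header: content type (1 byte), version
# (2 bytes), length (2 bytes, big-endian). The client reads the length while
# gathering the record, before it looks at the type, and TLS caps a record at
# 2^14 + 2048 bytes (RFC 5246, section 6.2.3); NSS reports anything larger as
# SSL_ERROR_RX_RECORD_TOO_LONG. The ASCII "HTTP/" decodes as type 0x48,
# version 0x54 0x54 and length 0x502f = 20527 bytes, hence the Firefox error.
# Prints one of: empty, short, record-too-long, tls, not-tls. Exit 0 only for tls.
classify_first_bytes() {
  hex=$(printf '%.10s' "$1")
  [ -z "$hex" ] && { echo empty; return 1; }
  [ ${#hex} -lt 10 ] && { echo short; return 1; }
  ctype=$((0x${hex%????????}))     # byte 0: content type (20-23 in SSL3/TLS)
  rest=${hex#??}
  vmaj=$((0x${rest%??????}))       # byte 1: major version, 3 for SSL3/TLS 1.x
  len=$((0x${rest#????}))          # bytes 3-4: record length
  max=$((16384 + 2048))
  if [ "$len" -gt "$max" ]; then
    echo record-too-long; return 1
  elif [ "$ctype" -ge 20 ] && [ "$ctype" -le 23 ] && [ "$vmaj" -eq 3 ]; then
    echo tls; return 0
  else
    echo not-tls; return 1
  fi
}

# probe HOST PORT: open a TCP connection (bash /dev/tcp, so no netcat needed),
# send a plain HTTP/1.0 request and classify the first five bytes of the reply.
# A port that really speaks TLS answers a non-TLS request with a TLS alert
# (type 21) or just closes; a port speaking plain HTTP answers "HTTP/".
probe() {
  exec 3<>"/dev/tcp/$1/$2" || { echo connect-failed; return 2; }
  printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" >&3
  reply=$(head -c 5 <&3 | od -An -tx1 | tr -d ' \n')
  exec 3<&-
  classify_first_bytes "$reply"
}

# usage: ./probe.sh wiki.example.test 443
if [ $# -eq 2 ]; then probe "$1" "$2"; fi
```

"record-too-long" from the probe means the port answered with something that is not TLS and whose first bytes happen to spell a huge record length, which for any plain-HTTP reply is exactly the case; "tls" means the port sent back a well-formed alert, so TLS is active and the problem lies elsewhere (certificate, proxy, name mismatch).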

The solution is pretty trivial -- rename the links in to have extensions , eg, gets renamed to , and reload the Apache 2 configuration. It should then work fine.

An alternative approach is to use script (bundled with the Debian/Ubuntu Apache packages) to create the symlink, rather than creating it by hand. But that pushes the problem up one level: expects to be run with the basename of the file, and to find a file ending in in . At least you get a more easily diagnosed error message though!

The moral of this story is that if it seems like your configuration is being ignored, investigate further whether it's actually being loaded at all -- and maybe in a later version something will have changed which causes it not to be read at all.

Looking through the Apache Ubuntu changelog it appears this change was introduced in the Apache package:

and:

The main upstream change causing this seems to be that Apache + supports an Include with a wildcard pattern, which makes it possible to use in Apache , but not in Apache (It appears that of a whole directory does still work, but is not recommended.)
