
SSL issues after migration to Apache 2.4.37 from 2.4.7 using ppa:ondrej/apache2

Writer Matthew Martinez

I have an annoying issue after migrating to Apache 2.4.37 using ppa:ondrej/apache2. After the change I've got a lot of ERR_SSL_PROTOCOL_ERROR while accessing my sites.

The effect is that when a site has some ajax script that keeps checking for some data periodically, every second request, sometimes more, keeps returning the error mentioned above. The same happens when refreshing a site - it keeps being in a loop 'insecure - secure - insecure'.

[EDIT] Whenever that happens, there are no errors in the log regarding that matter. Not to mention that it happens globally - all sites served from the server have this issue at the same moment, for a similar period of time.

The requests in the browser look like this:

[Image: devtools request list]

For certification on my server I'm using Let's Encrypt certbot; also, in every SSL-enabled vhost I have included the options-ssl-apache.conf provided by Let's Encrypt.

I will point out that my vhost confs did not change after the update, nor did the cert files used by the sites - the issue does not happen on 2.4.7, only when updated to 2.4.37.

Wireshark logs

Time Source Target Protocol Info
9.759740 local_ip server_ip TCP 60485 → 443 [ACK] Seq=1 Ack=1 Win=256 Len=1 [TCP segment of a reassembled PDU]
9.886868 server_ip local_ip TCP 443 → 60485 [ACK] Seq=1 Ack=2 Win=653 Len=0 SLE=1 SRE=2
11.082160 local_ip server_ip TLSv1.2 Ignored Unknown Record
11.209445 server_ip local_ip TCP 443 → 60485 [ACK] Seq=1 Ack=966 Win=668 Len=0
11.209446 server_ip local_ip TLSv1.2 Alert (Level: Fatal, Description: Unexpected Message)
11.209446 server_ip local_ip TCP 443 → 60485 [FIN, ACK] Seq=8 Ack=966 Win=668 Len=0
11.209495 local_ip server_ip TCP 60485 → 443 [ACK] Seq=966 Ack=9 Win=256 Len=0
11.209645 local_ip server_ip TLSv1.2 Encrypted Alert
11.209917 local_ip server_ip TCP 60485 → 443 [FIN, ACK] Seq=989 Ack=9 Win=256 Len=0
11.336928 server_ip local_ip TCP 443 → 60485 [RST] Seq=9 Win=0 Len=0
11.336991 server_ip local_ip TCP 443 → 60485 [RST] Seq=9 Win=0 Len=0
72.078422 local_ip server_ip TCP 60691 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
72.209323 server_ip local_ip TCP 443 → 60691 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
72.209390 local_ip server_ip TCP 60691 → 443 [ACK] Seq=1 Ack=1 Win=65536 Len=0
72.209587 local_ip server_ip TLSv1.2 Client Hello
72.340476 server_ip local_ip TCP 443 → 60691 [ACK] Seq=1 Ack=518 Win=30336 Len=0
72.341920 server_ip local_ip TLSv1.2 Server Hello, Change Cipher Spec, Encrypted Handshake Message
72.342281 local_ip server_ip TLSv1.2 Change Cipher Spec, Encrypted Handshake Message
72.343018 local_ip server_ip TLSv1.2 Application Data
72.473941 server_ip local_ip TCP 443 → 60691 [ACK] Seq=149 Ack=1525 Win=32256 Len=0
72.510918 server_ip local_ip TLSv1.2 Application Data
72.552329 local_ip server_ip TCP 60691 → 443 [ACK] Seq=1525 Ack=935 Win=64512 Len=0
117.510566 local_ip server_ip TCP [TCP Keep-Alive] 60691 → 443 [ACK] Seq=1524 Ack=935 Win=64512 Len=1
117.641439 server_ip local_ip TCP [TCP Keep-Alive ACK] 443 → 60691 [ACK] Seq=935 Ack=1525 Win=32256 Len=0 SLE=1524 SRE=1525
132.080054 local_ip server_ip TLSv1.2 Application Data
132.211048 server_ip local_ip TCP 443 → 60691 [ACK] Seq=935 Ack=2489 Win=34176 Len=0
132.211049 server_ip local_ip TLSv1.2 Alert (Level: Fatal, Description: Unexpected Message)
132.211049 server_ip local_ip TCP 443 → 60691 [FIN, ACK] Seq=942 Ack=2489 Win=34176 Len=0
132.211148 local_ip server_ip TCP 60691 → 443 [ACK] Seq=2489 Ack=943 Win=64512 Len=0
132.211288 local_ip server_ip TLSv1.2 Encrypted Alert
132.211496 local_ip server_ip TCP 60691 → 443 [FIN, ACK] Seq=2512 Ack=943 Win=64512 Len=0
132.342025 server_ip local_ip TCP 443 → 60691 [RST] Seq=943 Win=0 Len=0
132.342255 server_ip local_ip TCP 443 → 60691 [RST] Seq=943 Win=0 Len=0
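
An added example, not part of the original question: a small Python parser over a subset of the Wireshark summary rows above that reports each fatal alert the server sent, the client record that preceded it, and how long the TLS connection had been idle before that record. The function name, the field handling and the assumption that connections do not interleave in the capture belong to this example.

```python
import re

# Subset of the Wireshark summary rows from the question (time src dst proto info).
TRACE = """\
9.759740 local_ip server_ip TCP 60485 → 443 [ACK] Seq=1 Ack=1 Win=256 Len=1
11.082160 local_ip server_ip TLSv1.2 Ignored Unknown Record
11.209446 server_ip local_ip TLSv1.2 Alert (Level: Fatal, Description: Unexpected Message)
72.078422 local_ip server_ip TCP 60691 → 443 [SYN] Seq=0 Win=64240 Len=0
72.209587 local_ip server_ip TLSv1.2 Client Hello
72.341920 server_ip local_ip TLSv1.2 Server Hello, Change Cipher Spec, Encrypted Handshake Message
72.343018 local_ip server_ip TLSv1.2 Application Data
72.510918 server_ip local_ip TLSv1.2 Application Data
117.510566 local_ip server_ip TCP [TCP Keep-Alive] 60691 → 443 [ACK] Seq=1524 Ack=935
132.080054 local_ip server_ip TLSv1.2 Application Data
132.211049 server_ip local_ip TLSv1.2 Alert (Level: Fatal, Description: Unexpected Message)
"""

PORTS = re.compile(r"(\d+) → (\d+)")
ALERT = re.compile(r"Alert \(Level: Fatal, Description: ([^)]+)\)")

def fatal_alerts(trace, client="local_ip", server_port=443):
    """Return one finding per fatal TLS alert sent by the server."""
    findings, port, last_tls, trigger = [], None, None, None
    for line in trace.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        t, src, _dst, proto, info = parts
        t = float(t)
        if proto == "TCP":
            m = PORTS.search(info)
            # TLS summary rows carry no ports, so remember the client port from
            # the latest TCP row (assumes connections do not interleave).
            p = next((int(x) for x in m.groups() if int(x) != server_port), None) if m else None
            if p is not None and p != port:
                port, last_tls, trigger = p, None, None
        elif proto.startswith("TLS"):
            alert = ALERT.search(info)
            if src == client:
                # Idle time since the previous TLS record on this connection.
                idle = None if last_tls is None else round(t - last_tls, 3)
                trigger = (info, idle)
            elif alert and trigger:
                findings.append({"client_port": port, "alert": alert.group(1),
                                 "after_client_record": trigger[0],
                                 "idle_before_s": trigger[1]})
            last_tls = t
    return findings

for finding in fatal_alerts(TRACE):
    print(finding)
```

On these rows the second alert follows an Application Data record sent after roughly 59.6 seconds without TLS traffic on the reused connection from port 60691; the first connection was already open when the capture started, so no idle time is reported for it.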

1 Answer

I am also experiencing issues with my SSL enabled VirtualHosts which are running RT4 ticketing systems. I upgraded to apache2 2.4.37-1+ubuntu18.04.1+deb.sury.org+1 and openssl 1.1.1-3+ubuntu18.04.1+deb.sury.org+3.

For me the situation is as follows. Remotely, I can access the website running on the server just fine using a browser on my local machine. But when I use the command line tools on the server itself to access the tickets, then the command times out and I get to see an error. Also, the rt-mailgate program which is used to feed new tickets is also failing with an error. Unfortunately, I don't see a lot of errors appearing in the logfiles when I use the debug level :-(

If I reconfigure the setup and disable the SSL (so running via http instead of via https), then these scripts run fine again. So the SSL-layer looks to be the culprit...

Maybe this is related to the bug ticket "Login with client cert times out" at On (at least the combo apache2/openssl versions are the same).
