Problem with apache + ssl: length mismatch error and occasional bad request


Problem with apache + ssl: length mismatch error and occasional bad request – Problems loading a website are often blamed on the Internet connection, but even a perfectly configured network cannot help if there is no service replying at the destination. One of the most popular HTTP servers for this task is Apache2. Much of Apache’s popularity comes from its easy installation and use, but nevertheless it is possible to run into problems with even the simplest software. If you have encountered an issue loading your web page, follow the troubleshooting steps outlined in this guide to get your web server back up and working again. Below are some tips for managing your apache2 server when you run into problems involving linux, apache-2.2 and ssl.

We migrated a server from Slicehost to Linode recently and copied the config from one server to the other. Everything works perfectly except that we get:

Occasional errors with “Bad Request”. This error is not common: you can use it all day and not see it, and the next day it will happen a lot.

Apart from that, a lot of the time, even though the request works fine, we get some errors.

Using ssldump we get:

New TCP connection #1: myip(39831) <-> develserk(443)
1 1  0.2316 (0.2316)  C>S SSLv2 compatible client hello
  Version 3.1 
  cipher suites
  Unknown value 0x39  
  Unknown value 0x38  
  Unknown value 0x35  
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA  
  TLS_RSA_WITH_3DES_EDE_CBC_SHA  
  SSL2_CK_3DES  
  Unknown value 0x33  
  Unknown value 0x32  
  Unknown value 0x2f  
  SSL2_CK_RC2  
  TLS_RSA_WITH_RC4_128_SHA  
  TLS_RSA_WITH_RC4_128_MD5  
  SSL2_CK_RC4  
  TLS_DHE_RSA_WITH_DES_CBC_SHA  
  TLS_DHE_DSS_WITH_DES_CBC_SHA  
  TLS_RSA_WITH_DES_CBC_SHA  
  SSL2_CK_DES  
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA  
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  
  SSL2_CK_RC2_EXPORT40  
  TLS_RSA_EXPORT_WITH_RC4_40_MD5  
  SSL2_CK_RC4_EXPORT40  
1 2  0.2429 (0.0112)  S>C  Handshake
      ServerHello
        Version 3.1 
        session_id[32]=
          9a 1e ae c4 5f df 99 47 97 40 42 71 97 eb b9 14 
          96 2d 11 ac c0 00 15 67 4e f3 7d 65 4e c4 30 e9 
        cipherSuite         Unknown value 0x39
        compressionMethod                   NULL
1 3  0.2429 (0.0000)  S>C  Handshake
      Certificate
1 4  0.2429 (0.0000)  S>C  Handshake
      ServerKeyExchange
1 5  0.2429 (0.0000)  S>C  Handshake
      ServerHelloDone
1 6  0.4965 (0.2536)  C>S  Handshake
      ClientKeyExchange
1 7  0.4965 (0.0000)  C>S  ChangeCipherSpec
1 8  0.4965 (0.0000)  C>S  Handshake
1 9  0.5040 (0.0075)  S>C  ChangeCipherSpec
1 10 0.5040 (0.0000)  S>C  Handshake
ERROR: Length mismatch

From the Apache error.log:

[Fri Aug 27 14:50:05 2010] [debug] ssl_engine_io.c(1892): OpenSSL: I/O error, 5 bytes expected to read on BIO#b80c1e70 [mem: b8100918]

The server is Ubuntu 10.04.1.

The Apache version is 2.2.14-5ubuntu8.

The OpenSSL version is 0.9.8k-7ubuntu8.

It appears that your SSL handshake is dying during cipher negotiation.

I would check your SSLCipherSuite Apache configuration directive. The URL below points to the Apache documentation for this directive.

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

Both sides have to support a common set of ciphers, or the connection will fail.

Hope this helps.
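To make the "common set of ciphers" check concrete, here is a small Python parser for the ssldump handshake trace quoted in the question. It is an added example, not code from the thread or from the ssldump project. It resolves the "Unknown value 0x.." suites that older ssldump builds cannot name (these are the RFC 3268 AES suites; 0x39 is TLS_DHE_RSA_WITH_AES_256_CBC_SHA), checks whether the suite in the ServerHello appears in the client's offer, and reports the record at which ssldump gave up, which separates a suite-negotiation failure (no ServerHello, or a choice the client never offered) from trouble later in the handshake. The embedded trace is a shortened copy of the one in the question, and the record-line layout the regex expects is that of the trace above.

```python
import re

# IDs that older ssldump builds print as "Unknown value 0xNN". These are the
# RFC 3268 AES suites; the mapping is a known fact, not taken from the thread.
KNOWN_SUITES = {
    0x2F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x32: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x33: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x38: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x39: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}

UNKNOWN_RE = re.compile(r"Unknown value (0x[0-9a-fA-F]+)")
# Record header, e.g. "1 10 0.5040 (0.0000)  S>C  Handshake" -> (direction, what)
RECORD_RE = re.compile(r"^\d+\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+([CS]>[CS])\s+(.*)$")

# Constructed sample input: the trace from the question with a shortened cipher list.
SAMPLE_TRACE = """\
New TCP connection #1: myip(39831) <-> develserk(443)
1 1  0.2316 (0.2316)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  Unknown value 0x39
  Unknown value 0x38
  Unknown value 0x35
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  Unknown value 0x2f
  TLS_RSA_WITH_RC4_128_SHA
  SSL2_CK_RC4
1 2  0.2429 (0.0112)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          9a 1e ae c4 5f df 99 47 97 40 42 71 97 eb b9 14
        cipherSuite         Unknown value 0x39
        compressionMethod                   NULL
1 3  0.2429 (0.0000)  S>C  Handshake
      Certificate
1 4  0.2429 (0.0000)  S>C  Handshake
      ServerKeyExchange
1 5  0.2429 (0.0000)  S>C  Handshake
      ServerHelloDone
1 6  0.4965 (0.2536)  C>S  Handshake
      ClientKeyExchange
1 7  0.4965 (0.0000)  C>S  ChangeCipherSpec
1 8  0.4965 (0.0000)  C>S  Handshake
1 9  0.5040 (0.0075)  S>C  ChangeCipherSpec
1 10 0.5040 (0.0000)  S>C  Handshake
ERROR: Length mismatch
"""


def suite_name(token):
    """Resolve 'Unknown value 0x39' through KNOWN_SUITES; other tokens pass through."""
    m = UNKNOWN_RE.match(token)
    if m:
        return KNOWN_SUITES.get(int(m.group(1), 16), token)
    return token


def analyze(trace):
    """Return offered/chosen suites, the record list and where the trace broke."""
    offered, chosen, records, error = [], None, [], None
    in_client_hello = False
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ERROR:"):
            error = line.split(":", 1)[1].strip()
            break
        rec = RECORD_RE.match(line)
        if rec:
            records.append([rec.group(1), rec.group(2).strip()])
            in_client_hello = line.endswith("client hello")
        elif in_client_hello:
            # Under the ClientHello, every line except version/heading is a suite.
            if not (line.startswith("Version") or line == "cipher suites"):
                offered.append(suite_name(line))
        elif line.startswith("cipherSuite"):
            chosen = suite_name(line[len("cipherSuite"):].strip())
        elif records and records[-1][1] == "Handshake":
            # The first indented line under a Handshake record names the message.
            records[-1][1] = "Handshake/" + line
    return {
        "offered": offered,
        "chosen": chosen,
        "chosen_in_offer": chosen is not None and chosen in offered,
        "records": [tuple(r) for r in records],
        "failed_at": tuple(records[-1]) if (error and records) else None,
        "error": error,
    }


def diagnose(result):
    """One-line verdict separating suite negotiation from later handshake trouble."""
    if result["chosen"] is None:
        return "no ServerHello: the server rejected or never answered the ClientHello"
    if not result["chosen_in_offer"]:
        return "server chose %s, which the client did not offer" % result["chosen"]
    if result["error"]:
        direction, what = result["failed_at"]
        return "suite %s agreed; trace broke at %s %s (%s)" % (
            result["chosen"], direction, what, result["error"])
    return "handshake completed"


if __name__ == "__main__":
    r = analyze(SAMPLE_TRACE)
    print("client offered:", ", ".join(r["offered"]))
    print("server chose:  ", r["chosen"])
    print(diagnose(r))
```

Run against a saved ssldump capture, the `offered`/`chosen` pair is the quickest way to confirm whether SSLCipherSuite and the client actually intersect, and `failed_at` tells you whether the break happened before or after the suite was agreed.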

only listed the conf file for the 443 host, not the 80 host. I’ve copied it below:

NameVirtualHost *:80

<VirtualHost *:80>
    DocumentRoot /var/www/
    ServerName yeswedeal.com:80

    # Reverse-proxy everything under / to http://yeswedeal.com/
    ProxyPass / http://yeswedeal.com/
    ProxyPassReverse / http://yeswedeal.com/

    CustomLog /var/log/apache2/myservername-access.log combined
    ErrorLog /var/log/apache2/myservername-error.log
</VirtualHost>

If I understand you correctly the rewrite syntax should go in the *:80 site rather than the *:443 site. Is that correct?
