Chrome not accepting new cert

Show:
grep -Ri SSLCipherSuite /etc/apache2

3 Likes

/etc/apache2/migrate/conf/ssl.conf:SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
/etc/apache2/migrate/conf.d/ssl.conf:SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
/etc/apache2/mods-available/ssl.conf: SSLCipherSuite HIGH:!aNULL
/etc/apache2/sites-available/httpd-surething.conf:SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
/etc/apache2/mods-enabled/ssl.conf: SSLCipherSuite HIGH:!aNULL
/etc/apache2/sites-enabled/httpd-surething.conf:SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256

1 Like

Thanks to everyone for their input in trying to track this down!

2 Likes
openssl s_client -connect www.surething.com:443 -servername www.surething.com
3 Likes

OK, on a closer look, I do see it as well:

4077DE04A47F0000:error:0A000172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../ssl/t1_lib.c:1567:
4 Likes
curl https://surething.com/
curl: (35) error:0A000172:SSL routines::wrong signature type
3 Likes

should I run this curl command to fix it or will this just give more info? It seems hopeful that somehow the signature is wrong, but weird it worked for almost two weeks.

The certificate is fine; that isn't the source of your problems.

There's something going wrong in the handshake. I don't immediately see the problem, unfortunately.

What version of OpenSSL and Apache are you using?

Though I don't see what the problem is immediately, I'd suggest switching to a configuration suggested by Mozilla's config generator. Perhaps there's something my eyes skim over that is wrong.

4 Likes

I think that may be the issue. Our OpenSSL version is from 2014. It has been reliable until now, but I suspect this is having problems with the latest versions of Chrome, which is why it still works on earlier versions of Chrome. My problem now is how to update it without disturbing the rest of the server, since the server itself is fairly old. Any suggestions welcome. Because of some legacy software, it is problematic to update the server at this point.

One potential option is running a more modern piece of software in front of your Apache, and allow it to handle the HTTPS.

Something like this, redirecting from 443 (https port) to 80 (http port):

Because Caddy is Go and includes everything in one binary, you won't use the old system libraries.

If you do want to upgrade just OpenSSL and need help, I believe OpenSSL has support contracts available as well, and will be experts in helping upgrade it: /support/contracts.html

6 Likes

Thank you! Both options are a bit scary since I wasn't involved with the initial configuration of this site, and it's worked well for a long time, but times change. I'll explore both options, thank you!

2 Likes

Interesting, this looks to be specific to the TLS implementation used in Chrome, which I believe is BoringSSL, derived from OpenSSL (which curl also uses). Your site works in MS Edge (which probably has different defaults to Chrome) and Firefox (which uses its own TLS stack).

If I go to chrome://flags, search TLS, and enable "Allow SHA-1 server signatures in TLS", your site works. This may be a bit of a red herring because I don't see your server using a SHA-1 signature.

2 Likes

My suspicion is that it's falling back to a TLS cipher suite that doesn't match the TLS 1.2 spec, and that if you omit SSLCipherSuite from your site config httpd-surething.conf and restart Apache it would start working again [because it would fall back to the more permissive global settings] (maybe), but I'm not an Apache expert. I think the root cause is that your config is quite restrictive/modern but your actual software (Apache and OpenSSL) is 10 years old. If you're not confident of moving the site, I'd start doing migration planning/testing now so you can move everything to a newer machine. Eventually you have to move stuff because OSes and their components get old.

[From wireshark capture:]

4 Likes

Another possible problematic area is using multiple, different SSLCipherSuite settings:

I would remove the one local to surething and modify the global one [only - and only as needed].

4 Likes

Ah, this is definitely it! I thought it might be, but didn't have wireshark handy when I looked earlier (and don't know of any other tools to detect this, at least today).

The other thing that I didn't realize is that Chrome flag is on by default as of 117:
https://chromestatus.com/feature/4832850040324096

7 Likes
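For anyone who, like the poster above, has no Wireshark handy: the condition behind the "wrong signature type" errors quoted earlier in the thread can be read straight out of the server's handshake bytes. The following is an added example, not code from the thread or from any poster. It parses raw TLS 1.2 records from the server's first flight (ServerHello followed by ServerKeyExchange) and reports the SignatureAndHashAlgorithm the server actually signed its ECDHE or DHE parameters with, flagging SHA-1 (the value Chrome 117 stopped accepting). The cipher-suite code points used are those of the ECDHE-RSA/DHE-RSA suites from the SSLCipherSuite line posted above; the sample flights at the bottom are constructed for the example, not captured from surething.com.

```python
"""Report the SignatureAndHashAlgorithm a TLS 1.2 server used in ServerKeyExchange.

Added example, not code from the thread. The "wrong signature type" error
quoted above comes from the server signing its ECDHE/DHE key exchange with a
hash the client rejects; Chrome 117 stopped accepting SHA-1 there. This parses
raw TLS records from the server's first flight so the condition can be checked
without Wireshark. The sample bytes at the bottom are constructed, not captured.
"""
import struct

HANDSHAKE = 0x16
SERVER_HELLO = 2
SERVER_KEY_EXCHANGE = 12
# HashAlgorithm / SignatureAlgorithm code points from RFC 5246 section 7.4.1.4.1
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
# The DHE-RSA suites in the thread's SSLCipherSuite line: their ServerKeyExchange
# carries DH params rather than an EC point, so the signature sits at a different offset.
DHE_SUITES = {0x009E, 0x009F}  # DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-GCM-SHA384


def iter_handshake_messages(data: bytes):
    """Yield (msg_type, body) for each handshake message in a TLS record stream.
    Messages may span records, so handshake record payloads are joined first."""
    payload = bytearray()
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        if off + length > len(data):
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:
            payload += data[off:off + length]
        off += length
    pos = 0
    while pos + 4 <= len(payload):
        msg_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
        if pos + 4 + msg_len > len(payload):
            raise ValueError("truncated handshake message")
        yield payload[pos], bytes(payload[pos + 4:pos + 4 + msg_len])
        pos += 4 + msg_len


def negotiated_cipher_suite(server_hello: bytes) -> int:
    """Cipher suite chosen in a ServerHello: after server_version, random and session_id."""
    pos = 2 + 32 + 1 + server_hello[34]
    return struct.unpack("!H", server_hello[pos:pos + 2])[0]


def signed_params_length(ske: bytes, dhe: bool) -> int:
    """Byte length of the ServerDHParams / ServerECDHParams that precede the signature."""
    if dhe:
        pos = 0
        for _ in range(3):  # dh_p, dh_g, dh_Ys, each a 2-byte-length-prefixed opaque
            pos += 2 + struct.unpack("!H", ske[pos:pos + 2])[0]
        return pos
    if ske[0] != 3:  # ECCurveType.named_curve is the only form seen in practice
        raise ValueError("only named_curve ECDHE parameters are handled")
    return 1 + 2 + 1 + ske[3]  # curve_type, named_curve, point length byte, point


def server_signature_report(data: bytes) -> dict:
    """Summarise the key-exchange signature in a server's TLS 1.2 handshake flight."""
    report = {"cipher_suite": None, "sigalg": None, "sha1_signature": False}
    for msg_type, body in iter_handshake_messages(data):
        if msg_type == SERVER_HELLO:
            report["cipher_suite"] = negotiated_cipher_suite(body)
        elif msg_type == SERVER_KEY_EXCHANGE:
            pos = signed_params_length(body, report["cipher_suite"] in DHE_SUITES)
            hash_id, sig_id = body[pos], body[pos + 1]
            sig_len = struct.unpack("!H", body[pos + 2:pos + 4])[0]
            if pos + 4 + sig_len > len(body):
                raise ValueError("truncated signature")
            hash_name = HASH_NAMES.get(hash_id, f"unknown({hash_id})")
            sig_name = SIG_NAMES.get(sig_id, f"unknown({sig_id})")
            report["sigalg"] = f"{hash_name}+{sig_name}"
            report["sha1_signature"] = hash_id == 2
    return report


# --- constructed sample flights (not a real capture) ------------------------
def _record(msg_type: int, body: bytes) -> bytes:
    """Wrap one handshake message in a TLS 1.2 record."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


def build_sample_flight(hash_id: int, dhe: bool = False) -> bytes:
    """ServerHello plus a ServerKeyExchange signed with RSA and the given HashAlgorithm."""
    suite = 0x009E if dhe else 0xC02F  # DHE-RSA-AES128-GCM-SHA256 / ECDHE-RSA-AES128-GCM-SHA256
    hello = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00" + struct.pack("!HB", suite, 0)
    if dhe:
        params = b"".join(struct.pack("!H", 256) + b"\x22" * 256 for _ in range(3))
    else:
        params = b"\x03" + struct.pack("!H", 23) + b"\x41" + b"\x04" + b"\x22" * 64  # secp256r1
    ske = params + bytes([hash_id, 1]) + struct.pack("!H", 256) + b"\x33" * 256  # 2048-bit RSA sig
    return _record(SERVER_HELLO, hello) + _record(SERVER_KEY_EXCHANGE, ske)


if __name__ == "__main__":
    print("legacy:", server_signature_report(build_sample_flight(2)))  # sha1+rsa
    print("modern:", server_signature_report(build_sample_flight(4)))  # sha256+rsa
```

To run it against a real server, feed `server_signature_report` the raw bytes of the server's handshake records as saved from a packet capture (the same bytes a Wireshark "ServerKeyExchange" dissection shows). A report with `sha1_signature` set to True is the server-side view of the `error:0A000172 ... wrong signature type` that the openssl and curl commands above produced from the client side; a TLS 1.3 flight carries no ServerKeyExchange at all and leaves `sigalg` as None.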

https://bugs.chromium.org/p/chromium/issues/detail?id=1488571

Here's a similar thread from the Chrome side, in which they also suggest upgrading openssl.

6 Likes

Unless you run Debian and upgrade in place forever. 🐧 😎

3 Likes

I was quite hopeful for this but removing the SSLCipherSuite from the httpd-surething.conf did not solve the issue. It still works in pre-117 Chrome and Safari, Firefox, etc. I'm not sure if I should put it back or not, since the two seem to be conflicting with each other anyway.

Do you think my next step should be to update OpenSSL?

I appreciate all you have done to help so far!

1 Like

This at least explains why it suddenly started happening.

1 Like

Yes.

Not.
I would edit the single global setting.

2 Likes