A while ago, I set up an SSL certificate authority for our intranet, generated a bunch of certificates and ran a number of sites with them, all on the same physical host with one single Apache2 installation; one root certificate and one certificate for each virtual host. I added the root certificate to the client machines and everything was fine (i.e. all communication was protected).
Now I am trying to switch from mod_ssl
to mod_gnutls
. Changes to the Apache2 configuration were simple:
- disable the SSL module:
a2dismod ssl
- enable the GnuTLS module:
a2enmod gnutls
add a new section to
/etc/apache2/ports.conf
with the same contents as the SSL section:<IfModule mod_gnutls.c> NameVirtualHost *:443 Listen 443 </IfModule>
change per-site configurations in e.g.
/etc/apache2/sites-available/site1.domain-ssl
:<IfModule mod_gnutls.c> <VirtualHost *:443> ServerAdmin webmaster@site1.domain ServerName site1.domain DocumentRoot /var/www/site1.domain_ssl/public_html/ ErrorLog /var/www/site1.domain_ssl/logs/error.log CustomLog /var/www/site1.domain_ssl/logs/access.log combined LogLevel debug # <Directory ... > settings omitted # old SSL configuration: # SSLEngine on # SSLCertificateFile /etc/ssl/certs/site1.cert.pem # SSLCertificateKeyFile /etc/ssl/private/site1.key.pem # new TLS configuration GnuTLSEnable on GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT GnuTLSCertificateFile /etc/ssl/certs/site1.domain.cert GnuTLSKeyFile /etc/ssl/private/site1.domain.key </VirtualHost> </IfModule>
I re-created the cetificate authority root certificate from scratch, created new per-site certificates and re-deployed them. (I used to use .pem file suffix with SSL, but dropped that when switching to GnuTLS).
The problem is now that I can not access any virtual hosts.
When I try to connect to the physical host, everything seems fine:
user@host:~$ gnutls-cli-debug host
Resolving 'host'...
Connecting to '127.0.1.1:443'...
Checking for SSL 3.0 support... yes
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
... (etc.) ...
and when I connect using gnutls-cli --x509cafile <my root cert file>
, the root certificate is validated successfully.
However, when I try to connect to one of the virtual hosts, this happens:
user@host:~$ gnutls-cli-debug site1
Resolving 'site1'...
Connecting to '192.168.137.135:443'...
Checking for SSL 3.0 support...|<1>| Received record packet of unknown type 60
no
Checking whether %COMPAT is required...|<1>| Received record packet of unknown type 60
yes
Checking for TLS 1.0 support...|<1>| Received record packet of unknown type 60
no
Checking for TLS 1.1 support...|<1>| Received record packet of unknown type 60
no
... (etc.) ...
and I get error message like these in the Apache log:
[Mon May 19 17:55:35 2014] [info] [client 127.0.0.1] GnuTLS: Handshake Failed (-21) 'Could not negotiate a supported cipher suite.'
[Mon May 19 17:55:35 2014] [info] (70014)End of file found: GnuTLS: Error reading data. (-9) 'A TLS packet with unexpected length was received.'
[Mon May 19 17:59:58 2014] [error] [client 192.168.137.135] Invalid method in request \x16\x03
Of course there are plenty of Google results about these errors, but despite spending pretty much the entire weekend searching, nothing conclusive has come up.
This is all taking place under a fresh installation of the latest Debian 7.5 i386 on a VM (which I've set up to find the error, the actual intranet server is a real machine), so Apache does support SNI:
user@host:~$ aptitude show apache2-mpm-worker | grep Version
Version: 2.2.22-13+deb7u1
user@host:~$ aptitude show libapache2-mod-gnutls | grep Version
Version: 0.5.10-1.1
The mod-gnutls page explicitely states that it supports Server Name Indication, but to me, it looks like this is simply not the case.
Can anyone help me ?