Solution ID : SO16902

Last Modified : 05/18/2018

Error: "SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol"

Problem

Error occurs when connecting
Error: "716:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:28"
Error: "SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol"
Error: "[error] [client 67.82.186.190] Invalid method in request \x80\x80\x01\x03\x01"

Cause

Any one of the following can produce these errors:
A unique IP address has not been assigned to the 'VirtualHost' directive in the secure virtual host configuration.
Extra lines in the httpd.conf file are disabling SSL sessions to Apache.
The IP address mapping on the NAT box for the firewall is misconfigured.
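
All three errors describe the same condition from different vantage points: whatever answered on port 443 replied with plaintext HTTP instead of a TLS record. The bytes Apache logged as an invalid request method, \x80\x80\x01\x03\x01, are the first bytes of an SSLv2-compatible ClientHello (two-byte length with the high bit set, message type 0x01 CLIENT-HELLO, offered version 3.1), which is what a non-SSL listener sees when a browser tries to start TLS. The Python script below is an added example, not code from the original article; it recognises that pattern in error_log lines and, from the client side, maps OpenSSL's handshake failure reasons onto the same diagnosis. The log lines, the 192.0.2.0/24 addresses and the helper names (scan_error_log, probe_tls_port) are constructed for the example.

```python
"""Diagnose 'plaintext HTTP answering on the TLS port', the condition behind
the errors in this article. Added example; not part of the original page."""
import re
import socket
import ssl

# Constructed sample error_log lines (not from the page); 192.0.2.0/24 is
# documentation address space. Apache writes unprintable request bytes as \xNN.
SAMPLE_LOG = r"""[Mon Jan 01 10:00:00 2018] [error] [client 192.0.2.10] Invalid method in request \x80\x80\x01\x03\x01
[Mon Jan 01 10:00:01 2018] [error] [client 192.0.2.11] Invalid method in request \x16\x03\x01\x00\xc8\x01
[Mon Jan 01 10:00:02 2018] [notice] Apache configured -- resuming normal operations
[Mon Jan 01 10:00:03 2018] [error] [client 192.0.2.12] File does not exist: /var/www/html/favicon.ico
"""

INVALID_METHOD = re.compile(
    r"\[client (?P<ip>[0-9.]+)\] Invalid method in request (?P<raw>(?:\\x[0-9a-fA-F]{2})+)"
)


def classify_client_bytes(data):
    """Name the handshake that a plaintext HTTP listener mistook for a request."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01 and data[3] == 0x03:
        # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
        # message type 0x01 (CLIENT-HELLO), then the offered version 0x03 0x0N.
        return "sslv2-compat-clienthello"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record layer: content type 0x16 (handshake), major version 3.
        return "tls-clienthello"
    return "unknown"


def scan_error_log(text):
    """Return [(client_ip, handshake_kind)] for lines showing TLS sent to a
    non-TLS listener. Any hit means the :443 host is not actually doing SSL."""
    hits = []
    for line in text.splitlines():
        m = INVALID_METHOD.search(line)
        if not m:
            continue
        data = bytes.fromhex(m.group("raw").replace("\\x", ""))
        hits.append((m.group("ip"), classify_client_bytes(data)))
    return hits


def classify_server_reply(data):
    """From the client side: is the first thing the server sent a TLS record
    (ServerHello 0x16 or Alert 0x15, major version 3) or an HTTP status line?"""
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe_tls_port(host, port=443, timeout=5):
    """Live check (hypothetical helper): map OpenSSL's handshake failure reasons
    onto the article's diagnosis. Certificate verification is switched off on
    purpose: the question is whether TLS is spoken at all, not whether the
    certificate is valid, so do not reuse this context for real traffic."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("tls", tls.version())
    except ssl.SSLError as exc:
        # These two reasons are what the article's 'wrong version number' and
        # 'unknown protocol' messages look like through Python's ssl module.
        if exc.reason in ("WRONG_VERSION_NUMBER", "UNKNOWN_PROTOCOL"):
            return ("plaintext-on-tls-port", exc.reason)
        return ("tls-error", exc.reason)


if __name__ == "__main__":
    for ip, kind in scan_error_log(SAMPLE_LOG):
        print(f"{ip}: {kind} received by a non-SSL listener")
    # print(probe_tls_port("www.example.com"))  # uncomment for a live check
```

A single hit from scan_error_log on a production error_log is enough to confirm the cause before touching the configuration: clients are negotiating TLS correctly and the server side is the part that is not.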

Solution

To resolve the issue, use one of the following methods.

Method 1. A unique IP address has not been assigned to the 'VirtualHost' directive in the secure virtual host configuration

Assign a unique IP address to the domain name in question, then assign that IP address to the 'VirtualHost' directive in the secure virtual host container: change the line <VirtualHost _default_:443> to <VirtualHost 43.33.35.298:443> (example address; substitute your own).

Here is an example of a secure virtual host container for Apache mod_ssl:

<VirtualHost 43.33.35.298:443>

#   General setup for the virtual host
ServerName www.rapidssl.com
ServerAlias www.rapidssl.com

ServerAdmin name@rapidssl.com
DocumentRoot /home/domain/html
ErrorLog logs/error_log
ScriptAlias /cgi-bin/ /home

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with 'make certificate' at
#   build time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile      /usr/local/ssl/certs/www.rapidssl.com.crt
#SSLCertificateFile     /etc/httpd/conf/ssl.crt/server-dsa.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile   /usr/local/ssl/private/www.rapidssl.com.key
#SSLCertificateKeyFile  /etc/httpd/conf/ssl.key/server-dsa.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl

#   SSL Options:
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
#   Export the SSL_* environment variables only where scripts need them
#   (FilesMatch takes the regular expression; a plain <Files> would not).
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

</VirtualHost>

 

Method 2. Extra lines in the httpd.conf file are disabling SSL sessions to Apache

Check whether an extra "<IfDefine NotDefined>" container is wrapped around the secure virtual host configuration. Because no such name is passed to Apache at startup, everything inside that container is never loaded, so nothing listens for SSL on port 443.

If your secure virtual host container looks something like this:

<IfDefine HAVE_SSL>
<IfDefine NotDefined>

  #
  # SSL Virtual Host Context
  #

</IfDefine>
</IfDefine>

 

Delete the <IfDefine NotDefined> statement and one of the </IfDefine> closing statements.
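
Methods 1 and 2 are both configuration checks, and both can be made mechanical. The script below is an added example, not code from this article or from the Apache project. It walks an httpd.conf fragment, tracks the <IfDefine> nesting, and reports every port 443 VirtualHost that is bound to _default_ rather than a unique IP address (Method 1), that sits inside an <IfDefine> whose name httpd was not started with, so the container is never loaded (Method 2), or that never turns SSLEngine on (which leaves port 443 answering plaintext HTTP). The configuration fragment, the 192.0.2.5 address, the set of -D names and the function names are constructed for the example.

```python
"""Audit the :443 VirtualHost containers in an httpd.conf for the defects
described under Method 1 and Method 2. Added example; not Apache's or the
article's own code."""
import re

# Constructed httpd.conf fragment (not the page's config): the first SSL host
# sits inside <IfDefine NotDefined> and is bound to _default_:443; the second
# has a unique IP (192.0.2.5, documentation space) but lacks SSLEngine on.
SAMPLE_CONF = """\
Listen 443
<IfDefine HAVE_SSL>
<IfDefine NotDefined>
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
</VirtualHost>
</IfDefine>
</IfDefine>
<VirtualHost 192.0.2.5:443>
    ServerName secure.example.com
</VirtualHost>
"""

OPEN_TAG = re.compile(r"^\s*<(?P<name>\w+)\s*(?P<arg>[^>]*)>\s*$")
CLOSE_TAG = re.compile(r"^\s*</(?P<name>\w+)\s*>\s*$")
SSLENGINE_ON = re.compile(r"^\s*SSLEngine\s+on\s*$", re.IGNORECASE)


def ifdefine_active(arg, defined):
    """<IfDefine NAME> is live only when NAME was passed to httpd with -D;
    <IfDefine !NAME> is live only when it was not."""
    name = arg.strip()
    if name.startswith("!"):
        return name[1:] not in defined
    return name in defined


def audit_ssl_vhosts(conf, defined=frozenset({"HAVE_SSL"})):
    """Return [(line, code, detail)] for every VirtualHost on port 443.
    `defined` is the set of -D names httpd is started with (constructed here)."""
    stack = []      # open sections as (name, argument), innermost last
    vhost = None    # state of the :443 VirtualHost currently open, if any
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = OPEN_TAG.match(line)
        if m:
            name, arg = m.group("name"), m.group("arg").strip()
            stack.append((name, arg))
            if name == "VirtualHost" and arg.endswith(":443"):
                addr = arg.rsplit(":", 1)[0]
                # Dead if any enclosing <IfDefine> is not satisfied at startup.
                dead = any(n == "IfDefine" and not ifdefine_active(a, defined)
                           for n, a in stack[:-1])
                vhost = {"line": lineno, "addr": addr, "engine": False, "dead": dead}
            continue
        m = CLOSE_TAG.match(line)
        if m:
            name = m.group("name")
            if stack and stack[-1][0] == name:
                stack.pop()
            else:
                findings.append((lineno, "UNBALANCED", f"</{name}> closes nothing"))
            if name == "VirtualHost" and vhost is not None:
                if vhost["addr"] in ("_default_", "*"):
                    findings.append((vhost["line"], "NO_UNIQUE_IP",
                                     f"Method 1: bound to {vhost['addr']}:443, not a unique IP"))
                if vhost["dead"]:
                    findings.append((vhost["line"], "DEAD_IFDEFINE",
                                     "Method 2: enclosed by an <IfDefine> never passed with -D, so never loaded"))
                if not vhost["engine"]:
                    findings.append((vhost["line"], "SSLENGINE_OFF",
                                     "SSLEngine on is missing; port 443 would answer plaintext HTTP"))
                vhost = None
            continue
        if vhost is not None and SSLENGINE_ON.match(line):
            vhost["engine"] = True
    for name, arg in stack:
        findings.append((0, "UNCLOSED", f"<{name} {arg}> is never closed"))
    return findings


if __name__ == "__main__":
    for line, code, detail in audit_ssl_vhosts(SAMPLE_CONF):
        print(f"line {line}: {code}: {detail}")
```

Run it against the real file with audit_ssl_vhosts(open("/etc/httpd/conf/httpd.conf").read(), defined={...}), where the set matches the -D flags in the httpd startup script; apachectl -S then confirms which virtual hosts Apache actually loaded after the edit.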

 

Method 3. The IP address mapping on the NAT box for the firewall is configured incorrectly

Check the NAT mappings on the firewall. If port 443 is mapped to the wrong IP address, secure connections never reach the SSL virtual host and you will not be able to connect securely.