多个 Apache 托管站点的选择性 ERR_SSL_VERSION_OR_CIPHER_MISMATCH 错误
Selective ERR_SSL_VERSION_OR_CIPHER_MISMATCH error with multiple Apache-hosted sites
我在 Apache 上有几个主机名 运行,我想对其进行特定的强 TLS 配置。 Apache 中启用了 2 个 .conf 文件:第一个包含端口 80 的所有虚拟主机(比如 default.conf),另一个存储端口 443 的相应虚拟主机(default443.conf)。
可以通过 https:// 从 default.conf 的第一个 VirtualHost 仅访问主机名。所有剩余的主机都在任何网络浏览器中抛出 ERR_SSL_VERSION_OR_CIPHER_MISMATCH。通过 curl 访问此类失败的主机名时,出现以下错误:
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
default.conf:
Protocols h2 h2c http/1.1
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example
RewriteEngine on
RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]
#RewriteRule ^(.*)$ https://example.com [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/html/example2
RewriteEngine on
RewriteRule ^(.*)$ https://example2.com [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
default443.conf:
Protocols h2 h2c http/1.1
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/html/example
RewriteEngine on
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp384r1
SSLEngine On
SSLCertificateFile /path/to/example.crt
SSLCertificateKeyFile /path/to/example.key
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
<VirtualHost *:443>
ServerName example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/html/example2
RewriteEngine on
RewriteCond %{SERVER_PORT} 443
RewriteCond %{HTTP_HOST} www\.example2\.com$
RewriteRule ^(.*)$ https://example2.com [R=301,L]
SSLEngine On
SSLCertificateFile /path/to/example2.crt
SSLCertificateKeyFile /path/to/example2.key
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
SSLProtocol -all +TLSv1.2
SSLCipherSuite -all:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
根据上述配置,example.com 使用声明的密码套件通过 https:// 正确解析,而 example2.com.
的 SSL 握手失败
如果评论我们的 SSLCipherSuite 指令或用 TLS 1.2 的 suggested by Mozilla 替换密码套件,example2.com 也可以通过 https:// 开始正常工作。
apachectl -v
Server version: Apache/2.4.41
openssl version
OpenSSL 1.1.1c 28 May 2019
我想弄清楚为什么只有一个主机名可以通过 https:// 正常运行,而其余主机名的 SSL 握手不断失败并声明 ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305 密码。
我在 Apache 上有几个主机名 运行,我想对其进行特定的强 TLS 配置。 Apache 中启用了 2 个 .conf 文件:第一个包含端口 80 的所有虚拟主机(比如 default.conf),另一个存储端口 443 的相应虚拟主机(default443.conf)。
可以通过 https:// 从 default.conf 的第一个 VirtualHost 仅访问主机名。所有剩余的主机都在任何网络浏览器中抛出 ERR_SSL_VERSION_OR_CIPHER_MISMATCH。通过 curl 访问此类失败的主机名时,出现以下错误:
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
default.conf:
Protocols h2 h2c http/1.1
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example
RewriteEngine on
RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]
#RewriteRule ^(.*)$ https://example.com [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/html/example2
RewriteEngine on
RewriteRule ^(.*)$ https://example2.com [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
default443.conf:
Protocols h2 h2c http/1.1
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/html/example
RewriteEngine on
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp384r1
SSLEngine On
SSLCertificateFile /path/to/example.crt
SSLCertificateKeyFile /path/to/example.key
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
<VirtualHost *:443>
ServerName example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/html/example2
RewriteEngine on
RewriteCond %{SERVER_PORT} 443
RewriteCond %{HTTP_HOST} www\.example2\.com$
RewriteRule ^(.*)$ https://example2.com [R=301,L]
SSLEngine On
SSLCertificateFile /path/to/example2.crt
SSLCertificateKeyFile /path/to/example2.key
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
SSLProtocol -all +TLSv1.2
SSLCipherSuite -all:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
根据上述配置,example.com 使用声明的密码套件通过 https:// 正确解析,而 example2.com.
的 SSL 握手失败如果评论我们的 SSLCipherSuite 指令或用 TLS 1.2 的 suggested by Mozilla 替换密码套件,example2.com 也可以通过 https:// 开始正常工作。
apachectl -v Server version: Apache/2.4.41
openssl version OpenSSL 1.1.1c 28 May 2019
我想弄清楚为什么只有一个主机名可以通过 https:// 正常运行,而其余主机名的 SSL 握手不断失败并声明 ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305 密码。