Unable to set up an Apache IP-based virtual host with Chrome

Time: 2018-10-11 06:03:58

Tags: apache virtualhost

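On Ubuntu 16, with an IP-based virtual host configured for development (localhost), Chrome cannot load the page when <VirtualHost 127.0.0.1:443> is used and reports an SSL handshake error, but it works with <VirtualHost _default_:443>. Firefox, on the other hand, handles both configurations without any problem.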

The Apache error log does not show any error for the Chrome connection. Chrome internals lists this error:

t=0 [st=0] +SOCKET_ALIVE  [dt=5]
            --> source_dependency = 2641 (TRANSPORT_CONNECT_JOB)
t=0 [st=0]   +TCP_CONNECT  [dt=1]
              --> address_list = ["[::1]:443","127.0.0.1:443"]
t=0 [st=0]      TCP_CONNECT_ATTEMPT  [dt=1]
                --> address = "[::1]:443"
t=1 [st=1]   -TCP_CONNECT
              --> source_address = "[::1]:58726"
t=4 [st=4]   +SOCKET_IN_USE  [dt=1]
              --> source_dependency = 2640 (SSL_CONNECT_JOB)
t=4 [st=4]     +SSL_CONNECT  [dt=1]
t=4 [st=4]        SSL_HANDSHAKE_MESSAGE_SENT
                  --> type = 1
t=4 [st=4]        SOCKET_BYTES_SENT
                  --> byte_count = 518
t=5 [st=5]        SOCKET_BYTES_RECEIVED
                  --> byte_count = 482
t=5 [st=5]        SOCKET_BYTES_SENT
                  --> byte_count = 7
t=5 [st=5]        SSL_ALERT_SENT
                  --> hex_encoded_bytes =
                    02 46                                              .F
t=5 [st=5]        SSL_HANDSHAKE_ERROR
                  --> error_lib = 16
                  --> error_reason = 247
                  --> file = "../../third_party/boringssl/src/ssl/tls_record.cc"
                  --> line = 242
                  --> net_error = -107 (ERR_SSL_PROTOCOL_ERROR)
                  --> ssl_error = 1
t=5 [st=5]     -SSL_CONNECT
                --> net_error = -107 (ERR_SSL_PROTOCOL_ERROR)
t=5 [st=5]   -SOCKET_IN_USE
t=5 [st=5] -SOCKET_ALIVE

Following the SSL_HANDSHAKE_ERROR above, this is the code in the tls_record.cc file. The line that raises the error is OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);

  bool version_ok;
  if (ssl->s3->aead_read_ctx->is_null_cipher()) {
    // Only check the first byte. Enforcing beyond that can prevent decoding
    // version negotiation failure alerts.
    version_ok = (version >> 8) == SSL3_VERSION_MAJOR;
  } else {
    version_ok = version == ssl->s3->aead_read_ctx->RecordVersion();
  }

  if (!version_ok) {
    OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER); // This is the error line !!!!!!
    *out_alert = SSL_AD_PROTOCOL_VERSION;
    return ssl_open_record_error;
  }

Note: for testing, I am only using the unmodified default default-ssl.cnf file that ships with Apache in Ubuntu.

Here is the Apache conf file:

<IfModule mod_ssl.c>
    <VirtualHost 127.0.0.1:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile  /etc/ssl/certs/localhost.pem
        SSLCertificateKeyFile /etc/ssl/private/localhost.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>

        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>
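
As an added example (not part of the question and not BoringSSL's code), the Python below applies the same major-version test as the null-cipher branch of the quoted tls_record.cc snippet to the first bytes a peer sends, and decodes the two alert bytes shown under SSL_ALERT_SENT in the log. The sample byte strings are constructed, and the function names are assumptions of this example.

```python
import struct

SSL3_VERSION_MAJOR = 0x03  # major byte of every SSL 3.0 / TLS record version
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version",
                      80: "internal_error"}


def parse_record_header(data: bytes) -> dict:
    """Parse the 5-byte record header: type(1) | version(2) | length(2)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return {
        "type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": version,
        "length": length,
        # Same test as the null-cipher branch quoted above: major byte only.
        "version_ok": (version >> 8) == SSL3_VERSION_MAJOR,
    }


def decode_alert(body: bytes) -> str:
    """Decode a 2-byte alert body: level(1) | description(1)."""
    if len(body) != 2:
        raise ValueError("an alert body is exactly 2 bytes")
    level, desc = body
    return f"{ALERT_LEVELS.get(level, level)}:{ALERT_DESCRIPTIONS.get(desc, desc)}"


def classify(first_bytes: bytes) -> str:
    """Say whether the first bytes from a peer pass the record version check."""
    hdr = parse_record_header(first_bytes)
    if hdr["version_ok"]:
        return f"tls-record type={hdr['type']} version=0x{hdr['version']:04x}"
    return f"not-tls: wrong version number (0x{hdr['version']:04x})"


# Constructed samples, not captured from the server in the question.
SERVER_HELLO_HEADER = bytes.fromhex("160303005a")   # handshake record, TLS 1.2
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\n"   # non-TLS bytes on a TLS port
ALERT_IN_LOG = bytes.fromhex("0246")                # bytes shown under SSL_ALERT_SENT

if __name__ == "__main__":
    for sample in (SERVER_HELLO_HEADER, PLAINTEXT_REPLY):
        print(classify(sample))
    print(decode_alert(ALERT_IN_LOG))
```

Running classify on the first five bytes read from each address in the log's address_list ([::1]:443 and 127.0.0.1:443) shows whether each listener answers with a TLS record.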

0 answers:

No answers