Error 525 SSL Handshake Error with Original Server Certificates

Hello,

I have been working on getting SSL to work on my site for a week now without success. I use an unmanaged Ubuntu server from A2hosting.

I used the Cloudflare SSL/TLS facility to generate the origin certificates, copied both the certificate and the private key files to the server, and modified the Apache2 config file to point to the certificate and the key file. With SSL mode set to Full in Cloudflare, I get Error 525 SSL handshake failed. The error log has it as "Connection reset by peer: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]".

I probably did not do something right in the Apache2 config file, but I don’t know what it can be.

After working on it for a week, I am stuck. Please help. Thank you.

Here are the details:

Ubuntu version:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial

Error:

Error 525
Ray ID: 575038bf4862e7a0 • 2020-03-16 17:33:51 UTC
SSL handshake failed
Apache2 error log file:
[Mon Mar 16 10:33:51.915246 2020] [ssl:debug] [pid 12749:tid 139994245043968] ssl_engine_kernel.c(2096): [client 173.245.48.134:42954] AH02043: SSL virtual host for servername www.gosuphan.com found
[Mon Mar 16 10:33:51.943305 2020] [ssl:debug] [pid 12749:tid 139994245043968] ssl_engine_io.c(1228): (103)Software caused connection abort: [client 173.245.48.134:42954] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Mar 16 10:33:51.943338 2020] [ssl:info] [pid 12749:tid 139994245043968] [client 173.245.48.134:42954] AH01998: Connection closed to child 78 with abortive shutdown (server www.gosuphan.com:443)
[Mon Mar 16 10:39:43.598969 2020] [ssl:info] [pid 12749:tid 139994234554112] [client 171.67.70.80:40478] AH01964: Connection to child 79 established (server www.gosuphan.com:443)
[Mon Mar 16 10:39:43.599323 2020] [ssl:debug] [pid 12749:tid 139994234554112] ssl_engine_kernel.c(2124): [client 171.67.70.80:40478] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Mon Mar 16 10:39:43.696143 2020] [ssl:debug] [pid 12749:tid 139994234554112] ssl_engine_io.c(1228): (104)Connection reset by peer: [client 171.67.70.80:40478] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Mar 16 10:39:43.696178 2020] [ssl:info] [pid 12749:tid 139994234554112] [client 171.67.70.80:40478] AH01998: Connection closed to child 79 with abortive shutdown (server http://www.gosuphan.com:443)

Apache2 config file:

    <VirtualHost *:443>
            # opening tag assumed to be *:443 (it did not survive the forum rendering of the post)
            ServerAdmin [email protected]
            DocumentRoot /home/szx02f/workspace/esyscom/public
            ServerName www.gosuphan.com

            ErrorLog ${APACHE_LOG_DIR}/error.log
            LogLevel info ssl:debug
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            #   SSL Engine Switch:
            #   Enable/Disable SSL for this virtual host.
            SSLEngine on

            SSLCertificateFile /etc/ssl/certs/cloudflare.pem
            SSLCertificateKeyFile /etc/ssl/private/cloudflare.key

            #   Server Certificate Chain:
            SSLCertificateChainFile /etc/ssl/certs/ca-certificates.crt

            #   Certificate Authority (CA):
            SSLCACertificatePath /etc/ssl/certs/
            #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt << not sure what this is

            SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                    SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                    SSLOptions +StdEnvVars
            </Directory>

    </VirtualHost>

Verify port 443 is allowed:

$ ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
7822                       ALLOW IN    Anywhere
3000                       ALLOW IN    Anywhere
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
7822 (v6)                  ALLOW IN    Anywhere (v6)
3000 (v6)                  ALLOW IN    Anywhere (v6)

Verify a certificate:

$ openssl verify -CAfile /etc/ssl/certs/cloudflare.pem /etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt: OK

Verify that a private key matches a certificate:

$ (openssl x509 -noout -modulus -in /etc/ssl/certs/cloudflare.pem | openssl md5; openssl rsa -noout -modulus -in /etc/ssl/private/cloudflare.key | openssl md5) | uniq
(stdin)= 40b94417a322d49f4e97896584b80fe2

Check Cloudflare TLS/SSL browser support:

$ curl https://www.gosuphan.com -svo /dev/null --tlsv1.1
* Rebuilt URL to: https://www.gosuphan.com/
*   Trying 104.31.94.220...
* Connected to www.gosuphan.com (104.31.94.220) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 748 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.1 / ECDHE_ECDSA_AES_128_CBC_SHA1
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: sni.cloudflaressl.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: EC
*        certificate version: #3
*        subject: C=US,ST=CA,L=San Francisco,O=Cloudflare\, Inc.,CN=sni.cloudflaressl.com
*        start date: Fri, 17 Jan 2020 00:00:00 GMT
*        expire date: Fri, 09 Oct 2020 12:00:00 GMT
*        issuer: C=US,ST=CA,L=San Francisco,O=CloudFlare\, Inc.,CN=CloudFlare Inc ECC CA-2
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: www.gosuphan.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 525 Origin SSL Handshake Error
< Date: Mon, 16 Mar 2020 18:02:49 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d7447490586c581a0e078dc8bda3707291584381769; expires=Wed, 15-Apr-20 18:02:49 GMT; path=/; domain=.gosuphan.com; HttpOnly; SameSite=Lax; Secure
< Cache-Control: no-store, no-cache
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 5750632aa9fbeae7-LAX
<
{ [206 bytes data]

So if you set that hostname to :grey: in Cloudflare DNS, it still doesn’t work?

I set DNS to proxied, the orange cloud. If I set it to DNS only, isn’t that bypassing the security Cloudflare provides? If I set it to DNS only, I still get the same error:

An error occurred during a connection to www.gosuphan.com. SSL received a malformed Handshake record.

Error code: SSL_ERROR_RX_MALFORMED_HANDSHAKE

If you’re still getting an error when it’s set to :grey:, Cloudflare won’t be able to fix that. You need to troubleshoot your server before setting it back to :orange:.

Hi sdayman,

Yes, I know Cloudflare won’t be able to fix the problem. There is something wrong with the apache2 config file relating to the certificates. I followed everything that Cloudflare suggested for setting up the server. I just don’t know what is wrong with it. I provided the config file in my original question. Thanks for replying.

Stack Overflow is a better source for troubleshooting server errors. For now, see if you can roll back the changes you made.

Okay. Thanks.


I think I may know the problem… the certificate max size probably needs to be set larger. There is probably a command that can be put into the Apache2 config file to fix this 525 SSL Handshake error. Anyone know how to set the certificate max size?

Problem solved. This is FYI for others who may have similar problems.

The default key length is 2048. If your key is longer than that, it will cause this 525 SSL Handshake error. This is because the browser only takes 2048 and the SSL message looks malformed. Use this command to check your key:

$ openssl x509 -text -in your-certificates.crt -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6828503384748696800 (0x5ec3b7a6437fa4e0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES
        Validity
            Not Before: May  5 09:37:37 2011 GMT
            Not After : Dec 31 09:37:37 2030 GMT
        Subject: CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:9b:a9:ab:bf:61:4a:97:af:2f:97:66:9a:74:5f:

Check the Public-Key length.

If you have this problem, check your apache2.cfg and go through the verification steps I took (listed in the original question above). It is likely that you don’t have a valid certificate. If you use Cloudflare to generate the certificate and key file, you can use the Cloudflare certificate pem file for SSLCertificateFile, SSLCertificateChainFile, and SSLCACertificateFile. This should fix the 525 SSL handshake error.

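Added example, not code from this thread or from Cloudflare: a POSIX shell script that bundles the local checks the original question and the final post walk through (public key size, key/certificate match, chain verification, with the CA bundle passed via -CAfile and the server certificate as the positional argument) and adds a handshake straight to the origin so the test does not stop at the Cloudflare edge. All file paths, hostnames and the origin IP are hypothetical; make_test_pair creates a throwaway self-signed pair so the checks can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cloudflare: the local checks the
# thread walks through, as functions. All paths and hostnames are hypothetical.
set -eu

# Public key size in bits from a PEM certificate (the "Public-Key: (N bit)" line).
cert_key_bits() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds only if the private key belongs to the certificate. Comparing the exported
# public keys works for RSA and EC keys alike (the -modulus trick is RSA-only).
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Succeeds only if the certificate chains to the given CA bundle.
# -CAfile takes the bundle; the server certificate is the positional argument.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Throwaway self-signed pair so the checks can be exercised offline (constructed test data).
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Run all three checks against the files an Apache vhost points at:
# SSLCertificateFile, SSLCertificateKeyFile and (optionally) SSLCertificateChainFile.
check_origin_files() {
    cert=$1; key=$2; chain=${3:-$1}
    echo "public key size: $(cert_key_bits "$cert") bits"
    key_matches_cert "$cert" "$key" && echo "key matches certificate" \
        || echo "PROBLEM: SSLCertificateKeyFile does not match SSLCertificateFile"
    chain_verifies "$cert" "$chain" && echo "certificate verifies against $chain" \
        || echo "PROBLEM: $cert does not chain to $chain (check SSLCertificateChainFile)"
}

# Handshake straight to the origin, bypassing the Cloudflare edge, the way a :grey:
# DNS record would. Usage: origin_handshake ORIGIN_IP www.example.com (hypothetical)
origin_handshake() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>&1 \
        | grep -E '^(subject=|issuer=|Verify return code)'
}

if [ "$#" -ge 2 ]; then
    check_origin_files "$@"
fi
```

Run it as `sh check-origin.sh /etc/ssl/certs/cloudflare.pem /etc/ssl/private/cloudflare.key [chain.pem]`; a failing chain check is the case this thread ended up in.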
