I found a lot of similar questions, but no solution works here.
https://pmadmin.qno.de/index.html:443
shows in the browser:
Diese Website kann keine sichere Verbindung bereitstellen
pmadmin.qno.de hat eine ungültige Antwort gesendet.
Versuche, die Windows-Netzwerkdiagnose auszuführen.
ERR_SSL_PROTOCOL_ERROR
root@bywater ~ # cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.4 LTS"
root@bywater ~ # dpkg -l apache2
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-=================-============-=================================
ii apache2 2.4.52-1ubuntu4.8 amd64 Apache HTTP Server
root@bywater ~ # dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-=================-============-====================================================
ii openssl 3.0.2-0ubuntu1.15 amd64 Secure Sockets Layer toolkit - cryptographic utility
In the access.log
, i find:
2003:e9:4f12:6d00:4539:bdd0:36ce:1851 - - [18/Mar/2024:20:21:02 +0100] "\x16\x03\x01\x02\x11\x01" 400 488 "-" "-"
2003:e9:4f12:6d00:4539:bdd0:36ce:1851 - - [18/Mar/2024:20:21:02 +0100] "\x16\x03\x01\x02\x11\x01" 400 488 "-" "-"
There is no entry in error.log
In ssl_engine.log
, i find:
[Mon Mar 18 20:21:02.357687 2024] [core:debug] [pid 595065] protocol.c(1449): [client 2003:e9:4f12:6d00:4539:bdd0:36ce:1851:49640] AH00566: request failed: malformed request line
[Mon Mar 18 20:21:02.434954 2024] [core:debug] [pid 595066] protocol.c(1449): [client 2003:e9:4f12:6d00:4539:bdd0:36ce:1851:49642] AH00566: request failed: malformed request line
/etc/apache2/sites-enabled/a02-phpmyadmin-le-ssl.conf
:
<IfModule mod_ssl.c>
<VirtualHost 65.21.136.15:443 [2a01:04f9:003b:25b0:0009:0006:0001:0a02]:443>
HttpProtocolOptions Unsafe
ServerAdmin [email protected]
DocumentRoot /srv/phpmyadmin_html
ServerName pmadmin.qno.de
ErrorLog /var/log/apache2/a02_phpmyadmin/error.log
CustomLog /var/log/apache2/a02_phpmyadmin/access.log combined
AddDefaultCharset UTF-8
AddOutputFilterByType DEFLATE text/html text/plain text/xml
DirectoryIndex index.php index.html
SSLProtocol TLSv1.3 TLSv1.2
SSLHonorCipherOrder On
SSLCompression off
SSLCipherSuite 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5:!SHA1'
ErrorLog /var/log/apache2/a02_phpmyadmin/ssl_engine.log
LogLevel debug
SSLCertificateFile /etc/letsencrypt/live/pmadmin.qno.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pmadmin.qno.de/privkey.pem
<Directory /srv/phpmyadmin_html>
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
</IfModule>
root@bywater ~ # apache2ctl -t
Syntax OK
root@bywater ~ # apache2ctl -S
VirtualHost configuration:
[2a01:4f9:3b:25b0:9:6:1:a02]:443 pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin-le-ssl.conf:2)
[2a01:4f9:3b:25b0:9:6:1:a02]:80 pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)
[2a01:4f9:3b:25b0:9:6:1:b01]:80 www.sk-koenig-tegel.de (/etc/apache2/sites-enabled/b01-tegel.conf:2)
[2a01:4f9:3b:25b0:9:6:1:b01]:443 www.sk-koenig-tegel.de (/etc/apache2/sites-enabled/b01-tegel.conf:28)
65.21.136.15:80 is a NameVirtualHost
default server pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)
port 80 namevhost pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin.conf:1)
port 80 namevhost www.sk-koenig-tegel.de (/etc/apache2/sites-enabled/b01-tegel.conf:2)
alias sk-koenig-tegel.de
65.21.136.15:443 is a NameVirtualHost
default server pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin-le-ssl.conf:2)
port 443 namevhost pmadmin.qno.de (/etc/apache2/sites-enabled/a02-phpmyadmin-le-ssl.conf:2)
port 443 namevhost www.sk-koenig-tegel.de (/etc/apache2/sites-enabled/b01-tegel.conf:28)
alias sk-koenig-tegel.de
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
root@bywater ~ # netstat -tlpn|grep 443
tcp6 0 0 :::443 :::* LISTEN 268958/apache2
root@bywater ~ # openssl s_client -tls1_3 -connect pmadmin.qno.de:443 -6
CONNECTED(00000003)
4087D64E7E7F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 248 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Von extern:
root@raspberry ~ # nmap -6 -sT -sV -p 443 pmadmin.qno.de
Starting Nmap 7.70 ( https://nmap.org ) at 2024-03-18 20:35 CET
Nmap scan report for pmadmin.qno.de (2a01:4f9:3b:25b0:9:6:1:a02)
Host is up (0.041s latency).
Other addresses for pmadmin.qno.de (not scanned): 65.21.136.15
PORT STATE SERVICE VERSION
443/tcp open ssl/https Apache/2.4.52 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.28 seconds
root@raspberry ~ # nmap -4 -sT -sV -p 443 pmadmin.qno.de
Starting Nmap 7.70 ( https://nmap.org ) at 2024-03-18 20:36 CET
Nmap scan report for pmadmin.qno.de (65.21.136.15)
Host is up (0.038s latency).
Other addresses for pmadmin.qno.de (not scanned): 2a01:4f9:3b:25b0:9:6:1:a02
rDNS record for 65.21.136.15: bywater.qno.de
PORT STATE SERVICE VERSION
443/tcp open ssl/https Apache/2.4.52 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.17 seconds
I hope i included all information that lead to a solution in other cases. No idea what i could try ...
TIA QNo
!SHA1
already causes both this item and AES128-SHA to be ignored.