HTTPS+SSLVerifyClient require in <Directory>+big POST = Apache error

I was configuring MediaWiki to allow uploads and was getting an error in the browser about the POST data being too large (“does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit.”). I had a look in the Apache error log and found:

[Thu Feb 23 16:12:45 2012] [error] [client 60.240.67.126] request body exceeds maximum size (131072) for SSL buffer, referer: https://www.jj5.net/morpheus/Special:Upload
[Thu Feb 23 16:12:45 2012] [error] [client 60.240.67.126] could not buffer message body to allow SSL renegotiation to proceed, referer: https://www.jj5.net/morpheus/Special:Upload

So I did some research. I found this document, File upload size, which suggested editing /etc/php5/apache2/php.ini, which I did:

upload_max_filesize = 20M
post_max_size = 80M

That didn’t fix the problem though. I found Request entity too large, which suggested checking my setting for LimitRequestBody, but that wasn’t the problem either.

Eventually I found Bug 491763 – HTTPS+SSLVerifyClient require in <Directory>+big POST = Apache error, which suggested I needed to apply the SSLRenegBufferSize directive, which I did like this:

  <Location /morpheus>
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLRenegBufferSize 20971520
  </Location>

And then after restarting Apache the problem was solved.
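
The check below is an added example, not part of the original post: it scans Apache configuration text for <Location>/<Directory> sections that set SSLVerifyClient and compares their SSLRenegBufferSize (131072 when unset, the limit in the log above) with PHP's upload_max_filesize. The function names and sample inputs are constructed for illustration, and nested sections and inherited settings are not handled.

```python
import re

DEFAULT_RENEG_BUFFER = 131072  # limit reported in the error log above when the directive is unset
SECTION = re.compile(r"<(Location|Directory)\s+([^>]+)>(.*?)</\1>", re.S | re.I)

def php_size(value):
    """Convert PHP shorthand such as '20M' to bytes (K/M/G are powers of 1024)."""
    m = re.fullmatch(r"(\d+)\s*([KMG]?)", value.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * 1024 ** " KMG".index(m.group(2).upper() or " ")

def php_ini_value(ini_text, key):
    """Return the raw value of an uncommented 'key = value' line in php.ini text."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(\S+)", ini_text, re.M)
    if not m:
        raise KeyError(key)
    return m.group(1)

def audit(apache_conf, php_ini):
    """Return one finding per <Location>/<Directory> that sets SSLVerifyClient."""
    upload_max = php_size(php_ini_value(php_ini, "upload_max_filesize"))
    findings = []
    for kind, path, body in SECTION.findall(apache_conf):
        verify = re.search(r"^\s*SSLVerifyClient\s+(\w+)", body, re.M | re.I)
        if not verify or verify.group(1).lower() == "none":
            continue  # section does not request a client certificate
        size = re.search(r"^\s*SSLRenegBufferSize\s+(\d+)", body, re.M | re.I)
        buf = int(size.group(1)) if size else DEFAULT_RENEG_BUFFER
        findings.append({"section": f"{kind} {path.strip()}", "buffer": buf,
                         "upload_max": upload_max, "ok": buf >= upload_max})
    return findings

# Constructed sample inputs modelled on the settings quoted in the post.
PHP_INI = "upload_max_filesize = 20M\npost_max_size = 80M\n"
BEFORE = """<Location /morpheus>
  SSLVerifyClient require
  SSLVerifyDepth 1
</Location>"""
AFTER = BEFORE.replace("SSLVerifyDepth 1", "SSLVerifyDepth 1\n  SSLRenegBufferSize 20971520")

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for finding in audit(conf, PHP_INI):
            print(label, finding)
```

mod_ssl holds the request body in this buffer in memory while the renegotiation completes, so the value is best sized to the largest upload actually needed rather than to post_max_size.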

MySQL SSL connections not working with phpMyAdmin and mysqli

I had a problem with phpMyAdmin not using encrypted connections.

My server was correctly configured for SSL as indicated by:

SHOW VARIABLES LIKE '%ssl%'

Which returned:

Variable_name  Value
have_openssl   YES
have_ssl       YES
ssl_ca         /etc/mysql/cacert.pem
ssl_capath
ssl_cert       /etc/mysql/server-cert.pem
ssl_cipher
ssl_key        /etc/mysql/server-key.pem

However when I ran:

SHOW STATUS LIKE 'Ssl_cipher'

I got back a null result, indicating that the connection was not encrypted.

Eventually I figured out that the problem was caused by using the ‘mysqli’ provider for my connections in phpMyAdmin. When I switched my connections to use ‘mysql’ instead then encryption started working and an Ssl_cipher was reported.

I’d love to know what the actual problem is, but for now I’m just happy that my connections are actually encrypted. I spent a while hacking on the mysqli dbi interface to try and get it to play nice with SSL but I didn’t make any progress.

HTTPS and Client Certificates

I’m half-way through setting up my web-server for client certificate authentication. Have to get a few other things done first so I’m going to come back to this. Here are my notes so far.

I’m reading OpenSSL and Certificates over on Ubuntu help, and that seems to be a fairly good guide for setting up the server side of things.

I read this article on Email Certificates but that wasn’t that useful for what I’m doing.

I learned a little bit about the update-ca-certificates command that is part of the ca-certificates package, and maybe that will be useful down the track.

In my travels I discovered NSS and SSL Error Codes, but that’s probably not too useful either.

The OpenSSL FAQ was a really useful read. I’ll probably be referring back to that.

I learned about cacert.org which is interesting but probably something I won’t be using.

There’s an SSL Certificates HOWTO over on TLDP and if I can find the time I’d like to read that whole thing, although from what I’ve read so far it’s not complete.

The mod_ssl project has a really handy Reference for all the Apache configuration options, worth a read.

And that’s it for now. I’ll pick this up again in a day or two.