The Linux Page

SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET and ssl3_get_message:unexpected message

Today we had a problem with a combination of websites that we had never tried to run together.

Looking into it, it was definitely a problem with SSL. However, Apache2 would tell us absolutely nothing about it: nothing in the error or access logs. I think this is because the failure happens while Apache and the client negotiate the SSL connection, and Apache does not report such problems (at least by default; it might if you turn on some debug mode?)

We had two different settings for two websites, both using the snakeoil certificate. (As we test on VM machines, we use the snakeoil certificate as an easy way to check things, and it's free.)

The first website was very simple and had:

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>

The other website, which is more advanced than the first, included another file:

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    Include /etc/apache2/ssl-snap/snap-apache2-ssl.conf
</VirtualHost>

Our snap-apache2-ssl.conf file includes many parameters that tweak the SSL settings, including a list of ciphers. I did not try every single possible combination, but I am pretty certain that this was the culprit: the sites would not work because the two setups, which differed in their SSL settings, shared the same certificate. Apparently that is not allowed with Apache2 (we use 2.4.18-2ubuntu3.1 at the moment).

To fix the problem, I added the Include to the first VirtualHost. However, that file may not be installed on every machine, so I used IncludeOptional instead; that way it works either way.

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    IncludeOptional /etc/apache2/ssl-snap/snap-apache2-ssl.conf
</VirtualHost>
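As an added example (not part of the original post), the following POSIX shell script checks an Apache configuration for exactly this situation: <VirtualHost *:443> blocks that share one SSLCertificateFile but do not agree on their SSL tuning directives (SSL* directives other than SSLEngine and the key file, plus Include/IncludeOptional lines). The two configurations embedded in the script are constructed for this example; the ServerName values are placeholders, while the certificate paths and the Include file are the ones from this post. The conflicting_certs function reads configuration text on stdin, so on a real box you would run it as `cat /etc/apache2/sites-enabled/*.conf | conflicting_certs`.

```sh
#!/bin/sh
# Added example: flag <VirtualHost *:443> blocks that reuse the same
# SSLCertificateFile but carry different SSL tuning directives.

# Constructed sample, mirroring the post: site A has no Include,
# site B pulls in the cipher/tuning file. ServerName values are placeholders.
BROKEN_CONF='<VirtualHost *:443>
    ServerName site-a.example
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
<VirtualHost *:443>
    ServerName site-b.example
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    Include /etc/apache2/ssl-snap/snap-apache2-ssl.conf
</VirtualHost>'

# Constructed sample of the fix: both vhosts use IncludeOptional.
FIXED_CONF='<VirtualHost *:443>
    ServerName site-a.example
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    IncludeOptional /etc/apache2/ssl-snap/snap-apache2-ssl.conf
</VirtualHost>
<VirtualHost *:443>
    ServerName site-b.example
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    IncludeOptional /etc/apache2/ssl-snap/snap-apache2-ssl.conf
</VirtualHost>'

# vhost_signatures: read Apache config on stdin and print, per *:443 vhost,
#   <SSLCertificateFile> TAB <SSL tuning directives and Includes, ';'-joined>
# Directive order is kept as written, so reordered-but-equal vhosts would
# still be reported; that is a conservative choice for a quick audit.
vhost_signatures() {
    awk '
    /^[ \t]*<VirtualHost[ \t]+[^>]*:443>/ { inblock = 1; cert = "-"; sig = ""; next }
    /^[ \t]*<\/VirtualHost>/ {
        if (inblock) print cert "\t" (sig == "" ? "(defaults)" : sig)
        inblock = 0; next
    }
    inblock {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        n = split(line, f, /[ \t]+/)
        if (n == 0 || f[1] ~ /^#/) next            # blank line or comment
        if (f[1] == "SSLCertificateFile") { cert = f[2]; next }
        if (f[1] == "SSLEngine" || f[1] == "SSLCertificateKeyFile") next
        if (f[1] ~ /^(SSL|Include)/) sig = (sig == "" ? line : sig ";" line)
    }'
}

# conflicting_certs: print each certificate file whose vhosts do not all
# share one signature. Prints nothing when the configuration is consistent.
conflicting_certs() {
    vhost_signatures | sort -u | awk -F '\t' '{ n[$1]++ } END { for (c in n) if (n[c] > 1) print c }'
}

# audit_conf: convenience wrapper taking the configuration as a string.
audit_conf() {
    printf '%s\n' "$1" | conflicting_certs
}

# Stand-alone run: the broken sample reports the snakeoil certificate,
# the fixed sample reports nothing.
echo "broken config:"; audit_conf "$BROKEN_CONF"
echo "fixed config:";  audit_conf "$FIXED_CONF"
```

The script compares Include lines as text only; it does not open the included file, so two vhosts that include different files with identical contents are still reported, and a vhost that sets, say, SSLCipherSuite inline while its sibling gets the same value through an Include is reported as well. Both are exactly the cases worth a second look before Apache starts serving them.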

Note:

I got the first two errors in my browsers; the last one is what you see with wget -S <page url>:

  • SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET
  • ssl3_get_message:unexpected message

My partner also ran into SSL_ERROR_RX_RECORD_TOO_LONG, which was caused by a port forwarding issue. More or less, he was not actually reaching Apache2 at all: the router in between was not able to forward port 443 and returned that kind of error.