How do I resolve the error "SSL received a record that exceeded the maximum permissible length" in apache2?

I am getting the following error on a site I've just set up in Apache 2:

SSL received a record that exceeded the maximum permissible length

The fixes I've seen around suggest that a fix is to be sure the default-ssl site is enabled, which I have done, but am still getting the error.


That usually means that you are sending an HTTPS request to an HTTP service. The message is from the browser complaining that it was unable to complete the SSL handshake that it was expecting.

Do you have

SSLEngine on

configured for that vhost?


It's possible to get this error if your virtual host configuration is incomplete and relies on ssl.conf (vendor installed) to do the setup for you. For example, if you have something like this (RHEL7/httpd 2.4):

/etc/httpd/conf.d/confluence.conf

<VirtualHost *:443>
    ServerName  localhost.localdomain
    DocumentRoot /var/www/html
</VirtualHost>

/var/www/html/index.html

helo

Then because confluence.conf is alphabetically before ssl.conf, the SSL virtual host will not yet have been evaluated and httpd will use port 443 to serve unencrypted data, which you can prove like this:

[root@localhost ~]# curl https://localhost.localdomain 
curl: (35) SSL received a record that exceeded the maximum permissible length.
[root@localhost ~]# curl http://localhost.localdomain:443   
helo

In this case we can see the second curl works because the connection on port 443 is speaking plain HTTP.

If we rename confluence.conf to be alphabetically after ssl.conf, then the SSL port will have been set up and it all starts working, e.g.:

[root@localhost vagrant]# curl https://localhost.localdomain -k
curl: (35) SSL received a record that exceeded the maximum permissible length.
[root@localhost vagrant]# mv /etc/httpd/conf.d/confluence.conf /etc/httpd/conf.d/t.conf         
[root@localhost vagrant]# systemctl restart httpd
[root@localhost vagrant]# curl https://localhost.localdomain -k
helo

My recommendation to fix this would be to configure mod_ssl within the VirtualHost directive:

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

Alternatively, renaming the file containing the VirtualHost definition to come alphabetically after ssl.conf will work, but this technique can be easily overlooked.
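
An added example, not part of the answers above: a small check that flags every `<VirtualHost>` bound to port 443 that does not itself set `SSLEngine on`, which is the condition both answers point to. The function name and the sample configuration are constructed for illustration; the check assumes directives are written directly inside the block and does not follow `Include` lines or server-level settings.

```python
import re

# Constructed sample: the incomplete vhost from the answer, plus a complete one.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName  localhost.localdomain
    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *:443 [::]:443>
    ServerName  secure.example.test
    # SSLEngine off   (comment line, must be ignored)
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""

OPEN_RE = re.compile(r"<VirtualHost\s+([^>]*)>", re.I)
CLOSE_RE = re.compile(r"</VirtualHost\s*>", re.I)


def vhosts_missing_sslengine(conf_text, port="443"):
    """Return (line_number, server_name) for each <VirtualHost> bound to
    `port` that does not contain 'SSLEngine on' inside the block."""
    findings = []
    current = None  # state of the vhost being read, None outside a block
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # httpd comments start the line
            continue
        m = OPEN_RE.match(line)
        if m:
            # A vhost may list several addresses, e.g. "*:443 [::]:443".
            on_port = any(a.rsplit(":", 1)[-1] == port for a in m.group(1).split())
            current = {"line": lineno, "on_port": on_port, "name": None, "ssl": False}
        elif current is not None and CLOSE_RE.match(line):
            if current["on_port"] and not current["ssl"]:
                findings.append((current["line"], current["name"]))
            current = None
        elif current is not None:
            parts = line.split()
            key = parts[0].lower()  # directive names are case-insensitive
            if key == "servername" and len(parts) > 1:
                current["name"] = parts[1]
            elif key == "sslengine" and len(parts) > 1:
                current["ssl"] = parts[1].lower() == "on"
    return findings
```

Running it over each file in the configuration directory catches the problem regardless of the order in which the files are loaded.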