[solved] SSL 500 Internal Server error with Mac/iPad/Safari

Discussion in 'Install/Configuration' started by thehelpdesk, Feb 10, 2011.

  1. thehelpdesk

    thehelpdesk New Member

    We've got LiteSpeed Web Server 4.0.19 installed on a CentOS 5.5 x86_64 base. A chained CA SSL certificate is installed on one of the virtual hosts as an SSL listener on the standard port 443.

    All Windows-based browsers and clients can access the site without any problems over SSL. However, when a Mac with Safari or Chrome, or an iPad, tries to access the site they get a 500 Internal Server error. When this certificate is installed on an Apache server there's no problem or error with any clients on Windows or Mac.

    It seemed to be an SSL negotiation error so we referenced Apple's mod_ssl developer list and changed the LiteSpeed Web Server cipher manually to "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL" as a test, but that still does not work for these Mac-based clients. We then backed out SSLv2 and enabled SSLv3 and TLSv1 as another test, "ALL:!ADH:!EXPORT56:RC4+RSA:+SSLv3:-SSLv2:+TLSv1:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL", but this also fails for these Mac-based clients.

    When the entire site structure is removed and we only have a "hello world" file there the clients get a timeout error. We have increased all the LSWS timeouts, dynamic and static etc, to 60 seconds and longer to no avail.

    Has anyone else experienced problems with SSL and LSWS web server like this and been able to overcome them?
    Last edited by a moderator: Feb 12, 2011
  2. mistwang

    mistwang LiteSpeed Staff

    Enable debug logging, then check the error log.
  3. thehelpdesk

    thehelpdesk New Member

    We've enabled Debug logging at the Server and Virtual Host levels, restarted LSWS, and reviewed the error log. The error log does not log anything in relation to the hits/500 time out errors we're seeing on the Mac-based computers. We also don't see anything logged in relation to them in the access log, which seems to indicate it's dying out at the encryption or protocol level.
  4. mistwang

    mistwang LiteSpeed Staff

    Can you try tcpdump on the server side or the Mac side?

    tcpdump -s0 -X host <ip_of_peer>
  5. NiteWave

    NiteWave Administrator

    Confirmed to be a firewall issue and fixed. From the customer:
    "there was an errant firewall rule ... That has been corrected and now the SSL encryption is going through... not LiteSpeed's SSL implementation"
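
The thread ends with the failure traced to a firewall rule rather than the cipher list. As an added example (not part of the thread and not LiteSpeed code), this Python probe reports whether a connection stops at TCP connect, stalls during the TLS handshake, or is actively refused by the server. `probe_tls` and `silent_listener` are hypothetical names, and the silent listener is a constructed local stand-in for a path that passes TCP but never answers TLS.

```python
import socket
import ssl


def probe_tls(host, port, timeout=5.0):
    """Return (stage, detail): the point at which an HTTPS connection stopped."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp", "connect timed out")
    except OSError as exc:
        return ("tcp", f"connect failed: {exc}")
    ctx = ssl.create_default_context()
    # Diagnostic only: certificate checks are off because we are locating
    # where the handshake stalls, not deciding whether to trust the peer.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", f"{tls.version()} {tls.cipher()[0]}")
    except socket.timeout:
        # TCP is up but no ServerHello came back within the timeout.
        return ("tls-timeout", "no reply to ClientHello")
    except ssl.SSLError as exc:
        # The server answered and refused: a protocol or cipher mismatch.
        return ("tls-alert", str(exc))
    except OSError as exc:
        return ("tls-reset", f"connection dropped mid-handshake: {exc}")
    finally:
        sock.close()


def silent_listener():
    """Constructed stand-in: TCP completes, but TLS is never answered."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # kernel finishes the TCP handshake; accept() is never called
    return srv


if __name__ == "__main__":
    srv = silent_listener()
    print(probe_tls("127.0.0.1", srv.getsockname()[1], timeout=2.0))
    srv.close()
```

A `tls-alert` result points at the cipher or protocol configuration, while `tcp` or `tls-timeout` with nothing in the server's debug log points at something on the path, which is where a packet capture on both ends helps.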
