Debugging “SSL Input Filter Read Failed” Errors in Apache HTTPS Configuration


When examining Apache error logs, you might encounter repeated entries like:

[client xxx.xxx.xx.xx] AH01991: SSL input filter read failed.
(70014)End of file found: [client xxx.xxx.xx.xx] AH01991: SSL input filter read failed.
(70007)The timeout specified has expired: [client xxx.xxx.xx.xx] AH01991: SSL input filter read failed.

These messages are logged when mod_ssl fails to read data from a client connection, which typically points to a problem with the SSL/TLS handshake or with connection stability.

Several factors could contribute to these SSL read failures:

  • Incomplete SSL certificate chain configuration
  • Mismatched protocols between client and server
  • Network timeouts during handshake
  • Resource constraints on the server
  • Mixed HTTP/HTTPS content issues

Let's examine the critical SSL configuration elements in your virtual host:

SSLEngine on
SSLCertificateFile ./mywebsite.crt
SSLCertificateKeyFile ./mywebsite.key
SSLCertificateChainFile ./intermediate.crt

Potential issues here include:

  1. Relative paths for certificate files (should use absolute paths)
  2. Missing SSLProtocol and SSLCipherSuite directives
  3. No timeout configuration for SSL handshakes

Here's an improved SSL virtual host configuration:


<VirtualHost *:443>
    ServerName www.mywebsite.com
    DocumentRoot /home/mywebsite/www/public

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/mywebsite.crt
    SSLCertificateKeyFile /etc/ssl/private/mywebsite.key
    # Intermediate CA certificate(s) sent to clients along with the server certificate
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt

    # Security enhancements: allow only TLS 1.2 and newer
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    SSLCompression off

    # Timeout adjustments (seconds Apache waits on network I/O)
    Timeout 300
    # This host does not proxy to HTTPS backends
    SSLProxyEngine off

    # HSTS header for security (requires mod_headers)
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

    # Logging configuration
    ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
</VirtualHost>

To troubleshoot further, use these commands:

# Check SSL handshake
openssl s_client -connect www.mywebsite.com:443 -showcerts

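# Verify certificate chain (trusted roots via -CAfile, intermediate via -untrusted)
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted /etc/ssl/certs/intermediate.crt /etc/ssl/certs/mywebsite.crt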

# Check Apache SSL module status
apachectl -M | grep ssl

For high-traffic sites, consider adding these optimizations:

# Enable SSL session caching (server-wide directive, set outside <VirtualHost>)
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300

# OCSP Stapling for better performance (SSLStaplingCache is also server-wide)
SSLUseStapling on
SSLStaplingCache "shmcb:/var/run/ocsp(128000)"

When examining Apache error logs with SSL-related failures, we typically encounter two distinct error patterns:

[client 192.168.1.100] AH01991: SSL input filter read failed. (70014)End of file found
[client 192.168.1.100] AH01991: SSL input filter read failed. (70007)The timeout specified has expired
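
Added example (not from the original page): a small Python triage script that counts AH01991 entries by APR status code (70014 end of file, 70007 timeout) and by client, accepting both line layouts shown on this page. The sample log lines, the function names and the documentation-range IP addresses are constructed for illustration.

```python
import re
from collections import Counter

# APR status codes that accompany AH01991 in the log lines shown on this page
APR_STATUS = {"70014": "eof", "70007": "timeout"}

CLIENT_RE = re.compile(r"\[client ([^\]\s]+)\]")
STATUS_RE = re.compile(r"\((\d+)\)")  # e.g. "(70014)End of file found"

# Constructed sample lines (not real traffic); both layouts from the page appear
SAMPLE_LOG = [
    "[ssl:info] [pid 2101] (70014)End of file found: [client 192.0.2.10:51234] AH01991: SSL input filter read failed.",
    "[ssl:info] [pid 2101] (70007)The timeout specified has expired: [client 192.0.2.10:51240] AH01991: SSL input filter read failed.",
    "[client 192.168.1.100] AH01991: SSL input filter read failed. (70014)End of file found",
    "[client 198.51.100.7] AH01991: SSL input filter read failed.",
    "[core:notice] [pid 2101] AH00094: Command line: '/usr/sbin/apache2'",
]


def parse_ah01991(line):
    """Return (client_ip, kind) for an AH01991 entry, or None for other lines."""
    if "AH01991" not in line:
        return None
    m = CLIENT_RE.search(line)
    addr = m.group(1) if m else "unknown"
    if addr.count(":") == 1:  # IPv4 "addr:port" -> drop the source port
        addr = addr.rsplit(":", 1)[0]
    s = STATUS_RE.search(line)
    # No status code on the line -> "unspecified"; a code not listed above -> "other"
    kind = APR_STATUS.get(s.group(1), "other") if s else "unspecified"
    return addr, kind


def summarize(lines, top=3):
    """Count AH01991 entries per failure kind and per client address."""
    kinds, clients = Counter(), Counter()
    for line in lines:
        hit = parse_ah01991(line)
        if hit:
            clients[hit[0]] += 1
            kinds[hit[1]] += 1
    return {"total": sum(kinds.values()), "kinds": dict(kinds),
            "top_clients": clients.most_common(top)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To run it against a real log, pass the open ErrorLog file object to summarize() in place of SAMPLE_LOG.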

The current VirtualHost setup shows several potential weak points in SSL handling:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile ./mywebsite.crt
    SSLCertificateKeyFile ./mywebsite.key
    SSLCertificateChainFile ./intermediate.crt
</VirtualHost>

  • Certificate path issues (relative paths like "./" are problematic)
  • Missing SSL protocol directives
  • Incomplete cipher suite configuration
  • Timeout conflicts between Apache and client

Here's a more robust SSL configuration example:

<VirtualHost *:443>
    ServerName www.mywebsite.com
    DocumentRoot /home/mywebsite/www/public
    
    SSLEngine on
    # Allow only TLS 1.2 and newer
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    
    # Absolute paths for certificates
    SSLCertificateFile /etc/ssl/certs/mywebsite.crt
    SSLCertificateKeyFile /etc/ssl/private/mywebsite.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
    
    # Timeout adjustments
    TimeOut 300
    KeepAlive On
    KeepAliveTimeout 5
</VirtualHost>

To identify specific problems:

# Verify SSL handshake
openssl s_client -connect www.mywebsite.com:443 -showcerts -servername www.mywebsite.com

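# Check certificate chain (trusted roots via -CAfile, intermediate via -untrusted)
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted /etc/ssl/certs/intermediate.crt /etc/ssl/certs/mywebsite.crt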

For high-traffic sites, consider these additions:

# Enable SSL session caching (server-wide directive, set outside <VirtualHost>)
SSLSessionCache "shmcb:/var/run/apache2/ssl_scache(512000)"
SSLSessionCacheTimeout 300

# OCSP Stapling configuration (SSLStaplingCache is also server-wide)
SSLUseStapling on
SSLStaplingCache "shmcb:/var/run/apache2/ssl_stapling(32768)"

After configuration changes:

apachectl configtest
systemctl restart apache2