How to Fix “SSL received a record that exceeded the maximum permissible length” Error in Apache2 Web Server

This notorious Apache2 error typically occurs when:

  • The SSL handshake process fails due to oversized records
  • There's a mismatch between client and server SSL/TLS configurations
  • Certificate chain issues exist in the SSL configuration

First, verify your SSL virtual host is properly configured:


<VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot /var/www/html
    
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/privkey.pem
    SSLCertificateChainFile /path/to/chain.pem
    
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
</VirtualHost>

If the basic configuration doesn't resolve the issue, try these additional measures:

1. Check for Certificate Chain Issues

openssl s_client -connect yourdomain.com:443 -showcerts

This will show the complete certificate chain being presented.

2. Adjust SSL Buffer Size

Add to your Apache configuration:

SSLRenegBufferSize 1048576

3. Verify Protocol Compatibility

Modern systems should use:


SSLProtocol TLSv1.2 TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

Enable verbose SSL logging in your Apache config:


# Raise only mod_ssl to debug; everything else stays at warn
LogLevel warn ssl:debug
ErrorLog ${APACHE_LOG_DIR}/ssl_error.log

Also rule out these common causes:

  • Missing intermediate certificates
  • Outdated OpenSSL versions
  • Incorrect file permissions on SSL certificates
  • Client-side browser caching issues

After making changes, test with:

apachectl configtest
systemctl restart apache2
openssl s_client -connect localhost:443 -state -debug


The error "SSL received a record that exceeded the maximum permissible length" typically occurs when Apache2 encounters an oversized SSL/TLS record during the handshake process. This often happens due to misconfigured SSL settings or incompatible cipher suites.

Common causes include:

  • Missing or misconfigured SSLEngine directive
  • Incorrect SSLProtocol settings
  • Problematic cipher suite configurations
  • Missing default SSL virtual host
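
As an added example (not code from the original post): the error text comes from the client's check on the first five bytes it reads back from port 443, and this Python script, run against constructed sample replies, shows how a plaintext HTTP answer (what a VirtualHost without SSLEngine on returns) decodes to a record length far above the TLS limit while a real ServerHello does not. The probable-cause strings are assumptions drawn from the causes listed on this page.

```python
import struct

# TLS record-layer ceiling for ciphertext (RFC 5246, section 6.2.3): 2^14 + 2048.
# A client that reads a 5-byte record header with a larger length field gives up
# with a "record exceeded the maximum permissible length" style error.
MAX_TLS_RECORD_LEN = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Probable cause per verdict (assumed mapping, based on the causes listed on this page).
PROBABLE_CAUSE = {
    "record_too_long:plaintext_http": "port 443 answered with plain HTTP: "
        "check 'SSLEngine on' and the default SSL VirtualHost",
    "record_too_long": "peer did not send a TLS record: check what is listening on that port",
    "not_tls": "bytes are not a TLS record header: inspect with openssl s_client -debug",
}

def parse_record_header(data: bytes):
    """Decode the 5-byte TLS record header: (content_type, (major, minor), length)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return content_type, (major, minor), length

def classify_first_bytes(data: bytes) -> str:
    """Mimic the client's first check on the bytes received after its ClientHello."""
    if len(data) < 5:
        return "short"
    content_type, (major, _minor), length = parse_record_header(data)
    # The length check runs before any content-type check, which is why a
    # plaintext reply such as "HTTP/1.1 400 ..." surfaces as an oversized record:
    # its 4th and 5th bytes ("P/") decode as length 0x502f = 20527.
    if length > MAX_TLS_RECORD_LEN:
        if data.startswith(b"HTTP/"):
            return "record_too_long:plaintext_http"
        return "record_too_long"
    if content_type in TLS_CONTENT_TYPES and major == 3:
        return "tls:" + TLS_CONTENT_TYPES[content_type]
    return "not_tls"

def diagnose(data: bytes) -> str:
    """Verdict plus probable cause for the first bytes read from the server."""
    verdict = classify_first_bytes(data)
    return verdict + (" -> " + PROBABLE_CAUSE[verdict] if verdict in PROBABLE_CAUSE else "")

if __name__ == "__main__":
    # Constructed samples: a ServerHello header, a TLS alert, and the plaintext
    # reply Apache sends when SSL is not enabled on the port.
    for s in (b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03",
              b"\x15\x03\x03\x00\x02\x02\x28",
              b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"):
        print(repr(s[:12]), "->", diagnose(s))
```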

First, check if your SSL virtual host is properly configured:


<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile /path/to/your/cert.pem
    SSLCertificateKeyFile /path/to/your/privkey.pem
    SSLCertificateChainFile /path/to/your/chain.pem
</VirtualHost>

You can diagnose the issue using OpenSSL:


openssl s_client -connect yourdomain.com:443 -showcerts

Look for any errors during the handshake process.

If the issue persists, try increasing the SSL buffer size in your Apache configuration:


SSLVerifyDepth 10
SSLSessionCacheTimeout 300
SSLRenegBufferSize 10486000

Ensure you're not mixing incompatible protocols. A modern secure configuration should look like:


SSLProtocol TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on

After making changes:

  1. Restart Apache after making changes: sudo systemctl restart apache2
  2. Verify your configuration: apachectl configtest
  3. Check error logs: tail -f /var/log/apache2/error.log