miyagawa / Starman

Starman is a high-performance preforking Perl PSGI web server
http://search.cpan.org/dist/Starman

Help with SSL support #115

Open billmoseley opened 9 years ago

billmoseley commented 9 years ago

I've been trying to get starman running with SSL for some local testing, but not having any luck. It's reporting no shared ciphers.

So, I'm looking for some pointers or an example.

Starman 0.4010, IO-Socket-SSL-2.016, CentOS release 6.5

I tried creating a self-signed certificate with:

openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out csr.pem
openssl req -x509 -days 365 -key key.pem -in csr.pem -out certificate.pem

And then running starman with:

starman --enable-ssl --ssl-key-file=key.pem --ssl-cert-file=certificate.pem --listen :2099:ssl app.psgi

2015/07/14-21:00:35 Starman::Server (type Net::Server::PreFork) starting! pid(24111)
Resolved [*]:2099 to [0.0.0.0]:2099, IPv4
Binding to SSL port 2099 on host 0.0.0.0 with IPv4
Setting gid to "1359 1359 10 1359 1626 1796 12000"
Could not finalize SSL connection with client handle (SSL accept attempt failed error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher)

I also tried using the ssl_key.pem from the Starman distribution and running per the ssl.t file:

starman --enable-ssl --ssl-key-file=ssl_key.pem --ssl-cert-file=ssl_key.pem --listen :2099:ssl app.psgi

with the same results. Tried Firefox and Chrome, as well as LWP (lwp-request).

Thanks,

ap commented 9 years ago
                                                                    ↓↓↓
starman --enable-ssl --ssl-key-file=ssl_key.pem --ssl-cert-file=ssl_key.pem --listen :2099:ssl app.psgi
                                                      ↑↑↑↑

Was that just a mistake while typing up this issue, or is that the way you actually ran it?

billmoseley commented 9 years ago

@ap, note that I said I also tried that command because of what I saw in the ssl.t test. See:

https://github.com/miyagawa/Starman/blob/master/t/ssl.t#L41

The ssl_key.pem file in the distribution has both the private key and the certificate.

That resulted in the same issue.

Using the above openssl commands and the starman command listed first, are you able to get SSL to work?

Thanks,

cwallacetlc commented 8 years ago

Any news on this one? I'm getting the same thing.

$ starman -E development --ssl-key-file=key.pem --ssl-cert-file=certificate.pem  --listen :5000 --listen :5001:ssl --workers=10 bin/app.psgi --access-log /dev/null
2016/03/17-12:46:36 Starman::Server (type Net::Server::PreFork) starting! pid(32411)
Resolved [*]:5000 to [::]:5000, IPv6
Not including resolved host [0.0.0.0] IPv4 because it will be handled by [::] IPv6
Resolved [*]:5001 to [::]:5001, IPv6
Not including resolved host [0.0.0.0] IPv4 because it will be handled by [::] IPv6
Binding to TCP port 5000 on host :: with IPv6
Binding to SSL port 5001 on host :: with IPv6
Setting gid to "1000 1000 0 4 24 25 27 29 33 44 46 50 108 113 115 129 1000"
Passed serialize value of none is incompatible with multiple ports - using default serialize
Starman: Accepting connections at http://*:5000/
Could not finalize SSL connection with client handle (SSL accept attempt failed error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher)

dracos commented 5 years ago

> Any news on this one? I'm getting the same thing.

You, and the original poster, are using the wrong command line parameters (this has bitten me too). The error could be better! You need to use ssl-key and ssl-cert for starman; the ones you are using are for plackup.

aa153 commented 3 years ago

I had such an issue and resolved it by installing python-certbot-apache from the Debian apt repo.

But now I have another issue:

SSL_cert_file /etc/letsencrypt/live/.._domain_here_../cert.pem can't be used: Permission denied at /usr/local/share/perl/5.28.1/IO/Socket/SSL.pm line 2375.

chown of dir doesn't help.
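
A preflight check for the two failures reported in this thread (plackup's option names passed to starman, and a certificate file the server's user cannot open), as an added example that is not part of the thread or of Starman. The function names are hypothetical, and the PEM check only looks for the block header; it does not validate the key or certificate.

```shell
#!/usr/bin/env bash
# Added example: preflight for a starman TLS listener. Not Starman's own code.
# Corrected form of the first command in the thread, per dracos's comment:
#   starman --enable-ssl --ssl-key=key.pem --ssl-cert=certificate.pem --listen :2099:ssl app.psgi

# Flag starman arguments that use plackup's option names.
# Prints one line per finding; returns 1 if anything was found.
check_starman_flags() {
    local bad=0 arg
    for arg in "$@"; do
        case "$arg" in
            --ssl-key-file|--ssl-key-file=*)
                echo "plackup option $arg: starman expects --ssl-key"; bad=1 ;;
            --ssl-cert-file|--ssl-cert-file=*)
                echo "plackup option $arg: starman expects --ssl-cert"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Check that a PEM file can be opened by the current user and holds the
# expected block type ("CERTIFICATE" or "PRIVATE KEY").
check_pem() {
    local path="$1" kind="$2"
    # -r resolves symlinks and needs search permission on every parent
    # directory, so an unreadable directory above the file fails here too.
    if [ ! -r "$path" ]; then
        echo "$path: missing or not readable by $(id -un)"; return 1
    fi
    # "CERTIFICATE-----" does not match a CSR ("CERTIFICATE REQUEST-----").
    if ! grep -q -- "-----BEGIN .*${kind}-----" "$path"; then
        echo "$path: no $kind block found"; return 1
    fi
}

# usage: preflight KEY CERT [starman args...]
# Runs every check and returns 1 if any of them failed.
preflight() {
    local key="$1" cert="$2" rc=0
    shift 2
    check_starman_flags "$@" || rc=1
    check_pem "$key" "PRIVATE KEY" || rc=1
    check_pem "$cert" "CERTIFICATE" || rc=1
    return "$rc"
}
```

Run `preflight` as the account the workers will run under, since the readability test reflects the calling user's permissions.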