SSL Error: Record Exceeded Maximum Permissible Length - Analysis and Solutions

Nov 20, 2025 · Programming · 16 views · 7.8

Keywords: SSL Error | Apache Configuration | HTTPS Redirection | Port Configuration | TLS Handshake

Abstract: This paper provides an in-depth analysis of the SSL_ERROR_RX_RECORD_TOO_LONG error, examining key factors including port misconfiguration, HTTPS redirection issues, and Apache SSL module setup. Through detailed code examples and configuration analysis, it offers comprehensive solutions from diagnosis to resolution, helping developers and system administrators effectively address SSL/TLS connection problems.

Error Phenomenon and Background

When configuring HTTPS services on Apache servers, users frequently encounter the error "SSL received a record that exceeded the maximum permissible length", reported by Firefox with the error code ssl_error_rx_record_too_long. The error is raised at the very start of the TLS handshake: the client parses the first bytes it receives from the server as a TLS record header and finds a length field larger than the protocol allows. In practice this almost always means the server answered in plaintext HTTP rather than with a TLS record.

Root Cause Analysis

Based on case analysis, the primary cause of this error is a port configuration mismatch. When an application sends an HTTPS request to the HTTP default port 80, the server expects plaintext HTTP while the client attempts a TLS handshake, and the two sides talk past each other. The same symptom appears when the mismatch is on the server side: Apache is listening on port 443 but the virtual host bound to that port does not have mod_ssl switched on, so port 443 also answers in plaintext.

Consider the following erroneous redirection code example:

// Incorrect redirection implementation
function redirectToSecure() {
    // Incorrectly specifying port 80
    window.location.href = "https://example.com:80/secure-page";
}

The correct implementation should omit the port number or explicitly use port 443:

// Correct redirection implementation
function redirectToSecure() {
    // Using default HTTPS port 443
    window.location.href = "https://example.com/secure-page";
    
    // Or explicitly specify port 443
    // window.location.href = "https://example.com:443/secure-page";
}

Technical Details of Protocol Confusion

During TLS connection establishment the client's first message is a ClientHello, carried in a TLS record: a 5-byte record header (content type 0x16 for handshake, the record-layer protocol version, and a 16-bit length) followed by the handshake body with the client version, random value, session ID, cipher suite list, compression methods and extensions. When that record reaches a port that speaks plain HTTP, the server's HTTP parser cannot make a request line out of the binary bytes and answers in plaintext, typically with an HTTP 400 Bad Request. The client then reads that plaintext reply as if it were a TLS record: the 'H' becomes the content type, 'TT' the protocol version, and 'P/' (0x50 0x2F) the length field, which decodes to 20,527 bytes. That exceeds the 2^14 + 2048 bytes a TLS 1.2 record may carry, so the client aborts with ssl_error_rx_record_too_long before a single handshake message is processed. No certificate or cipher suite problem is involved; the port simply does not speak TLS.

The following structures, in the presentation language of RFC 5246, show the record layer and the ClientHello body that the client sends:

struct {
    ContentType type;                       // 22 (0x16) for handshake messages
    ProtocolVersion version;                // record-layer version, e.g. {3, 1} in a first ClientHello
    uint16 length;                          // at most 2^14 + 2048 (TLS 1.2); larger values are rejected
    opaque fragment[TLSPlaintext.length];   // the handshake message(s)
} TLSPlaintext;

struct {
    ProtocolVersion client_version;                    // highest version the client supports
    Random random;                                     // 32-byte client random value
    SessionID session_id<0..32>;                       // empty unless a session is being resumed
    CipherSuite cipher_suites<2..2^16-2>;              // list of 2-byte cipher suite identifiers
    CompressionMethod compression_methods<1..2^8-1>;   // null compression only, in practice
    Extension extensions<0..2^16-1>;                   // e.g. server_name (SNI)
} ClientHello;

The angle-bracket notation marks variable-length vectors prefixed by their byte length; the record header's length field is what the client checks first, which is why a plaintext reply is rejected on its first five bytes.
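The following example reproduces the failure mechanism above in code. It is an added example, not code from the original article: it builds a real ClientHello record, parses a record header exactly as the client does, and shows why a constructed plaintext "HTTP/1.1 400 Bad Request" reply (the sample bytes are constructed here, not captured) decodes to a length of 20,527 and trips the record-length check. The probe_tls_port function is a scripted equivalent of the openssl s_client check from the Diagnostic Tool Usage section and needs network access; everything else runs offline. The cipher suite values and hostname are illustrative assumptions.

```python
import os
import socket
import struct

# Record-layer limits from RFC 5246: a plaintext fragment is at most 2^14 bytes and a
# ciphertext record at most 2^14 + 2048 bytes. A client rejects any record header whose
# length field is larger than that; Firefox reports it as ssl_error_rx_record_too_long.
MAX_PLAINTEXT_FRAGMENT = 2 ** 14
MAX_CIPHERTEXT_LENGTH = MAX_PLAINTEXT_FRAGMENT + 2048

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
RECORD_VERSION_TLS10 = 0x0301   # record-layer version clients put on the first ClientHello
CLIENT_VERSION_TLS12 = 0x0303

# Constructed sample (assumption): the first bytes an HTTP-only port sends back, in
# plaintext, when a binary TLS ClientHello arrives and the request line cannot be parsed.
HTTP_400_REPLY = (b"HTTP/1.1 400 Bad Request\r\n"
                  b"Content-Type: text/html; charset=iso-8859-1\r\n"
                  b"Connection: close\r\n\r\n")


def build_client_hello(cipher_suites, server_name=None, client_random=None):
    """Return one TLS record carrying a minimal TLS 1.2 ClientHello (SNI is the only extension)."""
    client_random = client_random or os.urandom(32)
    body = struct.pack("!H", CLIENT_VERSION_TLS12) + client_random
    body += b"\x00"                                          # session_id<0..32>: empty
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites          # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                                      # compression_methods<1..2^8-1>: null
    extensions = b""
    if server_name:
        host = server_name.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host   # NameType host_name(0)
        sni = struct.pack("!H", len(name_list)) + name_list
        extensions += struct.pack("!HH", 0x0000, len(sni)) + sni   # ExtensionType server_name(0)
    body += struct.pack("!H", len(extensions)) + extensions  # extensions<0..2^16-1>
    # Handshake header: HandshakeType (1 byte) + 24-bit body length
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: ContentType (1) | ProtocolVersion (2) | length (2), then the fragment
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, RECORD_VERSION_TLS10, len(handshake)) + handshake


def parse_record_header(data):
    """Decode the 5-byte record header the way a client does on the server's first reply."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    return content_type, version, length


def classify_server_bytes(data):
    """Return 'record_too_long' when the header's length field breaks the record-layer limit."""
    _, _, length = parse_record_header(data)
    return "record_too_long" if length > MAX_CIPHERTEXT_LENGTH else "tls"


def probe_tls_port(host, port=443, timeout=5.0):
    """Live equivalent of 'openssl s_client -connect host:port' (requires network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello([0xC02F, 0xC030], server_name=host))
        reply = sock.recv(5)
    return classify_server_bytes(reply), reply


if __name__ == "__main__":
    ct, ver, length = parse_record_header(HTTP_400_REPLY)
    print(f"'HTTP/' read as a record header: type=0x{ct:02x} version=0x{ver:04x} length={length}")
    print("client verdict:", classify_server_bytes(HTTP_400_REPLY))   # record_too_long
```

Running the script prints type 0x48, version 0x5454 and length 20527 for the plaintext reply, which is the arithmetic behind the error message. A genuine TLS server answers the ClientHello with a record whose first byte is 0x16 and whose length is well under the limit, so classify_server_bytes returns "tls".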

Apache Server Configuration Verification

Ensuring that mod_ssl is loaded and that the SSL virtual host is enabled is crucial. On Debian and Ubuntu, use the a2enmod/a2ensite helpers:

# Load mod_ssl; Debian's ports.conf wraps "Listen 443" in <IfModule ssl_module>, so port 443 is only opened once the module is loaded
a2enmod ssl

# Enable the SSL site (sites-available/default-ssl.conf); its <VirtualHost *:443> block must contain "SSLEngine on"
a2ensite default-ssl

# Check the syntax before touching the running server
apache2ctl configtest

# Reload Apache configuration
service apache2 reload

# Or restart Apache service
service apache2 restart

Verify that the SSL module is loaded and that a virtual host is actually bound to port 443:

# Check loaded modules
apache2ctl -M | grep ssl

# Expected output should include:
# ssl_module (shared)

# List the virtual hosts Apache has parsed; an entry for port 443 should appear
apache2ctl -S

Symbolic Link Configuration Check

On Debian-based systems Apache only includes the files matched by sites-enabled/*.conf (the IncludeOptional line in apache2.conf), and sites-enabled holds symbolic links pointing at the real files in sites-available. a2ensite creates that link for you; if you create it by hand, the link name must keep the .conf suffix or the site is silently ignored (Apache 2.2 on older Debian releases used files without the suffix, which is where the bare default-ssl name comes from):

# Create a symbolic link in sites-enabled that points to the file in sites-available
ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf

# Verify the link exists and resolves to the intended file
ls -la /etc/apache2/sites-enabled/ | grep default-ssl
readlink -f /etc/apache2/sites-enabled/default-ssl.conf
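Beyond checking that the link exists, the content of the enabled site decides whether port 443 speaks TLS. The following added example (not part of the original article) embeds two constructed Apache configurations, a broken one and a corrected one, and runs a small check over them: port 443 must be listened on, the port-443 virtual host must have SSLEngine on with a certificate, and no Redirect or RewriteRule may send browsers to https on port 80, which is the redirection mistake discussed earlier. The hostnames and certificate paths are assumptions; the parser handles only the directives it checks and is not a general Apache config parser.

```python
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
LISTEN_RE = re.compile(r"^Listen\s+(?:\S*:)?(\d+)", re.I)
HTTPS_ON_PORT_80_RE = re.compile(r"https://[^\s/]+:80(?:/|\s|$)", re.I)
DEFAULT_SSLENGINE = "off"   # mod_ssl's default when the directive is absent

# Constructed sample: port 443 is opened but its vhost never switches mod_ssl on, and the
# port-80 vhost redirects to https on port 80. Both produce ssl_error_rx_record_too_long.
BROKEN_CONFIG = """
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com:80/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
</VirtualHost>
"""

# Constructed sample: the same site once it is correct (certificate paths are assumptions).
FIXED_CONFIG = """
Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
</VirtualHost>
"""


def _strip_comments(text):
    return "\n".join(line.split("#", 1)[0].rstrip() for line in text.splitlines())


def _port_of(addr):
    """Port in a VirtualHost address (*:443, 10.0.0.1:80, [::1]:443); Apache defaults to 80."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else 80


def parse_apache_config(text):
    """Return (set of Listen ports, list of vhosts); each vhost keeps its directives in order."""
    text = _strip_comments(text)
    listen_ports = set()
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            listen_ports.add(int(m.group(1)))
    vhosts = []
    for m in VHOST_RE.finditer(text):
        addrs = m.group(1).split()
        directives = []
        for line in m.group(2).splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2:
                directives.append((parts[0].lower(), parts[1].strip()))
        vhosts.append({"addr": " ".join(addrs),
                       "ports": {_port_of(a) for a in addrs},
                       "directives": directives})
    return listen_ports, vhosts


def check_tls_config(text):
    """Findings that make a browser see plaintext where it expects TLS; [] means clean."""
    findings = []
    listen_ports, vhosts = parse_apache_config(text)
    if 443 not in listen_ports:
        findings.append("no 'Listen 443' directive: Apache is not accepting HTTPS at all")
    if not any(443 in v["ports"] for v in vhosts):
        findings.append("no <VirtualHost> is bound to port 443")
    for v in vhosts:
        last = dict(v["directives"])              # last occurrence wins, as in Apache
        engine = last.get("sslengine", DEFAULT_SSLENGINE).lower()
        if 443 in v["ports"] and engine != "on":
            findings.append(f"<VirtualHost {v['addr']}>: SSLEngine is {engine}, so port 443 answers "
                            "in plaintext HTTP (the client reports ssl_error_rx_record_too_long)")
        if engine == "on" and "sslcertificatefile" not in last:
            findings.append(f"<VirtualHost {v['addr']}>: SSLEngine on without SSLCertificateFile")
        for name, value in v["directives"]:
            if name in ("redirect", "redirectmatch", "rewriterule") and HTTPS_ON_PORT_80_RE.search(value):
                findings.append(f"<VirtualHost {v['addr']}>: {name} sends browsers to https on port 80: {value}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {check_tls_config(cfg) or ['no findings']}")
```

To run it against a real server, read /etc/apache2/sites-enabled/*.conf together with ports.conf into one string and pass it to check_tls_config; the broken sample yields two findings (SSLEngine off on port 443, and the redirect to port 80) and the fixed sample yields none.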

Browser Behavior and HTTPS Enforcement

Modern browsers may upgrade http:// requests to https:// on their own, which produces exactly this error on a server that only serves plaintext: the browser sends a ClientHello to a port that answers in HTTP. Browser extensions that force HTTPS, and built-in settings such as Firefox's HTTPS-Only Mode, can enforce HTTPS even when the http:// prefix is typed explicitly.

Use the following methods to take browser HTTPS enforcement out of the picture while testing:

• Test in an incognito/private window, where most extensions are disabled

• Disable HTTPS-enforcing extensions for the duration of the test

• Type the http:// prefix explicitly and watch the address bar for an automatic upgrade

• Temporarily disable HTTPS-only mode for the test site, and re-enable it once the server is fixed

These steps only help diagnose the problem; the fix is still to serve TLS correctly on port 443.

Diagnostic Tool Usage

Use the OpenSSL command-line tools to see what a port actually speaks:

# Test the TLS handshake; -servername sends SNI, which name-based virtual hosts need to pick the right certificate
openssl s_client -connect example.com:443 -servername example.com

# If the handshake fails, pin the protocol version to rule out version negotiation issues
openssl s_client -connect example.com:443 -tls1_2

# Reproduce the misconfiguration: a TLS handshake against the plaintext port fails with "wrong version number"
openssl s_client -connect example.com:80

# curl reports the same condition for an https:// URL on port 80 (exit code 35, "wrong version number")
curl -v https://example.com:80/

# Use sslscan for more detailed cipher suite scanning
sslscan example.com:443

If openssl s_client succeeds on port 443 with -servername but the browser still fails, the problem is on the client side (a redirect or link to the wrong port, or forced HTTPS on a plaintext port) rather than in the server's TLS setup.

Complete Solution Workflow

1. Verify Port Configuration: Ensure HTTPS URLs in code, links and redirects use port 443 or omit the port number

2. Check Apache Configuration: Confirm mod_ssl is loaded, Listen 443 is active and the port-443 virtual host has SSLEngine on with a certificate

3. Verify Symbolic Links: Ensure sites-enabled contains a correctly named link to the SSL site configuration

4. Test Connection: Use openssl s_client against both port 443 and port 80 to confirm which port speaks TLS

5. Browser Testing: Test in incognito mode, with HTTPS-only settings disabled, to exclude extension interference

Preventive Measures and Best Practices

To prevent such errors, adopt the following best practices:

• Avoid hardcoding port numbers in application code and in Apache Redirect/RewriteRule targets; in particular never combine https:// with port 80 (or http:// with port 443)

• Use environment variables or configuration management tools for port configuration

• Regularly use SSL scanning tools to check server configuration

• Thoroughly test HTTPS redirection logic in development environments

• Keep Apache and OpenSSL components updated

Through systematic diagnosis and repair, the ssl_error_rx_record_too_long error can be effectively resolved, ensuring normal SSL/TLS communication for web applications.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.