httpd-docs mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Httpd Wiki] Update of "ScratchPad" by TomasPospisek
Date Thu, 13 Oct 2011 13:34:15 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "ScratchPad" page has been changed by TomasPospisek:
http://wiki.apache.org/httpd/ScratchPad?action=diff&rev1=5&rev2=6

Comment:
finishing "debugging SSL" article

  
  
  = Debugging SSL Problems =
+ 
+ <<TableOfContents>>
  
  Here are some tips on what to do if the SSL connection to your server just isn't working
as it should.
  
@@ -51, +53 @@

  
   * [[http://www.wireshark.org/|Wireshark]] or
   * [[http://www.microsoft.com/download/en/details.aspx?id=4865|Microsoft Network Monitor]](runs
on Windows only)
+  * the [[http://www.openssl.org/|openssl]] command line tool
  
  which both include SSL protocol dissectors, and thus are able to decode and display SSL
handshakes in a human understandable format.
  
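Review bot: The context sentence right after this list still reads "which both include SSL protocol dissectors", but with the added openssl bullet the list has three entries, so the sentence now also attributes a protocol dissector to the openssl command line tool. Suggest rewording the sentence so it covers only Wireshark and Microsoft Network Monitor and saying separately what openssl is used for, or moving the new bullet out of this list.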
@@ -83, +86 @@

  
  Also Internet Explorer has a very comprehensive and well structured certificate management
interface, that is helpful for seeing certificate paths and certificate properties.
  
- Unfortunately IE is not helpful at all in its failure mode. When something's wrong, it will
not finalize the setup of the SSL connection and not display any useful error. FF instead
will at least display a semi useful error.
+ Unfortunately IE is not helpful at all in its failure mode. When something's wrong, it will
not finalize the setup of the SSL connection and not display any useful error. FF instead
will at least display a semi useful error. Additionaly, since FF is using the openssl library
as its SSL engine, Firefox' error messages correspong to [[http://www.openssl.org/docs/ssl/SSL_alert_type_string.html|openssl's
alert messages]].
+ 
+ 
+ == Manually verifying certificates ==
+ 
+ You can use the openssl command line tool to do all sorts of certificate manipulation and
analysis tasks:
+ 
+  * Verify that a private key matches a certificate (originally from http://kb.wisc.edu/middleware/page.php?id=4064)
+ 
+ {{{
+   $ (openssl x509 -noout -modulus \
+              -in /etc/apache2/ssl.crt/www.mysite.org.crt | openssl md5 ;\
+      openssl rsa  -noout -modulus
+              -in /etc/apache2/ssl.key/www.mysite.org.key | openssl md5) \
+     | uniq
+ }}}
+ 
+  * display the RSA private key:
+ 
+ {{{
+   $ openssl rsa -in /etc/apache2/ssl.key/www.mysite.org.key -noout -text
+ }}}
+ 
+  * display a X509 SSL certificate:
+ 
+ {{{
+     openssl x509 -in /etc/apache2/ssl.crt/www.mysite.org.crt -noout -text
+ }}}
+ 
+  * verify a certificate:
+ 
+ {{{
+ 	openssl verify -CAfile ca-thawte+sourcepole.crt www.nofloh.ch.crt
+ }}}
  
  
  == Finding out what caused a handshake to fail ==
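Review bot: In the first added example, the line `openssl rsa  -noout -modulus` has no trailing backslash, unlike the matching `openssl x509 -noout -modulus \` line, so the shell treats the following `-in /etc/apache2/ssl.key/www.mysite.org.key | openssl md5) \` line as a separate command and the pasted example fails. Add the `\`, and state the expected result (a single line of output from `uniq` when key and certificate match, two lines when they differ). Smaller points in the same hunk: "Additionaly" and "correspong" are misspelled; the examples mix a `$` prompt with none and use three different indentations; the last example switches from the www.mysite.org file names to www.nofloh.ch.crt and ca-thawte+sourcepole.crt; and the "display the RSA private key" bullet should say that the output contains the private key material. The added statement that Firefox uses the openssl library as its SSL engine should also be checked before it goes in, since Firefox's TLS library is NSS.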
