httpd-users mailing list archives

From "Vance Karimi" <vance.kar...@enstinct.com>
Subject RE: [users@httpd] Help with Apache and SSL
Date Wed, 29 Jun 2005 12:39:26 GMT
You can certainly try it: www.smsticketing.com.au
I do https://www.smsticketing.com.au
With 'FW', do you mean forward? We don't do a forward or redirect. We have
an A-Record in the root DNS server of the hosting company.

Regards,
Vance

> -----Original Message-----
> From: Boyle Owen [mailto:Owen.Boyle@swx.com]
> Sent: Wednesday, 29 June 2005 8:07 PM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Help with Apache and SSL
> 
> > -----Original Message-----
> > From: Vance Karimi [mailto:vance.karimi@enstinct.com]
> > Sent: Wednesday, 29 June 2005 07:41
> > To: users@httpd.apache.org
> > Subject: [users@httpd] Help with Apache and SSL
> >
> >
> > Hi list,
> >
> > With the number of threads regarding Apache and SSL, you'd think I would
> > find a solution...sigh...I feel I'm missing something trivial.
> >
> > I apologise for the long post.
> >
> > I performed a build of 2.0.54 with mod_ssl and installed on
> > Fedora core 3.
> > I built with the following configure options:
> > % ./configure --prefix=/usr/local/apache2 --enable-ssl --enable-so
> > All is well and I can get to the default apache page using IE/Mozilla.
> >
> > I created the cert and cert request, created my own CA and signed my csr
> > according to:
> > http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html
> > Copied server.key to conf/ssl.key/.
> > Copied server.crt to conf/ssl.crt/.
> >
> >
> > Configuration files:
> > conf/httpd.conf is stock standard and includes conf/ssl.conf, however I
> > changed the log level to 'info'.
> >
> > conf/ssl.conf looks like so (without comments):
> >
> > SSLRandomSeed startup builtin
> > SSLRandomSeed connect builtin
> >
> > <IfDefine SSL>
> > Listen 443
> > AddType application/x-x509-ca-cert .crt
> > AddType application/x-pkcs7-crl    .crl
> > SSLPassPhraseDialog  builtin
> > SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_scache
> > SSLSessionCacheTimeout  300
> > SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
> >
> > <VirtualHost _default_:443>
> > DocumentRoot /usr/local/apache2/htdocs
> > ServerName www.mydomain.com.au
> > ServerAdmin admin@mydomain.com.au
> > ErrorLog /usr/local/apache2/logs/error_log
> > TransferLog /usr/local/apache2/logs/access_log
> > SSLEngine on
> > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
> > SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
> >
> > <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> >     SSLOptions +StdEnvVars
> > </Files>
> > <Directory "/usr/local/apache2/cgi-bin">
> >     SSLOptions +StdEnvVars
> > </Directory>
> >
> > SetEnvIf User-Agent ".*MSIE.*" \
> >          nokeepalive ssl-unclean-shutdown \
> >          downgrade-1.0 force-response-1.0
> > CustomLog /usr/local/apache2/logs/ssl_request_log \
> >           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >
> > </VirtualHost>
> >
> > </IfDefine>
> >
> >
> > I start up apache:
> > ./apachectl startssl
> >
> > error_log reads:
> >
> > [Wed Jun 29 13:00:12 2005] [info] Init: Initializing OpenSSL library
> > [Wed Jun 29 13:00:12 2005] [info] Init: Seeding PRNG with 136 bytes of entropy
> > [Wed Jun 29 13:00:12 2005] [info] Loading certificate & private key of SSL-aware server
> > [Wed Jun 29 13:00:12 2005] [info] Init: Requesting pass phrase via builtin terminal dialog
> > [Wed Jun 29 13:00:18 2005] [info] Init: Wiped out the queried pass phrases from memory
> > [Wed Jun 29 13:00:18 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> > [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
> > [Wed Jun 29 13:00:19 2005] [info] Init: Initializing (virtual) servers for SSL
> > [Wed Jun 29 13:00:19 2005] [info] Configuring server for SSL protocol
> > [Wed Jun 29 13:00:19 2005] [info] Server: Apache/2.0.54, Interface: mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
> > [Wed Jun 29 13:00:19 2005] [info] Init: Initializing OpenSSL library
> > [Wed Jun 29 13:00:19 2005] [info] Init: Seeding PRNG with 136 bytes of entropy
> > [Wed Jun 29 13:00:19 2005] [info] Loading certificate & private key of SSL-aware server
> > [Wed Jun 29 13:00:19 2005] [info] www.mydomain.com.au:443 reusing existing RSA private key on restart
> > [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> > [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
> > [Wed Jun 29 13:00:19 2005] [info] Init: Initializing (virtual) servers for SSL
> > [Wed Jun 29 13:00:19 2005] [info] Configuring server for SSL protocol
> > [Wed Jun 29 13:00:19 2005] [info] Server: Apache/2.0.54, Interface: mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
> > [Wed Jun 29 13:00:19 2005] [notice] Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a configured -- resuming normal operations
> > [Wed Jun 29 13:00:19 2005] [info] Server built: Jun 29 2005 01:50:33
> >
> >
> > To do the basic test:
> > $ openssl s_client -connect localhost:443
> >
> > I get the following to stdout:
> > .....
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1357 bytes and written 340 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > Server public key is 1024 bit
> > SSL-Session:
> >     Protocol  : TLSv1
> >     Cipher    : DHE-RSA-AES256-SHA
> >     Session-ID: C883239FD990EC30F05A3E127968FD62D08A2D0B17D468965FFDB3989B7ECE7D
> >     Session-ID-ctx:
> >     Master-Key: 978C61CA859767E541F22D7828FEE851D636AB35A3E1F04F2172214E9DCF8C673FAE3427454BFF0769033382A7FD18DC
> >     Key-Arg   : None
> >     Krb5 Principal: None
> >     Start Time: 1120022013
> >     Timeout   : 300 (sec)
> >     Verify return code: 21 (unable to verify the first certificate)
> >
> > I then enter:
> > $ GET / HTTP/1.0
> > $ <CR>
> >
> > And receive the html headers and response as expected.
> >
> > Error_log shows:
> >
> > [Wed Jun 29 13:13:33 2005] [info] Connection to child 2 established (server www.mydomain.com.au:443, client 127.0.0.1)
> > [Wed Jun 29 13:13:33 2005] [info] Seeding PRNG with 136 bytes of entropy
> > [Wed Jun 29 13:16:00 2005] [info] Initial (No.1) HTTPS request received for child 2 (server www.smsticketing.com.au:443)
> > [Wed Jun 29 13:16:00 2005] [info] Connection to child 2 closed with standard shutdown(server www.mydomain.com.au:443, client 127.0.0.1)
> >
> >
> > When I run curl:
> > $ curl --insecure https://www.mydomain.com.au/
> > produces the same result above.
> >
> > $ curl https://www.mydomain.com.au/
> >
> > I get the following to stdout (I presume as expected since I was my own CA)
> >
> > curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > More details here: http://curl.haxx.se/docs/sslcerts.html
> >
> > curl performs SSL certificate verification by default, using
> > a "bundle"
> >  of Certificate Authority (CA) public keys (CA certs). The default
> >  bundle is named curl-ca-bundle.crt; you can specify an alternate file
> >  using the --cacert option.
> > If this HTTPS server uses a certificate signed by a CA represented in
> >  the bundle, the certificate verification probably failed due to a
> >  problem with the certificate (it might be expired, or the name might
> >  not match the domain name in the URL).
> > If you'd like to turn off curl's verification of the certificate, use
> >  the -k (or --insecure) option.
> >
> >
> > Error_log shows:
> >
> > [Wed Jun 29 13:25:55 2005] [info] Connection to child 0 established (server www.smsticketing.com.au:443, client 10.1.3.120)
> > [Wed Jun 29 13:25:55 2005] [info] Seeding PRNG with 136 bytes of entropy
> > [Wed Jun 29 13:25:55 2005] [info] SSL library error 1 in handshake (server www.mydomain.com.au:443, client 10.1.3.120)
> > [Wed Jun 29 13:25:55 2005] [info] SSL Library Error: 336151576 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> > [Wed Jun 29 13:25:55 2005] [info] Connection to child 0 closed with abortive shutdown(server www.mydomain.com.au:443, client 10.1.3.120)
> 
> So curl looks OK...
> 
> >
> >
> > In the browser:
> > In IE, I get the 'The page cannot be displayed' page.
> > In Firefox I get an alert stating "The operation timed out when attempting to contact www.mydomain.com.au".
> 
> - Are you sure you're putting "https" in the protocol part of the URL?
> - Is there a FW between the browser and server?
> - If you post your real domain-name, we can test it...
> 
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
> 
> > Neither produce entries in the logs.
> >
> >
> > I feel my self signed cert may be the cause.
> > If anyone has any suggestions, please let me know.
> >
> > Thanks,
> > Vance
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP
> > Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
> This e-mail is of a private and personal nature. It is not related to the
> exchange or business activities of the SWX Group.
> 
> 
> This message is for the named person's use only. It may contain
> confidential, proprietary or legally privileged information. No
> confidentiality or privilege is waived or lost by any mistransmission. If
> you receive this message in error, please notify the sender urgently and
> then immediately delete the message and any copies of it from your system.
> Please also immediately destroy any hardcopies of the message. You must
> not, directly or indirectly, use, disclose, distribute, print, or copy any
> part of this message if you are not the intended recipient. The sender's
> company reserves the right to monitor all e-mail communications through
> their networks. Any views expressed in this message are those of the
> individual sender, except where the message states otherwise and the
> sender is authorised to state them to be the views of the sender's
> company.
> 
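The three client results quoted in this thread (s_client's "Verify return code: 21", curl failing with (60), and curl succeeding only with --insecure) share one cause: the client has no copy of the private CA that signed server.crt. The check a practitioner wants is to hand that CA to the client rather than switch verification off. The script below is an added example, not code from the thread or from the Apache project: it builds a throwaway private CA and a server certificate with the openssl CLI, then runs openssl verify three ways to show a clean verify with the CA file, the failure without it, and the separate failure curl's message describes when the URL host does not match the certificate. The CA name, the temporary directory, the 30-day lifetime and the mismatched host name are assumptions for the demo; www.mydomain.com.au is the placeholder from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + server cert via the
# openssl CLI, then the verification outcomes a client sees with and
# without the CA. Names, paths and lifetimes below are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

CA_NAME="Example Private CA"        # assumed
SERVER_HOST="www.mydomain.com.au"   # placeholder host name from the thread

# Create the CA, a server key/CSR, and a CA-signed server certificate that
# carries a subjectAltName (current browsers match the URL host on the SAN,
# not on the CN alone).
make_pki() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
    -subj "/CN=$CA_NAME" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -nodes -newkey rsa:2048 \
    -subj "/CN=$SERVER_HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$SERVER_HOST" > "$WORK/san.cnf"
  openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Each check returns openssl's exit status: 0 only if the chain verifies.

# Client that trusts the private CA (what curl --cacert ca.crt does).
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Client with no trust anchor for this CA. -no-CAfile/-no-CApath keep the
# system store out of the picture (OpenSSL >= 1.1.0); the leaf alone cannot
# be chained, which is the condition behind curl's (60) and s_client's 21.
verify_without_ca() {
  openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1
}

# Trusts the CA but also requires the certificate to be valid for the host
# named in the URL, the other failure curl's message mentions.
verify_hostname() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

report() {
  if "$@"; then echo "$1 $*: ok" | cut -d' ' -f2-; else echo "$*: FAILED (exit $?)"; fi
}

make_pki
report verify_with_ca                        # ok
report verify_without_ca                     # FAILED
report verify_hostname "$SERVER_HOST"        # ok
report verify_hostname "www.other.example"   # FAILED (assumed wrong name)
```

Against the live server the same distinction is drawn with `openssl s_client -connect host:443 -CAfile ca.crt` (the verify return code should turn into 0 (ok)) and `curl --cacert ca.crt https://host/`; `--insecure` belongs in diagnosis only, since it removes the check entirely. Note that none of this accounts for the browser symptom in the thread: a certificate the browser cannot verify produces a warning dialog, not a timeout, and browser attempts that leave no trace in error_log have not reached port 443 at all, which is why the firewall question matters more than the self-signed cert.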


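Separate from the timeout, the SSLCipherSuite string in the posted ssl.conf (the value shipped with 2.0's ssl.conf) is permissive: ALL covers the export, LOW and SSLv2 suites, and a leading + only moves matching suites to the end of the preference list rather than removing them, so after !ADH and !EXPORT56 the 40-bit export, single-DES and SSLv2 suites remain negotiable; with no SSLProtocol directive, mod_ssl 2.0's default of all also accepts SSLv2. The builtin SSLRandomSeed source is likewise the one the mod_ssl documentation describes as weak. The fragment below is an added example, not from the thread or the Apache project, placing the posted directives beside a tightened version written for the 2.0.x directive set used on this page; paths and the server name are the thread's placeholders. Before deploying a cipher string, list what it actually selects for the OpenSSL the server was built against with `openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!MD5'`.

```apache
# --- as posted (weak) ---
# SSLRandomSeed startup builtin
# SSLRandomSeed connect builtin
# (no SSLProtocol directive: SSLv2, SSLv3 and TLSv1 all accepted)
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# --- tightened equivalent (added example) ---
# Seed from the kernel pool instead of the builtin source.
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512

<VirtualHost _default_:443>
    ServerName www.mydomain.com.au
    DocumentRoot /usr/local/apache2/htdocs
    SSLEngine on

    # Refuse SSLv2 and SSLv3 outright instead of merely de-prioritising their suites.
    SSLProtocol all -SSLv2 -SSLv3

    # Exclude, rather than reorder, the anonymous, null, export, low-strength
    # and MD5-based suites; HIGH keeps the strong symmetric ciphers.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!MD5

    SSLCertificateFile    /usr/local/apache2/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
</VirtualHost>
```

Apache does not accept trailing comments on directive lines, so the explanations above sit on their own lines; the `-SSLv3` exclusion is what one would set today and is valid 2.0 syntax even though in 2005 it leaves only TLSv1 enabled.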

