httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Help with Apache and SSL
Date Wed, 29 Jun 2005 12:07:18 GMT
> -----Original Message-----
> From: Vance Karimi [mailto:vance.karimi@enstinct.com]
> Sent: Mittwoch, 29. Juni 2005 07:41
> To: users@httpd.apache.org
> Subject: [users@httpd] Help with Apache and SSL
> 
> 
> Hi list,
> 
> With the number of threads regarding Apache and SSL, you'd 
> think I would
> find a solution...sigh...I feel I'm missing something trivial.  
> 
> I appologise for the long post.
> 
> I performed a build of 2.0.54 with mod_ssl and installed on 
> Fedora core 3.
> I built with the following configure options:
> % ./configure --prefix=/usr/local/apache2 --enable-ssl --enable-so
> All is well and I can get to the default apache page using IE/Mozilla.
> 
> I created the cert and cert request, created my own CA and 
> signed my csr
> according to:
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html
> Copied server.key to conf/ssl.key/.
> Copied server.crt to conf/ssl.crt/.
> 
> 
> Configuration files:
> conf/httpd.conf is stock standard and includes conf/ssl.conf, 
> however I
> changed the log level to 'info'.
> 
> conf/ssl.conf looks like so (without comments):
> 
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> 
> <IfDefine SSL>
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
> SSLPassPhraseDialog  builtin
> SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_scache
> SSLSessionCacheTimeout  300
> SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
> 
> <VirtualHost _default_:443>
> DocumentRoot /usr/local/apache2/htdocs
> ServerName www.mydomain.com.au
> ServerAdmin admin@mydomain.com.au
> ErrorLog /usr/local/apache2/logs/error_log
> TransferLog /usr/local/apache2/logs/access_log
> SSLEngine on
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
> 
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
> </Files>
> <Directory "/usr/local/apache2/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
> 
> SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
> CustomLog /usr/local/apache2/logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> 
> </VirtualHost>
> 
> </IfDefine>
> 
> 
> I start up apache:
> ./apachectl startssl
> 
> error_log reads:
> 
> [Wed Jun 29 13:00:12 2005] [info] Init: Initializing OpenSSL library
> [Wed Jun 29 13:00:12 2005] [info] Init: Seeding PRNG with 136 bytes of
> entropy
> [Wed Jun 29 13:00:12 2005] [info] Loading certificate & private key of
> SSL-aware server
> [Wed Jun 29 13:00:12 2005] [info] Init: Requesting pass 
> phrase via builtin
> terminal dialog
> [Wed Jun 29 13:00:18 2005] [info] Init: Wiped out the queried 
> pass phrases
> from memory
> [Wed Jun 29 13:00:18 2005] [info] Init: Generating temporary 
> RSA private
> keys (512/1024 bits)
> [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary 
> DH parameters
> (512/1024 bits)
> [Wed Jun 29 13:00:19 2005] [info] Init: Initializing 
> (virtual) servers for
> SSL
> [Wed Jun 29 13:00:19 2005] [info] Configuring server for SSL protocol
> [Wed Jun 29 13:00:19 2005] [info] Server: Apache/2.0.54, Interface:
> mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
> [Wed Jun 29 13:00:19 2005] [info] Init: Initializing OpenSSL library
> [Wed Jun 29 13:00:19 2005] [info] Init: Seeding PRNG with 136 bytes of
> entropy
> [Wed Jun 29 13:00:19 2005] [info] Loading certificate & private key of
> SSL-aware server
> [Wed Jun 29 13:00:19 2005] [info] www.mydomain.com.au:443 
> reusing existing
> RSA private key on restart
> [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary 
> RSA private
> keys (512/1024 bits)
> [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary 
> DH parameters
> (512/1024 bits)
> [Wed Jun 29 13:00:19 2005] [info] Init: Initializing 
> (virtual) servers for
> SSL
> [Wed Jun 29 13:00:19 2005] [info] Configuring server for SSL protocol
> [Wed Jun 29 13:00:19 2005] [info] Server: Apache/2.0.54, Interface:
> mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
> [Wed Jun 29 13:00:19 2005] [notice] Apache/2.0.54 (Unix) 
> mod_ssl/2.0.54
> OpenSSL/0.9.7a configured -- resuming normal operations
> [Wed Jun 29 13:00:19 2005] [info] Server built: Jun 29 2005 01:50:33
> 
> 
> To do the basic test:
> $ openssl s_client -connect localhost:443
> 
> I get the following to stdout:
> .....
> No client certificate CA names sent
> ---
> SSL handshake has read 1357 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID:
> C883239FD990EC30F05A3E127968FD62D08A2D0B17D468965FFDB3989B7ECE7D
>     Session-ID-ctx:
>     Master-Key:
> 978C61CA859767E541F22D7828FEE851D636AB35A3E1F04F2172214E9DCF8C
> 673FAE3427454B
> FF0769033382A7FD18DC
>     Key-Arg   : None
>     Krb5 Principal: None
>     Start Time: 1120022013
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> 
> I then enter:
> $ GET / HTTP/1.0
> $ <CR>
> 
> And receive the html headers and response as expected.
> 
> Error_log shows:
> 
> [Wed Jun 29 13:13:33 2005] [info] Connection to child 2 
> established (server
> www.mydomain.com.au:443, client 127.0.0.1)
> [Wed Jun 29 13:13:33 2005] [info] Seeding PRNG with 136 bytes 
> of entropy
> [Wed Jun 29 13:16:00 2005] [info] Initial (No.1) HTTPS 
> request received for
> child 2 (server www.smsticketing.com.au:443)
> [Wed Jun 29 13:16:00 2005] [info] Connection to child 2 
> closed with standard
> shutdown(server www.mydomain.com.au:443, client 127.0.0.1)
> 
> 
> When I run curl:
> $ curl --insecure https://www.mydomain.com.au/
> produces the same result above.
> 
> $ curl https://www.mydomain.com.au/
> 
> I get the following to stdout (I presume as expected since I 
> was my own CA)
> 
> curl: (60) SSL certificate problem, verify that the CA cert 
> is OK. Details:
> error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> More details here: http://curl.haxx.se/docs/sslcerts.html
> 
> curl performs SSL certificate verification by default, using 
> a "bundle"
>  of Certificate Authority (CA) public keys (CA certs). The default
>  bundle is named curl-ca-bundle.crt; you can specify an alternate file
>  using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
>  the bundle, the certificate verification probably failed due to a
>  problem with the certificate (it might be expired, or the name might
>  not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
>  the -k (or --insecure) option.
> 
> 
> Error_log shows:
> 
> [Wed Jun 29 13:25:55 2005] [info] Connection to child 0 
> established (server
> www.smsticketing.com.au:443, client 10.1.3.120)
> [Wed Jun 29 13:25:55 2005] [info] Seeding PRNG with 136 bytes 
> of entropy
> [Wed Jun 29 13:25:55 2005] [info] SSL library error 1 in 
> handshake (server
> www.mydomain.com.au:443, client 10.1.3.120)
> [Wed Jun 29 13:25:55 2005] [info] SSL Library Error: 336151576
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> [Wed Jun 29 13:25:55 2005] [info] Connection to child 0 
> closed with abortive
> shutdown(server www.mydomain.com.au:443, client 10.1.3.120)

So curl looks OK...

> 
> 
> In the browser:
> In IE, I get the 'The page cannot be displayed' page.
> In Firefox I get an alert stating "The operation timed out 
> when attempting
> to contact www.mydomain.com.au".

- Are you sure you're putting "https" in the protocol part of the URL?
- Is there a FW between the browser and server?
- If you post your real domain-name, we can test it...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> Neither produce entries in the logs.
> 
> 
> I feel my self signed cert may be the cause.
> If anyone has any suggestions, please let me know.
> 
> Thanks,
> Vance
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen-
bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature.
It is not related to the exchange or business activities of the SWX Group. Le présent e-mail
est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX.
 
 
This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. No confidentiality or privilege is waived or lost by any
mistransmission. If you receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your system. Please also immediately
destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose,
distribute, print, or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail communications through their
networks. Any views expressed in this message are those of the individual sender, except where
the message states otherwise and the sender is authorised to state them to be the views of
the sender's company.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message