From: "Boyle Owen"
To: users@httpd.apache.org
Date: Wed, 29 Jun 2005 14:07:18 +0200
Subject: RE: [users@httpd] Help with Apache and SSL

> -----Original Message-----
> From: Vance Karimi [mailto:vance.karimi@enstinct.com]
> Sent: Wednesday, 29 June 2005 07:41
> To: users@httpd.apache.org
> Subject: [users@httpd] Help with Apache and SSL
>
> Hi list,
>
> With the number of threads regarding Apache and SSL, you'd think I would
> find a solution...sigh...I feel I'm missing something trivial.
>
> I apologise for the long post.
>
> I performed a build of 2.0.54 with mod_ssl and installed on Fedora core 3.
> I built with the following configure options:
> % ./configure --prefix=/usr/local/apache2 --enable-ssl --enable-so
> All is well and I can get to the default apache page using IE/Mozilla.
>
> I created the cert and cert request, created my own CA and signed my csr
> according to:
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html
> Copied server.key to conf/ssl.key/.
> Copied server.crt to conf/ssl.crt/.
>
> Configuration files:
> conf/httpd.conf is stock standard and includes conf/ssl.conf, however I
> changed the log level to 'info'.
>
> conf/ssl.conf looks like so (without comments):
>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
>
>
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
> SSLPassPhraseDialog builtin
> SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
> SSLSessionCacheTimeout 300
> SSLMutex file:/usr/local/apache2/logs/ssl_mutex
>
>
> DocumentRoot /usr/local/apache2/htdocs
> ServerName www.mydomain.com.au
> ServerAdmin admin@mydomain.com.au
> ErrorLog /usr/local/apache2/logs/error_log
> TransferLog /usr/local/apache2/logs/access_log
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
>
>
> SSLOptions +StdEnvVars
>
>
> SSLOptions +StdEnvVars
>
>
> SetEnvIf User-Agent ".*MSIE.*" \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
> CustomLog /usr/local/apache2/logs/ssl_request_log \
>     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>
>
>
>
> I start up apache:
> ./apachectl startssl
>
> error_log reads:
>
> [Wed Jun 29 13:00:12 2005] [info] Init: Initializing OpenSSL library
> [Wed Jun 29 13:00:12 2005] [info] Init: Seeding PRNG with 136 bytes of entropy
> [Wed Jun 29 13:00:12 2005] [info] Loading certificate & private key of SSL-aware server
> [Wed Jun 29 13:00:12 2005] [info] Init: Requesting pass phrase via builtin terminal dialog
> [Wed Jun 29 13:00:18 2005] [info] Init: Wiped out the queried pass phrases from memory
> [Wed Jun 29 13:00:18 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
> [Wed Jun 29 13:00:19 2005] [info] Init: Initializing (virtual) servers for SSL
> [Wed Jun 29 13:00:19 2005] [info] Configuring server for SSL protocol
> [Wed Jun 29 13:00:19 2005] [info] Server: Apache/2.0.54, Interface: mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
> [Wed Jun 29 13:00:19 2005] [info] Init: Initializing OpenSSL library
> [Wed Jun 29 13:00:19 2005] [info] Init: Seeding PRNG with 136 bytes of entropy
> [Wed Jun 29 13:00:19 2005] [info] Loading certificate & private key of SSL-aware server
> [Wed Jun 29 13:00:19 2005] [info] www.mydomain.com.au:443 reusing existing RSA private key on restart
> [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
> [Wed Jun 29 13:00:19 2005] [info] Init: Initializing (virtual) servers for SSL
> [Wed Jun 29 13:00:19 2005] [info] Configuring server for SSL protocol
> [Wed Jun 29 13:00:19 2005] [info] Server: Apache/2.0.54, Interface: mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
> [Wed Jun 29 13:00:19 2005] [notice] Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a configured -- resuming normal operations
> [Wed Jun 29 13:00:19 2005] [info] Server built: Jun 29 2005 01:50:33
>
>
> To do the basic test:
> $ openssl s_client -connect localhost:443
>
> I get the following to stdout:
> .....
> No client certificate CA names sent
> ---
> SSL handshake has read 1357 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: C883239FD990EC30F05A3E127968FD62D08A2D0B17D468965FFDB3989B7ECE7D
>     Session-ID-ctx:
>     Master-Key: 978C61CA859767E541F22D7828FEE851D636AB35A3E1F04F2172214E9DCF8C673FAE3427454BFF0769033382A7FD18DC
>     Key-Arg   : None
>     Krb5 Principal: None
>     Start Time: 1120022013
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
>
> I then enter:
> $ GET / HTTP/1.0
> $
>
> And receive the html headers and response as expected.
>
> Error_log shows:
>
> [Wed Jun 29 13:13:33 2005] [info] Connection to child 2 established (server www.mydomain.com.au:443, client 127.0.0.1)
> [Wed Jun 29 13:13:33 2005] [info] Seeding PRNG with 136 bytes of entropy
> [Wed Jun 29 13:16:00 2005] [info] Initial (No.1) HTTPS request received for child 2 (server www.smsticketing.com.au:443)
> [Wed Jun 29 13:16:00 2005] [info] Connection to child 2 closed with standard shutdown (server www.mydomain.com.au:443, client 127.0.0.1)
>
>
> When I run curl:
> $ curl --insecure https://www.mydomain.com.au/
> produces the same result above.
>
> $ curl https://www.mydomain.com.au/
>
> I get the following to stdout (I presume as expected since I was my own CA)
>
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). The default
> bundle is named curl-ca-bundle.crt; you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
>
> Error_log shows:
>
> [Wed Jun 29 13:25:55 2005] [info] Connection to child 0 established (server www.smsticketing.com.au:443, client 10.1.3.120)
> [Wed Jun 29 13:25:55 2005] [info] Seeding PRNG with 136 bytes of entropy
> [Wed Jun 29 13:25:55 2005] [info] SSL library error 1 in handshake (server www.mydomain.com.au:443, client 10.1.3.120)
> [Wed Jun 29 13:25:55 2005] [info] SSL Library Error: 336151576 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> [Wed Jun 29 13:25:55 2005] [info] Connection to child 0 closed with abortive shutdown (server www.mydomain.com.au:443, client 10.1.3.120)

So curl looks OK...

> In the browser:
> In IE, I get the 'The page cannot be displayed' page.
> In Firefox I get an alert stating "The operation timed out when attempting
> to contact www.mydomain.com.au".

- Are you sure you're putting "https" in the protocol part of the URL?
- Is there a FW between the browser and server?
- If you post your real domain-name, we can test it...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> Neither produce entries in the logs.
>
>
> I feel my self-signed cert may be the cause.
> If anyone has any suggestions, please let me know.
>
> Thanks,
> Vance
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
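The two failure signatures in the thread are different in kind: openssl s_client and curl reach httpd (error_log records the connection and the "tlsv1 alert unknown ca") and fail only at certificate verification, while IE and Firefox time out and httpd logs nothing at all, which is what Owen's questions about the https scheme and a firewall are probing. The probe below is an added example, not code from the thread or from the Apache project. It separates "no TCP connection" from "TCP connected but the handshake failed" from "handshake ran but the certificate is not trusted", and takes a `cafile` argument so the private CA can be supplied the same way as `openssl s_client -CAfile ca.crt` or `curl --cacert ca.crt`. The helpers `closed_port` and `serve_plain_tcp_once` are constructed fixtures so the script can be exercised offline; all names are mine.

```python
"""Layered HTTPS triage (added example, not from the mailing-list thread).

Stages returned by probe_https():
  tcp_failed     nothing answered on host:port: firewall, DNS, missing
                 Listen, or the wrong scheme/port in the URL. httpd never
                 sees the request, so error_log stays empty.
  cert_rejected  handshake ran, but the server certificate is not trusted
                 by the supplied CA set (self-signed / private CA, expired,
                 or name mismatch): curl error 60, s_client verify code 21.
  tls_failed     TCP connected, handshake aborted for another reason: no
                 TLS on that port, protocol or cipher mismatch, reset.
  tls_ok         handshake completed with the supplied trust anchors.
"""
import socket
import ssl
import threading


def probe_https(host, port, cafile=None, timeout=3.0):
    """Return (stage, detail) for one connection attempt to host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Refused, timed out, unreachable, unresolvable: never reached httpd.
        return "tcp_failed", repr(exc)

    # cafile=None means the system trust store, i.e. exactly the situation
    # in which a home-grown CA is rejected. Pass the CA cert to emulate
    # `openssl s_client -CAfile` / `curl --cacert`.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls_ok", (tls.version(), tls.cipher()[0])
    except ssl.SSLCertVerificationError as exc:
        return "cert_rejected", exc.verify_message
    except OSError as exc:
        # ssl.SSLError, SSLEOFError and ConnectionResetError are all OSError:
        # the peer accepted TCP but the handshake did not complete.
        return "tls_failed", repr(exc)
    finally:
        raw.close()  # no-op if wrap_socket already detached/closed it


def closed_port(host="127.0.0.1"):
    """Constructed fixture: a port nobody listens on (bind to 0, release)."""
    s = socket.socket()
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def serve_plain_tcp_once(host="127.0.0.1"):
    """Constructed fixture: accept one TCP connection and close it without
    speaking TLS, i.e. an open port that is not an HTTPS listener.
    Returns the port; the listener runs in a daemon thread."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def _accept_and_drop():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=_accept_and_drop, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py HOST [CA_FILE]")
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_https(sys.argv[1], 443, cafile=ca))
```

Run it from the same machine the browser sits on: a `tcp_failed` result reproduces the browser timeout and points at the network path, `cert_rejected` without a CA file and `tls_ok` with one confirms the server side is fine and only the client's trust store is missing the private CA.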