From: "Boyle Owen" <Owen.Boyle@swx.com>
To: users@httpd.apache.org
Date: Wed, 29 Jun 2005 15:58:46 +0200
Subject: RE: [users@httpd] Help with Apache and SSL

> -----Original Message-----
> From: Vance Karimi [mailto:vance.karimi@enstinct.com]
> Sent: Wednesday, 29 June 2005 14:39
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Help with Apache and SSL
>
> You can certainly try it: www.smsticketing.com.au
> I do https://www.smsticketing.com.au
> With 'FW', do you mean forward?

No. FW = firewall.

If it's timing out, it's usually because the connection has been dropped. A webserver usually responds immediately with the page or with an error message. It can't drop the connection (the HTTP RFC requires this). So a dropped connection is usually due to a FW (it's a deliberate security ploy just to ignore unwanted packets - then the sender doesn't know if he's being denied or if it's just network latency. This slows down his attack).

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> We don't do a forward or redirect. We have an A-Record in the root DNS server of the hosting company.
>
> Regards,
> Vance
>
> > -----Original Message-----
> > From: Boyle Owen [mailto:Owen.Boyle@swx.com]
> > Sent: Wednesday, 29 June 2005 8:07 PM
> > To: users@httpd.apache.org
> > Subject: RE: [users@httpd] Help with Apache and SSL
> >
> > > -----Original Message-----
> > > From: Vance Karimi [mailto:vance.karimi@enstinct.com]
> > > Sent: Wednesday, 29 June 2005 07:41
> > > To: users@httpd.apache.org
> > > Subject: [users@httpd] Help with Apache and SSL
> > >
> > > Hi list,
> > >
> > > With the number of threads regarding Apache and SSL, you'd think I would find a solution...sigh...I feel I'm missing something trivial.
> > >
> > > I apologise for the long post.
> > >
> > > I performed a build of 2.0.54 with mod_ssl and installed on Fedora Core 3.
> > > I built with the following configure options:
> > > % ./configure --prefix=/usr/local/apache2 --enable-ssl --enable-so
> > > All is well and I can get to the default apache page using IE/Mozilla.
> > >
> > > I created the cert and cert request, created my own CA and signed my csr according to:
> > > http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html
> > > Copied server.key to conf/ssl.key/.
> > > Copied server.crt to conf/ssl.crt/.
> > >
> > > Configuration files:
> > > conf/httpd.conf is stock standard and includes conf/ssl.conf, however I changed the log level to 'info'.
> > >
> > > conf/ssl.conf looks like so (without comments):
> > >
> > > SSLRandomSeed startup builtin
> > > SSLRandomSeed connect builtin
> > >
> > > Listen 443
> > > AddType application/x-x509-ca-cert .crt
> > > AddType application/x-pkcs7-crl .crl
> > > SSLPassPhraseDialog builtin
> > > SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
> > > SSLSessionCacheTimeout 300
> > > SSLMutex file:/usr/local/apache2/logs/ssl_mutex
> > >
> > > DocumentRoot /usr/local/apache2/htdocs
> > > ServerName www.mydomain.com.au
> > > ServerAdmin admin@mydomain.com.au
> > > ErrorLog /usr/local/apache2/logs/error_log
> > > TransferLog /usr/local/apache2/logs/access_log
> > > SSLEngine on
> > > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > > SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
> > > SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
> > >
> > > SSLOptions +StdEnvVars
> > >
> > > SSLOptions +StdEnvVars
> > >
> > > SetEnvIf User-Agent ".*MSIE.*" \
> > >     nokeepalive ssl-unclean-shutdown \
> > >     downgrade-1.0 force-response-1.0
> > > CustomLog /usr/local/apache2/logs/ssl_request_log \
> > >     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > >
> > > I start up apache:
> > > ./apachectl startssl
> > >
> > > error_log reads:
> > >
> > > [Wed Jun 29 13:00:12 2005] [info] Init: Initializing OpenSSL library
> > > [Wed Jun 29 13:00:12 2005] [info] Init: Seeding PRNG with 136 bytes of entropy
> > > [Wed Jun 29 13:00:12 2005] [info] Loading certificate & private key of SSL-aware server
> > > [Wed Jun 29 13:00:12 2005] [info] Init: Requesting pass phrase via builtin terminal dialog
> > > [Wed Jun 29 13:00:18 2005] [info] Init: Wiped out the queried pass phrases from memory
> > > [Wed Jun 29 13:00:18 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Initializing (virtual) servers for SSL
> > > [Wed Jun 29 13:00:19 2005] [info] Configuring server for SSL protocol
> > > [Wed Jun 29 13:00:19 2005] [info] Server: Apache/2.0.54, Interface: mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Initializing OpenSSL library
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Seeding PRNG with 136 bytes of entropy
> > > [Wed Jun 29 13:00:19 2005] [info] Loading certificate & private key of SSL-aware server
> > > [Wed Jun 29 13:00:19 2005] [info] www.mydomain.com.au:443 reusing existing RSA private key on restart
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Initializing (virtual) servers for SSL
> > > [Wed Jun 29 13:00:19 2005] [info] Configuring server for SSL protocol
> > > [Wed Jun 29 13:00:19 2005] [info] Server: Apache/2.0.54, Interface: mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
> > > [Wed Jun 29 13:00:19 2005] [notice] Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a configured -- resuming normal operations
> > > [Wed Jun 29 13:00:19 2005] [info] Server built: Jun 29 2005 01:50:33
> > >
> > > To do the basic test:
> > > $ openssl s_client -connect localhost:443
> > >
> > > I get the following to stdout:
> > > .....
> > > No client certificate CA names sent
> > > ---
> > > SSL handshake has read 1357 bytes and written 340 bytes
> > > ---
> > > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > > Server public key is 1024 bit
> > > SSL-Session:
> > >     Protocol  : TLSv1
> > >     Cipher    : DHE-RSA-AES256-SHA
> > >     Session-ID: C883239FD990EC30F05A3E127968FD62D08A2D0B17D468965FFDB3989B7ECE7D
> > >     Session-ID-ctx:
> > >     Master-Key: 978C61CA859767E541F22D7828FEE851D636AB35A3E1F04F2172214E9DCF8C673FAE3427454BFF0769033382A7FD18DC
> > >     Key-Arg   : None
> > >     Krb5 Principal: None
> > >     Start Time: 1120022013
> > >     Timeout   : 300 (sec)
> > >     Verify return code: 21 (unable to verify the first certificate)
> > >
> > > I then enter:
> > > $ GET / HTTP/1.0
> > > $
> > >
> > > And receive the html headers and response as expected.
> > >
> > > Error_log shows:
> > >
> > > [Wed Jun 29 13:13:33 2005] [info] Connection to child 2 established (server www.mydomain.com.au:443, client 127.0.0.1)
> > > [Wed Jun 29 13:13:33 2005] [info] Seeding PRNG with 136 bytes of entropy
> > > [Wed Jun 29 13:16:00 2005] [info] Initial (No.1) HTTPS request received for child 2 (server www.smsticketing.com.au:443)
> > > [Wed Jun 29 13:16:00 2005] [info] Connection to child 2 closed with standard shutdown (server www.mydomain.com.au:443, client 127.0.0.1)
> > >
> > > When I run curl:
> > > $ curl --insecure https://www.mydomain.com.au/
> > > produces the same result above.
> > > $ curl https://www.mydomain.com.au/
> > >
> > > I get the following to stdout (I presume as expected since I was my own CA):
> > >
> > > curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > > More details here: http://curl.haxx.se/docs/sslcerts.html
> > >
> > > curl performs SSL certificate verification by default, using a "bundle"
> > > of Certificate Authority (CA) public keys (CA certs). The default
> > > bundle is named curl-ca-bundle.crt; you can specify an alternate file
> > > using the --cacert option.
> > > If this HTTPS server uses a certificate signed by a CA represented in
> > > the bundle, the certificate verification probably failed due to a
> > > problem with the certificate (it might be expired, or the name might
> > > not match the domain name in the URL).
> > > If you'd like to turn off curl's verification of the certificate, use
> > > the -k (or --insecure) option.
> > >
> > > Error_log shows:
> > >
> > > [Wed Jun 29 13:25:55 2005] [info] Connection to child 0 established (server www.smsticketing.com.au:443, client 10.1.3.120)
> > > [Wed Jun 29 13:25:55 2005] [info] Seeding PRNG with 136 bytes of entropy
> > > [Wed Jun 29 13:25:55 2005] [info] SSL library error 1 in handshake (server www.mydomain.com.au:443, client 10.1.3.120)
> > > [Wed Jun 29 13:25:55 2005] [info] SSL Library Error: 336151576 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> > > [Wed Jun 29 13:25:55 2005] [info] Connection to child 0 closed with abortive shutdown (server www.mydomain.com.au:443, client 10.1.3.120)
> >
> > So curl looks OK...
> >
> > > In the browser:
> > > In IE, I get the 'The page cannot be displayed' page.
> > > In Firefox I get an alert stating "The operation timed out when attempting to contact www.mydomain.com.au".
> >
> > - Are you sure you're putting "https" in the protocol part of the URL?
> > - Is there a FW between the browser and server?
> > - If you post your real domain-name, we can test it...
> >
> > Rgds,
> > Owen Boyle
> > Disclaimer: Any disclaimer attached to this message may be ignored.
> >
> > > Neither produce entries in the logs.
> > >
> > > I feel my self-signed cert may be the cause.
> > > If anyone has any suggestions, please let me know.
> > >
> > > Thanks,
> > > Vance
> > >
> > > ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP Server Project.
> > > See for more info.
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> >
> > This e-mail is of a private and personal nature. It is not related to the exchange or business activities of the SWX Group.
> >
> > This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message.
> > You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company.
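A worked check for the two diagnoses in the thread above: Owen's point that a browser "timed out" means something dropped the connection rather than the server answering, and Vance's curl (60) result, which is verification failing because the CA he created is not in curl's bundle. This is an added example, not code from the list thread or from the Apache project. It connects at the TCP level first, then runs the TLS handshake while verifying against the site's own CA file instead of passing --insecure, and reports the first stage that fails. The host, port, timeout values and the CA file path (my-ca.crt is a hypothetical name for the CA certificate the poster generated) are assumptions.

```python
"""Tell 'firewall dropped it' from 'nothing listening' from 'cert not trusted'.

Added example for the users@httpd thread on Apache 2.0.54 + mod_ssl; not code
from that thread or from the Apache project.
Usage:  python probe_https.py www.example.com 443 /path/to/my-ca.crt
(host, port and CA path are assumptions; my-ca.crt stands for the poster's own CA).
"""
import socket
import ssl
import sys


def probe_https(host, port=443, cafile=None, timeout=5.0):
    """Return a short verdict naming the first stage that fails.

    tcp-timeout        SYN got no answer at all: the classic sign of a firewall
                       silently dropping packets, which a browser shows as "timed out".
    tcp-refused        a RST came back: the host is reachable but nothing listens there.
    tls-timeout        TCP connected but the handshake stalled (plain-HTTP listener,
                       or a middlebox eating the ClientHello).
    tls-verify-failed  handshake reached the certificate but the chain or the
                       hostname did not verify against `cafile` (curl's error 60).
    tls-error          any other TLS-level failure (protocol mismatch, alert).
    ok:<status line>   full handshake plus an HTTP/1.0 GET succeeded.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:            # checked before OSError: it is a subclass
        return "tcp-timeout"
    except ConnectionRefusedError:
        return "tcp-refused"
    except OSError as exc:
        return "tcp-error:%s" % (exc.errno,)

    # Verify against the admin's own CA rather than switching verification off;
    # cafile=None falls back to the platform trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            first_line = tls.recv(256).split(b"\r\n", 1)[0]
            return "ok:" + first_line.decode("ascii", errors="replace")
    except ssl.SSLCertVerificationError as exc:   # subclass of SSLError, so first
        return "tls-verify-failed:%s" % (exc.verify_message,)
    except ssl.SSLError as exc:
        return "tls-error:%s" % (exc.reason,)
    except socket.timeout:
        return "tls-timeout"
    finally:
        sock.close()   # no-op if wrap_socket already took over the descriptor


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_https(target, target_port, cafile=ca))
```

Run it once from a host inside the firewall and once from outside: "tcp-timeout" only from outside is the firewall case Owen describes, while "tls-verify-failed" from both sides is the missing-CA case, fixed by pointing the client at the CA certificate (the same idea as `curl --cacert my-ca.crt` or `openssl s_client -connect host:443 -CAfile my-ca.crt`) rather than by `-k`.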