From Mark Slater <li...@humanesoftware.com>
Subject [users@httpd] self-signed SSL cert problems with httpd-2.0.55 and openssl-0.9.7i
Date Thu, 16 Mar 2006 22:46:08 GMT
I've been building my own binaries for apache and openssl for a few  
years now, and I can't recall ever having a problem like this before.  
Both packages built fine and both seem to be working correctly,  
except that apache is unable to use the self-signed SSL certificate I  
created. Apache is working just fine on http, and at the same time  
failing on https.

The procedure I'm using is the same as I've used on machines I've set  
up previously. The biggest difference is that the new machine is  
running MacOS X on an Intel chip. Everything has been compiled  
natively for it (I didn't copy any binaries from other machines), so  
I would have assumed the procedures for generating a self-signed  
certificate would be the same.

In the past, I've found these instructions worked just fine, even  
with Apache 2.x
     http://developer.apple.com/internet/serverside/modssl.html

These instructions are basically the same as the ones found on the  
mod_ssl website:
     http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real
     http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca

   539  openssl genrsa -des3 -out server.key 1024
   540  openssl req -new -key server.key -out server.csr
   541  dir
   542  openssl genrsa -des3 -out ca.key 1024
   543  openssl req -new -x509 -days 365 -key ca.key -out ca.crt
   544  mroe sign.sh
   545  more sign.sh
   546  ./sign.sh server.csr
   547  sudo cp server.key /usr/local/apache2/conf/ssl.key/
   548  sudo cp server.crt /usr/local/apache2/conf/ssl.crt/
   549  sudo /usr/local/apache2/bin/apachectl stop
   550  sudo /usr/local/apache2/bin/apachectl startssl


However, when I followed them this time and restarted apache, my  
browser was unable to create a secure connection. There are no error  
messages in the log files related to SSL. I used curl to see if I  
could get more information:

=========================================================================
$ curl -g -3 -k https://whisper.cse.ucsc.edu
curl: (35) error:04077068:rsa routines:RSA_verify:bad signature
=========================================================================

Then I ran openssl's s_client command and got this:

=========================================================================
$ openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@soe.ucsc.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@soe.ucsc.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@soe.ucsc.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@soe.ucsc.edu
   i:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=Mark Slater/emailAddress=mslater@soe.ucsc.edu
---
Server certificate
subject=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@soe.ucsc.edu
issuer=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=Mark Slater/emailAddress=mslater@soe.ucsc.edu
---
No client certificate CA names sent
---
SSL handshake has read 1300 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 6EA0454B3C48C92BE620031BD0302FBDAC8D07A33D7710868A45D4251060D4BD
    Session-ID-ctx:
    Master-Key: 3E0CF350B3BB3248C20013C8676E5E7D38E85F70CA7BF67D2DEC3A8F950192BB1F91EAB2FEE029A0FEED1218FFD7D655
    Key-Arg   : None
    Start Time: 1142545988
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
^C
=========================================================================

I then tried this set of directions: http://www.securityfocus.com/infocus/1818

I ran the command: openssl req -new -x509 -days 365 -keyout server.key -out server.crt
Then I installed the generated files in apache and restarted (apachectl startssl).
I got the same error with my browser and with curl, but openssl s_client gave this:

=========================================================================
$ openssl s_client -connect whisper.cse.ucsc.edu:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@soe.ucsc.edu
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@soe.ucsc.edu
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@soe.ucsc.edu
   i:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@soe.ucsc.edu
---
Server certificate
subject=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@soe.ucsc.edu
issuer=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@soe.ucsc.edu
---
No client certificate CA names sent
---
SSL handshake has read 1617 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 002C52406C37D29DEA0DFB9BDEDE44DB3289F0E5719767A449CDD6C2FBDD1989
    Session-ID-ctx:
    Master-Key: 235C61CC423B0D9E386E4767EF8F0F0B9A98DE490DEF4CC20F7B9A7E820A314CC8504957441F473D582F9A7283654B46
    Key-Arg   : None
    Start Time: 1142546565
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
closed
=========================================================================

Could this be an endian issue with the Intel processor? I would think  
that, since I built the binaries on the Intel machine (and saw the  
processor correctly registered in the ./configure process), that  
endianness wouldn't be an issue. Is there something else that I  
should be doing instead?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
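A pre-flight check for the key and certificate pair described in the post above, added here as an example (it is not from the post, the Apple page or the mod_ssl FAQ). It assumes the openssl command-line tool is on the PATH; the file names are whatever you pass in, and for the second, self-signed procedure the certificate itself is passed as the CA file.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a server key,
# certificate and issuing CA before restarting Apache with them.
#
# check_server_cert KEY CERT CA
#   returns 0 if KEY matches CERT and CERT's signature verifies against CA
#   returns 1 if the private key does not belong to the certificate
#   returns 2 if the certificate does not verify against CA
# For a self-signed certificate, pass the certificate itself as CA.
check_server_cert() {
    key="$1"; cert="$2"; ca="$3"

    # 1. Does the private key belong to this certificate? Compare the RSA
    #    modulus from both files. A mismatch means the certificate was
    #    issued for a different key than the one Apache is configured with
    #    (for example, server.key regenerated after server.csr was made).
    #    An encrypted key (genrsa -des3) prompts for its passphrase here.
    key_mod=$(openssl rsa -noout -modulus -in "$key") || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$cert") || return 1
    if [ "$key_mod" != "$cert_mod" ]; then
        echo "key/cert mismatch: modulus of $key differs from $cert" >&2
        return 1
    fi

    # 2. Does the issuer's signature on the certificate verify? This is the
    #    check a client performs; a failure here is what a browser, curl or
    #    s_client reports rather than anything in Apache's own logs.
    #    The output text is checked as well as the exit status, because
    #    older openssl releases exit 0 even when verification fails.
    out=$(openssl verify -CAfile "$ca" "$cert" 2>&1)
    case "$out" in
        *": OK"*) ;;
        *) echo "verification failed: $out" >&2; return 2 ;;
    esac

    echo "OK: $cert matches $key and verifies against $ca"
    return 0
}
```

Run it as `check_server_cert server.key server.crt ca.crt` for the CA-signed procedure, or `check_server_cert server.key server.crt server.crt` for the self-signed one; a non-zero return narrows the problem to the files before Apache or a client is involved.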

