httpd-users mailing list archives

From "Mark Lavi" <ml...@sgi.com>
Subject RE: [users@httpd] SSL and Apache
Date Fri, 16 Feb 2007 19:12:04 GMT
Sorry, I've not tried to get Apache with SSL working on Windows -- but
let me give you some suggestions even though I'm not a deep SSL expert.

First: you didn't mention your version of Apache or OpenSSL, how you
obtained them and configured them -- so it's extremely hard to
troubleshoot.

Second: just because certificates are loaded, that does not mean they
are configured properly to work with the SSL engine! It probably means
that they are of the proper format to load into the engine.

How to troubleshoot SSL: establish the basic configuration, then modify
what works incrementally to isolate configuration issues.

I would suggest that you try to get the default configuration of SSL
working with the "SnakeOil" generic, self signed certificate. After that
works, then adapt it to your desired configuration one or two directive
changes at a time. The goal would be to isolate configuration errors
with the certificate before moving on to ciphers or the virtual host.

I'm not sure that the default Windows Apache 2.2.x version has SnakeOil
certificates, but that is how I learned to master Apache SSL the first
time, when I built it from 1.3.x source with mod_ssl on Solaris a long
time ago in a galaxy far, far away...

I also noticed the warning line in your logs where the certificate name
doesn't match the server name: you could try fixing your httpd.conf file
because it would make sense to me that a mismatch might stop Apache from
starting, since that's a fatal mismatch. You could also increase the log
level detail and check the ERROR logs as well to help troubleshoot.

I hope this helps!

--Mark 
Mark Lavi, Enterprise Web Management Team @ SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707
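The advice above boils down to two checks: does the virtual host agree with the rest of the configuration, and does the name in the certificate agree with the name the server believes it has. The following is an added example (not code from the thread or from the Apache project) that runs those checks over the configuration fragment and the warning line quoted in the original question, both embedded here as constructed sample input. It assumes the directive names and the exact wording of the mod_ssl CommonName warning as they appear in the thread; the fixed-up paths in the test are hypothetical.

```python
"""Cross-check a mod_ssl <VirtualHost> against Listen directives and the
startup log, to isolate a certificate-name problem before touching ciphers.

Added example; not part of the mailing-list thread or of Apache httpd.
"""
import re

# Constructed sample input: the httpd.conf fragment from the question.
SAMPLE_CONF = """\
Listen 163.11.110.152:443

SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none

LogLevel debug

<VirtualHost 163.11.110.152:443>
SSLEngine On
SSLCertificateFile pw/my-server.cert
SSLCertificateKeyFile pw/my-server.key
</VirtualHost>
"""

# Constructed sample input: the relevant lines of the startup log.
SAMPLE_LOG = """\
[Fri Feb 16 01:29:29 2007] [debug] ssl_engine_init.c(729): Configuring RSA server certificate
[Fri Feb 16 01:29:29 2007] [warn] RSA server certificate CommonName (CN) `163.11.110.152:443' does NOT match server name!?
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.MULTILINE | re.IGNORECASE)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>\s*$(.*?)^\s*</VirtualHost>",
                      re.MULTILINE | re.DOTALL | re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]\w*)\s+(.+?)\s*$", re.MULTILINE)
CN_WARN_RE = re.compile(
    r"\[warn\] RSA server certificate CommonName \(CN\) `([^']*)' does NOT match server name")
ABSOLUTE_PATH_RE = re.compile(r"^(/|[A-Za-z]:[\\/])")


def listen_addresses(conf):
    """Every address:port the server is told to bind, exactly as written."""
    return {m.group(1) for m in LISTEN_RE.finditer(conf)}


def parse_vhosts(conf):
    """Return [(address, {directive: value})] per <VirtualHost> block.
    Directive names are lower-cased because Apache matches them case-insensitively."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        directives = {d.group(1).lower(): d.group(2)
                      for d in DIRECTIVE_RE.finditer(m.group(2))}
        vhosts.append((m.group(1).strip(), directives))
    return vhosts


def certificate_cn_from_log(log):
    """The CN that mod_ssl reported as not matching, or None if it did not warn."""
    m = CN_WARN_RE.search(log)
    return m.group(1) if m else None


def check(conf, log):
    """Return (code, message) findings for every SSL-enabled virtual host."""
    findings = []
    listens = listen_addresses(conf)
    cn = certificate_cn_from_log(log)
    for address, d in parse_vhosts(conf):
        if address not in listens:
            findings.append(("no-listen",
                             f"<VirtualHost {address}> has no matching Listen directive"))
        if d.get("sslengine", "").lower() != "on":
            continue
        server_name = d.get("servername")
        if server_name is None:
            findings.append(("no-servername",
                             f"<VirtualHost {address}> has SSLEngine on but no ServerName; "
                             "mod_ssl compares the certificate CN with the server's hostname"))
        for key in ("sslcertificatefile", "sslcertificatekeyfile"):
            path = d.get(key)
            if path and not ABSOLUTE_PATH_RE.match(path):
                findings.append(("relative-path",
                                 f"{key} '{path}' is relative; httpd resolves it against ServerRoot"))
        if cn is not None:
            if re.search(r":\d+$", cn):
                findings.append(("cn-has-port",
                                 f"certificate CN '{cn}' ends in a port; a hostname never carries "
                                 "one, so this certificate can never match any ServerName"))
            elif server_name and cn != server_name:
                findings.append(("cn-mismatch",
                                 f"certificate CN '{cn}' differs from ServerName '{server_name}'"))
    return findings


if __name__ == "__main__":
    for code, message in check(SAMPLE_CONF, SAMPLE_LOG):
        print(f"{code}: {message}")
```

Run against the quoted configuration, it reports that the virtual host has no ServerName, that both certificate paths are relative to ServerRoot, and that the certificate's CN carries a ":443" suffix, which no server hostname will ever equal; the Listen and VirtualHost addresses do agree. Fixing one finding at a time and restarting is the incremental approach recommended above.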

-----Original Message-----
From: Brian Gordon [mailto:bgordon0@gmail.com] 
Sent: Friday, February 16, 2007 5:36 AM
To: users@httpd.apache.org
Subject: [users@httpd] SSL and Apache

I've been trying for ages to get my server running SSL successfully. I
don't need port 80 (unencrypted traffic) at all, just 411.

I have the module set up just fine, and apache runs fine unless I
define a valid cert and key:

SSLCertificateFile pw/my-server.cert
SSLCertificateKeyFile pw/my-server.key

These are unencrypted (win32 doesn't support encrypted keys) SSL keys
that are valid for apache (when they're not valid it tells me so and
refuses to load them). But when I have these defined, and I start
apache, the "starting apache" console window comes up and takes longer
than usual, then just crashes and the vista "Apache HTTP server
stopped working and was closed" window comes up.

This is the entire debug log for an attempted start:

[Fri Feb 16 01:29:29 2007] [info] Init: Seeding PRNG with 136 bytes of
entropy
[Fri Feb 16 01:29:29 2007] [info] Loading certificate & private key of
SSL-aware server
[Fri Feb 16 01:29:29 2007] [debug] ssl_engine_pphrase.c(469):
unencrypted RSA private key - pass phrase not required
[Fri Feb 16 01:29:29 2007] [info] Init: Generating temporary RSA
private keys (512/1024 bits)
[Fri Feb 16 01:29:29 2007] [info] Init: Generating temporary DH
parameters (512/1024 bits)
[Fri Feb 16 01:29:29 2007] [info] Init: Initializing (virtual) servers
for SSL
[Fri Feb 16 01:29:29 2007] [info] Configuring server for SSL protocol
[Fri Feb 16 01:29:29 2007] [debug] ssl_engine_init.c(405): Creating
new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Fri Feb 16 01:29:29 2007] [debug] ssl_engine_init.c(729): Configuring
RSA server certificate
[Fri Feb 16 01:29:29 2007] [warn] RSA server certificate CommonName
(CN) `163.11.110.152:443' does NOT match server name!?
[Fri Feb 16 01:29:29 2007] [debug] ssl_engine_init.c(768): Configuring
RSA server private key
[Fri Feb 16 01:29:29 2007] [info] Server: Apache/2.2.3, Interface:
mod_ssl/2.2.3, Library: OpenSSL/0.9.8d
[Fri Feb 16 01:29:29 2007] [info] Init: Seeding PRNG with 136 bytes of
entropy
[Fri Feb 16 01:29:29 2007] [info] Loading certificate & private key of
SSL-aware server

It abruptly ends at that last line.

This is the relevant section from my httpd.conf. It's basically
identical to ssl.conf and including that doesn't make a difference.
And like I said, if I just take out those two cert/key lines then it
will start fine (but of course tell me that there's no way ssl will
work without a certificate).

#SSL

Listen 163.11.110.152:443

AddType application/x-x509-ca-cert .cert
AddType application/x-pkcs7-crl    .crl

SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none

LogLevel debug

<VirtualHost 163.11.110.152:443>
SSLEngine On
SSLCertificateFile pw/my-server.cert
SSLCertificateKeyFile pw/my-server.key
</VirtualHost>

Does anyone know what's going on? I see hundreds of success stories
around the internet about making the key file unencrypted, but mine is
already unencrypted. Also it's Listening on a specific IP address,
something that helped some other people. What else is there left to
try?


-- 
Brian Gordon

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

