Message-ID: <4663AC92.1090403@tacocat.net>
Date: Mon, 04 Jun 2007 02:09:22 -0400
From: Tom Allison
To: users@httpd.apache.org
Subject: [users@httpd] apache+ssl config

OK, at one point in my life I had something working for a very brief period that looked like https. Unfortunately after a few days... it stopped. Never got it working again...

So I'm trying to get sane directions working and I'm pretty hosed... apache will start but https doesn't respond. This seems fairly common.

[Sat Jun 02 22:09:55 2007] [info] Init: Seeding PRNG with 0 bytes of entropy
[Sat Jun 02 22:09:55 2007] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sat Jun 02 22:09:55 2007] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sat Jun 02 22:09:55 2007] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Sat Jun 02 22:09:55 2007] [info] Init: Initializing (virtual) servers for SSL
[Sat Jun 02 22:09:55 2007] [info] Server: Apache/2.2.3, Interface: mod_ssl/2.2.3, Library: OpenSSL/0.9.8c
[Sat Jun 02 22:09:55 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Sat Jun 02 22:09:55 2007] [info] mod_fcgid: Process manager 16591 started
[Sat Jun 02 22:09:55 2007] [info] Init: Seeding PRNG with 0 bytes of entropy
[Sat Jun 02 22:09:55 2007] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sat Jun 02 22:09:55 2007] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sat Jun 02 22:09:55 2007] [info] Init: Initializing (virtual) servers for SSL
[Sat Jun 02 22:09:55 2007] [info] Server: Apache/2.2.3, Interface: mod_ssl/2.2.3, Library: OpenSSL/0.9.8c
[Sat Jun 02 22:09:55 2007] [notice] Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c configured -- resuming normal operations
[Sat Jun 02 22:09:55 2007] [info] Server built: Mar 27 2007 14:54:26

The response from Firefox is some error called "has sent an incorrect or unexpected message. Error Code -12263"

I have Directives in apache.conf for:
Listen 443

Directives in ssl.conf
# added by me.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/host.cert
SSLCertificateKeyFile /etc/apache2/ssl/host.key

NOTE: I also have SSLSessionCache called out even though the logs say I don't. It's the debian default so I'm kind of "wtf?" on this one.

Now, I have about 100 questions that I've been searching for all night long. I'm either hitting the wrong keywords or just can't find anything.

First. If I want to have both SSL and non-SSL Virtual Hosts: It is my understanding that I can only have one HTTPS host but many HTTP hosts (chicken and egg). For the most part, this is fine. I'm primarily looking at a http+https host and perhaps smaller (static) http sites.

It's fairly obvious to me that I don't have any clue where to put the SSLEngine/SSLCertificate* directives because they just don't act like they are being considered at all.

So I'm asking if someone has some concise information on how this can be done....

I assume that no matter what I want to do I have to leave the 'Listen 443' directive in Section 1 of apache.conf. true/false?

I suspect that the SSL Directives I want to use have to be entered into a VirtualHost Directive like:

SSLEngine on
SSLCertificateFile ...
SSLCertificateKeyFile ...
/// And other stuff there with directories and cgi-bin directories...

And so I have to write a *lot* of stuff for the HTTPS stuff to work. Seems that for just about every directive out there (cgi, fcgi, ...) I have to darn near copy and repeat for HTTPS. This seems incorrect because it's repetitive, lengthy, and does nothing to restrict sections to only HTTPS.

I haven't any idea how to make certain areas HTTP only and others HTTPS only but it's probably related to SSLRequire. Unfortunately, since I have no SSL working at all my ability to investigate this is slightly limited.. ;)

So, what's a good practice for doing this kind of stuff. Am I even close?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
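
One way to check what a port 443 listener is actually speaking (an added example, not part of the original message): Firefox's -12263 is NSS's SSL_ERROR_RX_RECORD_TOO_LONG, which a client raises when the first bytes it reads as a TLS record header declare an impossible length, typically because the server answered in plain HTTP. The byte strings below are constructed samples, and the function names are this example's own.

```python
"""Classify the first bytes a server returns on port 443 (added example)."""
import struct

MAX_RECORD_LEN = 2**14 + 2048         # largest TLS ciphertext record (RFC 5246)
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data


def parse_record_header(data: bytes):
    """Read 5 bytes the way a TLS client does: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def classify(data: bytes) -> str:
    """Return 'tls', 'plaintext-http' or 'unknown' for a server's first bytes."""
    ctype, (major, _minor), length = parse_record_header(data)
    if ctype in TLS_CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        return "tls"
    # Plain HTTP shows up either as a status line or as a bare HTML error
    # page (an HTTP/0.9-style reply to a request the server could not parse).
    head = data.lstrip().lower()
    if data.startswith(b"HTTP/") or head.startswith((b"<!doctype", b"<html")):
        return "plaintext-http"
    return "unknown"


# Constructed samples, not captured from the poster's server.
SAMPLES = {
    "tls_server_hello": bytes.fromhex("160301004a") + b"\x02\x00\x00\x46",
    "http_status_line": b"HTTP/1.1 400 Bad Request\r\n",
    "bare_html_error": b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ctype, version, length = parse_record_header(raw)
        print(f"{name}: {classify(raw)} (read as a TLS record: "
              f"type={ctype}, version={version}, length={length})")
```

Read as a record header, the ASCII bytes `HTTP/` give a declared length of 20527 and `<!DOC` gives 20291, both above the 18432-byte ceiling, which is why the browser reports a record that is too long rather than a failed handshake.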