httpd-users mailing list archives

From daniel.goul...@and.co.uk
Subject RE: [users@httpd] SSL on Apache 2.2.14
Date Thu, 26 Nov 2009 12:15:49 GMT

Maybe you could try --enable-shared in your configure arguments?

What do you get from a 'pldd <pid_of_httpd>' ?

You might want to ensure that your LDFLAGS are set as
"-L/home/consolati1/openssl/openssl-0.9.8g/installed/lib -R/home/consolati1/openssl/openssl-0.9.8g/installed/lib"
when you build Apache.

And check the LD_LIBRARY_PATH ('pargs -e <pid_of_apache>' will tell you
what this is)

Also check your crle output to see where Solaris is looking for libssl
and libcrypto (ldd would have used these paths)

________________________________
From: "John J. Consolati" <consolati1@llnl.gov> [mailto:"John J. Consolati" <consolati1@llnl.gov>]
Sent: 25 November 2009 22:25
To: users@httpd.apache.org
Subject: Re: [users@httpd] SSL on Apache 2.2.14

Here are the build commands I've tried:

./configure --prefix=/home/consolati1/apache/httpd-2.2.14/installed --enable-static-support --enable-ssl --with-ssl=/home/consolati1/openssl/openssl-0.9.8l/installed --with-mpm=prefork

./configure --prefix=/home/consolati1/apache/httpd-2.2.14/installed/ --enable-ssl --with-ssl=/home/consolati1/openssl/openssl-0.9.8g/installed/
(currently using this one)

Both of them result in the same thing, and were the commands my
predecessor used.

I will try building it with the configure command you sent. I haven't
personally tried gcc, but my coworkers have left extensive notes of
errors that gcc throws. It couldn't hurt to try again.

It is odd that libssl and libcrypt aren't in there -- I tried building
statically, as you can see, but the httpd -l that I posted was from
the second one (which should be dynamic). Any ideas why they're
missing?

Thanks,
John

On Nov 25, 2009, at 2:14 PM, Dan_Mitton@YMP.GOV wrote:

>
> We are only at Apache 2.2.9, but don't have any problems. The
> command I use to build apache with is:
>
> ./configure --prefix=/usr/local/apache-2.2.9 --with-ssl=/usr/local/ssl --with-z=/usr/local/lib --enable-ssl --enable-cache --enable-disk-cache --enable-mem-cache --enable-autoindex --enable-mods-shared="rewrite ssl dav dav-fs proxy"
>
> of course, this is building a shared mod_ssl.so, and a few other
> things. We use gcc instead of Sun's. Can you try it with gcc? I
> can't imagine that is the problem, but it might be worth a test.
>
> We have changed both Apache and OpenSSL versions, several times, and
> never had any certificate problems.
>
> Here is one thing to look into... Looking back at your 'ldd httpd'
> output, there is no mention of libssl or libcrypt, so I assume that
> you are statically linking them in. Are you sure that you are
> picking up the OpenSSL version and not Sun's default installed
> version in /lib ? Can you post your build command? Personally, I
> like dynamic linking, so that you can upgrade to a new OpenSSL,
> without having to redo everything that uses it.
>
> Dan
>
>
> Please respond to users@httpd.apache.org
>
>
> To: users@httpd.apache.org
> cc: (bcc: Dan Mitton/YD/RWDOE)
> Subject: Re: [users@httpd] SSL on Apache 2.2.14
>
>
> LSN: Not Relevant
> User Filed as: Not a Record
>
> Dan,
>
> The error occurs on both Safari and Firefox on Apache 2.2.14. We
> don't have IE in our environment. Both Safari and Firefox work as
> they should with 2.0.47.
>
> It looks like mod_ssl.c is compiled in -- it shows up with httpd -l.
>
> I've checked the links you sent me. The description doesn't provide a
> whole lot of detail, and, according to the other one, I checked to
> make sure I am using prefork instead of MPM -- it seems to default to
> prefork anyway, but I specified it in the /config before compilation.
>
> I've Googled to my wit's end for several days without finding anything
> conclusive. Some pages hint at compilation options, others at
> compilers (I'm using Sun's cc, not gcc), but nothing conclusive.
>
> Here is one question I couldn't find the answer to, though: if I
> requested a server certificate using a specific version of OpenSSL,
> can I use that same certificate in a different version of Apache with
> a different version of OpenSSL? Or do I have to re-request if I
> upgrade OpenSSL? A long shot I know, but I'm running out of
> options...
>
> Thank you for the help,
> John
>
> On Nov 25, 2009, at 12:07 PM, Dan_Mitton@YMP.GOV wrote:
>
> >
> > John,
> >
> > You should not need to upgrade Solaris. I've got apache running on
> > a solaris 9 box just fine.
> >
> > Your "wrong path" shouldn't be a problem either. Those are just
> > "the last place to look" for an .so. Solaris will use what is in
> > the 'crle' command and the LD_LIBRARY_PATH environment variable
> > first (I'm not sure of the order).
> >
> > You may or may not have a mod_ssl.so, depending on how you compiled
> > apache. If you run:
> >
> > httpd -l (that's an el)
> >
> > It will list out which modules are compiled in. If you see
> > mod_ssl.c, you will not have a mod_ssl.so. Otherwise, mod_ssl.so
> > should normally be in your apache's modules subdirectory.
> >
> > Do you only get the error on Firefox and not IE?
> >
> > Dan
> >
> >
> > Please respond to users@httpd.apache.org
> >
> >
> > To: users@httpd.apache.org
> > cc: (bcc: Dan Mitton/YD/RWDOE)
> > Subject: Re: [users@httpd] SSL on Apache 2.2.14
> >
> >
> > LSN: Not Relevant
> > User Filed as: Not a Record
> >
> > Here is the complete command:
> >
> > openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.key -CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.crt/intermediate.crt -www
> >
> > Your suggested 'GET / HTTP/1.0\r\r' was successful.
> >
> > However, I found something interesting doing an ldd -- a few of them
> > have wrong paths:
> >
> > bash-2.05# ldd httpd
> > libm.so.1 => /usr/lib/libm.so.1
> > libaprutil-1.so.0 => /wrong/path
> > libexpat.so.0 => /wrong/path
> > libapr-1.so.0 => /wrong/path
> > libuuid.so.1 => /usr/lib/libuuid.so.1
> > libsendfile.so.1 => /usr/lib/libsendfile.so.1
> > librt.so.1 => /usr/lib/librt.so.1
> > libsocket.so.1 => /usr/lib/libsocket.so.1
> > libnsl.so.1 => /usr/lib/libnsl.so.1
> > libpthread.so.1 => /usr/lib/libpthread.so.1
> > libdl.so.1 => /usr/lib/libdl.so.1
> > libthread.so.1 => /usr/lib/libthread.so.1
> > libc.so.1 => /usr/lib/libc.so.1
> > libucb.so.1 => (file not found)
> > libresolv.so.2 => /usr/lib/libresolv.so.2
> > libelf.so.1 => /usr/lib/libelf.so.1
> > libucb.so.1 => /usr/ucblib/libucb.so.1
> > libaio.so.1 => /usr/lib/libaio.so.1
> > libmd5.so.1 => /usr/lib/libmd5.so.1
> > libmp.so.2 => /usr/lib/libmp.so.2
> > /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
> > /usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1
> >
> > I wasn't sure where to find mod_ssl.so -- I could only find mod_ssl.h.
> >
> > Is there a way to change the links without rebuilding?
> >
> > Thank you,
> > John
> >
> > On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:
> >
> > >
> > > On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:
> > >
> > >> Thank you for the reply.
> > >>
> > >> Unfortunately, upgrading Solaris isn't an option. Here is the
> > >> version I have to work with (quite old..):
> > >>
> > >> bash-2.05# cat /etc/release
> > >> Solaris 9 4/04 s9s_u6wos_08a SPARC
> > >> Copyright 2004 Sun Microsystems, Inc. All Rights Reserved.
> > >> Use is subject to license terms.
> > >> Assembled 22 March 2004
> > >> bash-2.05# uname -a
> > >> SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250
> > >>
> > >> I've been using the Sun cc, not gcc, to compile everything.
> > >>
> > >>
> > >> Here is the output from the openSSL commands:
> > >>
> > >> openssl -certs....etc etc
> > >
> > > What is your complete command line here?
> > >
> > >> Using default temp DH parameters
> > >> Using default temp ECDH parameters
> > >> ACCEPT
> > >> -----BEGIN SSL SESSION PARAMETERS-----
> > >> MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIeX2wE
> > >> MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F/Ajy
> > >> V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
> > >> -----END SSL SESSION PARAMETERS-----
> > >> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
> > >> CIPHER is DHE-RSA-AES256-SHA
> > >>
> > >>
> > >>
> > >> And on the other terminal:
> > >>
> > >> bash-2.05$ openssl s_client -connect localhost:4433
> > >> CONNECTED(00000003)
> > >> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
> > >> verify error:num=20:unable to get local issuer certificate
> > >> verify return:0
> > >
> > > That's not a problem, just OpenSSL complaining it can't find the
> > > Verisign root cert. If you happen to have a copy of that (like your
> > > browser does) and point openssl s_client to it, it can verify all
> > > the way to the top. This does not impact the connection itself.
> > >
> > >> ---
> > >> Certificate chain
> > >> 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National Laboratory/OU=Environmental Restoration Division erdc/CN=www-erdc.llnl.gov
> > >> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
> > >> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
> > >> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> > >> ---
> > >> Server certificate
> > >> -----BEGIN CERTIFICATE-----
> > >> certificate hash...
> > >> -----END CERTIFICATE-----
> > >> subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore National Laboratory/OU=Environmental Restoration Division erdc/CN=www-erdc.llnl.gov
> > >> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
> > >> ---
> > >> No client certificate CA names sent
> > >> ---
> > >> SSL handshake has read 2973 bytes and written 258 bytes
> > >> ---
> > >> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > >> Server public key is 1024 bit
> > >> Compression: NONE
> > >> Expansion: NONE
> > >> SSL-Session:
> > >> Protocol : TLSv1
> > >> Cipher : DHE-RSA-AES256-SHA
> > >> Session-ID: 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E5F6C
> > >> Session-ID-ctx:
> > >> Master-Key: EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A45712081626A57E6C0FE555052DC5FC08F257
> > >> Key-Arg : None
> > >> Start Time: 1259172800
> > >> Timeout : 300 (sec)
> > >> Verify return code: 20 (unable to get local issuer certificate)
> > >> ---
> > >>
> > >> Looks like there is a problem with one of the certificates, but I'm
> > >> not sure how to proceed...
> > >
> > > At this point, you have a valid handshake, and the client and server
> > > have exchanged data encrypted and MACed with the session keys. All
> > > is well. You could type on the command line 'GET / HTTP/1.0\r\r'
> > > (two returns) and you'll get the status page generated by
> > > openssl s_server -www.
> > >
> > > This means you have a configuration problem with Apache. Make sure
> > > you're using the ssl and crypto libraries that you think you are by
> > > running ldd on the httpd binary and the mod_ssl.so binary. While
> > > the Solaris build environment usually gets this right by hardcoding
> > > the path to the libraries at link time, make sure this is ok at run
> > > time.
> > >
> > > Then, make sure your server is configured correctly, and that your
> > > SSL virtual host(s) use the correct combination of
> > > SSLCertificateFile and SSLCertificateKeyFile.
> > >
> > > S.
> > >
> > >> Again, thank you for your help, I appreciate it.
> > >>
> > >> Regards,
> > >> John
> > >>
> > >>
> > >> On Nov 25, 2009, at 10:00 AM, daniel.goulder@and.co.uk wrote:
> > >>
> > >>> This sounds like a Solaris bug.
> > >>>
> > >>> Make sure you have a recent version of Solaris or the latest patches
> > >>> installed...
> > >>>
> > >>> What release/patch level are you using?
> > >>>
> > >>> Danny
> > >>>
> > >>> ________________________________
> > >>>
> > >>> From: "John J. Consolati" <consolati1@llnl.gov> [mailto:"John J. Consolati" <consolati1@llnl.gov>]
> > >>> Sent: 25 November 2009 17:23
> > >>> To: users@httpd.apache.org
> > >>> Subject: [users@httpd] SSL on Apache 2.2.14
> > >>>
> > >>>
> > >>> Hello,
> > >>>
> > >>> Hopefully someone will be able to help, as I've been working on this
> > >>> problem for quite a while and have hit a wall. I'm trying to upgrade
> > >>> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to
> > >>> build and compile okay, but when I try to access my site running on
> > >>> 2.2.14, I get a strange error from Firefox: "Secure connection
> > >>> failed. An error occurred during a connection to xxxxxx. SSL peer
> > >>> reports incorrect Message Authentication Code. (Error code:
> > >>> ssl_error_bad_mac_alert)."
> > >>>
> > >>> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same
> > >>> results. This is hosted on a Solaris sparc box. The 2.2.14 server is
> > >>> utilizing all the same files and SSL certificates as the 2.0.47
> > >>> server. I've called Verisign; I have valid certificates, but they've
> > >>> never heard of this error before. If I self-sign a certificate and
> > >>> test it with the 2.2.14 server, it seems to work (except for the
> > >>> expected error message regarding self-signed certificates).
> > >>>
> > >>> Searching on Google has led me to try forcing Apache to compile with
> > >>> prefork enabled (but it seems to default to that anyway on Solaris).
> > >>> I've also tried statically linking Apache during compile with the
> > >>> same results.
> > >>>
> > >>> If anyone has any ideas or suggestions, I'd very much appreciate
> > >>> them...
> > >>> Thank you,
> > >>> John
> > >>>
> > >>> ---------------------------------------------------------------------
> > >>> The official User-To-User support forum of the Apache HTTP Server
> > >>> Project.
> > >>> See <URL:http://httpd.apache.org/userslist.html> for more info.
> > >>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >>>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > >>> For additional commands, e-mail: users-help@httpd.apache.org
> > >>>
> > >>> ______________________________________________________________________
> > >>> This email has been scanned by the MessageLabs Email Security
> > >>> System.
> > >>> For more information please visit http://www.messagelabs.com/email
> > >>> ______________________________________________________________________
> > >>>
> > >>> ______________________________________________________________________
> > >>> This e-mail and any attached files are intended for the named
> > >>> addressee only. It contains information, which may be confidential
> > >>> and legally privileged and also protected by copyright. Unless you
> > >>> are the named addressee (or authorised to receive for the
> > >>> addressee) you may not copy or use it, or disclose it to anyone
> > >>> else. If you received it in error please notify the sender
> > >>> immediately and then delete it from your system. Please be advised
> > >>> that the views and opinions expressed in this e-mail may not
> > >>> reflect the views and opinions of Associated Newspapers Limited or
> > >>> any of its subsidiary companies. We make every effort to keep our
> > >>> network free from viruses. However, you do need to check this
> > >>> e-mail and any attachments to it for viruses as we can take no
> > >>> responsibility for any computer virus which may be transferred by
> > >>> way of this e-mail. Use of this or any other e-mail facility
> > >>> signifies consent to any interception we might lawfully carry out
> > >>> to prevent abuse of these facilities.
> > >>> Associated Newspapers Ltd. Registered Office: Northcliffe House, 2
> > >>> Derry St, Kensington, London, W8 5TT. Registered No 84121 England.
> > >
> > > --
> > > Sander Temme
> > > sctemme@apache.org
> > > PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
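
The check this thread keeps returning to (does `ldd` on httpd or mod_ssl.so list libssl and libcrypto, and do they resolve inside the OpenSSL tree the build was pointed at) can be done mechanically. The following is an added example, not part of any message in the thread; the function name `check_ssl_linkage`, its status codes and the sample `ldd` output are assumptions constructed for illustration, and the expected directory is the one from the LDFLAGS suggestion above.

```sh
#!/bin/sh
# Added example (not from the thread): report where libssl/libcrypto resolve,
# given `ldd` output on stdin.
#   Usage: ldd /path/to/httpd | check_ssl_linkage /expected/openssl/lib
#   $1 = directory the build was pointed at with -L/-R (expected location)
# Output: one finding per line (OK / UNEXPECTED / MISSING / ABSENT).
# Status: 0 = every SSL library listed resolves under $1
#         1 = at least one resolves elsewhere or is not found
#         2 = neither library is listed (statically linked, or OpenSSL is
#             pulled in by mod_ssl.so: run the check on that file instead)
# ldd reflects the current environment, so LD_LIBRARY_PATH and crle
# settings influence the paths it prints.
check_ssl_linkage() {
    awk -v want="${1%/}" '
        # ldd lines have the form:  libname.so.N => /resolved/path
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            seen++
            if ($0 ~ /not found/) {
                print "MISSING " $1
                bad++
            } else if (index($3, want "/") == 1) {
                print "OK " $1 " " $3
            } else {
                print "UNEXPECTED " $1 " " $3
                bad++
            }
        }
        END {
            if (!seen) {
                print "ABSENT libssl/libcrypto not in ldd output"
                exit 2
            }
            exit (bad ? 1 : 0)
        }'
}

# Directory taken from the LDFLAGS suggestion in the thread.
PREFIX=/home/consolati1/openssl/openssl-0.9.8g/installed/lib

# Constructed sample: both libraries resolve where the build pointed.
SAMPLE_GOOD="    libssl.so.0.9.8 => $PREFIX/libssl.so.0.9.8
    libcrypto.so.0.9.8 => $PREFIX/libcrypto.so.0.9.8
    libc.so.1 => /usr/lib/libc.so.1"

# Constructed sample: a system copy is picked up and one library is missing.
SAMPLE_SYSTEM="    libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8
    libcrypto.so.0.9.8 => (file not found)
    libc.so.1 => /usr/lib/libc.so.1"

# Abridged from the ldd output quoted in the thread: no SSL libraries listed.
SAMPLE_NONE="    libm.so.1 => /usr/lib/libm.so.1
    libapr-1.so.0 => /wrong/path
    libc.so.1 => /usr/lib/libc.so.1"

# Demo over the three samples; "|| true" keeps going on non-zero status.
for sample in "$SAMPLE_GOOD" "$SAMPLE_SYSTEM" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | check_ssl_linkage "$PREFIX" || true
    echo "--"
done
```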
