RE: Apache 2.2.21 SSL on RHEL v5.7


 



Hi,

One more piece of information: Apache never prompts me for the pass phrase when it starts with https enabled on Redhat, which it is supposed to. It prompts me to enter the pass phrase on my Solaris Apache reverse proxy server.

Ryan Jiang

-----Original Message-----
From: Ruiyuan Jiang [mailto:Ruiyuan_Jiang@xxxxxxx] 
Sent: Monday, January 23, 2012 6:00 PM
To: users@xxxxxxxxxxxxxxxx
Subject: RE:  Apache 2.2.21 SSL on RHEL v5.7

Hi,

I modified Apache's LD_LIBRARY_PATH to first check /usr/local/ssl/lib before I recompiled Apache and modified envvars in the bin directory to have /usr/local/ssl/lib directory listed but no help. Any reason why? Thanks.

Ryan

-----Original Message-----
From: Ruiyuan Jiang [mailto:Ruiyuan_Jiang@xxxxxxx] 
Sent: Monday, January 23, 2012 3:12 PM
To: users@xxxxxxxxxxxxxxxx
Subject: RE:  Apache 2.2.21 SSL on RHEL v5.7

Thanks for the reply, Rainer. I checked that Redhat comes with openssl v0.9.8e not 1.x. When I compiled Apache, one of the options that I used is "--with-ssl=/usr/local/ssl" which is the one I compiled myself.
This time I think I waited long enough so I got some messages from one of two https virtual servers:

[Mon Jan 23 14:31:12 2012] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218640442 error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 67710980 error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error


Can I copy keys and certs from Solaris to Redhat through sftp?

Maybe not enough entropy on /dev/random or /dev/urandom whatever is used? Can you explain a little bit more and what should I do to fix it?

Thanks.

Ryan Jiang

-----Original Message-----
From: Rainer Jung [mailto:rainer.jung@xxxxxxxxxxx] 
Sent: Monday, January 23, 2012 2:43 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  Apache 2.2.21 SSL on RHEL v5.7

On 23.01.2012 20:02, Ruiyuan Jiang wrote:
> Hi,
>
> I have two Apache 2.2.21 reverse proxy servers on Solaris 10 (SPARC) and additional modules that are not in the Apache distribution. They are running fine so far. Now we want to migrate Apache to Redhat Enterprise server v5.7. I compiled Apache the same way and with the same options as on the Solaris through a script that I saved. I copied all the modified necessary configuration files from Solaris and certificates from Solaris to Redhat and made necessary changes such as IP addresses. The syntax check is OK. When I start Apache on the Redhat, "apachectl start" just sits there without giving back the shell prompt. The access log and error log are empty so I don't know the reason. If I disable httpd-ssl.conf file which will not start https, Apache starts fine. Does anyone know what could be the cause of the ssl problem on Redhat?

Maybe not enough entropy on /dev/random or /dev/urandom whatever is used?

> Also I first compiled openssl 1.0.0f on Redhat, I then downloaded openssl 1.0.0g once it became available and compiled it at the same location. On Solaris if I restart Apache, the error log will show the new version of Openssl but on Redhat, Apache shows the old version (1.0.0f) of OpenSSL. Why? Thanks.

Solaris doesn't have OpenSSL 1.0 libs installed in the default lib 
directories, so mod_ssl will find your custom build one. RedHat comes 
with OpenSSL 1.0 installed, so you have to set LD_LIBRARY_PATH or link 
statically into mod_ssl in order to let mod_ssl find the right OpenSSL lib.

If there is other stuff in your Apache which also has dependencies to 
OpenSSL, like e.g. something doing ldaps, then things will become quite 
tricky :(

Regards,

Rainer



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




This message (including any attachments) is intended
solely for the specific individual(s) or entity(ies) named
above, and may contain legally privileged and
confidential information. If you are not the intended 
recipient, please notify the sender immediately by 
replying to this message and then delete it.
Any disclosure, copying, or distribution of this message,
or the taking of any action based on it, by other than the
intended recipient, is strictly prohibited.
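
The two checks this thread turns on, as an added example that is not part of the original messages: which libssl the dynamic linker resolves for mod_ssl, and whether a PEM key is of a kind for which httpd asks for a pass phrase. The function names, the sample `ldd` output and the sample key are constructed here; the module path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Real use, path is a placeholder:
#   ldd /path/to/modules/mod_ssl.so | check_libssl /usr/local/ssl/lib
#   pem_key_kind < server.key
# Run ldd on the httpd binary instead if mod_ssl is compiled in.

# stdin: ldd output; $1: directory the custom OpenSSL libs were installed in
# (no trailing slash). Prints a verdict on the libssl the linker resolved.
check_libssl() {
    path=$(awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }')
    case "$path" in
        "")     echo "no-dynamic-libssl" ;;  # static link: LD_LIBRARY_PATH is irrelevant
        not)    echo "not-found" ;;          # ldd printed "=> not found"
        "$1"/*) echo "ok $path" ;;
        *)      echo "mismatch $path" ;;     # a different copy wins at run time
    esac
}

# stdin: PEM file. Classifies the private key by its PEM headers; only the
# two encrypted kinds need a pass phrase before the key can be decoded.
pem_key_kind() {
    key=$(cat)
    case "$key" in
        *"-----BEGIN ENCRYPTED PRIVATE KEY-----"*)     echo "encrypted-pkcs8" ;;
        *"PRIVATE KEY-----"*"Proc-Type: 4,ENCRYPTED"*) echo "encrypted-traditional" ;;
        *"PRIVATE KEY-----"*)                          echo "unencrypted" ;;
        *)                                             echo "no-private-key" ;;
    esac
}

# Constructed sample inputs (no real key material, not output from the thread).
SAMPLE_LDD='    libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00002b0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00002b0000200000)'
SAMPLE_KEY='-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

(constructed placeholder body)
-----END RSA PRIVATE KEY-----'

printf '%s\n' "$SAMPLE_LDD" | check_libssl /usr/local/ssl/lib
printf '%s\n' "$SAMPLE_KEY" | pem_key_kind
```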

