Hi list,

With the number of threads regarding Apache and SSL, you'd think I would find a solution... sigh... I feel I'm missing something trivial. I apologise for the long post.

I performed a build of 2.0.54 with mod_ssl and installed on Fedora Core 3. I built with the following configure options:

    % ./configure --prefix=/usr/local/apache2 --enable-ssl --enable-so

All is well and I can get to the default Apache page using IE/Mozilla.

I created the cert and cert request, created my own CA and signed my CSR according to:
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html

Copied server.key to conf/ssl.key/.
Copied server.crt to conf/ssl.crt/.

Configuration files:

conf/httpd.conf is stock standard and includes conf/ssl.conf, however I changed the log level to 'info'.

conf/ssl.conf looks like so (without comments):

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    <IfDefine SSL>
    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/usr/local/apache2/logs/ssl_mutex
    <VirtualHost _default_:443>
        DocumentRoot /usr/local/apache2/htdocs
        ServerName www.mydomain.com.au
        ServerAdmin admin@xxxxxxxxxxxxxxx
        ErrorLog /usr/local/apache2/logs/error_log
        TransferLog /usr/local/apache2/logs/access_log
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/usr/local/apache2/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog /usr/local/apache2/logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    </IfDefine>

I start up Apache:

    ./apachectl startssl

error_log reads:

    [Wed Jun 29 13:00:12 2005] [info] Init: Initializing OpenSSL library
    [Wed Jun 29 13:00:12 2005] [info] Init: Seeding PRNG with 136 bytes of entropy
    [Wed Jun 29 13:00:12 2005] [info] Loading certificate & private key of SSL-aware server
    [Wed Jun 29 13:00:12 2005] [info] Init: Requesting pass phrase via builtin terminal dialog
    [Wed Jun 29 13:00:18 2005] [info] Init: Wiped out the queried pass phrases from memory
    [Wed Jun 29 13:00:18 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
    [Wed Jun 29 13:00:19 2005] [info] Init: Initializing (virtual) servers for SSL
    [Wed Jun 29 13:00:19 2005] [info] Configuring server for SSL protocol
    [Wed Jun 29 13:00:19 2005] [info] Server: Apache/2.0.54, Interface: mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
    [Wed Jun 29 13:00:19 2005] [info] Init: Initializing OpenSSL library
    [Wed Jun 29 13:00:19 2005] [info] Init: Seeding PRNG with 136 bytes of entropy
    [Wed Jun 29 13:00:19 2005] [info] Loading certificate & private key of SSL-aware server
    [Wed Jun 29 13:00:19 2005] [info] www.mydomain.com.au:443 reusing existing RSA private key on restart
    [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
    [Wed Jun 29 13:00:19 2005] [info] Init: Initializing (virtual) servers for SSL
    [Wed Jun 29 13:00:19 2005] [info] Configuring server for SSL protocol
    [Wed Jun 29 13:00:19 2005] [info] Server: Apache/2.0.54, Interface: mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
    [Wed Jun 29 13:00:19 2005] [notice] Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7a configured -- resuming normal operations
    [Wed Jun 29 13:00:19 2005] [info] Server built: Jun 29 2005 01:50:33

To do the basic test:

    $ openssl s_client -connect localhost:443

I get the following to stdout:

    .....
    No client certificate CA names sent
    ---
    SSL handshake has read 1357 bytes and written 340 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: C883239FD990EC30F05A3E127968FD62D08A2D0B17D468965FFDB3989B7ECE7D
        Session-ID-ctx:
        Master-Key: 978C61CA859767E541F22D7828FEE851D636AB35A3E1F04F2172214E9DCF8C673FAE3427454BFF0769033382A7FD18DC
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1120022013
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)

I then enter:

    $ GET / HTTP/1.0
    $ <CR>

and receive the HTML headers and response as expected. error_log shows:

    [Wed Jun 29 13:13:33 2005] [info] Connection to child 2 established (server www.mydomain.com.au:443, client 127.0.0.1)
    [Wed Jun 29 13:13:33 2005] [info] Seeding PRNG with 136 bytes of entropy
    [Wed Jun 29 13:16:00 2005] [info] Initial (No.1) HTTPS request received for child 2 (server www.smsticketing.com.au:443)
    [Wed Jun 29 13:16:00 2005] [info] Connection to child 2 closed with standard shutdown(server www.mydomain.com.au:443, client 127.0.0.1)

When I run curl:

    $ curl --insecure https://www.mydomain.com.au/

produces the same result as above.

    $ curl https://www.mydomain.com.au/

I get the following to stdout (I presume as expected, since I was my own CA):

    curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). The default
    bundle is named curl-ca-bundle.crt; you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.

error_log shows:

    [Wed Jun 29 13:25:55 2005] [info] Connection to child 0 established (server www.smsticketing.com.au:443, client 10.1.3.120)
    [Wed Jun 29 13:25:55 2005] [info] Seeding PRNG with 136 bytes of entropy
    [Wed Jun 29 13:25:55 2005] [info] SSL library error 1 in handshake (server www.mydomain.com.au:443, client 10.1.3.120)
    [Wed Jun 29 13:25:55 2005] [info] SSL Library Error: 336151576 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    [Wed Jun 29 13:25:55 2005] [info] Connection to child 0 closed with abortive shutdown(server www.mydomain.com.au:443, client 10.1.3.120)

In the browser:

In IE, I get the 'The page cannot be displayed' page.
In Firefox I get an alert stating "The operation timed out when attempting to contact www.mydomain.com.au".
Neither produces entries in the logs.

I feel my self-signed cert may be the cause. If anyone has any suggestions, please let me know.

Thanks,
Vance

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
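The post shows two different client outcomes that are easy to conflate: curl reaches the server and rejects the certificate itself (the "tlsv1 alert unknown ca" the server logs is the client's alert, expected when the private CA is not in curl's bundle; curl's own message points at the --cacert option), while the browsers time out and the server logs nothing, which means their connections never completed a handshake at all. The following script is an added example, not code from the original post or from the Apache project. It connects to a host and port with full chain and hostname verification, and classifies the result into "verify-failed", "timeout", "refused" and so on, so that a verification failure (fix: supply the CA certificate, connect by the name in the certificate) is not mistaken for a reachability problem (fix: check the Listen address and any filtering in front of port 443). The `cafile` and `server_hostname` parameters, the `silent_server` stand-in and the sample exceptions in `self_check` are all constructed for this example.

```python
"""Probe a TLS endpoint and name the failure mode.

Added example, not code from the original mailing-list post. It separates the
two behaviours seen in the post: curl reaches the server and rejects the
certificate (the "unknown ca" alert in error_log), while the browsers time out
and leave no log entry at all.
"""
import socket
import ssl
import threading
import time

DIAGNOSIS = {
    "ok": "handshake completed; certificate chains to a trusted CA and matches the name",
    "verify-failed": "server reached, but the certificate does not chain to a CA the client "
                     "trusts or does not match the requested name (supply the CA cert, e.g. "
                     "curl --cacert, and connect using the name in the certificate)",
    "handshake-error": "server reached, but the TLS handshake failed for another reason "
                       "(protocol/cipher mismatch, or a non-TLS service on the port)",
    "timeout": "no TLS response within the timeout: check the Listen address, host firewall "
               "and anything filtering port 443 between client and server",
    "refused": "nothing is listening on that address and port",
    "network-error": "connection failed below the TLS layer (DNS, routing, reset)",
    "unknown": "not a network or TLS failure",
}


def classify_exception(exc):
    """Map an exception raised during connect/handshake to a DIAGNOSIS key."""
    if isinstance(exc, socket.timeout):
        return "timeout"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "verify-failed"
    if isinstance(exc, ssl.SSLError):
        return "handshake-error"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, OSError):
        return "network-error"
    return "unknown"


def probe(host, port, cafile=None, server_hostname=None, timeout=3.0):
    """Connect and handshake with full verification; return (status, detail).

    cafile: PEM bundle holding the signing CA (the post's private CA), or None
    for the system trust store. server_hostname: the name the certificate was
    issued for, when it differs from the address you connect to (assumed
    parameter names for this example).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    name = server_hostname or host
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                peer = tls.getpeercert()
                detail = {"protocol": tls.version(), "cipher": tls.cipher()[0],
                          "subject": peer.get("subject"), "issuer": peer.get("issuer")}
                return "ok", detail
    except OSError as exc:  # SSLError, timeout and ConnectionRefusedError are all OSError
        return classify_exception(exc), str(exc)


def self_check():
    """Constructed exception instances standing in for what probe() would see."""
    samples = {
        "verify-failed": ssl.SSLCertVerificationError("certificate verify failed"),
        "handshake-error": ssl.SSLError(1, "tlsv1 alert unknown ca"),
        "timeout": socket.timeout("The handshake operation timed out"),
        "refused": ConnectionRefusedError(111, "Connection refused"),
        "network-error": OSError(113, "No route to host"),
    }
    return {name: classify_exception(exc) for name, exc in samples.items()}


def silent_server(hold_seconds):
    """Constructed stand-in for a host that accepts TCP but never answers TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        try:
            conn, _ = srv.accept()
            time.sleep(hold_seconds)  # hold the connection open without speaking
            conn.close()
        except OSError:
            pass
    threading.Thread(target=run, daemon=True).start()
    return srv, srv.getsockname()[1]


def run_local_demo(timeout=0.5):
    """Two offline cases on loopback: a closed port and a silent listener."""
    results = {}
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    results["closed port"] = probe("127.0.0.1", closed_port, timeout=timeout)[0]
    srv, port = silent_server(hold_seconds=timeout * 4)
    results["silent listener"] = probe("127.0.0.1", port, timeout=timeout)[0]
    srv.close()
    return results


if __name__ == "__main__":
    for name, status in {**self_check(), **run_local_demo()}.items():
        print(f"{name:16} -> {status}: {DIAGNOSIS[status]}")
```

Against a server like the one in the post, `probe("www.mydomain.com.au", 443, cafile="ca.crt")` returns "ok" once the CA certificate that signed server.crt is supplied; `probe("localhost", 443, cafile="ca.crt")` returns "verify-failed" because the certificate names www.mydomain.com.au, not localhost, and `server_hostname` must be passed to test the name the certificate was issued for. A "timeout" from a remote client while `openssl s_client -connect localhost:443` succeeds points at reachability rather than at the certificate.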