RE: [users@httpd] Help with Apache and SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> -----Original Message-----
> From: Vance Karimi [mailto:vance.karimi@xxxxxxxxxxxx]
> Sent: Mittwoch, 29. Juni 2005 14:39
> To: users@xxxxxxxxxxxxxxxx
> Subject: RE: [users@httpd] Help with Apache and SSL
> 
> 
> You can certainly try it: www.smsticketing.com.au
> I do https://www.smsticketing.com.au
> With 'FW', do you mean forward? 

No. FW = firewall.

If it's timing-out it's usually because the connection has been dropped. A webserver usually responds immediately with the page or with an error message. It can't drop the connection (HTTP RFC requires this). So a dropped connection is usually due to a FW (it's a deliberate security ploy just to ignore unwanted packets - then the sender doesn't know if he's being denied or if it's just network latency. This slows down his attack).

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> We don't do a forward or 
> redirect. We have
> an A-Record in the root DNS server of the hosting company.
> 
> Regards,
> Vance
> 
> > -----Original Message-----
> > From: Boyle Owen [mailto:Owen.Boyle@xxxxxxx]
> > Sent: Wednesday, 29 June 2005 8:07 PM
> > To: users@xxxxxxxxxxxxxxxx
> > Subject: RE: [users@httpd] Help with Apache and SSL
> > 
> > > -----Original Message-----
> > > From: Vance Karimi [mailto:vance.karimi@xxxxxxxxxxxx]
> > > Sent: Mittwoch, 29. Juni 2005 07:41
> > > To: users@xxxxxxxxxxxxxxxx
> > > Subject: [users@httpd] Help with Apache and SSL
> > >
> > >
> > > Hi list,
> > >
> > > With the number of threads regarding Apache and SSL, you'd
> > > think I would
> > > find a solution...sigh...I feel I'm missing something trivial.
> > >
> > > I appologise for the long post.
> > >
> > > I performed a build of 2.0.54 with mod_ssl and installed on
> > > Fedora core 3.
> > > I built with the following configure options:
> > > % ./configure --prefix=/usr/local/apache2 --enable-ssl --enable-so
> > > All is well and I can get to the default apache page 
> using IE/Mozilla.
> > >
> > > I created the cert and cert request, created my own CA and
> > > signed my csr
> > > according to:
> > > http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html
> > > Copied server.key to conf/ssl.key/.
> > > Copied server.crt to conf/ssl.crt/.
> > >
> > >
> > > Configuration files:
> > > conf/httpd.conf is stock standard and includes conf/ssl.conf,
> > > however I
> > > changed the log level to 'info'.
> > >
> > > conf/ssl.conf looks like so (without comments):
> > >
> > > SSLRandomSeed startup builtin
> > > SSLRandomSeed connect builtin
> > >
> > > <IfDefine SSL>
> > > Listen 443
> > > AddType application/x-x509-ca-cert .crt
> > > AddType application/x-pkcs7-crl    .crl
> > > SSLPassPhraseDialog  builtin
> > > SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_scache
> > > SSLSessionCacheTimeout  300
> > > SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
> > >
> > > <VirtualHost _default_:443>
> > > DocumentRoot /usr/local/apache2/htdocs
> > > ServerName www.mydomain.com.au
> > > ServerAdmin admin@xxxxxxxxxxxxxxx
> > > ErrorLog /usr/local/apache2/logs/error_log
> > > TransferLog /usr/local/apache2/logs/access_log
> > > SSLEngine on
> > > SSLCipherSuite
> > > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > > SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
> > > SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
> > >
> > > <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> > >     SSLOptions +StdEnvVars
> > > </Files>
> > > <Directory "/usr/local/apache2/cgi-bin">
> > >     SSLOptions +StdEnvVars
> > > </Directory>
> > >
> > > SetEnvIf User-Agent ".*MSIE.*" \
> > >          nokeepalive ssl-unclean-shutdown \
> > >          downgrade-1.0 force-response-1.0
> > > CustomLog /usr/local/apache2/logs/ssl_request_log \
> > >           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > >
> > > </VirtualHost>
> > >
> > > </IfDefine>
> > >
> > >
> > > I start up apache:
> > > ./apachectl startssl
> > >
> > > error_log reads:
> > >
> > > [Wed Jun 29 13:00:12 2005] [info] Init: Initializing 
> OpenSSL library
> > > [Wed Jun 29 13:00:12 2005] [info] Init: Seeding PRNG with 
> 136 bytes of
> > > entropy
> > > [Wed Jun 29 13:00:12 2005] [info] Loading certificate & 
> private key of
> > > SSL-aware server
> > > [Wed Jun 29 13:00:12 2005] [info] Init: Requesting pass
> > > phrase via builtin
> > > terminal dialog
> > > [Wed Jun 29 13:00:18 2005] [info] Init: Wiped out the queried
> > > pass phrases
> > > from memory
> > > [Wed Jun 29 13:00:18 2005] [info] Init: Generating temporary
> > > RSA private
> > > keys (512/1024 bits)
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary
> > > DH parameters
> > > (512/1024 bits)
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Initializing
> > > (virtual) servers for
> > > SSL
> > > [Wed Jun 29 13:00:19 2005] [info] Configuring server for 
> SSL protocol
> > > [Wed Jun 29 13:00:19 2005] [info] Server: Apache/2.0.54, 
> Interface:
> > > mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Initializing 
> OpenSSL library
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Seeding PRNG with 
> 136 bytes of
> > > entropy
> > > [Wed Jun 29 13:00:19 2005] [info] Loading certificate & 
> private key of
> > > SSL-aware server
> > > [Wed Jun 29 13:00:19 2005] [info] www.mydomain.com.au:443
> > > reusing existing
> > > RSA private key on restart
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary
> > > RSA private
> > > keys (512/1024 bits)
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Generating temporary
> > > DH parameters
> > > (512/1024 bits)
> > > [Wed Jun 29 13:00:19 2005] [info] Init: Initializing
> > > (virtual) servers for
> > > SSL
> > > [Wed Jun 29 13:00:19 2005] [info] Configuring server for 
> SSL protocol
> > > [Wed Jun 29 13:00:19 2005] [info] Server: Apache/2.0.54, 
> Interface:
> > > mod_ssl/2.0.54, Library: OpenSSL/0.9.7a
> > > [Wed Jun 29 13:00:19 2005] [notice] Apache/2.0.54 (Unix)
> > > mod_ssl/2.0.54
> > > OpenSSL/0.9.7a configured -- resuming normal operations
> > > [Wed Jun 29 13:00:19 2005] [info] Server built: Jun 29 
> 2005 01:50:33
> > >
> > >
> > > To do the basic test:
> > > $ openssl s_client -connect localhost:443
> > >
> > > I get the following to stdout:
> > > .....
> > > No client certificate CA names sent
> > > ---
> > > SSL handshake has read 1357 bytes and written 340 bytes
> > > ---
> > > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > > Server public key is 1024 bit
> > > SSL-Session:
> > >     Protocol  : TLSv1
> > >     Cipher    : DHE-RSA-AES256-SHA
> > >     Session-ID:
> > > C883239FD990EC30F05A3E127968FD62D08A2D0B17D468965FFDB3989B7ECE7D
> > >     Session-ID-ctx:
> > >     Master-Key:
> > > 978C61CA859767E541F22D7828FEE851D636AB35A3E1F04F2172214E9DCF8C
> > > 673FAE3427454B
> > > FF0769033382A7FD18DC
> > >     Key-Arg   : None
> > >     Krb5 Principal: None
> > >     Start Time: 1120022013
> > >     Timeout   : 300 (sec)
> > >     Verify return code: 21 (unable to verify the first 
> certificate)
> > >
> > > I then enter:
> > > $ GET / HTTP/1.0
> > > $ <CR>
> > >
> > > And receive the html headers and response as expected.
> > >
> > > Error_log shows:
> > >
> > > [Wed Jun 29 13:13:33 2005] [info] Connection to child 2
> > > established (server
> > > www.mydomain.com.au:443, client 127.0.0.1)
> > > [Wed Jun 29 13:13:33 2005] [info] Seeding PRNG with 136 bytes
> > > of entropy
> > > [Wed Jun 29 13:16:00 2005] [info] Initial (No.1) HTTPS
> > > request received for
> > > child 2 (server www.smsticketing.com.au:443)
> > > [Wed Jun 29 13:16:00 2005] [info] Connection to child 2
> > > closed with standard
> > > shutdown(server www.mydomain.com.au:443, client 127.0.0.1)
> > >
> > >
> > > When I run curl:
> > > $ curl --insecure https://www.mydomain.com.au/
> > > produces the same result above.
> > >
> > > $ curl https://www.mydomain.com.au/
> > >
> > > I get the following to stdout (I presume as expected since I
> > > was my own CA)
> > >
> > > curl: (60) SSL certificate problem, verify that the CA cert
> > > is OK. Details:
> > > error:14090086:SSL
> > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > > failed
> > > More details here: http://curl.haxx.se/docs/sslcerts.html
> > >
> > > curl performs SSL certificate verification by default, using
> > > a "bundle"
> > >  of Certificate Authority (CA) public keys (CA certs). The default
> > >  bundle is named curl-ca-bundle.crt; you can specify an 
> alternate file
> > >  using the --cacert option.
> > > If this HTTPS server uses a certificate signed by a CA 
> represented in
> > >  the bundle, the certificate verification probably failed due to a
> > >  problem with the certificate (it might be expired, or 
> the name might
> > >  not match the domain name in the URL).
> > > If you'd like to turn off curl's verification of the 
> certificate, use
> > >  the -k (or --insecure) option.
> > >
> > >
> > > Error_log shows:
> > >
> > > [Wed Jun 29 13:25:55 2005] [info] Connection to child 0
> > > established (server
> > > www.smsticketing.com.au:443, client 10.1.3.120)
> > > [Wed Jun 29 13:25:55 2005] [info] Seeding PRNG with 136 bytes
> > > of entropy
> > > [Wed Jun 29 13:25:55 2005] [info] SSL library error 1 in
> > > handshake (server
> > > www.mydomain.com.au:443, client 10.1.3.120)
> > > [Wed Jun 29 13:25:55 2005] [info] SSL Library Error: 336151576
> > > error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> > > [Wed Jun 29 13:25:55 2005] [info] Connection to child 0
> > > closed with abortive
> > > shutdown(server www.mydomain.com.au:443, client 10.1.3.120)
> > 
> > So curl looks OK...
> > 
> > >
> > >
> > > In the browser:
> > > In IE, I get the 'The page cannot be displayed' page.
> > > In Firefox I get an alert stating "The operation timed out
> > > when attempting
> > > to contact www.mydomain.com.au".
> > 
> > - Are you sure you're putting "https" in the protocol part 
> of the URL?
> > - Is there a FW between the browser and server?
> > - If you post your real domain-name, we can test it...
> > 
> > Rgds,
> > Owen Boyle
> > Disclaimer: Any disclaimer attached to this message may be ignored.
> > 
> > > Neither produce entries in the logs.
> > >
> > >
> > > I feel my self signed cert may be the cause.
> > > If anyone has any suggestions, please let me know.
> > >
> > > Thanks,
> > > Vance
> > >
> > >
> > > 
> ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP
> > > Server Project.
> > > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > >
> > >
> > Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
> > keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX 
> Gruppe. This e-
> > mail is of a private and personal nature. It is not related to the
> > exchange or business activities of the SWX Group. Le 
> présent e-mail est un
> > message privé et personnel, sans rapport avec l'activité 
> boursière du
> > Groupe SWX.
> > 
> > 
> > This message is for the named person's use only. It may contain
> > confidential, proprietary or legally privileged information. No
> > confidentiality or privilege is waived or lost by any 
> mistransmission. If
> > you receive this message in error, please notify the sender 
> urgently and
> > then immediately delete the message and any copies of it 
> from your system.
> > Please also immediately destroy any hardcopies of the 
> message. You must
> > not, directly or indirectly, use, disclose, distribute, 
> print, or copy any
> > part of this message if you are not the intended recipient. 
> The sender's
> > company reserves the right to monitor all e-mail 
> communications through
> > their networks. Any views expressed in this message are those of the
> > individual sender, except where the message states otherwise and the
> > sender is authorised to state them to be the views of the sender's
> > company.
> > 
> > 
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP 
> Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
>
 
 
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux