Hi all, I hope this is the correct list. First time posting. I am getting a lot of customers complaining that they get "Page Cannot be Displayed" errors when they connect to our SSL server. I cannot for the life of me figure out if its my problem or theirs. Below is my SSL configuration for my server. Can someone take a look and let me know if its OK? I have also included results from an openssl s_client test Thanks, Doug ## SSL Global Context <IfDefine SSL> <IfDefine !NOSSL> <IfModule mod_ssl.c> AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/lib/apache2/ssl_scache SSLSessionCacheTimeout 600 SSLMutex sem SSLRandomSeed startup builtin SSLRandomSeed connect builtin </IfModule> </IfDefine> </IfDefine> <VirtualHost 192.168.0.9:443> ServerAdmin me@xxxxxxxxxx ServerName my.server.com:443 SuexecUserGroup dspam dspam DocumentRoot /srv/www/vhosts/my.server.com/htdocs SetEnvIf Remote_Addr "192\.168\.0" dontlog SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog SetEnvIf Request_URI "^.*getsessiontime\.php.*$" dontlog ErrorLog "|/usr/local/sbin/cronolog /srv/www/vhosts/my.server.com/logs/%m-%Y/error.log" CustomLog "|/usr/local/sbin/cronolog /srv/www/vhosts/my.server.com/logs/%m-%Y/access.log" combined env=!dontlog SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLOptions +StrictRequire SSLCertificateFile /etc/apache2/ssl.crt/secure_essex3_com-new2.crt SSLCertificateKeyFile /etc/apache2/ssl.key/secure-essex3-com-new2.key SSLCACertificatePath /etc/apache2/ssl.crt SSLCACertificateFile /etc/apache2/ssl.crt/secure_essex3_com.ca-bundle <Directory "/srv/www/vhosts/my.server.com/htdocs"> Options -Indexes FollowSymLinks AllowOverride none Order allow,deny Allow from all SSLRequireSSL </Directory> <Directory "/srv/www/vhosts/my.server.com/htdocs/xxx/xxx/admin"> Order allow,deny Allow from 192.168.0 </Directory> <Directory "/srv/www/vhosts/my.server.com/htdocs/zzz/vvv"> php_value register_globals 1 </Directory> Alias /product/base.css /srv/www/htdocs/product/base.css Alias /product/product-logo-small.gif /srv/www/htdocs/product/product-logo-small.gif ScriptAlias /product/ /srv/www/htdocs/product/ <directory "/srv/www/htdocs/product"> Options +ExecCGI AuthName "PRODUCT Quarantine Area" AuthType Basic AuthShadow on Require valid-user Order Deny,allow Allow from all </directory> <directory "/srv/www/vhosts/my.server.com/htdocs/yyy/admin"> Options +ExecCGI AuthName "Restricted Site" AuthType Basic AuthShadow on Require valid-user Order Deny,allow Allow from all </directory> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 </VirtualHost> openssl s_client -connect my.server.com:443 -state -reconnect CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A ... SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A ... SSL handshake has read 3080 bytes and written 340 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit SSL-Session: ... drop connection and then reconnect SSL3 alert write:warning:close notify CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read finished A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data --- Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA SSL-Session: --- drop connection and then reconnect SSL3 alert write:warning:close notify CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read finished A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data --- Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA SSL-Session: --- drop connection and then reconnect SSL3 alert write:warning:close notify CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read finished A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data --- Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA SSL-Session: --- drop connection and then reconnect SSL3 alert write:warning:close notify CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read finished A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data --- Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA SSL-Session: --- drop connection and then reconnect SSL3 alert write:warning:close notify CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read finished A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data --- Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA SSL-Session: --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|