RE: Customers getting "Page Cannot be Displayed" over SSL


 



> -----Original Message-----
> From: Douglas Hobaugh [mailto:doug@xxxxxxxxxx] 
> Sent: Thursday, January 31, 2008 5:33 PM
> To: users@xxxxxxxxxxxxxxxx
> Subject:  Customers getting "Page Cannot be Displayed" over SSL
> 
> Hi all, I hope this is the correct list. First time posting.
> 
> I am getting a lot of customers complaining that they get "Page Cannot be
> Displayed" errors when they connect to our SSL server. 

Browser messages are practically worthless - what's in the error log?

Otherwise, guessing... hostname/common-name mismatch, cipher mismatch,
keep-alive problems... you name it.

Is your site top-secret? Because a quick test would tell a lot...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 


> I cannot for the life of me figure out if it's my problem or theirs.  Below is
> my SSL configuration for my server. Can someone take a look and let me know if
> it's OK?  I have also included results from an openssl s_client test
> 
> Thanks,
> Doug
> 
> 
> 
> ##  SSL Global Context
> <IfDefine SSL>
> <IfDefine !NOSSL>
> <IfModule mod_ssl.c>
> 	AddType application/x-x509-ca-cert .crt
> 	AddType application/x-pkcs7-crl    .crl
> 	SSLPassPhraseDialog  builtin
> 	SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache
> 	SSLSessionCacheTimeout  600
> 	SSLMutex  sem
> 	SSLRandomSeed startup builtin
> 	SSLRandomSeed connect builtin
> </IfModule>
> </IfDefine>
> </IfDefine>
> 
> <VirtualHost 192.168.0.9:443>
>  ServerAdmin me@xxxxxxxxxx
>  ServerName my.server.com:443
>  SuexecUserGroup dspam dspam
>  DocumentRoot /srv/www/vhosts/my.server.com/htdocs
>  SetEnvIf Remote_Addr "192\.168\.0" dontlog
>  SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
>  SetEnvIf Request_URI "^.*getsessiontime\.php.*$" dontlog
>  ErrorLog  "|/usr/local/sbin/cronolog /srv/www/vhosts/my.server.com/logs/%m-%Y/error.log"
>  CustomLog "|/usr/local/sbin/cronolog /srv/www/vhosts/my.server.com/logs/%m-%Y/access.log" combined env=!dontlog
> 
>  SSLEngine on
>  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>  SSLOptions +StrictRequire
> 
>  SSLCertificateFile /etc/apache2/ssl.crt/secure_essex3_com-new2.crt
>  SSLCertificateKeyFile /etc/apache2/ssl.key/secure-essex3-com-new2.key
>  SSLCACertificatePath /etc/apache2/ssl.crt
>  SSLCACertificateFile /etc/apache2/ssl.crt/secure_essex3_com.ca-bundle
> 
>  <Directory "/srv/www/vhosts/my.server.com/htdocs">
>   Options -Indexes FollowSymLinks
>   AllowOverride none
>   Order allow,deny
>   Allow from all
>   SSLRequireSSL
>  </Directory>
> 
>  <Directory "/srv/www/vhosts/my.server.com/htdocs/xxx/xxx/admin">
>   Order allow,deny
>   Allow from 192.168.0
>  </Directory>
> 
>  <Directory "/srv/www/vhosts/my.server.com/htdocs/zzz/vvv">
>   php_value register_globals 1
>  </Directory>
> 
>  Alias /product/base.css /srv/www/htdocs/product/base.css
>  Alias /product/product-logo-small.gif /srv/www/htdocs/product/product-logo-small.gif
>  ScriptAlias /product/ /srv/www/htdocs/product/
>  <directory "/srv/www/htdocs/product">
>   Options +ExecCGI
>   AuthName "PRODUCT Quarantine Area"
>   AuthType Basic
>   AuthShadow on
>   Require valid-user
>   Order Deny,allow
>   Allow from all
>  </directory>
> 
>  <directory "/srv/www/vhosts/my.server.com/htdocs/yyy/admin">
>   Options +ExecCGI
>   AuthName "Restricted Site"
>   AuthType Basic
>   AuthShadow on
>   Require valid-user
>   Order Deny,allow
>   Allow from all
>  </directory>
> 
>  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> </VirtualHost>
> 
> 
> 
> 
> openssl s_client -connect my.server.com:443 -state -reconnect
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> ...
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server key exchange A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read finished A
> ...
> SSL handshake has read 3080 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
> ...
> drop connection and then reconnect
> SSL3 alert write:warning:close notify
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read finished A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> SSL-Session:
> ---
> drop connection and then reconnect
> SSL3 alert write:warning:close notify
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read finished A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> SSL-Session:
> ---
> drop connection and then reconnect
> SSL3 alert write:warning:close notify
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read finished A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> SSL-Session:
> ---
> drop connection and then reconnect
> SSL3 alert write:warning:close notify
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read finished A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> SSL-Session:
> ---
> drop connection and then reconnect
> SSL3 alert write:warning:close notify
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read finished A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> SSL-Session:
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
 
 
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks.
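
The "cipher mismatch" guess above can be checked against the posted `SSLCipherSuite` string without touching the server. The following is an added example, not part of the original thread: a simplified model of OpenSSL cipher-list syntax that reports which weak suite classes a string leaves enabled. It assumes an OpenSSL build of that period, where `ALL` still contained SSLv2, export and LOW suites; the class table and function names are this example's own.

```python
import re

# Weak suite classes tracked by this simplified model (an assumption of the
# example, not OpenSSL's real per-suite bookkeeping).
WEAK = {
    "SSLv2": "SSLv2-only suites",
    "EXP": "40- and 56-bit export suites",
    "LOW": "56/64-bit non-export suites",
    "eNULL": "suites with no encryption",
    "ADH": "anonymous DH (no server authentication)",
}
# Keyword -> tracked classes it covers completely. EXPORT56 is deliberately
# absent: it names only the 56-bit subset, so "!EXPORT56" leaves EXP enabled.
COVERS = {
    "SSLv2": {"SSLv2"}, "EXP": {"EXP"}, "EXPORT": {"EXP"}, "LOW": {"LOW"},
    "eNULL": {"eNULL"}, "NULL": {"eNULL"}, "ADH": {"ADH"}, "aNULL": {"ADH"},
    # ALL never includes eNULL; only a bare eNULL keyword adds it.
    "ALL": {"SSLv2", "EXP", "LOW", "ADH"},
}

def enabled_weak_classes(cipher_string):
    """Return the sorted weak classes left enabled by an OpenSSL cipher list."""
    enabled, killed = set(), set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token or token.startswith("@"):
            continue
        op = token[0] if token[0] in "!-+" else ""
        # Unknown or compound keywords (HIGH, RC4+RSA) map to no tracked class.
        classes = COVERS.get(token[len(op):], set())
        if op == "!":            # permanent delete, can never be re-added
            killed |= classes
            enabled -= classes
        elif op == "-":          # delete, but a later keyword may re-add
            enabled -= classes
        elif op == "+":          # reorder only: moves existing suites to the end
            continue
        else:                    # bare keyword appends suites to the list
            enabled |= classes - killed
    return sorted(enabled)

# The SSLCipherSuite value from the configuration posted in this thread.
POSTED = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"

def report(cipher_string):
    return [f"{c}: {WEAK[c]}" for c in enabled_weak_classes(cipher_string)]

if __name__ == "__main__":
    for line in report(POSTED):
        print("still enabled ->", line)
```

In the posted string, the `+LOW`, `+SSLv2` and `+EXP` tokens only move suites that `ALL` already added to the end of the preference list, and `+eNULL` has nothing to move, so the model reports EXP, LOW and SSLv2 as enabled and eNULL as not.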



