WG: Mod_ssl Problems? - Additional information

Dear All,

Here is some additional information about how httpd was built and how SSL is "test-configured". The certificates are "borrowed" from our Intranet Server.

The "test configuration" is basically a stripped-down version of the configuration that has been running under Solaris 9 for 4 years now.

Kind regards, 

Wulf Kaiser
___________________________ 

IT Services - Web & Database Development
Webmaster www.mpimf-heidelberg.mpg.de

Max-Planck-Institut für medizinische Forschung
Jahnstrasse 29 - 69120 Heidelberg
Fon +49 6221 486560    Fax +49 6221 486561

SHA1 Fingerprint:
6a a7 67 d6 e0 21 d1 59 d1 73 20 fb e8 b4 d9 51 ac aa 6d 17
 

> -----Original Message-----
> From: Wulf Kaiser [mailto:wulf.kaiser@xxxxxxxxxxxxxxxxxxxxxxx] 
> Sent: Wednesday, 16 July 2008 14:37
> To: 'users@xxxxxxxxxxxxxxxx'
> Subject: Mod_ssl Problems?
> Importance: High
> 
> Hi all,
> 
> It's me again ;-))
> 
> After the successful build of httpd-2.2.9 under Solaris 10 
> SPARC, I ran into an SSL problem during the tests - the 
> error_log output (Level: debug) is attached. Any ideas?
> 
> 
> Kind regards, 
> 
> Wulf Kaiser
> ___________________________ 
> 
> IT Services - Web & Database Development Webmaster 
> www.mpimf-heidelberg.mpg.de
> 
> Max-Planck-Institut für medizinische Forschung Jahnstrasse 29 
> - 69120 Heidelberg
> Fon +49 6221 486560    Fax +49 6221 486561
> 
> SHA1 Fingerprint:
> 6a a7 67 d6 e0 21 d1 59 d1 73 20 fb e8 b4 d9 51 ac aa 6d 17
> 
[Wed Jul 16 14:24:48 2008] [info] Init: Seeding PRNG with 136 bytes of entropy
[Wed Jul 16 14:24:48 2008] [info] Loading certificate & private key of SSL-aware server
[Wed Jul 16 14:24:48 2008] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Wed Jul 16 14:24:48 2008] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Jul 16 14:24:49 2008] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Jul 16 14:24:49 2008] [info] Init: Initializing (virtual) servers for SSL
[Wed Jul 16 14:24:49 2008] [info] Configuring server for SSL protocol
[Wed Jul 16 14:24:49 2008] [debug] ssl_engine_init.c(384): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Jul 16 14:24:49 2008] [debug] ssl_engine_init.c(580): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Wed Jul 16 14:24:49 2008] [debug] ssl_engine_init.c(664): Configuring server certificate chain (1 CA certificate)
[Wed Jul 16 14:24:49 2008] [debug] ssl_engine_init.c(708): Configuring RSA server certificate
[Wed Jul 16 14:24:49 2008] [warn] RSA server certificate CommonName (CN) `iis.mpimf-heidelberg.mpg.de' does NOT match server name!?
[Wed Jul 16 14:24:49 2008] [debug] ssl_engine_init.c(747): Configuring RSA server private key
[Wed Jul 16 14:24:49 2008] [info] mod_ssl/2.2.9 compiled against Server: Apache/2.2.9, Library: OpenSSL/0.9.8h
[Wed Jul 16 14:24:49 2008] [notice] Digest: generating secret for digest authentication ...
[Wed Jul 16 14:24:49 2008] [notice] Digest: done
[Wed Jul 16 14:24:49 2008] [debug] util_ldap.c(1977): LDAP merging Shared Cache conf: shm=0x102498 rmm=0x1024c8 for VHOST: mysql-db2.mpimf-heidelberg.mpg.de
[Wed Jul 16 14:24:49 2008] [debug] util_ldap.c(1977): LDAP merging Shared Cache conf: shm=0x102498 rmm=0x1024c8 for VHOST: mysql-db2.mpimf-heidelberg.mpg.de
[Wed Jul 16 14:24:49 2008] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Wed Jul 16 14:24:49 2008] [info] LDAP: SSL support available
[Wed Jul 16 14:24:49 2008] [info] Init: Seeding PRNG with 136 bytes of entropy
[Wed Jul 16 14:24:49 2008] [info] Loading certificate & private key of SSL-aware server
[Wed Jul 16 14:24:49 2008] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Wed Jul 16 14:24:49 2008] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Jul 16 14:24:50 2008] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(374): shmcb_init allocated 512000 bytes of shared memory
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(554): entered shmcb_init_memory()
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(576): for 512000 bytes, recommending 4266 indexes
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(619): shmcb_init_memory choices follow
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(621): division_mask = 0x1F
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(623): division_offset = 64
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(625): division_size = 15998
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(627): queue_size = 1604
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(629): index_num = 133
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(631): index_offset = 8
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(633): index_size = 12
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(635): cache_data_offset = 8
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(637): cache_data_size = 14386
[Wed Jul 16 14:24:50 2008] [debug] ssl_scache_shmcb.c(650): leaving shmcb_init_memory()
[Wed Jul 16 14:24:50 2008] [info] Shared memory session cache initialised
[Wed Jul 16 14:24:50 2008] [info] Init: Initializing (virtual) servers for SSL
[Wed Jul 16 14:24:50 2008] [info] Configuring server for SSL protocol
[Wed Jul 16 14:24:50 2008] [debug] ssl_engine_init.c(384): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Jul 16 14:24:50 2008] [debug] ssl_engine_init.c(580): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Wed Jul 16 14:24:50 2008] [debug] ssl_engine_init.c(664): Configuring server certificate chain (1 CA certificate)
[Wed Jul 16 14:24:50 2008] [debug] ssl_engine_init.c(708): Configuring RSA server certificate
[Wed Jul 16 14:24:50 2008] [warn] RSA server certificate CommonName (CN) `iis.mpimf-heidelberg.mpg.de' does NOT match server name!?
[Wed Jul 16 14:24:50 2008] [debug] ssl_engine_init.c(747): Configuring RSA server private key
[Wed Jul 16 14:24:50 2008] [info] mod_ssl/2.2.9 compiled against Server: Apache/2.2.9, Library: OpenSSL/0.9.8h
[Wed Jul 16 14:24:50 2008] [notice] Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7d DAV/2 configured -- resuming normal operations
[Wed Jul 16 14:24:50 2008] [info] Server built: Jul 16 2008 11:41:10
[Wed Jul 16 14:24:50 2008] [debug] prefork.c(1001): AcceptMutex: fcntl (default: fcntl)
[Wed Jul 16 14:25:11 2008] [info] [client 149.217.48.0]] Connection to child 0 established (server mysql-db2.mpimf-heidelberg.mpg.de:443)
[Wed Jul 16 14:25:11 2008] [info] Seeding PRNG with 136 bytes of entropy
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1817): OpenSSL: read 11/11 bytes from BIO#1bd158 [mem: 1c47e0] (BIO dump follows)
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1750): +-------------------------------------------------------------------------+
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1789): | 0000: 80 4f 01 03 00 00 36 00-00 00 10                 .O....6....      |
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1795): +-------------------------------------------------------------------------+
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1817): OpenSSL: read 70/70 bytes from BIO#1bd158 [mem: 1cfa43] (BIO dump follows)
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1750): +-------------------------------------------------------------------------+
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1789): | 0000: 00 00 88 00 00 87 00 00-39 00 00 38 00 00 84 00  ........9..8.... |
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1789): | 0010: 00 35 00 00 45 00 00 44-00 00 33 00 00 32 00 00  .5..E..D..3..2.. |
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1789): | 0020: 41 00 00 04 00 00 05 00-00 2f 00 00 16 00 00 13  A......../...... |
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1789): | 0030: 00 fe ff 00 00 0a 26 7f-d5 ce 94 c1 3f 23 a7 00  ......&.....?#.. |
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1789): | 0040: 33 11 be 8d 18 e2                                3.....           |
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1795): +-------------------------------------------------------------------------+
[Wed Jul 16 14:25:11 2008] [debug] ssl_engine_io.c(1828): OpenSSL: I/O error, 2 bytes expected to read on BIO#1bd158 [mem: 1cfa38]
[Wed Jul 16 14:25:11 2008] [info] [client 149.217.48.0]] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Wed Jul 16 14:25:11 2008] [info] [client 149.217.48.0]] Connection closed to child 0 with abortive shutdown (server mysql-db2.mpimf-heidelberg.mpg.de:443)
##### Environment #####

bash-3.00# unset LD_LIBRARY_PATH PATH LD_RUN_PATH CC CFLAGS CXX CXXFLAGS CPPFLAGS LDFLAGS LDOPTIONS

bash-3.00# 

export PATH="/usr/sfw/bin:/opt/csw/bin:/usr/bin:/usr/sbin:/usr/ccs/bin"
export CC="gcc"
export CFLAGS="-O3 -fPIC -Wall"
export CXX="g++"
export CXXFLAGS="-O3 -fPIC -Wall"
export CPPFLAGS="-I/usr/local/apache-2.2.9/include"
export LDFLAGS="-R/usr/local/apache-2.2.9/lib -L/usr/local/apache-2.2.9/lib"
export LD_OPTIONS="$LDFLAGS"

bash-3.00# mkdir /usr/local/apache-2.2.9
bash-3.00# mkdir -p /usr/local/apache-2.2.9/lib/sparcv9
bash-3.00# cd /usr/local/apache-2.2.9/lib/sparcv9
bash-3.00# cp /usr/sfw/lib/libgcc_s.so.1 .
bash-3.00# ln -s libgcc_s.so.1 libgcc_s.so

bash-3.00# alias make=gmake

##### openssl-0.9.8h #####

bash-3.00# cd /usr/local/src/openssl
bash-3.00# gunzip < openssl-0.9.8h.tar.gz | gtar xvpzf -
bash-3.00# chown -R root:root openssl-0.9.8h
bash-3.00# cd openssl-0.9.8h

bash-3.00#

./config \
--prefix=/usr/local/ssl \
--openssldir=/usr/local/ssl shared \
-R/usr/local/apache-2.2.9/lib -L/usr/local/apache-2.2.9/lib

bash-3.00# gmake
bash-3.00# gmake install

bash-3.00# cd ../
bash-3.00# rm -rf openssl-0.9.8h

##### openldap-2.3.39 #####

bash-3.00# cd /usr/local/src/openldap
bash-3.00# gunzip < openldap-stable-20071118.tgz | gtar xvpof -
bash-3.00# chown -R root:root openldap-2.3.39
bash-3.00# cd openldap-2.3.39

bash-3.00#

./configure \
--prefix=/usr/local/openldap-2.3.39 \
--disable-slapd \
--disable-slurpd \
--with-tls

bash-3.00# gmake depend 
bash-3.00# gmake
bash-3.00# gmake install

bash-3.00# cd ../
bash-3.00# rm -rf openldap-2.3.39

bash-3.00# cd /usr/local
bash-3.00# ln -s openldap-2.3.39 openldap

##### httpd-2.2.9 #####

bash-3.00# cd /usr/local/src/apache
bash-3.00# gunzip < httpd-2.2.9.tar.gz | gtar xovf -
bash-3.00# chown -R root:root httpd-2.2.9
bash-3.00# cd httpd-2.2.9

###### buildconf ######

bash-3.00# ./buildconf

###### apr ######

bash-3.00# cd srclib/apr

bash-3.00# 

./configure \
--prefix=/usr/local/apache-2.2.9 \
--exec-prefix=/usr/local/apache-2.2.9

bash-3.00# gmake
bash-3.00# gmake install

###### apr-util ######

bash-3.00# cd ../apr-util

bash-3.00# 

./configure \
--prefix=/usr/local/apache-2.2.9 \
--exec-prefix=/usr/local/apache-2.2.9 \
--with-apr=/usr/local/apache-2.2.9 \
--with-ldap=ldap \
--with-ldap-include=/usr/local/openldap/include \
--with-ldap-lib=/usr/local/openldap/lib

bash-3.00# gmake
bash-3.00# gmake install

###### httpd ######

bash-3.00# cd ../..
bash-3.00#

./configure \
--prefix=/usr/local/apache-2.2.9 \
--exec-prefix=/usr/local/apache-2.2.9 \
--with-apr=/usr/local/apache-2.2.9 \
--with-apr-util=/usr/local/apache-2.2.9 \
--with-mpm=prefork \
--with-ssl=/usr/local/ssl \
--enable-ssl=shared \
--with-ldap=ldap \
--with-ldap-include=/usr/local/openldap/include \
--with-ldap-lib=/usr/local/openldap/lib \
--enable-ldap \
--enable-authnz-ldap \
--enable-dav \
--enable-dav-fs \
--enable-dav-lock \
--enable-auth-basic=shared \
--enable-auth-digest=shared \
--enable-authn-alias=shared \
--enable-authn-file=shared \
--enable-authz-owner=shared \
--enable-cache=shared \
--enable-file-cache=shared \
--enable-mem-cache=shared \
--enable-disk-cache=shared \
--enable-proxy=shared \
--enable-proxy-connect=shared \
--enable-proxy-ftp=shared \
--enable-proxy-http=shared \
--enable-proxy-ajp=shared \
--enable-proxy-balancer=shared \
--enable-cgi=shared \
--enable-rewrite=shared \
--enable-version=shared \
--enable-vhost-alias=shared \
--enable-so \
--enable-static-rotatelogs

bash-3.00# gmake
bash-3.00# gmake install

bash-3.00# cd ../
bash-3.00# rm -rf httpd-2.2.9

bash-3.00# cd /usr/local
bash-3.00# ln -s apache-2.2.9 apache

Attachment: httpd-ssl.conf
Description: Binary data

Attachment: smime.p7s
Description: S/MIME cryptographic signature
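As an added check that is not part of Wulf's mail or of Apache's own tooling, the script below reads the startup section of a mod_ssl error_log like the one posted above and pulls out the facts a reviewer would want before debugging the handshake: the OpenSSL version mod_ssl was compiled against versus the one the running process reports in its startup banner (the posted log shows 0.9.8h and 0.9.7d respectively, which points at the dynamic linker resolving a different libssl than the one the build used), the certificate CN warning, and the protocol and cipher-spec tokens that enable SSLv2, export, LOW and eNULL suites. The sample lines are copied from the log in the mail; the function and constant names (`analyze`, `weak_tokens`, `WEAK_KEYWORDS`, `SAMPLE_LOG`) are this example's own.

```python
"""Added example: triage the startup section of an Apache 2.2 mod_ssl error_log.

Not part of the original mail or of Apache; function and constant names
(analyze, weak_tokens, WEAK_KEYWORDS, SAMPLE_LOG) are this example's own.
"""
import re

# Lines copied from the error_log quoted in the mail (only the ones needed here).
SAMPLE_LOG = """\
[Wed Jul 16 14:24:50 2008] [debug] ssl_engine_init.c(384): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Jul 16 14:24:50 2008] [debug] ssl_engine_init.c(580): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Wed Jul 16 14:24:50 2008] [warn] RSA server certificate CommonName (CN) `iis.mpimf-heidelberg.mpg.de' does NOT match server name!?
[Wed Jul 16 14:24:50 2008] [info] mod_ssl/2.2.9 compiled against Server: Apache/2.2.9, Library: OpenSSL/0.9.8h
[Wed Jul 16 14:24:50 2008] [notice] Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7d DAV/2 configured -- resuming normal operations
"""

# "compiled against" reports the OpenSSL headers used at build time; the
# "configured -- resuming normal operations" banner reports the library the
# running process actually linked. The two should agree.
COMPILED_RE = re.compile(r"compiled against Server: \S+, Library: OpenSSL/(\S+)")
RUNTIME_RE = re.compile(r"\[notice\] .*OpenSSL/(\S+) .*configured -- resuming normal operations")
CN_RE = re.compile(r"CommonName \(CN\) `([^']+)' does NOT match server name")
CIPHERS_RE = re.compile(r"Configuring permitted SSL ciphers \[([^\]]+)\]")
PROTO_RE = re.compile(r"Creating new SSL context \(protocols: ([^)]+)\)")

# Cipher-spec keywords that, when added rather than excluded, enable null,
# export-grade, anonymous or SSLv2 suites.
WEAK_KEYWORDS = {"SSLv2", "EXP", "EXPORT40", "EXPORT56", "LOW",
                 "eNULL", "NULL", "aNULL", "ADH"}


def weak_tokens(cipher_spec):
    """Return the weak keywords a colon-separated OpenSSL cipher spec adds."""
    found = []
    for token in cipher_spec.split(":"):
        if token.startswith(("!", "-")):
            continue                                  # an exclusion never enables anything
        for part in token.lstrip("+").split("+"):     # "RC4+RSA" -> RC4, RSA
            if part in WEAK_KEYWORDS:
                found.append(part)
    return found


def analyze(log_text):
    """Parse the startup lines and return the extracted facts plus a list of findings."""
    r = {"compiled_openssl": None, "runtime_openssl": None, "version_mismatch": False,
         "cn_mismatch": None, "protocols": [], "weak_ciphers": [], "findings": []}
    for line in log_text.splitlines():
        m = COMPILED_RE.search(line)
        if m:
            r["compiled_openssl"] = m.group(1)
        m = RUNTIME_RE.search(line)
        if m:
            r["runtime_openssl"] = m.group(1)
        m = CN_RE.search(line)
        if m:
            r["cn_mismatch"] = m.group(1)
        m = PROTO_RE.search(line)
        if m:
            r["protocols"] = [p.strip() for p in m.group(1).split(",")]
        m = CIPHERS_RE.search(line)
        if m:
            r["weak_ciphers"] = weak_tokens(m.group(1))

    compiled, runtime = r["compiled_openssl"], r["runtime_openssl"]
    if compiled and runtime and compiled != runtime:
        r["version_mismatch"] = True
        r["findings"].append(
            f"mod_ssl built against OpenSSL {compiled} but the process linked OpenSSL {runtime}; "
            "check which libssl the dynamic linker resolves for mod_ssl.so")
    if r["cn_mismatch"]:
        r["findings"].append(
            f"certificate CN {r['cn_mismatch']!r} does not match ServerName; "
            "clients will see a hostname mismatch")
    if "SSLv2" in r["protocols"]:
        r["findings"].append("SSLv2 is enabled; set SSLProtocol to exclude it")
    if r["weak_ciphers"]:
        r["findings"].append(
            "SSLCipherSuite adds weak keywords: " + ", ".join(r["weak_ciphers"]))
    return r


if __name__ == "__main__":
    # Run stand-alone it prints the findings for the embedded sample; point
    # analyze() at open("error_log").read() to check a live log instead.
    for finding in analyze(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

On the posted log the script reports four findings: the 0.9.8h/0.9.7d library mismatch, the CN `iis.mpimf-heidelberg.mpg.de` not matching the server name, SSLv2 being enabled, and the `+LOW:+SSLv2:+EXP:+eNULL` keywords in the cipher spec. The mismatch is the one worth resolving first: a build done with `--with-ssl=/usr/local/ssl` that then links a different libssl at run time is exactly the situation the unset `LD_LIBRARY_PATH` and `-R` run-path flags in the build notes were meant to prevent, so the next step is to check which library the dynamic linker actually resolves for `mod_ssl.so`.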

