mod_ssl errors

2009-03-03 Thread Andres Morey

Hi All,

I switched my LogLevel to info and noticed this error in the logs:

[client ::1] (70007)The timeout specified has expired: SSL input filter read failed.


Furthermore, when I do a graceful restart, I get this error:

[client ::1] SSL library error 1 in handshake (server localhost:443)
SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
[client ::1] Connection closed to child 9 with abortive shutdown (server localhost:443)


I am using mod_ssl/2.2.11 compiled against Server: Apache/2.2.11,  
Library: OpenSSL/0.9.8h on OS X but I have also seen the problem on  
Linux as well. The setup I have is dead simple - I am setting up a  
virtual host on port 80 and on port 443, both serving static files  
from apache/htdocs. Does anybody have any ideas what could be causing  
these ssl errors?


Thanks,
Andres
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager    majord...@modssl.org


FW: Mod_SSL Errors

2002-03-18 Thread Michael Katz



Trying to get SSL running for the first time.  Using Apache 1.2.23,
openssl-0.9.6c, mod_ssl-2.8.7-1.3.23.

After creating the virtual host and restarting apache I get the following
errors:

[Mon Mar 18 09:22:56 2002] [error] mod_ssl: Init: (secure.raeinternet.com:443) Unable to configure verify locations for client authentication (OpenSSL library error follows)
[Mon Mar 18 09:22:56 2002] [error] OpenSSL: error:0906D066:PEM routines:PEM_read_bio:bad end line
[Mon Mar 18 09:22:56 2002] [error] OpenSSL: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:missing asn1 eos
[Mon Mar 18 09:23:04 2002] [error] mod_ssl: Init: (secure.raeinternet.com:443) Unable to configure verify locations for client authentication (OpenSSL library error follows)
[Mon Mar 18 09:23:04 2002] [error] OpenSSL: error:0906D066:PEM routines:PEM_read_bio:bad end line

I have seen others have found this error but I could not find a solution.

Michael Katz
RAE Internet
39 Carthage Road
Scarsdale, NY 10583
ph. (914) 725-2370, (877)302-2027
fax (914) 725-2372
http://www.raeinternet.com
US Distributor RAV Antivirus
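
A structural check for the PEM files a server loads as verify locations, as an added example (not part of the original post, and not mod_ssl or OpenSSL code): `bad end line` is what OpenSSL's PEM reader reports when a block's END boundary is malformed or does not match its BEGIN, so the script reports the line number of each such boundary. The function name and the sample data are constructed for illustration, and the check is stricter than OpenSSL about trailing characters on boundary lines.

```python
import base64
import re

# Exact boundary form: five dashes, BEGIN or END, a label, five dashes, nothing else.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def check_pem_bundle(text):
    """Return [(line_number, problem)] for a PEM bundle passed as a string."""
    problems = []
    label, opened_at, body = None, 0, []
    for n, line in enumerate(text.splitlines(), 1):
        m = BOUNDARY.match(line)
        if m is None:
            if line.startswith("-----"):
                # Looks like a boundary but is not one: truncated, or two lines run together.
                problems.append((n, "malformed boundary line"))
            elif label is not None:
                body.append(line.strip())
            continue  # free text between blocks is ignored
        kind, name = m.groups()
        if kind == "BEGIN":
            if label is not None:
                problems.append((n, "BEGIN inside block opened at line %d" % opened_at))
            label, opened_at, body = name, n, []
            continue
        if label is None:
            problems.append((n, "END without a matching BEGIN"))
        elif name != label:
            problems.append((n, "END %s closes BEGIN %s" % (name, label)))
        else:
            try:
                base64.b64decode("".join(body), validate=True)
            except ValueError:
                problems.append((n, "body is not valid base64"))
        label = None
    if label is not None:
        problems.append((opened_at, "block is never closed"))
    return problems

# Constructed samples: the body is arbitrary base64, not a real certificate.
BODY = base64.b64encode(bytes(range(48))).decode()
GOOD = "-----BEGIN CERTIFICATE-----\n" + BODY + "\n-----END CERTIFICATE-----\n"
JOINED = GOOD.rstrip("\n") + GOOD   # two blocks pasted with no newline between them
TRUNCATED = GOOD.rstrip("-\n")      # END line cut short

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("joined", JOINED), ("truncated", TRUNCATED)):
        print(name, check_pem_bundle(sample))
```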



Re: mod_ssl errors

2000-01-30 Thread lin geng


- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, January 29, 2000 11:50 AM
Subject: Re: mod_ssl errors


> Hi -
>
> Does anyone on this list know what could be used to encrypt/decrypt
> streaming files on the fly? I understand that public key encryption could
> probably be used for encrypting a small key that would unlock the larger
> file.
>
> Regards, Jeff
>
> On Sat, 29 Jan 2000, Eckard Wille wrote:
>
> > jay wrote:
> >
> > > [28/Jan/2000 15:54:06 12886] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
> >
> > Your browser does not present a client cert (at least no cert issued
> > by a CA your server knows), but you enabled client verification. If
> > you set "SSLVerifyClient none" in your httpd.conf, everything should
> > work fine. If you really need client cert verification, you have to
> > get||install a client cert in your browser.
> >
> > Eckard


Since SSL is a session-based protocol, it is difficult to use it for file
encryption.  It is based on a secret that is established during the
handshake phase.  Once the session is terminated, the secret cannot be
recovered.  To encrypt files, S/MIME surely can be used.

Cheers

Lin Geng




Re: mod_ssl errors

2000-01-29 Thread Eckard Wille

jay wrote:

> [28/Jan/2000 15:54:06 12886] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Your browser does not present a client cert (at least no cert issued
by a CA your server knows), but you enabled client verification. If
you set "SSLVerifyClient none" in your httpd.conf, everything should
work fine. If you really need client cert verification, you have to
get||install a client cert in your browser.

Eckard
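
The situation described in this reply, as an added example that is not part of the original thread: a small audit that reads httpd.conf text and reports, per virtual host, whether a browser without a client certificate will fail the handshake. The helper names, the sample configuration and the numeric-level mapping are assumptions made for illustration.

```python
# Assumption: numeric levels as older mod_ssl releases accepted them (the
# configuration quoted in this thread uses "SSLVerifyClient 2").
LEVELS = {"0": "none", "1": "optional", "2": "require", "3": "optional_no_ca"}
CA_DIRECTIVES = ("sslcacertificatefile", "sslcacertificatepath")

def explain(level, has_ca):
    """Describe what the setting means for a client that has no certificate."""
    if level == "require" and not has_ca:
        return "handshake fails for every client: no CA configured to verify against"
    if level == "require":
        return "handshake fails unless the client presents a cert from a configured CA"
    if level in ("optional", "optional_no_ca"):
        return "cert is requested, handshake continues without one"
    return "no client cert requested"

def client_verify_report(conf_text):
    """Return [(vhost, level, ca_configured, note)] for each <VirtualHost> block."""
    report, vhost, level, has_ca = [], None, "none", False
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if name == "<virtualhost":
            # New block: mod_ssl's default is no client verification.
            vhost, level, has_ca = value.rstrip("> "), "none", False
        elif name == "</virtualhost>" and vhost:
            report.append((vhost, level, has_ca, explain(level, has_ca)))
            vhost = None
        elif vhost and name == "sslverifyclient" and value:
            level = LEVELS.get(value, value.lower())
        elif vhost and name in CA_DIRECTIVES:
            has_ca = True
    return report

# Constructed sample modelled on the configuration quoted in this thread.
SAMPLE = """
<VirtualHost 192.0.2.10:443>
ServerName www.example.test
SSLEngine on
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
SSLVerifyClient 2
</VirtualHost>
<VirtualHost 192.0.2.10:8443>
SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for row in client_verify_report(SAMPLE):
        print(row)
```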



mod_ssl errors

2000-01-29 Thread jay


Sorry I couldn't be more specific with my subject. :)

Anyhow, I've never worked with ssl certs before, and the
only knowledge I have is from reading documentation and
reference manuals.  I got a cert from Verisign, installed
Apache+mod_ssl, and configured it to use the cert I got back
from Verisign using what I learned from the documentation.
Getting errors, though.  If I try to connect to the ssl
server, I get the following in the ssl log:

[28/Jan/2000 15:53:37 12885] [info]  Init: Configuring server www.myhost.com:443 for SSL protocol
[28/Jan/2000 15:54:03 12886] [info]  Connection to child 0 established (server www.myhost.com:443, client 209.133.93.172)
[28/Jan/2000 15:54:06 12886] [error] SSL handshake failed (server www.myhost.com:443, client 209.133.93.172) (OpenSSL library error follows)
[28/Jan/2000 15:54:06 12886] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Here are the relevant entries I put into httpd.conf:

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog  /usr/local/apache/logs/ssl_engine_log
SSLLogLevel info

## there is only one ssl host on the machine, so this
## shouldn't be a problem
<VirtualHost 209.133.46.64:443>
ServerName www.myhost.com
Port 443
ErrorLog /var/log/www/www.myhost.com/error.log
TransferLog  /var/log/www/www.myhost.com/access.log
LogFormat "%{Referer}i - %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /var/log/www/www.myhost.com/referer.log referer
CustomLog /var/log/www/www.myhost.com/agent.log agent
ScriptAlias  /cgi-bin/ /usr/local/www/www.myhost.com/cgi-bin/
Options  +Includes ExecCGI
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/www.myhost.com.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.myhost.com.key
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
### ^^^ the CA installed by mod_ssl/OpenSSL
SSLLog  /var/log/www/www.myhost.com/ssl.log
SSLOptions +StdEnvVars
SSLVerifyClient 2
SSLVerifyDepth 10
SSLLogLevel info
</VirtualHost>

What is the problem here?  Thank you for any help.





Re: mod_ssl errors

2000-01-29 Thread jeffkoch

Hi - 

Does anyone on this list know what could be used to encrypt/decrypt
streaming files on the fly? I understand that public key encryption could
probably be used for encrypting a small key that would unlock the larger
file.

Regards, Jeff

On Sat, 29 Jan 2000, Eckard Wille wrote:

> jay wrote:
>
> > [28/Jan/2000 15:54:06 12886] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
>
> Your browser does not present a client cert (at least no cert issued
> by a CA your server knows), but you enabled client verification. If
> you set "SSLVerifyClient none" in your httpd.conf, everything should
> work fine. If you really need client cert verification, you have to
> get||install a client cert in your browser.
>
> Eckard
