Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change 
notification.

The "ScratchPad" page has been changed by TomasPospisek:
http://wiki.apache.org/httpd/ScratchPad?action=diff&rev1=1&rev2=2

Comment:
working on the "debugging SSL" article

  = Writing space for new content =
  
+ = Debugging SSL Problems =
+ 
+ Here are some tips on what to do if the SSL connection to your server just 
isn't working as it should.
+ 
+ This article reflects the limited knowledge of it's author(s). If you 
discover anything incorrect when reading this article, you are asked to please 
either correct the text, or to leave a note in the text stating the problem.
+ 
+ == Understanding modssl's components ==
+ 
+ Modssl does not implement the SSL protocol. It uses the 
[[http://www.openssl.org/|openssl]] library to do the SSL negotiation, 
handshaking and encoding into the SSL protocol.
+ 
+ That has the implication that if you need to debug what's happening during a 
connection you'll need to read openssl's documentation.
+ 
+ However the configuration of the handshake phase, that is:
+ 
+  * which certificates you want to be used by your server
+  * which certificates are to be sent to the client
+  * which certificates the client should send back to the server (in the case 
of client authentication)
+ 
+ are done with modssl means, in the apache configuration.
+ 
+ That is as far as the author of this article understands, modssl proper is 
only there to properly parametrize the openssl library, as required by a web 
server.
+ 
+ 
+ == Understanding SSL communications setup ==
+ 
+ [[The http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html|SSL/TLS Strong 
Encryption: An Introduction]] provides some intermediate level on how SSL 
communication works - in particular the paragraph 
[[http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html#ssl|Secure Sockets Layer 
(SSL)]].
+ 
+ When an SSL communication is being set up, all the phases up to the final 
data transfer, that is the handshaking and certificate exchanges are done 
unencrypted. That means they can be examined and thus debugged from the outside 
of the two communication parties.
+ 
+ == Debugging tools ==
+ 
+ Since, as noted in the last paragraph the setup of the SSL connection is not 
encrypted, we can sniff the traffic. That can be done with:
+ 
+  * [[http://www.wireshark.org/|Wireshark]] or
+  * [[http://www.microsoft.com/download/en/details.aspx?id=4865|Microsoft 
Network Monitor]](runs on Windows only)
+ 
+ which both include SSL protocol dissectors, and thus are able to decode and 
display SSL handshakes in a human understandable format.
+ 
+ If you need to analyse traffic that is happening during the data transfer 
phase, then you'll need 
[[http://www.thoughtcrime.org/software/sslsniff/|sslsniff]] which is able to 
decode traffic when given the apropriate certificate keys.
+ 
+ == Enable SSL logging ==
+ 
+ The first step when debugging SSL problems is to setup proper logging:
+ 
+ {{{
+   <IfModule mod_ssl.c>
+     ErrorLog /var/log/apache2/ssl_engine.log
+     LogLevel debug
+   </IfModule>
+ }}}
+ 
+ See also:
+  * http://httpd.apache.org/docs/trunk/ssl/ssl_howto.html#logging
+  * http://httpd.apache.org/docs/trunk/mod/core.html#loglevel
+ 
+ Unfortunately the "info" LogLevel is not enough and "debug" is overkill. 
[[http://www.modssl.org/|modssl by Ralf S. Engelschall]] on which Apache's 
modssl is based had a 
[[http://www.modssl.org/docs/2.7/ssl_reference.html#ToC20|"trace"]] Level, 
which is 
[[http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?revision=1180329&view=markup|still]]
 present in Apache's modsll source code. But it is not known how that "trace" 
log level can be activated from the configuration file.
+ 
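Review bot: the link at "[[The http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html|SSL/TLS Strong Encryption: An Introduction]]" in the "Understanding SSL communications setup" section puts the word "The" inside the link brackets, which breaks the wiki link syntax; move it outside: `The [[http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html|SSL/TLS Strong Encryption: An Introduction]]`. In the same section, "all the phases up to the final data transfer ... are done unencrypted" is too strong as written: the Finished messages that close the handshake and any renegotiation handshake are already sent under the negotiated keys, so the plain-sniffing approach described in "Debugging tools" only covers the initial handshake; suggest qualifying the sentence accordingly. Spelling: "it's author(s)" should be "its author(s)", "apropriate" should be "appropriate", and "modsll source code" should be "modssl source code". Finally, the closing paragraph states that the "trace" level cannot be activated from the configuration file while the "See also" list points at the trunk LogLevel documentation; it would be worth checking that linked page before leaving the statement as-is, since that is where such a level would be documented.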

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
For additional commands, e-mail: docs-h...@httpd.apache.org