Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "ScratchPad" page has been changed by TomasPospisek: http://wiki.apache.org/httpd/ScratchPad?action=diff&rev1=5&rev2=6 Comment: finishing "debugging SSL" article = Debugging SSL Problems = + + <<TableOfContents>> Here are some tips on what to do if the SSL connection to your server just isn't working as it should. @@ -51, +53 @@ * [[http://www.wireshark.org/|Wireshark]] or * [[http://www.microsoft.com/download/en/details.aspx?id=4865|Microsoft Network Monitor]](runs on Windows only) + * the [[http://www.openssl.org/|openssl]] command line tool which both include SSL protocol dissectors, and thus are able to decode and display SSL handshakes in a human understandable format. @@ -83, +86 @@ Also Internet Explorer has a very comprehensive and well structured certificate management interface, that is helpful for seeing certificate paths and certificate properties. - Unfortunately IE is not helpful at all in its failure mode. When something's wrong, it will not finalize the setup of the SSL connection and not display any useful error. FF instead will at least display a semi useful error. + Unfortunately IE is not helpful at all in its failure mode. When something's wrong, it will not finalize the setup of the SSL connection and not display any useful error. FF instead will at least display a semi useful error. Additionaly, since FF is using the openssl library as its SSL engine, Firefox' error messages correspong to [[http://www.openssl.org/docs/ssl/SSL_alert_type_string.html|openssl's alert messages]]. 
+ + + == Manually verifying certificates == + + You can use the openssl command line tool to do all sorts of certificate manipulation and analysis tasks: + + * Verify that a private key matches a certificate (originally from http://kb.wisc.edu/middleware/page.php?id=4064) + + {{{ + $ (openssl x509 -noout -modulus \ + -in /etc/apache2/ssl.crt/www.mysite.org.crt | openssl md5 ;\ + openssl rsa -noout -modulus + -in /etc/apache2/ssl.key/www.mysite.org.key | openssl md5) \ + | uniq + }}} + + * display the RSA private key: + + {{{ + $ openssl rsa -in /etc/apache2/ssl.key/www.mysite.org.key -noout -text + }}} + + * display a X509 SSL certificate: + + {{{ + openssl x509 -in /etc/apache2/ssl.crt/www.mysite.org.crt -noout -text + }}} + + * verify a certificate: + + {{{ + openssl verify -CAfile ca-thawte+sourcepole.crt www.nofloh.ch.crt + }}} == Finding out what caused a handshake to fail == --------------------------------------------------------------------- To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org For additional commands, e-mail: docs-h...@httpd.apache.org
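Review bot: in the hunk at @@ -51, +53 @@ the new bullet "the openssl command line tool" is appended to a two-item list whose closing clause still says "which both include SSL protocol dissectors", so the sentence now describes three items with "both", and the openssl CLI is not a dissector in the Wireshark / Network Monitor sense: openssl s_client acts as a TLS client and prints its own handshake (with -msg, -state or -debug), it cannot decode a captured third-party session. Suggest either moving the openssl entry into its own sentence after the list ("In addition, 'openssl s_client -connect host:443 -msg' shows the handshake from the client side") or rewording the closing clause to "all of which can display an SSL handshake in a human-readable form". The link text should also follow the capitalisation of the other two entries.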
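Review bot: in the hunk at @@ -83, +86 @@ the added sentence "since FF is using the openssl library as its SSL engine" is incorrect: Firefox uses Mozilla's NSS library, not OpenSSL. The alert names still line up with the linked OpenSSL page because alert descriptions such as bad_certificate or unknown_ca are defined by the TLS protocol itself (RFC 5246, section 7.2), so every implementation reports the same names; reword to say that, and fix "Additionaly", "correspong" and "Firefox'" (Additionally, correspond, Firefox's). In the new "Manually verifying certificates" section the key/certificate comparison is broken as written: the line "openssl rsa -noout -modulus" has no trailing backslash, so "-in /etc/apache2/ssl.key/www.mysite.org.key" runs as a separate command and the subshell emits an error instead of the second hash. Add the backslash, and say what the reader should expect: "| uniq" prints one line when the two MD5 hashes match and two lines when they do not. Note also that -modulus only works for RSA keys; comparing "openssl x509 -noout -pubkey" with "openssl pkey -pubout" works for any key type. Smaller points: the "$" prompt appears on the first two blocks but not the last two; "a X509 SSL certificate" should read "an X.509 certificate"; the verify example uses personal file names (ca-thawte+sourcepole.crt, www.nofloh.ch.crt) while every other example uses /etc/apache2/ssl.crt/www.mysite.org.crt, so align them; and the text should mention that the -CAfile bundle must contain the whole chain up to the root (or the intermediates must be passed with -untrusted), otherwise openssl verify reports "unable to get local issuer certificate" for a perfectly valid server certificate.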