Nope, I can't comment out the key file without not being able to start the
daemon.  I generated the server.key, server.crt, and ca.crt like the
following...

openssl genrsa -des3 -out server.key 1024

openssl req -new -key server.key -out server.csr

openssl genrsa -des3 -out ca.key 1024

The server.key was signed with sign.sh.

Also, I'm using RSA encoding.




>From: David Rees <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: somebody shoot me, please
>Date: Thu, 16 Nov 2000 00:39:30 -0800
>
>Can you comment out SSLCertificateKeyFile?
>
>How was the certificate generated?
>
>-Dave
>
>On Thu, Nov 16, 2000 at 01:22:54AM -0600, Brendon Maragia wrote:
> > Thanks everyone for your suggestions :)  but it's still not working :(  I
> > will do anything to get this working :(  here is my new virtual host. I took
> > your suggestions to heart, however, some of them are giving me errors.  For
> > instance if I try to use strictly sslv2 I get this error when trying to
> > connect with a msie5.x browser...
> >
> > [error] OpenSSL: error:1407D0AF:SSL routines:SSL2_READ:non sslv2 initial packet
> >
> > here are some additional errors I've received when using sslv3..
> >
> > [error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> >
> > ok here is the most important part of my httpd.conf... again hehe
> >
> > <IfDefine SSL>
> > Listen 216.186.181.230:443
> > NameVirtualHost 216.186.181.230:443
> > </IfDefine>
> >
> > <VirtualHost 216.186.181.230:443>
> >
> >   DocumentRoot /home/commaflex/public_html/checkout
> >   ServerAdmin [EMAIL PROTECTED]
> >   ServerName checkout.commaflex.com
> >   ErrorLog /home/commaflex/public_html/checkout/.error.log
> >   TransferLog /home/commaflex/public_html/checkout/.transfer.log
> >
> >   SSLEngine on
> >   SSLCertificateFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.csr/server.crt
> >   SSLCertificateKeyFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.key/server.key
> >   SSLCipherSuite !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >   SSLCertificateChainFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.crt/ca.crt
> >
> >   SetEnvIf User-Agent ".*MSIE.*" \
> >            nokeepalive ssl-unclean-shutdown \
> >            downgrade-1.0 force-response-1.0
> >
> >   <Files ~ "\.(cgi|shtml)$">
> >     SSLOptions +StdEnvVars
> >   </Files>
> >
> >   <Directory "/usr/local/apache/htdocs/cgi-bin">
> >     SSLOptions +StdEnvVars
> >   </Directory>
> >
> >   CustomLog /var/log/apache_ssl_request_log \
> >     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >
> >    SSLLogLevel debug
> >
> > </VirtualHost>
> >
> >
> > ..I went ahead and 'deleted the SSLCertificateChainFile', 'deleted the
> > SSLCipherSuite', and changed it to SSLProtocol SSLv2, however all these
> > resulted in where errors :(.  I would appreciate so very much any more
> > suggestions that anyone has.
> >
> > P.S.  with the virtual host configuration I'm using above, the server
> > reports NO errors it completes the hand shake successfully and then shuts
> > the connection leaving me with a 'page cannot be displayed'.
> >
> > brendon
> >
> > >From: Austin Gonyou <[EMAIL PROTECTED]>
> > >Reply-To: [EMAIL PROTECTED]
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: somebody shoot me, please
> > >Date: Wed, 15 Nov 2000 22:42:56 GMT
> > >
> > > >Have you tried not loading the chain file and commenting out the
> > > >SSLCipherSuite stuff?
> > >Austin
> > >
> > > >>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
> > >
> > >On 11/15/00, 4:15:59 PM, Brendon Maragia <[EMAIL PROTECTED]> wrote
> > >regarding Re: somebody shoot me, please:
> > >
> > >
> > > > > Thanks for the idea, Dan but it didn't work :( .   Anybody else have any
> > > > > suggestions?  This is getting to be ridiculous lol :(  Am I doomed?  Am I
> > > > > going to have to use Apache-SSL?  Ahh god please say no!!!
> > >
> > >
> > > > >From: Dan Roscigno <[EMAIL PROTECTED]>
> > > > >Reply-To: [EMAIL PROTECTED]
> > > > >To: [EMAIL PROTECTED]
> > > > >Subject: Re: somebody shoot me, please
> > > > >Date: Wed, 15 Nov 2000 08:05:00 -0800 (PST)
> > > > >
> > > > >
> > > > > >I think you might need to limit the ciphers you accept.  To get all of my
> > > > > >(known) clients working I watched my logs to see what cipher was being used
> > > > > >by the clients which failed and then removed that from the list (with a
> > > > > >`!').  Here is what I ended up with:
> > > > > >
> > > > > >SSLCipherSuite !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > > > >
> > > > >The EXP1024-* ciphers were my problems.
> > > > >
> > > > >Dan Roscigno   [EMAIL PROTECTED]
> > > > >(425)864-5540
> > > > >
> > > > >On Wed, 15 Nov 2000, Brendon Maragia wrote:
> > > > >
> > > > > > > First I'd like to thank everyone for their advice about my MOD_SSL + MSIE5.x
> > > > > > > problem.  I recompiled everything WITHOUT rsaref-2.0 and I still cannot get
> > > > > > > a connection with MSIE5.5 only MSIE4.0 & 5.0.  Here's a quick run down of
> > > > > > > what I'm running and the virtual host I'm trying to connect to...
> > > > > >
> > > > > > apache_1.3.14
> > > > > > mod_ssl-2.7.1-1.3.14
> > > > > > openssl-0.9.6
> > > > > >
> > > > > > My Virtual Host:
> > > > > >
> > > > > > <VirtualHost 216.186.181.230:443>
> > > > > > DocumentRoot /home/commaflex/public_html/checkout
> > > > > > ServerAdmin [EMAIL PROTECTED]
> > > > > > ServerName checkout.commaflex.com
> > > > > > ErrorLog /home/commaflex/public_html/checkout/.error.log
> > > > > > TransferLog /home/commaflex/public_html/checkout/.transfer.log
> > > > > > SSLEngine on
> > > > > >
> > > > > > > SSLCertificateFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.csr/server.crt
> > > > > > >
> > > > > > > SSLCertificateKeyFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.key/server.key
> > > > > > >
> > > > > > > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> > > > > > > SSLCertificateChainFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.crt/ca.crt
> > > > > >
> > > > > > <Files ~ "\.(cgi|shtml)$">
> > > > > >   SSLOptions +StdEnvVars
> > > > > > </Files>
> > > > > > <Directory "/usr/local/apache/htdocs/cgi-bin">
> > > > > >   SSLOptions +StdEnvVars
> > > > > > </Directory>
> > > > > >
> > > > > > > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> > > > > >
> > > > > > CustomLog /var/log/apache_ssl_request_log \
> > > > > > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > > > > > SSLLogLevel debug
> > > > > > </VirtualHost>
> > > > > >
> > > > > > > ...I've checked all my logs upon trying to connect with MSIE5.0 and the
> > > > > > > server seems to execute a standard hand shake, and then gracefully execute a
> > > > > > > standard shutdown with no complaints.
> > > > > > >
> > > > > > > All I get from MSIE5.x is "Page Could Not Be Displayed".  Could someone
> > > > > > > pleassee pleaseee help :)
> > > > > >
> > > > > > Brendon
> > > > > >
> > > > > > > _______________________________________________________________________
> > > > > > > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
> > > > > > >
> > > > > > > Share information about yourself, create your own public profile at
> > > > > > > http://profiles.msn.com.
> > > > > > >
> > > > > > > ______________________________________________________________________
> > > > > > > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > > > > > > User Support Mailing List                      [EMAIL PROTECTED]
> > > > > > > Automated List Manager                            [EMAIL PROTECTED]

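Added example, not part of any message in this thread: the two "[error] OpenSSL: error:..." lines quoted above carry a packed hex code, and unpacking it shows whether the server raised the error itself or is reporting a fatal alert sent by the browser. It assumes the pre-3.0 OpenSSL error layout (the thread uses openssl-0.9.6); decode() and SAMPLE_LOG are names chosen for this example.

```python
import re

# Assumption: pre-3.0 OpenSSL error layout (the thread uses openssl-0.9.6),
# where ERR_PACK(lib, func, reason) = lib << 24 | func << 12 | reason.
ERR_LIB_SSL = 0x14
# In the SSL library, reason = 1000 + N means the peer sent TLS alert N.
SSL_AD_REASON_OFFSET = 1000
ALERTS = {  # subset of TLS alert descriptions (RFC 2246 numbering)
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

def decode(line):
    """Unpack one mod_ssl '[error] OpenSSL: error:...' log line."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        n = reason - SSL_AD_REASON_OFFSET
        alert = ALERTS.get(n, "alert_%d" % n)
    return {
        "lib": lib, "func": func, "reason": reason,
        "routine": m.group(3), "text": m.group(4).strip(),
        # "peer": the client sent an alert, i.e. it rejected what the server
        # presented; "local": the server's own OpenSSL detected the problem.
        "origin": "peer" if alert else "local",
        "peer_alert": alert,
    }

# The two error lines quoted in the thread, with mail line-wrapping undone.
SAMPLE_LOG = [
    "[error] OpenSSL: error:1407D0AF:SSL routines:SSL2_READ:non sslv2 initial packet",
    "[error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        d = decode(entry)
        print("%-16s reason=%-4d origin=%-5s alert=%s"
              % (d["routine"], d["reason"], d["origin"], d["peer_alert"]))
```

For the second line the decoded reason is 1000 + 48, so the unknown_ca alert came from the client: the browser did not recognise the CA that issued the server certificate.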