> -----Original Message-----
> From: John Ott [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, 10 May 2001 16:37
> To: [EMAIL PROTECTED]
> Subject: Re: Network Error: Connection refused
>
> Henning von Bargen wrote:
>
> > Is there nobody in this list who can help me?
> > I _guess_ it's a simple configuration problem,
> > but I didn't find an answer in the FAQ or in the mailing-list archive.
> > pls help
> > Henning
> >
> > >Network Error: Connection refused
> >
>
> This usually means there is no service running on the port
> you tried to connect to.
>
> Did you try to connect https and do ./apachectl start
> instead of ./apachectl startssl ?

The server is running on NT as a service :-)
SSL on port 443 is working, I can access the site with
Microsoft Internet Explorer 5.5 or Opera 4.0.2,
only Netscape Navigator gives an error message.

> > >
> > > -----Original Message-----
> > > From: Henning von Bargen [SMTP:[EMAIL PROTECTED]]
> > > Sent: Wednesday, 9 May 2001 11:23
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Network Error: Connection refused
> > >
> > > I discovered that I could partially work around this problem by configuring
> > > the Netscape browser as follows:
> > > In Security Info / Navigator / Configure SSL v3 :
> > > [x] RC4 encryption with a 128-bit key and an MD5 MAC (When permitted)
> > > [x] FIPS 140-1 compliant triple DES encryption and SHA-1 MAC (When permitted)
> > > [x] Triple DES encryption with a 168-bit key and a SHA-1 MAC (When permitted)
> > > [ ] RC4 encryption with a 56-bit key and a SHA-1 MAC
> > > [ ] DES encryption in CBC mode with a 56-bit key and a SHA-1 MAC
> > > [ ] RC4 encryption with a 40-bit key and an MD5 MAC
> > > [ ] RC2 encryption with a 40-bit key and an MD5 MAC
> > > [ ] No encryption with an MD5 MAC
> > > That is, I cleared the checkboxes 4,5,6,7 which were checked by default.
> > >
> > > However, when I open the page now, I get a messagebox:
> > > New Site Certificate
> > > Certificate for: ...
> > > Signed by: Verisign Trust Network
> > > Encryption: Export Grade (RC4-Export with 40-bit secret key)
> > >
> > > shouldn't it be possible with a Verisign Global Server ID to
> > > have 128 bit encryption with Netscape 4.7, too?
> > > And why does Netscape Navigator complain about the certificate at all
> > > whereas Internet Explorer doesn't?
> > >
> > > Please help.
> > >
> > > Henning
> > >
> > > > -----Original Message-----
> > > > From: Henning von Bargen [SMTP:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, 8 May 2001 16:13
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Network Error: Connection refused
> > > >
> > > > We have a web site running
> > > > Oracle iAS 1.0.1 for NT alias Apache 1.3.12 / mod_ssl 2.6.4 / OpenSSL 0.9.5a
> > > > on a Windows NT 4 workstation.
> > > > It has a Verisign Global Server ID installed.
> > > > I can access the SSL pages fine with Microsoft IE 5.0, 5.5 and KDE 2.1
> > > > Konqueror.
> > > >
> > > > However, when I try to access an SSL page with Netscape 4.7,
> > > > I get the following error message box:
> > > > Netscape
> > > > A network error occurred while Netscape was receiving data.
> > > > (Network Error: Connection refused)
> > > > Try connecting again.
> > > >
> > > > Is this a Netscape bug or a server mis-configuration?
> > > >
> > > > One perhaps unusual thing is that we have a start page at
> > > > http://xxx.xxx.de/index.html
> > > > that redirects to https://xxx.xxx.de/ucl/html with
> > > > <meta http-equiv="refresh" content="1; URL="https://xxx.xxx.de/ucl/html">
> > > >
> > > > The Apache httpd.conf looks like this (excerpt).
> > > > I didn't change anything from the defaults except
> > > > ServerName, ServerAdmin, and the various certificate file locations.
> > > >
> > > > Any help is highly appreciated...
> > > >
> > > > Henning
> > > >
> > > >
> > > > ##
> > > > ## SSL Virtual Host Context
> > > > ##
> > > >
> > > > <VirtualHost _default_:443>
> > > >
> > > > # General setup for the virtual host
> > > > DocumentRoot "D:\iAS_101\Apache\Apache\htdocs"
> > > > ServerName xxx.xxx.de
> > > > ServerAdmin [EMAIL PROTECTED]
> > > > ErrorLog logs/error_log
> > > > TransferLog logs/access_log
> > > >
> > > > # SSL Engine Switch:
> > > > # Enable/Disable SSL for this virtual host.
> > > > SSLEngine on
> > > >
> > > > # SSL Cipher Suite:
> > > > # List the ciphers that the client is permitted to negotiate.
> > > > # See the mod_ssl documentation for a complete list.
> > > > #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > > >
> > > > # Server Certificate:
> > > > # Point SSLCertificateFile at a PEM encoded certificate. If
> > > > # the certificate is encrypted, then you will be prompted for a
> > > > # pass phrase. Note that a kill -HUP will prompt again. A test
> > > > # certificate can be generated with `make certificate' under
> > > > # built time. Keep in mind that if you've both a RSA and a DSA
> > > > # certificate you can configure both in parallel (to also allow
> > > > # the use of DSA ciphers, etc.)
> > > > #SSLCertificateFile \conf\ssl.crt\server.crt
> > > > SSLCertificateFile \conf\ssl.crt\tup.crt
> > > >
> > > > # Server Private Key:
> > > > # If the key is not combined with the certificate, use this
> > > > # directive to point at the key file. Keep in mind that if
> > > > # you've both a RSA and a DSA private key you can configure
> > > > # both in parallel (to also allow the use of DSA ciphers, etc.)
> > > > #SSLCertificateKeyFile conf\ssl.key\server.key
> > > > SSLCertificateKeyFile conf\ssl.key\key-tup
> > > >
> > > > # Server Certificate Chain:
> > > > # Point SSLCertificateChainFile at a file containing the
> > > > # concatenation of PEM encoded CA certificates which form the
> > > > # certificate chain for the server certificate. Alternatively
> > > > # the referenced file can be the same as SSLCertificateFile
> > > > # when the CA certificates are directly appended to the server
> > > > # certificate for convenience.
> > > > #SSLCertificateChainFile conf\ssl.crt\ca.crt
> > > >
> > > > # Certificate Authority (CA):
> > > > # Set the CA certificate verification path where to find CA
> > > > # certificates for client authentication or alternatively one
> > > > # huge file containing all of them (file must be PEM encoded)
> > > > # Note: Inside SSLCACertificatePath you need hash symlinks
> > > > # to point to the certificate files. Use the provided
> > > > # Makefile to update the hash symlinks after changes.
> > > > #SSLCACertificateFile conf\ssl.crt\ca-bundle.crt
> > > >
> > > > # Certificate Revocation Lists (CRL):
> > > > # Set the CA revocation path where to find CA CRLs for client
> > > > # authentication or alternatively one huge file containing all
> > > > # of them (file must be PEM encoded)
> > > > # Note: Inside SSLCARevocationPath you need hash symlinks
> > > > # to point to the certificate files. Use the provided
> > > > # Makefile to update the hash symlinks after changes.
> > > > #SSLCARevocationFile conf\ssl.crl\ca-bundle.crl
> > > >
> > > > # Client Authentication (Type):
> > > > # Client certificate verification type and depth. Types are
> > > > # none, optional, require and optional_no_ca. Depth is a
> > > > # number which specifies how deeply to verify the certificate
> > > > # issuer chain before deciding the certificate is not valid.
> > > > #SSLVerifyClient require
> > > > #SSLVerifyDepth 10
> > > >
> > > > # Access Control:
> > > > # With SSLRequire you can do per-directory access control based
> > > > # on arbitrary complex boolean expressions containing server
> > > > # variable checks and other lookup directives. The syntax is a
> > > > # mixture between C and Perl. See the mod_ssl documentation
> > > > # for more details.
> > > > #<Location />
> > > > #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
> > > > # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> > > > # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> > > > # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> > > > # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
> > > > # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> > > > #</Location>
> > > >
> > > > # SSL Engine Options:
> > > > # Set various options for the SSL engine.
> > > > # o FakeBasicAuth:
> > > > #   Translate the client X.509 into a Basic Authorisation. This means that
> > > > #   the standard Auth/DBMAuth methods can be used for access control. The
> > > > #   user name is the `one line' version of the client's X.509 certificate.
> > > > #   Note that no password is obtained from the user. Every entry in the user
> > > > #   file needs this password: `xxj31ZMTZzkVA'.
> > > > # o ExportCertData:
> > > > #   This exports two additional environment variables: SSL_CLIENT_CERT and
> > > > #   SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
> > > > #   server (always existing) and the client (only existing when client
> > > > #   authentication is used). This can be used to import the certificates
> > > > #   into CGI scripts.
> > > > # o StdEnvVars:
> > > > #   This exports the standard SSL/TLS related `SSL_*' environment variables.
> > > > #   Per default this exportation is switched off for performance reasons,
> > > > #   because the extraction step is an expensive operation and is usually
> > > > #   useless for serving static content. So one usually enables the
> > > > #   exportation for CGI and SSI requests only.
> > > > # o CompatEnvVars:
> > > > #   This exports obsolete environment variables for backward compatibility
> > > > #   to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
> > > > #   to provide compatibility to existing CGI scripts.
> > > > # o StrictRequire:
> > > > #   This denies access when "SSLRequireSSL" or "SSLRequire" applied even
> > > > #   under a "Satisfy any" situation, i.e. when it applies access is denied
> > > > #   and no other module can change it.
> > > > # o OptRenegotiate:
> > > > #   This enables optimized SSL connection renegotiation handling when SSL
> > > > #   directives are used in per-directory context.
> > > > #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> > > > <Files ~ "\.(cgi|shtml)$">
> > > > SSLOptions +StdEnvVars
> > > > </Files>
> > > > <Directory "cgi-bin">
> > > > SSLOptions +StdEnvVars
> > > > </Directory>
> > > >
> > > > # SSL Protocol Adjustments:
> > > > # The safe and default but still SSL/TLS standard compliant shutdown
> > > > # approach is that mod_ssl sends the close notify alert but doesn't wait for
> > > > # the close notify alert from client. When you need a different shutdown
> > > > # approach you can use one of the following variables:
> > > > # o ssl-unclean-shutdown:
> > > > #   This forces an unclean shutdown when the connection is closed, i.e. no
> > > > #   SSL close notify alert is sent or allowed to be received. This violates
> > > > #   the SSL/TLS standard but is needed for some brain-dead browsers. Use
> > > > #   this when you receive I/O errors because of the standard approach where
> > > > #   mod_ssl sends the close notify alert.
> > > > # o ssl-accurate-shutdown:
> > > > #   This forces an accurate shutdown when the connection is closed, i.e. a
> > > > #   SSL close notify alert is sent and mod_ssl waits for the close notify
> > > > #   alert of the client. This is 100% SSL/TLS standard compliant, but in
> > > > #   practice often causes hanging connections with brain-dead browsers. Use
> > > > #   this only for browsers where you know that their SSL implementation
> > > > #   works correctly.
> > > > # Notice: Most problems of broken clients are also related to the HTTP
> > > > # keep-alive facility, so you usually additionally want to disable
> > > > # keep-alive for those clients, too. Use variable "nokeepalive" for this.
> > > > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> > > >
> > > > # Per-Server Logging:
> > > > # The home of a custom SSL log file. Use this when you want a
> > > > # compact non-error SSL logfile on a virtual host basis.
> > > > CustomLog logs/ssl_request_log \
> > > > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > > >
> > > > </VirtualHost>
> > > > P.S. Sorry, I had trouble posting to modssl-users last week.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
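
The quoted httpd.conf records the negotiated protocol and cipher for every request through its CustomLog line, which is where a session like the "Export Grade" one reported for Netscape would be visible on the server side. The following Python script is an added example, not part of the original thread: it parses that log format and lists clients that negotiated export or NULL ciphers, using the same `^(EXP|NULL)-` test as the commented-out SSLRequire example. The log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Matches the CustomLog format from the quoted httpd.conf:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\d+|-)$'
)
# Same test as the commented-out SSLRequire example in that config.
WEAK_RE = re.compile(r'^(EXP|NULL)-')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
[10/May/2001:16:30:01 +0200] 192.0.2.10 SSLv3 RC4-MD5 "GET /ucl/html HTTP/1.1" 2048
[10/May/2001:16:31:12 +0200] 192.0.2.20 SSLv3 EXP-RC4-MD5 "GET /ucl/html HTTP/1.0" 2048
[10/May/2001:16:31:40 +0200] 192.0.2.20 SSLv2 EXP-RC2-CBC-MD5 "GET /ucl/html HTTP/1.0" -
[10/May/2001:16:32:05 +0200] 192.0.2.30 TLSv1 DES-CBC3-SHA "GET / HTTP/1.1" 512
this line is truncated or corrupt
"""

def parse_line(line):
    """Return a dict for one ssl_request_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["weak"] = bool(WEAK_RE.match(rec["cipher"]))
    return rec

def weak_clients(log_text):
    """Return ({host: sorted (protocol, cipher) pairs that were export/NULL}, unparsed count)."""
    hits = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep count so damaged lines are not silently ignored
            continue
        if rec["weak"]:
            hits[rec["host"]].add((rec["proto"], rec["cipher"]))
    return {h: sorted(p) for h, p in hits.items()}, skipped

if __name__ == "__main__":
    report, skipped = weak_clients(SAMPLE_LOG)
    for host, pairs in report.items():
        print(host, pairs)
    print("unparsed lines:", skipped)
```

The log format has no User-Agent field, so clients are grouped by the `%h` host value only.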
