Excuse me snipping all the old stuff, but I think I noticed from your logs
that you have managed to compile Apache 1.3.12 mod_ssl 2.6.6. against
openssl-0.9.6a, which in itself is quite an achievement. ie:
> [Tue Oct 23 11:52:05 2001] [notice] Apache/1.3.12 (Unix) PHP/4.0.5
> FrontPage/4.0.4.3 mod_ssl/2.6.6 OpenSSL/0.9.6a configured -- resuming
normal
> operations
>
(I wouldn't imagine that such an old version of apache-mod_ssl would compile
against the latest openssl, and probably wouldn't ever try).
The latest version is Apache 1.3.22, mod_ssl 2.8.5 and openssl-0.9.6a, which
is definitely a good idea to upgrade to (notwithstanding that a number of
security issues with the Apache server are resolved, eg cross-site scripting
which is fixed from 1.3.14 onwards).
Getting back to the real issue, that of starting up a secure server.
Provided your Apache server has been compiled with ssl support, a valid
configuration file always gets a secure server up. (Of course, it is
possible to split your configuration file into multiple files if you host
hundreds or thousands of sites).
First of all, test that mod_ssl is compiled in using "httpd -l". You should
then get the following:
Compiled-in modules:
http_core.c
mod_so.c
suexec: enabled; valid wrapper /usr/sbin/suexec
You might get an error at the last line. I've never understood the suexec
part, and apparently it isn't important.
Next, check that your server is listening to port 443 (because if it isn't
listening, it won't be able to receive secure connections). There should be
a line in your httpd.conf saying
Listen 443
There may be a
Listen 80
which isn't actually required as there is a
Port 80
That does exactly the same thing. But it might as well be left in for the
sake of completeness. Next, the mod_ssl module must be loaded into the
server. It is possible to run an apache-mod_ssl server without ssl support,
which is useful for debugging if nothing else. This is what the LoadModule
and AddModule lines do, and both are needed as IIRC Apache reads the module
list twice. If they are enclosed in <IfDefine SSL> statements, then Apache
needs to be started with httpd -DSSL.
Finally, you'll need at least one virtual host listening on Port 443, with
at least these three extra lines defined:
SSLEngine on
SSLCertificateFile /path/to/ssl.crt
SSLCertificateKeyFile /path/to/ssl.key
(Non-SSL hosts need only SSLEngine off defined).
I have to admit that I rarely use "apachectl", preferring instead to use the
following where necessary:
/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start
/etc/rc.d/init.d/httpd restart
/etc/rc.d/init.d/httpd reload
The last one is the most useful, as it re-reads the configuration file
without dropping a single byte. It's useful for moving log files on the fly
or minor changes to the httpd.conf file.
There's no doubt that this stuff is hard (it's taken me years to get to
grips with it), but it's better that running NT any day! (Off Topic: I've
spent the last fortnight testing a single CD method of patching NT/IIS that
works for all the NT servers and workstations I support, yet the procedure
for updating our Linux boxes was written and completed in an afternoon.)
-
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
-
NOTICE: The information contained in this email and any attachments is
confidential and may be legally privileged. If you are not the
intended recipient you are hereby notified that you must not use,
disclose, distribute, copy, print or rely on this email's content. If
you are not the intended recipient, please notify the sender
immediately and then delete the email and any attachments from your
system.
RNIB has made strenuous efforts to ensure that emails and any
attachments generated by its staff are free from viruses. However, it
cannot accept any responsibility for any viruses which are
transmitted. We therefore recommend you scan all attachments.
Please note that the statements and views expressed in this email
and any attachments are those of the author and do not necessarily
represent those of RNIB.
RNIB Registered Charity Number: 226227
Website: http://www.rnib.org.uk
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
