Hi Yoshi.
I think that works!
Instead of
[ssl] # openssl s_client -connect localhost:443 -state -debug
I key in
[ssl] # openssl s_client -connect 192.168.100.10:443 -state -debug
and it worked, no SSL23_GET_SERVER_HELLO error, why is that?
I am still *VERY CONCERNED* that the output from TCPDUMP contains human
readable data (admittedly you won't be able to get much out of that).
It's nothing like the plain text http transmission, try it out!


----- Original Message -----
From: "Kiyoshi Watanabe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, August 08, 2003 06:44 AM
Subject: Re: FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error


>
> Hello,
>
> did you test the openssl command using your IP instead of localhost?
>
>   openssl s_client -connect your-ip-here:443 -state -debug
>
> Or why don't you change the VirtualHost to _default_ temporarily and
> see how it goes.
>
> -Kiyoshi
> Kiyoshi Watanabe
>
>
>
> > > Problem #1: your OpenSSL doesn't have the error messages loaded so you're
> > > getting a rather non-descriptive error message.  No big deal, it just
> > > means you have to look harder to find out what the error means.
> > How do I load them in order to get a more meaningful description?
> > I've recompiled Apache 2.0.40 several times from scratch with the following
> > additional options:
> >
> > ./configure --with-mpm=worker --enable-so --enable-rewrite --enable-ssl --with-ssl=/path/to/openssl --enable-proxy --auth_digest
> >
> >
> > > Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you
> > > looked at the debug dump you'd see something very similar to:
> > > 0000 - 3c 21 44 4f 43 54 59 <!DOCTY
> > > which was mentioned in one of those links the other guy sent you.  It's
> > > telling you that that's what it received from the server.  You'll notice
> > > that "<!DOCTY" is the first few bytes of a standard html page unencrypted.
> > Indeed, this is the whole output:
> > CONNECTED(00000003)
> > write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))
> > 0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
> > 0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .........f......
> > 0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...........e..d.
> > 0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.....
> > 0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
> > 0050 - 00 00 06 00 00 03 04 00-80 02 00 80 5c ec 7c 7c   ............\.||
> > 0060 - 60 b1 2a 84 93 cf ba f5-87 dc 22 63 27 83 c7 16   `.*......."c'...
> > 0070 - f0 68 eb 8b 33 43 57 05-e8 5e a1 ef               .h..3CW..^..
> > read from 0809D018 [080A25C0] (7 bytes => 7 (0x7))
> > 0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
> > SSL_connect:error in SSLv2/v3 read server hello A
> > 1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:
> >
> > > So this tells you that your web server is in fact speaking plain HTTP on
> > > port 443 rather than HTTPS.  You probably do not have "SSLEngine on" for
> > > that virtual host.
> > This defies purpose. Following is an excerpt from httpd.conf with only those
> > bits that I believe are relevant. What have I done that's wrong?
> > (httpd.conf)
> >
> > ServerName www.saysit.com.hk:80
> > #
> > <IfModule mod_ssl.c>
> > # Some MIME-types for downloading Certificates and CRLs
> >    AddType application/x-x509-ca-cert .crt
> >    AddType application/x-pkcs7-crl    .crl
> >    SSLSessionCache  dbm:logs/ssl_scache
> >    SSLSessionCacheTimeout 300
> >    SSLMutex  file:logs/mutex
> >    SSLRandomSeed startup builtin
> >    SSLRandomSeed connect builtin
> > </IfModule>
> > ### Section 3: Virtual Hosts
> > Listen 80
> > Listen 443
> > NameVirtualHost 192.168.1.3
> > <VirtualHost 192.168.1.3:80>
> >     ServerName www.saysit.com.hk
> >     ServerAdmin [EMAIL PROTECTED]
> >     DocumentRoot /var/www/html
> >     ErrorLog /usr/local/apache2/logs/saysit_error.log
> >     CustomLog /usr/local/apache2/logs/saysit_access.log common
> >     SetEnvIf User-Agent ".MSIE.*"\
> >        nokeepalive ssl-unclean-shutdown \
> >        downgrade-1.0 force-response-1.0
> >     JkMount /saysit ajp13
> >     JkMount /saysit/* ajp13
> > </VirtualHost>
> > #
> > <IfDefine SSL>
> > <VirtualHost 192.168.1.3:443>
> >     ServerName demo.saysit.com.hk
> >     ServerAdmin [EMAIL PROTECTED]
> >     DocumentRoot /home/nicole/MyDocument/public_html
> >     ErrorLog /usr/local/apache2/logs/nicole_error.log
> >     CustomLog /usr/local/apache2/logs/nicole_access.log common
> >     <IfModule mod_ssl.c>
> >        SSLEngine on
> >        SSLCipherSuite ALL:!ADH:!EPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >        SSLCertificateFile /usr/share/ssl/server.crt
> >        SSLCertificateKeyFile /usr/share/ssl/server.key
> > ####   SSLVerifyClient require #### will prompt the client to select a certificate when browsing demo.saysit
> >     </IfModule>
> >     JkExtractSSL on
> >     JkHTTPSIndicator HTTPS
> >     JkSESSIONIndicator SSL_SESSION_ID
> >     JkCIPHERIndicator SSL_CIPHER
> >     JkCERTSIndicator SSL_CLIENT_CERT
> >     JkMount /saysit ajp13
> >     JkMount /saysit/* ajp13
> > </VirtualHost>
> > </IfDefine>
> >
> >
> > > Problem #3: You mentioned trying to get name-based vhosts to work with
> > > SSL.  You must realize that this doesn't work right in the general case.
> > > Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 .
> > Yes, I read that document and I do want to provide both http and https on a
> > single server with one single IP address (I am NAT-ting on router with one
> > external ip - does that matter?)
> >
> >
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > User Support Mailing List                      [EMAIL PROTECTED]
> > Automated List Manager                            [EMAIL PROTECTED]

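The diagnostic step the thread turns on (reading the `-debug` hex dump and recognising that "<!DOCTY" is an HTML page rather than a TLS record) can be automated. The Python below is an added example, not code from the thread or from OpenSSL: it rebuilds bytes from the dump format that `openssl s_client -debug` prints and classifies them as a TLS record, an SSLv2-compatible CLIENT-HELLO, or plaintext HTTP. The "write to" and "read from" samples are copied from the dump in the post; `TLS_READ` is a constructed record showing what a correctly configured server answers with instead. It also decodes the client's hello header, which is sent in the clear like every TLS handshake message, which is why a packet capture of the handshake contains readable bytes even when the session itself is encrypted.

```python
"""Classify the first bytes a server sends back on port 443, rebuilt from
the hex dump that `openssl s_client -debug` prints.

Added example; not code from the thread or from OpenSSL.  PLAINTEXT_READ
and CLIENT_WRITE are copied from the dump in the post; TLS_READ is a
constructed record showing what a TLS-speaking server sends instead.
"""
import re

# The post's "read from" block: the server answered with the start of an
# HTML document, i.e. plain HTTP on port 443.
PLAINTEXT_READ = "0000 - 3c 21 44 4f 43 54 59                              <!DOCTY\n"

# First two lines of the post's "write to" block: the client's
# SSLv2-compatible CLIENT-HELLO, sent in the clear (as every handshake is).
CLIENT_WRITE = (
    "0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....\n"
    "0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .........f......\n"
)

# Constructed: a TLS 1.0 record (type 0x16 = handshake) carrying a
# ServerHello (handshake type 0x02), which is what a correctly configured
# server answers with.
TLS_READ = "0000 - 16 03 01 00 4a 02 00 00-46 03 01 5f 00 11 22 33   ....J...F......3\n"

# One dump line: 4-digit offset, " - ", hex pairs separated by a space (a
# dash between the 8th and 9th byte), then spaces and the ASCII column.
DUMP_LINE = re.compile(r"^\s*[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw bytes from the hex column of a -debug dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)


def classify(data: bytes) -> dict:
    """Name the protocol the first bytes belong to, with the decoded header."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record: type, version major/minor, length, then handshake type.
        return {"protocol": "tls", "version": "3.%d" % data[2],
                "handshake_type": data[5]}
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 record: 2-byte header with the high bit set, then
        # CLIENT-HELLO (0x01), version, cipher-spec/session-id/challenge lengths.
        record_len = ((data[0] & 0x7F) << 8) | data[1]
        cipher_spec_len = int.from_bytes(data[5:7], "big")
        challenge_len = int.from_bytes(data[9:11], "big")
        return {"protocol": "sslv2-client-hello",
                "version": "%d.%d" % (data[3], data[4]),
                "record_length": record_len,
                "cipher_specs": cipher_spec_len // 3,   # 3 bytes per SSLv2 cipher spec
                "challenge_len": challenge_len}
    head = data[:16]
    if head.startswith((b"HTTP/", b"<!DOCTY", b"<html", b"<HTML", b"<?xml")):
        # Readable ASCII where a record header should be: the peer is
        # speaking HTTP, not TLS.
        return {"protocol": "plaintext-http", "first_bytes": head}
    return {"protocol": "unknown", "first_bytes": head}


if __name__ == "__main__":
    for name, dump in (("client write", CLIENT_WRITE),
                       ("server read", PLAINTEXT_READ),
                       ("constructed TLS read", TLS_READ)):
        print("%-22s %s" % (name, classify(dump_to_bytes(dump))))
```

Run against the post's own dump, the client write decodes as an SSLv2-compatible CLIENT-HELLO offering version 3.1 (TLS 1.0) with 27 cipher specs in a 122-byte record (matching the "124 bytes" the tool reports once the 2-byte header is added), and the server read classifies as plaintext HTTP, which is exactly the "unknown protocol" condition behind SSL23_GET_SERVER_HELLO.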

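The other half of the diagnosis is the configuration: the only vhost with `SSLEngine on` in the posted httpd.conf is bound to `192.168.1.3:443` and sits inside `<IfDefine SSL>`. Apache picks a vhost by the local address and port a connection arrived on and falls back to the main server (which has no SSLEngine here) when nothing matches, and a block inside `<IfDefine SSL>` only exists when httpd is started with `-DSSL`. Both conditions produce plain HTTP on port 443, and the first one is consistent with the thread's observation that connecting to the IP succeeds while `localhost` does not. The Python below is an added example, not from the thread or the Apache project; `CONF` is the post's excerpt cut down to the relevant directives, `<IfModule mod_ssl.c>` is assumed satisfied, and the matching rules are those just stated.

```python
"""Work out which vhost in an httpd.conf answers a connection to a given
local address and port, and whether that vhost has SSLEngine on.

Added example; not from the thread or the Apache project.  CONF is the
post's httpd.conf excerpt cut down to the directives that matter here.
Matching rules used: an IP-based vhost must match the connection's local
address and port; `*` and `_default_` are address wildcards; a block
inside <IfDefine X> exists only when httpd is started with -DX; with no
match the main server answers.  <IfModule mod_ssl.c> is assumed satisfied.
"""
import re
from dataclasses import dataclass


CONF = """\
Listen 80
Listen 443
NameVirtualHost 192.168.1.3
<VirtualHost 192.168.1.3:80>
    ServerName www.saysit.com.hk
</VirtualHost>
<IfDefine SSL>
<VirtualHost 192.168.1.3:443>
    ServerName demo.saysit.com.hk
    <IfModule mod_ssl.c>
       SSLEngine on
    </IfModule>
</VirtualHost>
</IfDefine>
"""


@dataclass
class VHost:
    addr: str
    port: str
    defines: tuple          # -D names that must be set for this block to exist
    server_name: str = ""
    ssl_engine: bool = False


def parse(conf: str):
    """Collect Listen ports, VirtualHost blocks (with their IfDefine nesting)
    and whether the main server itself has SSLEngine on."""
    listens, vhosts, defines, cur, main_ssl = [], [], [], None, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"Listen\s+(?:\S+:)?(\d+)$", line, re.I):
            listens.append(m.group(1))
        elif m := re.match(r"<IfDefine\s+(\S+)>", line, re.I):
            defines.append(m.group(1))
        elif re.match(r"</IfDefine>", line, re.I):
            defines.pop()
        elif m := re.match(r"<VirtualHost\s+([^:>\s]+)(?::(\S+?))?>", line, re.I):
            cur = VHost(m.group(1), m.group(2) or "*", tuple(defines))
        elif re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(cur)
            cur = None
        elif re.match(r"SSLEngine\s+on$", line, re.I):
            if cur is None:
                main_ssl = True
            else:
                cur.ssl_engine = True
        elif cur is not None and (m := re.match(r"ServerName\s+(\S+)", line, re.I)):
            cur.server_name = m.group(1)
    return listens, vhosts, main_ssl


def vhost_for(vhosts, local_ip: str, port: str, active_defines=()):
    """The vhost Apache selects for a connection that arrived on local_ip:port,
    or None when no block matches and the main server answers."""
    live = [v for v in vhosts if all(d in active_defines for d in v.defines)]
    for wildcards in ((), ("*", "_default_")):   # exact address first, then wildcards
        for v in live:
            if v.port in ("*", port) and (v.addr == local_ip or v.addr in wildcards):
                return v
    return None


def diagnose(conf: str, local_ip: str, port: str, active_defines=()):
    """Return (protocol, reason) for what answers a connection to local_ip:port."""
    listens, vhosts, main_ssl = parse(conf)
    if port not in listens:
        return ("closed", "no Listen directive for port %s" % port)
    v = vhost_for(vhosts, local_ip, port, active_defines)
    if v is None:
        proto = "tls" if main_ssl else "plaintext-http"
        return (proto, "no VirtualHost matches %s:%s; the main server answers"
                % (local_ip, port))
    if not v.ssl_engine:
        return ("plaintext-http", "VirtualHost %s:%s (%s) has no SSLEngine on"
                % (v.addr, v.port, v.server_name))
    return ("tls", "VirtualHost %s:%s (%s) has SSLEngine on"
            % (v.addr, v.port, v.server_name))


if __name__ == "__main__":
    for ip, defs in (("192.168.1.3", ("SSL",)), ("127.0.0.1", ("SSL",)),
                     ("192.168.1.3", ())):
        proto, why = diagnose(CONF, ip, "443", defs)
        print("%-12s -D%-6s -> %-14s %s" % (ip, ",".join(defs) or "(none)", proto, why))
```

The three cases printed are the ones the thread exercises: the IP with `-DSSL` reaches the SSL vhost, `127.0.0.1` with `-DSSL` falls through to the main server and gets plain HTTP, and the IP without `-DSSL` does the same because the 443 vhost is never defined. A `_default_:443` or `*:443` vhost, which the quoted reply suggests trying, makes the first two cases agree.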