Hello,

did you test the openssl command using your IP instead of localhost?

  openssl s_client -connect your-ip-here:443 -state -debug

Or why don't you change the VirtualHost to _default_ temporarily and
see how it goes.

-Kiyoshi
Kiyoshi Watanabe



> > Problem #1: your OpenSSL doesn't have the error messages loaded so you're
> > getting a rather non-descriptive error message.  No big deal, it just
> > means you have to look harder to find out what the error means.
> How do I load them in order to get a more meaningful description?
> I've recompiled Apache 2.0.40 several times from scratch with following
> additional options:
> ./configure --with-mpm=worker --enable-so --enable-rewrite --enable-ssl --with-ssl=/path/to/openssl --enable-proxy --auth_digest
> 
> 
> > Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you
> > looked at the debug dump you'd see something very similar to:
> > 0000 - 3c 21 44 4f 43 54 59 <!DOCTY
> > which was mentioned in one of those links the other guy sent you.  It's
> > telling you that that's what it received from the server.  You'll notice
> > that "<!DOCTY" is the first few bytes of a standard html page unencrypted.
> Indeed, this is the whole output :
> CONNECTED(00000003)
> write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))
> 0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
> 0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .........f......
> 0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...........e..d.
> 0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.....
> 0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
> 0050 - 00 00 06 00 00 03 04 00-80 02 00 80 5c ec 7c 7c   ............\.||
> 0060 - 60 b1 2a 84 93 cf ba f5-87 dc 22 63 27 83 c7 16   `.*......."c'...
> 0070 - f0 68 eb 8b 33 43 57 05-e8 5e a1 ef               .h..3CW..^..
> read from 0809D018 [080A25C0] (7 bytes => 7 (0x7))
> 0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
> SSL_connect:error in SSLv2/v3 read server hello A
> 1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:
> 
> > So this tells you that your web server is in fact speaking plain HTTP on
> > port 443 rather than HTTPS.  You probably do not have "SSLEngine on" for
> > that virtual host.
> This defies purpose. Following is an excerpt from httpd.conf with only those
> bits that I believe are relevant. What have I done that's wrong:
> (httpd.conf)
> 
> ServerName www.saysit.com.hk:80
> #
> <IfModule mod_ssl.c>
> # Some MIME-types for downloading Certificates and CRLs
>    AddType application/x-x509-ca-cert .crt
>    AddType application/x-pkcs7-crl    .crl
>    SSLSessionCache  dbm:logs/ssl_scache
>    SSLSessionCacheTimeout 300
>    SSLMutex  file:logs/mutex
>    SSLRandomSeed startup builtin
>    SSLRandomSeed connect builtin
> </IfModule>
> ### Section 3: Virtual Hosts
> Listen 80
> Listen 443
> NameVirtualHost 192.168.1.3
> <VirtualHost 192.168.1.3:80>
>     ServerName www.saysit.com.hk
>     ServerAdmin [EMAIL PROTECTED]
>     DocumentRoot /var/www/html
>     ErrorLog /usr/local/apache2/logs/saysit_error.log
>     CustomLog /usr/local/apache2/logs/saysit_access.log common
>     SetEnvIf User-Agent ".MSIE.*"\
>        nokeepalive ssl-unclean-shutdown \
>        downgrade-1.0 force-response-1.0
>     JkMount /saysit ajp13
>     JkMount /saysit/* ajp13
> </VirtualHost>
> #
> <IfDefine SSL>
> <VirtualHost 192.168.1.3:443>
>     ServerName demo.saysit.com.hk
>     ServerAdmin [EMAIL PROTECTED]
>     DocumentRoot /home/nicole/MyDocument/public_html
>     ErrorLog /usr/local/apache2/logs/nicole_error.log
>     CustomLog /usr/local/apache2/logs/nicole_access.log common
>     <IfModule mod_ssl.c>
>        SSLEngine on
>        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>        SSLCertificateFile /usr/share/ssl/server.crt
>        SSLCertificateKeyFile /usr/share/ssl/server.key
> ####   SSLVerifyClient require #### will prompt the client to select a certificate when browsing demo.saysit
>     </IfModule>
>     JkExtractSSL on
>     JkHTTPSIndicator HTTPS
>     JkSESSIONIndicator SSL_SESSION_ID
>     JkCIPHERIndicator SSL_CIPHER
>     JkCERTSIndicator SSL_CLIENT_CERT
>     JkMount /saysit ajp13
>     JkMount /saysit/* ajp13
> </VirtualHost>
> </IfDefine>
> 
> 
> > Problem #3: You mentioned trying to get name-based vhosts to work with
> > SSL.  You must realize that this doesn't work right in the general case.
> > Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 .
> Yes, I read that document and I do want to provide both http and https on a
> single server with one single IP address (I am NAT-ting on a router with one
> external IP - does that matter?)
> 
> 
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
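The diagnostic step the thread turns on, reading the `openssl s_client -debug` dump to see what the server actually sent back, can be automated. The script below is an added example and not code from the thread or from mod_ssl: it parses the `write to`/`read from` hex dumps, decodes the SSLv2-compatible CLIENT-HELLO that `s_client` sends by default (the 124-byte write starting `80 7a 01 ...`), and classifies the first bytes the server returned. The sample transcript is the one posted above with the wrapped error line rejoined; the verdict strings, hint text and the `<IfDefine SSL>` remark are my own assumptions about likely causes, not something the thread establishes.

```python
"""Decode an `openssl s_client -debug` transcript and report what the far end really speaks.

Added example (not from the thread or mod_ssl); parser and classification rules are mine.
"""
import re

# Sample transcript: the dump posted in the thread, wrapped error line rejoined.
SAMPLE_DEBUG_OUTPUT = r"""CONNECTED(00000003)
write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .........f......
0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...........e..d.
0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.....
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 00 00 03 04 00-80 02 00 80 5c ec 7c 7c   ............\.||
0060 - 60 b1 2a 84 93 cf ba f5-87 dc 22 63 27 83 c7 16   `.*......."c'...
0070 - f0 68 eb 8b 33 43 57 05-e8 5e a1 ef               .h..3CW..^..
read from 0809D018 [080A25C0] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:
"""

# "write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))"
DIRECTION_RE = re.compile(r"^(write to|read from) \S+ \[\S+\] \((\d+) bytes => \d+ \(0x[0-9A-Fa-f]+\)\)")
# "0000 - 80 7a 01 ...   .z....Q..." : offset, hex bytes, 3+ spaces, ASCII column
HEX_LINE_RE = re.compile(r"^[0-9a-f]{4} - ")

PLAINTEXT_HTTP, TLS_HANDSHAKE, TLS_ALERT = "plaintext-http", "tls-handshake", "tls-alert"
SSLV2_SERVER_HELLO, NO_DATA, UNKNOWN = "sslv2-server-hello", "no-data", "unknown"


def parse_debug_output(text):
    """Return [(direction, bytes)] for every hex dump in a -debug transcript."""
    records, direction, buf = [], None, bytearray()
    for line in text.splitlines():
        m = DIRECTION_RE.match(line)
        if m:
            if direction is not None:
                records.append((direction, bytes(buf)))
            direction = "write" if m.group(1) == "write to" else "read"
            buf = bytearray()
        elif direction is not None and HEX_LINE_RE.match(line):
            # Hex bytes sit between the "0000 - " offset and the ASCII column;
            # "00-00" is just the 8-byte midpoint marker, so any 2-hex-digit token counts.
            hex_part = re.split(r"\s{3,}", line[7:], maxsplit=1)[0]
            buf.extend(int(h, 16) for h in re.findall(r"[0-9a-f]{2}", hex_part))
        elif direction is not None:
            records.append((direction, bytes(buf)))  # any other line ends the dump
            direction = None
    if direction is not None:
        records.append((direction, bytes(buf)))
    return records


def decode_sslv2_client_hello(data):
    """Decode an SSLv2-framed CLIENT-HELLO: 2-byte header (msb set, 15-bit length),
    msg type 0x01, version, cipher-spec/session-id/challenge lengths, then the bodies."""
    if len(data) < 11 or not data[0] & 0x80 or data[2] != 0x01:
        raise ValueError("not an SSLv2-framed CLIENT-HELLO")
    record_len = ((data[0] & 0x7F) << 8) | data[1]
    cipher_len = int.from_bytes(data[5:7], "big")
    session_len = int.from_bytes(data[7:9], "big")
    challenge_len = int.from_bytes(data[9:11], "big")
    if record_len != len(data) - 2 or 11 + cipher_len + session_len + challenge_len != len(data):
        raise ValueError("CLIENT-HELLO length fields do not match the dump")
    specs = data[11:11 + cipher_len]
    return {
        "record_len": record_len,
        "version": (data[3], data[4]),  # (3, 1) is TLS 1.0
        "cipher_specs": [specs[i:i + 3].hex() for i in range(0, cipher_len, 3)],
        "session_id_len": session_len,
        "challenge_len": challenge_len,
    }


def classify_server_reply(first_bytes):
    """Classify the first bytes the server sent back after our CLIENT-HELLO."""
    if not first_bytes:
        return NO_DATA
    b0 = first_bytes[0]
    if b0 == 0x16 and first_bytes[1:2] == b"\x03":  # TLS record layer, handshake
        return TLS_HANDSHAKE
    if b0 == 0x15 and first_bytes[1:2] == b"\x03":  # TLS record layer, alert
        return TLS_ALERT
    if b0 & 0x80 and len(first_bytes) > 2 and first_bytes[2] == 0x04:  # SSLv2 SERVER-HELLO
        return SSLV2_SERVER_HELLO
    head = first_bytes.lstrip()
    if head.startswith(b"HTTP/") or head.startswith(b"<"):  # HTTP status line or raw HTML
        return PLAINTEXT_HTTP
    return UNKNOWN


def diagnose(debug_output):
    """Return (verdict, hint) for a whole transcript; hints are my assumptions, not mod_ssl's."""
    reads = [data for direction, data in parse_debug_output(debug_output) if direction == "read"]
    verdict = classify_server_reply(reads[0] if reads else b"")
    hints = {
        PLAINTEXT_HTTP: "port answers in the clear: the vhost serving it lacks SSLEngine on, "
                        "or the SSL vhost never loaded (e.g. <IfDefine SSL> without -DSSL)",
        NO_DATA: "nothing came back: check the Listen directive and any firewall/NAT in the path",
        TLS_ALERT: "TLS is up but the server rejected our hello: check SSLCipherSuite/protocols",
    }
    return verdict, hints.get(verdict, "")


if __name__ == "__main__":
    records = parse_debug_output(SAMPLE_DEBUG_OUTPUT)
    hello = decode_sslv2_client_hello(records[0][1])
    print("client offered TLS %d.%d with %d cipher specs" % (hello["version"] + (len(hello["cipher_specs"]),)))
    verdict, hint = diagnose(SAMPLE_DEBUG_OUTPUT)
    print("server reply: %s%s" % (verdict, " (" + hint + ")" if hint else ""))
```

Run it on a saved transcript (`openssl s_client -connect host:443 -debug 2>&1 | tee t.txt`) and a `plaintext-http` verdict means the bytes on port 443 are HTML, exactly the `<!DOCTY` case above: only the Apache side can fix that, by making sure the vhost bound to :443 (Kiyoshi's `_default_:443` suggestion is the simplest) really has `SSLEngine on` and is not hidden behind a conditional the server was not started with.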