> Problem #1: your OpenSSL doesn't have the error messages loaded so you're
> getting a rather non-descriptive error message. No big deal, it just
> means you have to look harder to find out what the error means.

How do I load them in order to get a more meaningful description???
I've recompiled Apache 2.0.40 several times from scratch with the following additional options:

./configure --with-mpm=worker --enable-so --enable-rewrite --enable-ssl --with-ssl=/path/to/openssl --enable-proxy --auth_digest

> Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you
> looked at the debug dump you'd see something very similar to:
> 0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
> which was mentioned in one of those links the other guy sent you. It's
> telling you that that's what it received from the server. You'll notice
> that "<!DOCTY" is the first few bytes of a standard html page unencrypted.

Indeed, this is the whole output:

CONNECTED(00000003)
write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .........f......
0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...........e..d.
0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.....
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 00 00 03 04 00-80 02 00 80 5c ec 7c 7c   ............\.||
0060 - 60 b1 2a 84 93 cf ba f5-87 dc 22 63 27 83 c7 16   `.*......."c'...
0070 - f0 68 eb 8b 33 43 57 05-e8 5e a1 ef               .h..3CW..^..
read from 0809D018 [080A25C0] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:

> So this tells you that your web server is in fact speaking plain HTTP on
> port 443 rather than HTTPS. You probably do not have "SSLEngine on" for
> that virtual host.

This defies purpose. Following is an excerpt from httpd.conf with only those bits that I believe are relevant.

What have I done that's wrong: (httpd.conf)

ServerName www.saysit.com.hk:80
#
<IfModule mod_ssl.c>
# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:logs/mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

### Section 3: Virtual Hosts
Listen 80
Listen 443
NameVirtualHost 192.168.1.3

<VirtualHost 192.168.1.3:80>
    ServerName www.saysit.com.hk
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /var/www/html
    ErrorLog /usr/local/apache2/logs/saysit_error.log
    CustomLog /usr/local/apache2/logs/saysit_access.log common
    SetEnvIf User-Agent ".MSIE.*"\
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    JkMount /saysit ajp13
    JkMount /saysit/* ajp13
</VirtualHost>
#
<IfDefine SSL>
<VirtualHost 192.168.1.3:443>
    ServerName demo.saysit.com.hk
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /home/nicole/MyDocument/public_html
    ErrorLog /usr/local/apache2/logs/nicole_error.log
    CustomLog /usr/local/apache2/logs/nicole_access.log common
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /usr/share/ssl/server.crt
        SSLCertificateKeyFile /usr/share/ssl/server.key
        #### SSLVerifyClient require
        #### will prompt the client to select a certificate when browsing demo.saysit
    </IfModule>
    JkExtractSSL on
    JkHTTPSIndicator HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator SSL_CIPHER
    JkCERTSIndicator SSL_CLIENT_CERT
    JkMount /saysit ajp13
    JkMount /saysit/* ajp13
</VirtualHost>
</IfDefine>

> Problem #3: You mentioned trying to get name-based vhosts to work with
> SSL. You must realize that this doesn't work right in the general case.
> Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 .

Yes, I read that document and I do want to provide both http and https on a single server with one single IP address (I am NAT-ting on router with one external ip - does that matter?)

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
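
The check described under Problem #2, as an added example that is not part of the original message: it pulls the first "read from" block out of an `openssl s_client -debug` dump and classifies what the server sent. The function names and the sample dump are constructed for illustration; the sample reuses the 7 bytes shown in the output above.

```python
import re

# Constructed sample: the server's first bytes as shown in the dump above.
SAMPLE_DUMP = """\
write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
read from 0809D018 [080A25C0] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
"""

# Offset, " - ", then hex pairs separated by a space or the mid-line hyphen.
HEX_LINE = re.compile(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])+)", re.I)

def first_read_bytes(dump: str) -> bytes:
    """Return the bytes of the first 'read from' block in the dump."""
    out, in_read = bytearray(), False
    for line in dump.splitlines():
        if line.startswith("read from"):
            if in_read:
                break              # a second read block starts: stop
            in_read = True
            continue
        if not in_read:
            continue               # still inside a 'write to' block
        m = HEX_LINE.match(line.strip())
        if not m:
            break                  # status or error line ends the block
        out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)

def classify(first: bytes) -> str:
    """Classify the first bytes a server sent on the HTTPS port."""
    if len(first) >= 3 and first[0] in (0x15, 0x16) and first[1] == 0x03:
        return "tls"               # SSLv3/TLS alert or handshake record
    if len(first) >= 3 and first[0] & 0x80 and first[2] == 0x04:
        return "sslv2"             # SSLv2 record carrying SERVER-HELLO
    text = first.lstrip().upper()
    if text.startswith((b"HTTP/", b"<!DOC", b"<HTML")):
        return "plaintext-http"    # the vhost answering is not SSL-enabled
    return "unknown"

if __name__ == "__main__":
    data = first_read_bytes(SAMPLE_DUMP)
    print(data, "->", classify(data))
```

A result of `plaintext-http` on port 443 means the request was answered by a virtual host without SSL enabled, which is the condition the quoted reply describes.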