Andrew Musselman
[EMAIL PROTECTED]
>>> [EMAIL PROTECTED] 8/16/2005 11:06 AM >>>
On Tue, Aug 16, 2005 at 09:57:38AM -0700, Andrew Musselman wrote:
> I am trying to set up apache2 to provide SSL support for a
VirtualHost
> running on port 81.
>
"Have you added a virtualhost for port 81 and the corresponding Listen
statement?"
Yes. Here is the section of httpd.conf that introduces the
virtualhost:
Listen 81
<VirtualHost *:81>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /usr/local/www/printers
ServerName pc74965.cts.cwu.edu
DirectoryIndex index.html index.php
ErrorLog /var/log/printers-error_log
CustomLog /var/log/printers-error_log combined
</VirtualHost>
Do I need to add any ssl-specific directives in there?
> Openssl seems to be running fine, as these commands from the FAQ at
> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html return no errors:
>
> $ openssl s_client -connect localhost:443 -state -debug
> GET / HTTP/1.0
>
"What if you use localhost:81 instead?"
openssl s_client -connect localhost:81 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 08097700 [080AF000] (142 bytes => 142 (0x8E))
0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00 ......c...
..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0
8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00
..3..2../.....f.
0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00
.............c..
0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40
b..a...........@
0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00
..e..d..`.......
0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 65 43
..............eC
0070 - 72 73 95 0d 7b b2 15 ca-94 15 4a 87 2f 27 30 03
rs..{.....J./'0.
0080 - 9b 3a 3c 1c 9a be 06 01-b3 68 ef 27 53 8b
.:<......h.'S.
SSL_connect:SSLv2/v3 write client hello A
read from 08097700 [080B5000] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59 <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
3835:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:
"We need more info like the SSL specific part of the conf and perhaps
output of openssl s_client."
Here is my ssl.conf with extra comments taken out:
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how
to
# serve pages over an https connection. For detailing information about
these
# directives see
<URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are
unsure
# consult the online docs. You have been warned.
#
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
# Note: This must come before the <IfDefine SSL> container to support
# starting without SSL on platforms with no /dev/random
equivalent
# but a statically compiled-in mod_ssl.
#
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need
two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/run/ssl_mutex
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/usr/local/www/data"
ServerName pc74965.cts.cwu.edu:443
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd-error.log
TransferLog /var/log/httpd-access.log
# SSL Engine Switch:
SSLEngine on
# SSL Cipher Suite:
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate:
SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt
# Server Private Key:
SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
# Set various options for the SSL engine.
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
CustomLog /var/log/httpd-ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
