Andrew Musselman [EMAIL PROTECTED]
>>> [EMAIL PROTECTED] 8/16/2005 11:06 AM >>>
On Tue, Aug 16, 2005 at 09:57:38AM -0700, Andrew Musselman wrote:
> I am trying to set up apache2 to provide SSL support for a VirtualHost
> running on port 81.

"Have you added a virtualhost for port 81 and the corresponding Listen statement?"

Yes. Here is the section of httpd.conf that introduces the virtualhost:

Listen 81
<VirtualHost *:81>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /usr/local/www/printers
    ServerName pc74965.cts.cwu.edu
    DirectoryIndex index.html index.php
    ErrorLog /var/log/printers-error_log
    CustomLog /var/log/printers-error_log combined
</VirtualHost>

Do I need to add any ssl-specific directives in there?

> Openssl seems to be running fine, as these commands from the FAQ at
> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html return no errors:
>
> $ openssl s_client -connect localhost:443 -state -debug
> GET / HTTP/1.0
>

"What if you use localhost:81 instead?"

openssl s_client -connect localhost:81 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 08097700 [080AF000] (142 bytes => 142 (0x8E))
0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00   ......c... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00   ..3..2../.....f.
0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00   .............c..
0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40   b..a...........@
0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00   ..e..d..`.......
0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 65 43   ..............eC
0070 - 72 73 95 0d 7b b2 15 ca-94 15 4a 87 2f 27 30 03   rs..{.....J./'0.
0080 - 9b 3a 3c 1c 9a be 06 01-b3 68 ef 27 53 8b         .:<......h.'S.
SSL_connect:SSLv2/v3 write client hello A
read from 08097700 [080B5000] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
3835:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:

"We need more info like the SSL specific part of the conf and perhaps output of openssl s_client."

Here is my ssl.conf with extra comments taken out:

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
# Note: This must come before the <IfDefine SSL> container to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<IfDefine SSL>

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

# Pass Phrase Dialog:
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
SSLSessionCache        dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/run/ssl_mutex

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "/usr/local/www/data"
ServerName pc74965.cts.cwu.edu:443
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd-error.log
TransferLog /var/log/httpd-access.log

# SSL Engine Switch:
SSLEngine on

# SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Server Certificate:
SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt

# Server Private Key:
SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key

# Set various options for the SSL engine.
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

# SSL Protocol Adjustments:
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

# Per-Server Logging:
CustomLog /var/log/httpd-ssl_request.log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

</IfDefine>

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                              [EMAIL PROTECTED]
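Added example, not part of the thread and not code from Apache or mod_ssl. The two things a reader can check from the message above are (1) which <VirtualHost> blocks actually switch on mod_ssl: the port-81 vhost in the posted httpd.conf has no SSLEngine on, so Apache answers plain HTTP there, while only _default_:443 in ssl.conf enables it; and (2) what the 7 bytes s_client read back from port 81 mean: 3c 21 44 4f 43 54 59 is "<!DOCTY", the start of an HTML page, which is why the SSLv2/v3-compatible ClientHello (the 80 8c 01 03 01 ... dump) ends in "unknown protocol". The script below does both offline. SAMPLE_CONFIG is a constructed cut-down of the directives posted above, the parser is deliberately minimal (it understands only the container and directive syntax seen in that config, not Include, continuation lines or macros), and the function names are this example's own.

```python
"""Added example: audit which Apache VirtualHosts actually enable mod_ssl and
classify a server's first reply bytes the way openssl s_client sees them.
Not code from the thread or the Apache project; the parser only handles the
container/directive syntax used in the config posted above."""
import re

# Constructed sample: the SSL-relevant directives from the posted httpd.conf
# and ssl.conf, with comments and unrelated directives dropped.
SAMPLE_CONFIG = r"""
Listen 81
<VirtualHost *:81>
    ServerName pc74965.cts.cwu.edu
</VirtualHost>
<IfDefine SSL>
Listen 443
<VirtualHost _default_:443>
    ServerName pc74965.cts.cwu.edu:443
    SSLEngine on
    SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
</VirtualHost>
</IfDefine>
"""

OPEN_TAG = re.compile(r"^<(\w+)\s*(.*?)>$")


def parse_vhosts(config_text):
    """Return ([vhost dicts], [Listen values]). Nested containers such as
    <Files> are kept on a stack so their close tags do not end the vhost."""
    vhosts, listens, stack = [], [], []
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack and stack.pop() == "virtualhost":
                current = None
            continue
        m = OPEN_TAG.match(line)
        if m:
            name, args = m.group(1).lower(), m.group(2)
            stack.append(name)
            if name == "virtualhost":
                current = {"address": args, "ssl_engine": None,
                           "cert": None, "key": None}
                vhosts.append(current)
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        value = parts[1].strip('"') if len(parts) > 1 else ""
        if directive == "listen":
            listens.append(value)
        elif current is not None:
            if directive == "sslengine":
                current["ssl_engine"] = value.lower()
            elif directive == "sslcertificatefile":
                current["cert"] = value
            elif directive == "sslcertificatekeyfile":
                current["key"] = value
    return vhosts, listens


def audit(config_text):
    """Map each vhost address to tls / plaintext / no-listen / missing-cert-or-key."""
    vhosts, listens = parse_vhosts(config_text)
    listen_ports = {l.rsplit(":", 1)[-1] for l in listens}
    report = {}
    for vh in vhosts:
        port = vh["address"].rsplit(":", 1)[-1]
        if port not in listen_ports:
            status = "no-listen"
        elif vh["ssl_engine"] != "on":
            status = "plaintext"  # Apache answers plain HTTP on this vhost
        elif not (vh["cert"] and vh["key"]):
            status = "missing-cert-or-key"
        else:
            status = "tls"
        report[vh["address"]] = status
    return report


def classify_first_bytes(data):
    """Classify a server's first reply bytes: a TLS/SSLv3 record starts with
    0x16 (handshake) or 0x15 (alert) then major version 0x03; an SSLv2-style
    record has the high bit of byte 0 set; ASCII HTTP/HTML is a plaintext
    listener, the case that makes s_client report "unknown protocol"."""
    if len(data) < 3:
        return "unknown"
    if data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    if data[0] & 0x80:
        return "sslv2-record"
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        return "plaintext-http"
    return "unknown"
```

Running audit(SAMPLE_CONFIG) reports *:81 as plaintext and _default_:443 as tls, and classify_first_bytes(bytes.fromhex("3c21444f435459")) returns plaintext-http for the bytes in the s_client trace. Against a real server the same classifier can be fed the first bytes read from a raw socket after sending a ClientHello; the point of keeping the config audit and the wire check side by side is that a "plaintext" vhost in the first is exactly what produces the "<!DOCTY" reply in the second.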