Here's a snapshot of the SSL configuration directives in my httpd.conf - Pl.
note that the http and the https port numbers have been changed. Also, as
mentioned in my earlier mail, I've moved some of the config directives that
were under "<IfDefine SSL> ..." to within "<IfModule mod_ssl.c> ...".
Thanks
-Madhu
***********STARTS HERE **************
<IfModule mod_ssl.c>
Listen 8080
Listen 8443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shm:/opt/apache2s/logs/ssl_scache(512000)
SSLSessionCache dbm:/opt/apache2s/logs/ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual explusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/opt/apache2s/logs/ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog /opt/apache2s/logs/ssl_engine_log
SSLLogLevel info
##
## SSL Virtual Host Context
##
<VirtualHost _default_:8443>
# General setup for the virtual host
DocumentRoot "/opt/apache2s/htdocs"
ServerName jolteon.cup.hp.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog /opt/apache2s/logs/error_log
TransferLog /opt/apache2s/logs/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /opt/apache2s/conf/ssl.crt/server.crt
#SSLCertificateFile /opt/apache2s/conf/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /opt/apache2s/conf/ssl.key/server.key
#SSLCertificateKeyFile /opt/apache2s/conf/ssl.key/server-dsa.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /opt/apache2s/conf/ssl.crt/ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /opt/apache2s/conf/ssl.crt
#SSLCACertificateFile /opt/apache2s/conf/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /opt/apache2s/conf/ssl.crl
#SSLCARevocationFile /opt/apache2s/conf/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means
that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the
user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment
variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o CompatEnvVars:
# This exports obsolete environment variables for backward compatibility
# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use
this
# to provide compatibility to existing CGI scripts.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/opt/apache2s/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait
for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach
where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers.
Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
#CustomLog /opt/apache2s/logs/ssl_request_log \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfModule>
*************ENDS HERE ************
-----Original Message-----
From: Gonyou, Austin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 12, 2001 7:56 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Filters : mod_ssl - WORKS
I think posting the portion of the working config for mod_ssl/TLS the the
list is best, so more people can test it.
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED]
> -----Original Message-----
> From: Daniel Stone [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 12, 2001 3:03 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Filters : mod_ssl - WORKS
>
>
> On Wed, Jul 11, 2001 at 07:31:26PM -0400, Cliff Woolley wrote:
> > On Wed, 11 Jul 2001, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote:
> >
> > > Thanks very much for you valuable tips. I was able to
> establish a
> > > https connection successfully thru' the mod_ssl :-!..
> (mod_ssl works !!!)..
> > > I'll be doing some basic testing and should be able to
> send out a patch
> > > sometime tommorow.
> >
> > SWEET!! I look forward to the updated patch. =-)
>
> Can someone please send me an example working config file with SSL/TLS
> stuff?
>
> --
> Daniel Stone
> <[EMAIL PROTECTED]>
> <Nuke> "can NE1 help me aim nuclear weaponz????? /MSG ME!!"
>
RE: Filters : mod_ssl - WORKS
MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) Thu, 12 Jul 2001 09:04:12 -0700
- RE: Filters : mod_ssl - WORKS MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
- RE: Filters : mod_ssl - WORK... Cliff Woolley
- Re: Filters : mod_ssl - ... Daniel Stone
- RE: Filters : mod_ssl - WORK... Gonyou, Austin
- RE: Filters : mod_ssl - WORK... MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
- Re: Filters : mod_ssl - WORK... MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
- Re: Filters : mod_ssl - ... Justin Erenkrantz
- Re: Filters : mod_ss... rbb
- Re: Filters : mod_ss... Gomez Henri
- RE: Filters : mod_ssl - WORK... Gonyou, Austin
- RE: Filters : mod_ssl - WORK... MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
- RE: Filters : mod_ssl - WORK... GOMEZ Henri
- RE: Filters : mod_ssl - WORK... Gonyou, Austin
- RE: Filters : mod_ssl - ... rbb
- RE: Filters : mod_ssl - ... Dale Ghent
