Re: Browser issues

2003-02-20 Thread jeff
> May not be the answer you're looking for, but have you read/tried the
> advice in this section of the manual?
> 
> http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie

Yes, we have had it configured this way for a couple of years or so. The problem now is
that people are starting to disable SSL2. If you're wondering how many of these
you're getting, look for this in your logs:

[Thu Feb 13 12:04:23 2003] [error] mod_ssl: SSL handshake failed (server
*.***.com:443, client 66.20.223.3) (OpenSSL library error follows)
[Thu Feb 13 12:04:23 2003] [error] OpenSSL: error:1408A10B:SSL
routines:SSL3_GET_CLIENT_HELLO:wrong version number

I am pretty sure this is Internet Explorer saying "I want to use SSL3 and only SSL3"
and my server has SSL3 disabled. I spoke with a customer who had the IE error page,
and sure enough he had SSL2 and TLS1 disabled and only SSL3 enabled, so what is
there to do about this, other than running two separate Apaches?

> > Good morning,
> >
> > Our company has been noticing quite a few ssl errors in our http logs,
> > we have had SSL3 disabled due to a bug in internet explorer 5.x I'm sure
> > you're all aware of, but lately it seems more and more browsers are
> > disabling SSL2, probably due to some vulnerabilities, and IE6 has TLS1
> > disabled by default, so the only thing these newer browsers are
> > accepting is SSL3. The only way I can think of to allow all browsers is
> > by running two different https servers, on different ports, same domain,
> > one with SSL3 enabled where the IE6 clients (with SSL2 disabled) will be
> > sent, the other with SSL3 disabled where IE5.x clients will be sent. My
> > first question is, will this work? I see some discussion about problems
> > with multiple https ports on the same server, they would all be on the
> > same certificate/domain. Second question: is there a better way of
> > overcoming this problem? Can I put something in the httpd.conf that says
> > "if IE6, allow SSL3, otherwise don't"? My google searches have yielded
> > nothing. I'd appreciate any input from anybody dealing with this issue.
> >
> > Regards,
> >
> > Jeffrey Moss
> > [EMAIL PROTECTED]
> >
> >
> >
> >
> >
> >
> > __
> > Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> > User Support Mailing List  [EMAIL PROTECTED]
> > Automated List Manager[EMAIL PROTECTED]
> 
> 
> ===
> Alan Sparks, UNIX/Linux Systems Administrator<[EMAIL PROTECTED]>
> 
> 
> 
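The two log lines quoted above are how a rejected handshake shows up in an Apache 1.3 / mod_ssl error_log: a `mod_ssl: SSL handshake failed` line naming the client, followed by an `OpenSSL: error:...` line giving the reason. The Python below is an added example, not part of the original thread, that pairs those two lines and counts failures by reason and by client, so an operator can see how many clients are being turned away by the server's protocol settings as opposed to, say, plain HTTP sent to the HTTPS port (the other failure reason that appears later on this page). The sample log is constructed: the masked server name is replaced by `www.example.com`, `192.0.2.10` is a documentation address, and only the timestamp, error codes and the client 66.20.223.3 come from the quoted lines.

```python
import re
from collections import Counter

# Constructed sample error_log. The first two lines reproduce the pair quoted in
# the thread (masked server name replaced by www.example.com); the rest are
# made-up lines in the same format, 192.0.2.10 being a documentation address.
SAMPLE_LOG = """\
[Thu Feb 13 12:04:23 2003] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 66.20.223.3) (OpenSSL library error follows)
[Thu Feb 13 12:04:23 2003] [error] OpenSSL: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
[Thu Feb 13 12:05:01 2003] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Thu Feb 13 12:05:01 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
[Thu Feb 13 12:06:14 2003] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 66.20.223.3) (OpenSSL library error follows)
[Thu Feb 13 12:06:14 2003] [error] OpenSSL: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
[Thu Feb 13 12:07:00 2003] [notice] Apache/1.3.27 (Unix) mod_ssl/2.8.11 OpenSSL/0.9.6g configured -- resuming normal operations
"""

HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (?P<server>[^,]+), client (?P<client>[0-9A-Fa-f.:]+)\)"
)
OPENSSL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]+):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^\[]+)"
)

# What the two reasons seen on this page usually mean for the server operator.
REASON_NOTES = {
    "wrong version number": "client offered a protocol version the server has disabled (see SSLProtocol)",
    "http request": "client sent plain HTTP to the HTTPS port (wrong URL scheme or port)",
}


def parse_handshake_failures(log_text):
    """Pair each 'SSL handshake failed' line with the OpenSSL error line that
    mod_ssl writes right after it. Returns one dict per failed handshake."""
    failures = []
    pending = None
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            pending = {"ts": m["ts"], "server": m["server"], "client": m["client"],
                       "code": None, "func": None, "reason": None}
            failures.append(pending)
            continue
        m = OPENSSL_RE.match(line)
        if m and pending is not None:
            pending["code"] = m["code"]
            pending["func"] = m["func"]
            pending["reason"] = m["reason"].strip()
            pending = None  # the next OpenSSL line belongs to a new failure
    return failures


def summarize(failures):
    """Count failures by reason and by (client, reason)."""
    by_reason = Counter(f["reason"] for f in failures)
    by_client = Counter((f["client"], f["reason"]) for f in failures)
    return by_reason, by_client


def report(log_text):
    """Human-readable summary, returned as lines so callers can check them."""
    by_reason, by_client = summarize(parse_handshake_failures(log_text))
    lines = []
    for reason, n in by_reason.most_common():
        lines.append(f"{n:4d}  {reason}: {REASON_NOTES.get(reason, 'see OpenSSL error string')}")
    for (client, reason), n in by_client.most_common():
        lines.append(f"{n:4d}  {client} ({reason})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a real error_log by reading the file into `report()`; the per-client counts are what tell you whether the "wrong version number" failures come from a handful of misconfigured browsers or from a broad population you would lock out by keeping a protocol version disabled.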




Re: Starting apache with ssl module

2003-02-20 Thread tgarner

Here's what we did:



# notes to install and configure apache with modules, mod_perl, so

    #   extract the packages

    $ gzip -d -c openssl-0.9.6g.tar.gz | tar xvf -

    ##
    ##  Then INSTALL openssl first !!!
    ##  (the usual steps, not spelled out in the original note:
    ##   cd openssl-0.9.6g && ./config && make && make install && cd ../)
    ##

    $ gzip -d -c apache_1.3.27.tar.gz | tar xvf -
    $ gzip -d -c mod_ssl-2.8.11-1.3.27.tar.gz | tar xvf -
    $ gzip -d -c mod_perl-1.26.tar.gz | tar xvf -

    #   apply mod_ssl to Apache source tree

    $ cd mod_ssl-2.8.11-1.3.27
    $ ./configure --with-apache=../apache_1.3.27
    $ cd ../

    #   apply mod_perl to Apache source tree
    #   and build/install the Perl-side of mod_perl

    $ cd mod_perl-1.26
    $ perl Makefile.PL EVERYTHING=1 APACHE_SRC=../apache_1.3.27/src USE_APACI=1 PREP_HTTPD=1 DO_HTTPD=1
    $ make
    $ make install
    $ cd ../

    #   build/install Apache with mod_ssl and mod_perl
    #   (SSL_BASE points at the unpacked OpenSSL tree next to the Apache tree)

    $ cd apache_1.3.27
    $ SSL_BASE=../openssl-0.9.6g ./configure --prefix=/usr/local/apache \
          --enable-module=ssl \
          --activate-module=src/modules/perl/libperl.a \
          --enable-module=perl \
          --enable-module=so
    $ make
    $ make certificate
    $ make install
    $ cd ../

    #   start the server with SSL enabled

    $ /usr/local/apache/bin/apachectl startssl


Troy Garner
Information Technology Manager
Gulf Winds International, Inc.
713.747.4909 x5753
www.gwii.com







Larry Cotton <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/20/2003 12:37 PM
Please respond to modssl-users

To: [EMAIL PROTECTED]
cc:
Subject: Starting apache with ssl module


Hi

I'm trying to run apache including the ssl module, but am having some problems starting
it up.

I'm using red hat linux ver 7.1. uname -r gives the following output :
Linux localhost.localdomain 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown.

I've been through the following steps :

1) Downloaded OpenSSL version 0.9.7a (the latest as far as I could make out), extracted it, built and installed
it without error. For this I simply used the defaults :
./configure
make
make test
[su root]
make install

2) Downloaded apache 2.0.44, extracted and configured it using the command :
CPPFLAGS="-I/usr/local/ssl/include/openssl -I/usr/local/ssl/include" \
./configure --prefix=/home/Larry/WebServer/Apache \
--enable-so \
--enable-cgi \
--enable-info \
--enable-usertrack \
--enable-ssl \
--enable-mime-magic

This was successful.

3) make - seemed to compile OK

4) su root
make install - seemed to install OK

5) cd /home/Larry/WebServer/Apache
su root
./apachectl start

Results in the following error appearing in the error log :
Could not set permissions on ssl_mutex: check User and Group directives Cnfiguration Failed

I've not changed the configuration file, so the settings are currently the default ones. The User and Group directives are currently set as:
User nobody
Group #-1

Note that I compiled as user Larry, installed as root and am trying to start apache as root.

Does anyone have any idea what might be going on here?

Cheers
Larry



Starting apache with ssl module

2003-02-20 Thread Larry Cotton

Hi

I'm trying to run apache including the ssl module, but am having some problems starting
it up.

I'm using red hat linux ver 7.1. uname -r gives the following output :
Linux localhost.localdomain 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown.

I've been through the following steps :

1) Downloaded OpenSSL version 0.9.7a (the latest as far as I could make out), extracted it,
built and installed it without error. For this I simply used the defaults :
./configure
make
make test
[su root]
make install

2) Downloaded apache 2.0.44, extracted and configured it using the command :
CPPFLAGS="-I/usr/local/ssl/include/openssl -I/usr/local/ssl/include" \
./configure --prefix=/home/Larry/WebServer/Apache \
--enable-so \
--enable-cgi \
--enable-info \
--enable-usertrack \
--enable-ssl \
--enable-mime-magic

This was successful.

3) make - seemed to compile OK

4) su root
make install - seemed to install OK

5) cd /home/Larry/WebServer/Apache
su root
./apachectl start

Results in the following error appearing in the error log :
Could not set permissions on ssl_mutex: check User and Group directives Cnfiguration Failed

I've not changed the configuration file, so the settings are currently the default ones.
The User and Group directives are currently set as:
User nobody
Group #-1

Note that I compiled as user Larry, installed as root and am trying to start apache as root.

Does anyone have any idea what might be going on here?

Cheers
Larry
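The error above says Apache could not set the ownership of its SSL mutex to the configured User/Group, and asks you to check those two directives; the thread records no resolution. The Python below is an added example, not code from the post or from Apache, that does exactly the check the message asks for: it reads the `User` and `Group` directives out of an httpd.conf fragment and verifies that each resolves against passwd/group records, treating a leading `#` as a numeric id the way Apache does, so a value like `#-1` (not a valid id) is reported rather than silently passed through. The config fragment and the passwd/group records are constructed for the example and are not from any real host.

```python
import re

# Constructed httpd.conf fragment using the defaults quoted in the post.
SAMPLE_CONF = """\
# Apache 2.0 defaults as shipped
User nobody
Group #-1
ServerName localhost
"""

# Constructed /etc/passwd and /etc/group style records (not a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
nobody:x:99:
"""

DIRECTIVE_RE = re.compile(r"^\s*(User|Group)\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def read_directives(conf_text):
    """Return {'user': value, 'group': value} from the last User/Group lines seen
    (a later directive overrides an earlier one, as in Apache itself)."""
    found = {}
    for m in DIRECTIVE_RE.finditer(conf_text):
        found[m.group(1).lower()] = m.group(2)
    return found


def _load_db(text):
    """Parse 'name:x:id:...' records into a (names, ids) pair of sets."""
    names, ids = set(), set()
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[0]:
            names.add(parts[0])
            ids.add(parts[2])
    return names, ids


def resolve(value, db_text):
    """Apache accepts either an account name or '#<numeric id>'.
    Return (ok, message) for the given directive value."""
    names, ids = _load_db(db_text)
    if value.startswith("#"):
        num = value[1:]
        if not num.isdigit():
            return False, f"{value!r} is not a valid numeric id (negative or non-numeric)"
        if num in ids:
            return True, f"numeric id {num} exists"
        return False, f"numeric id {num} not found"
    if value in names:
        return True, f"name {value!r} exists"
    return False, f"name {value!r} not found"


def check_conf(conf_text, passwd_text, group_text):
    """Return {'User': (ok, msg), 'Group': (ok, msg)} for the directives present."""
    d = read_directives(conf_text)
    results = {}
    if "user" in d:
        results["User"] = resolve(d["user"], passwd_text)
    if "group" in d:
        results["Group"] = resolve(d["group"], group_text)
    return results


if __name__ == "__main__":
    for directive, (ok, msg) in check_conf(SAMPLE_CONF, SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{'OK  ' if ok else 'FAIL'} {directive}: {msg}")
```

On a real system you would read httpd.conf, /etc/passwd and /etc/group into the three arguments; a `FAIL` line for either directive is the first thing to correct before looking anywhere else for the mutex error.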


Browser issues

2003-02-20 Thread jeff

Good morning,

Our company has been noticing quite a few ssl errors in our http logs, we have had
SSL3 disabled due to a bug in internet explorer 5.x I'm sure you're all aware of, but
lately it seems more and more browsers are disabling SSL2, probably due to some
vulnerabilities, and IE6 has TLS1 disabled by default, so the only thing these newer
browsers are accepting is SSL3. The only way I can think of to allow all browsers is
by running two different https servers, on different ports, same domain, one with
SSL3 enabled where the IE6 clients (with SSL2 disabled) will be sent, the other with
SSL3 disabled where IE5.x clients will be sent. My first question is, will this work?
I see some discussion about problems with multiple https ports on the same server,
they would all be on the same certificate/domain. Second question: is there a better
way of overcoming this problem? Can I put something in the httpd.conf that says "if
IE6, allow SSL3, otherwise don't"? My google searches have yielded nothing. I'd
appreciate any input from anybody dealing with this issue.

Regards,

Jeffrey Moss
[EMAIL PROTECTED]









RE: Multiple SSL VirtualHosts in apache

2003-02-20 Thread R. DuFresne

Yes, and thanks to Owen for rounding out our, mine and yours, knowledge
levels on this.  I seem to have forgotten the FQDN is what the browsing
public is used to for web traversals.  Few fall back to IPs even in times
when DNS is borked.  I get firewall-1 licensing issues and cert issues
confused at times.  Hopefully I did not mislead anyone.

Thanks,

Ron DuFresne

On Thu, 20 Feb 2003, Jack L. Stone wrote:

> Owen's reply is more in line with what I thought. In applying for my Cert,
> I provided docs to prove ownership of the www.domain, addresses and some
> other stuff. When clicking on the website, the Cert requested must match
> the domain requested -- nothing about IPs has ever been involved. 
> 
> This is why the post about IPs caught my attention and wondered if I was
> behind the times. I'm applying for a renewal now and again it's all about
> the www.domain and nothing is entered into the cert about the IP verification.
> 
> Then, there is the question of a wildcard cert which I understand can be
> used for several vhosts without setting off alarms on the browser.
> 
> If there is anyone who would be willing to share with me their httpd.conf
> setup when using vhosting, I would be forever grateful. Offlist would be
> fine if need for privacy.
> 
> Thanks.
> 
> >>
> >>It's IP and/or port based.  But, do remember, if port based then one is
> >>serving only one cert, and the trouble is making sure the cert is
> >>constructed in a fashion such that hostnames are not contained
> >>within the CN and such.  In this case, and others can correct me if I'm
> >>wrong here, you would need to generate the cert on the IP rather than
> >>FQDN.  And I'm not sure openssl allows such a cert, but others might well
> >>be better clued than I on this.
> >
> >A server cert bound to an IP address wouldn't make much sense (not sure if
> >you can even do it).
> >
> >The thing to remember is that SSL is about two things - encryption and
> >authentication. For encryption to work you just need to send the server's
> >public key to the client - the hostname is not important. However, for the
> >authentication aspect, it is essential that the common name in the
> >server cert matches the FQDN in the client request. Put it another way, you
> >surf to amazon.com and are about to type in your credit card number but
> >then you look inside the server cert and see that it is registered to
> >"shady-character.com". Do you still send your card number? This is why
> >browsers always complain when you use a test or self signed certificate if
> >the CN doesn't match the FQDN.
> >
> >So, while you can have an encrypted session with an untrusted server, in
> >the real world it doesn't make much sense to do so. Encryption is sending
> >your money to the bank in an armoured car, authentication is making sure
> >the armoured car actually goes to the bank.
> >
> >Rgds,
> >Owen Boyle
> >
> >>
> >>Thanks,
> >>
> >>Ron DuFresne
> >>
> >>On Wed, 19 Feb 2003, Jack L. Stone wrote:
> >>
> >>> Please excuse the top post:
> >>> 
> >>> Ian or anyone, are you sure that a wildcard setup won't work??? Just
> >>> getting ready to do a fresh install involving vhosts and this will become
> >>> an important issue.
> >>> 
> >>> Thanks!
> >>> 
> >>> At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
> >>> >I believe that I read somewhere that you must have a different
> >>> >ip address for each ssl virtualhost.
> >>> >
> >>> >Ian Moon
> >>> >
> >>> >On Wed, 19 Feb 2003, Boyle Owen wrote:
> >>> >
> >>> >> >-Original Message-
> >>> >> >From: Steve Pirk [mailto:[EMAIL PROTECTED]]
> >>> >> >Sent: Donnerstag, 6. Februar 2003 02:02
> >>> >> >To: [EMAIL PROTECTED]
> >>> >> >Subject: Multiple SSL VirtualHosts in apache
> >>> >> >
> >>> >> >
> >>> >> >I check the mail archives, but could not find a good
> >>> >> >answer for this "problem" I am having.
> >>> >> >
> >>> >> >I am building out a dev environment using apache
> >>> >> >on Solaris. The dev environment needs to run under
> >>> >> >SSL (to simulate the production environment). I am
> >>> >> >starting with 4 virtual servers. They all use the
> >>> >> >same cert file, but are on different ports.
> >>> >> >
> >>> >> >The problem I am running into is that only the "first"
> >>> >> >VirtualHost works. Requests to subsequent ports result
> >>> >> >in a mod_ssl:error:HTTP-request error. Here is the error_log
> >>> >> >entry:
> >>> >> >
> >>> >> >[Wed Feb  5 16:45:11 2003] [error] mod_ssl: SSL 
> >>handshake failed: HTTP
> >>> >> >spoken on HTTPS port; trying to send HTML error page 
> >>(OpenSSL library
> >>> >> >error follows)
> >>> >>
> >>> >> This looks like you typed http://server:7001/ into the 
> >>browser. You
> >>> >> still need to define https even if you have the port number, i.e.
> >>> >> https://server:7001/.
> >>> >>
> >>> >> Can you confirm that if you do this, you still get an error?
> >>> >>
> >>> >> Rgds,
> >>> >> Owen Boyle
> >>> >>
> >>> >>
> >>> >> >[Wed Feb  5 16:45:11 2003] [e

RE: Multiple SSL VirtualHosts in apache

2003-02-20 Thread Boyle Owen
>-Original Message-
>From: Jack L. Stone [mailto:[EMAIL PROTECTED]]
>
>Then, there is the question of a wildcard cert which I 
>understand can be
>used for several vhosts without setting off alarms on the browser.

Search the archives for posts about wildcards - this comes up from time
to time and a few weeks ago John Airey gave a good summary of the
situation (basically, they're getting harder and harder to get).

>If there is anyone who would be willing to share with me their 
> >httpd.conf setup when using vhosting, I would be forever grateful.

It's no mystery - you just need to ensure that the different VHs are
distinguished at the TCP/IP layer (i.e. only one VH per IP/port number
pair). You cannot use application layer attributes (such as the Host
header) to define VHs because the SSL channel must be established before
any application layer traffic occurs.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

>Offlist would be
>fine if need for privacy.
>
>Thanks.
>
>>>
>>>It's IP and/or port based.  But, do remember, if port based then one is
>>>serving only one cert, and the trouble is making sure the cert is
>>>constructed in a fashion such that hostnames are not contained
>>>within the CN and such.  In this case, and others can correct me if I'm
>>>wrong here, you would need to generate the cert on the IP rather than
>>>FQDN.  And I'm not sure openssl allows such a cert, but others might well
>>>be better clued than I on this.
>>
>>A server cert bound to an IP address wouldn't make much sense (not sure if
>>you can even do it).
>>
>>The thing to remember is that SSL is about two things - encryption and
>>authentication. For encryption to work you just need to send the server's
>>public key to the client - the hostname is not important. However, for the
>>authentication aspect, it is essential that the common name in the
>>server cert matches the FQDN in the client request. Put it another way, you
>>surf to amazon.com and are about to type in your credit card number but
>>then you look inside the server cert and see that it is registered to
>>"shady-character.com". Do you still send your card number? This is why
>>browsers always complain when you use a test or self signed certificate if
>>the CN doesn't match the FQDN.
>>
>>So, while you can have an encrypted session with an untrusted server, in
>>the real world it doesn't make much sense to do so. Encryption is sending
>>your money to the bank in an armoured car, authentication is making sure
>>the armoured car actually goes to the bank.
>>
>>Rgds,
>>Owen Boyle
>>
>>>
>>>Thanks,
>>>
>>>Ron DuFresne
>>>
>>>On Wed, 19 Feb 2003, Jack L. Stone wrote:
>>>
 Please excuse the top post:
 
 Ian or anyone, are you sure that a wildcard setup won't work??? Just
 getting ready to do a fresh install involving vhosts and this will become
 an important issue.
 
 Thanks!
 
 At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
 >I believe that I read somewhere that you must have a different
 >ip address for each ssl virtualhost.
 >
 >Ian Moon
 >
 >On Wed, 19 Feb 2003, Boyle Owen wrote:
 >
 >> >-Original Message-
 >> >From: Steve Pirk [mailto:[EMAIL PROTECTED]]
 >> >Sent: Donnerstag, 6. Februar 2003 02:02
 >> >To: [EMAIL PROTECTED]
 >> >Subject: Multiple SSL VirtualHosts in apache
 >> >
 >> >
 >> >I check the mail archives, but could not find a good
 >> >answer for this "problem" I am having.
 >> >
 >> >I am building out a dev environment using apache
 >> >on Solaris. The dev environment needs to run under
 >> >SSL (to simulate the production environment). I am
 >> >starting with 4 virtual servers. They all use the
 >> >same cert file, but are on different ports.
 >> >
 >> >The problem I am running into is that only the "first"
 >> >VirtualHost works. Requests to subsequent ports result
 >> >in a mod_ssl:error:HTTP-request error. Here is the error_log
 >> >entry:
 >> >
 >> >[Wed Feb  5 16:45:11 2003] [error] mod_ssl: SSL 
>>>handshake failed: HTTP
 >> >spoken on HTTPS port; trying to send HTML error page 
>>>(OpenSSL library
 >> >error follows)
 >>
 >> This looks like you typed http://server:7001/ into the 
>>>browser. You
 >> still need to define https even if you have the port 
>number, i.e.
 >> https://server:7001/.
 >>
 >> Can you confirm that if you do this, you still get an error?
 >>
 >> Rgds,
 >> Owen Boyle
 >>
 >>
 >> >[Wed Feb  5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
 >> >routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
 >> >HTTP to HTTPS
 >> >port!?]
 >> >
 >> >This is being used in conjunction with an auth package,
 >> >but the redirect after logging in is https://
 >> >
> >> >Does anyone know of a good way to have 
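Owen's point above is the rule that matters for SSL virtual hosts: each one must own its own IP/port pair, because mod_ssl has to pick the vhost, and with it the certificate, from the TCP endpoint before any Host header exists. The Python below is an added example, not code from the thread or from Apache, that parses `<VirtualHost>` blocks out of an httpd.conf fragment and flags SSL vhosts that share an address:port; going one step beyond the thread, it also flags an SSL vhost whose port has no matching `Listen` directive, since such a port never accepts a connection at all. The config fragment is constructed: the address 10.0.0.5 and host names under example.com are placeholders, while the ports 7000 to 7002 and the certificate paths follow Steve's setup.

```python
import re
from collections import defaultdict

# Constructed httpd.conf fragment shaped like the one in the thread: SSL
# virtual hosts on one address with different ports, sharing a certificate.
# The third block deliberately reuses port 7001 to show what the check catches.
SAMPLE_CONF = """\
Listen 7000
Listen 7001
Listen 7002

<VirtualHost 10.0.0.5:7000>
    ServerName dev1.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>

<VirtualHost 10.0.0.5:7001>
    ServerName dev2.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>

<VirtualHost 10.0.0.5:7001>
    ServerName dev3.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>

<VirtualHost *:80>
    ServerName dev1.example.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.M | re.I)


def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> block: endpoint, ServerName, SSL on/off."""
    vhosts = []
    for m in VHOST_RE.finditer(conf_text):
        endpoint, body = m.group(1).strip(), m.group(2)
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        ssl_on = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I) is not None
        vhosts.append({"endpoint": endpoint,
                       "name": name.group(1) if name else "<no ServerName>",
                       "ssl": ssl_on})
    return vhosts


def _port_of(endpoint):
    """'10.0.0.5:7001' -> '7001'; a bare address defaults to 443 for an SSL vhost."""
    return endpoint.rsplit(":", 1)[-1] if ":" in endpoint else "443"


def check_ssl_vhosts(conf_text):
    """Return a list of problem strings (empty means the SSL vhost layout is sound).
    An SSL vhost must own its IP:port pair: mod_ssl selects the vhost, and so the
    certificate, from the TCP endpoint before any Host header can be read."""
    problems = []
    listen_ports = {l.rsplit(":", 1)[-1] for l in LISTEN_RE.findall(conf_text)}
    by_endpoint = defaultdict(list)
    for vh in parse_vhosts(conf_text):
        if vh["ssl"]:
            by_endpoint[vh["endpoint"]].append(vh["name"])
    for endpoint, names in by_endpoint.items():
        if len(names) > 1:
            problems.append(f"{endpoint}: {len(names)} SSL vhosts share this endpoint "
                            f"({', '.join(names)}); only the first one's configuration is used")
        if listen_ports and _port_of(endpoint) not in listen_ports:
            problems.append(f"{endpoint}: no Listen directive for port {_port_of(endpoint)}")
    return problems


if __name__ == "__main__":
    for p in check_ssl_vhosts(SAMPLE_CONF) or ["no problems found"]:
        print(p)
```

Feed it the real httpd.conf text and treat every reported line as a vhost that, as configured, will either never be reached or will answer with another vhost's certificate.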

RE: Multiple SSL VirtualHosts in apache

2003-02-20 Thread Jack L. Stone
Owen's reply is more in line with what I thought. In applying for my Cert,
I provided docs to prove ownership of the www.domain, addresses and some
other stuff. When clicking on the website, the Cert requested must match
the domain requested -- nothing about IPs has ever been involved. 

This is why the post about IPs caught my attention and wondered if I was
behind the times. I'm applying for a renewal now and again it's all about
the www.domain and nothing is entered into the cert about the IP verification.

Then, there is the question of a wildcard cert which I understand can be
used for several vhosts without setting off alarms on the browser.

If there is anyone who would be willing to share with me their httpd.conf
setup when using vhosting, I would be forever grateful. Offlist would be
fine if need for privacy.

Thanks.

>>
>>It's IP and/or port based.  But, do remember, if port based then one is
>>serving only one cert, and the trouble is making sure the cert is
>>constructed in a fashion such that hostnames are not contained
>>within the CN and such.  In this case, and others can correct me if I'm
>>wrong here, you would need to generate the cert on the IP rather than
>>FQDN.  And I'm not sure openssl allows such a cert, but others might well
>>be better clued than I on this.
>
>A server cert bound to an IP address wouldn't make much sense (not sure if
>you can even do it).
>
>The thing to remember is that SSL is about two things - encryption and
>authentication. For encryption to work you just need to send the server's
>public key to the client - the hostname is not important. However, for the
>authentication aspect, it is essential that the common name in the
>server cert matches the FQDN in the client request. Put it another way, you
>surf to amazon.com and are about to type in your credit card number but
>then you look inside the server cert and see that it is registered to
>"shady-character.com". Do you still send your card number? This is why
>browsers always complain when you use a test or self signed certificate if
>the CN doesn't match the FQDN.
>
>So, while you can have an encrypted session with an untrusted server, in
>the real world it doesn't make much sense to do so. Encryption is sending
>your money to the bank in an armoured car, authentication is making sure
>the armoured car actually goes to the bank.
>
>Rgds,
>Owen Boyle
>
>>
>>Thanks,
>>
>>Ron DuFresne
>>
>>On Wed, 19 Feb 2003, Jack L. Stone wrote:
>>
>>> Please excuse the top post:
>>> 
>>> Ian or anyone, are you sure that a wildcard setup won't work??? Just
>>> getting ready to do a fresh install involving vhosts and this will become
>>> an important issue.
>>> 
>>> Thanks!
>>> 
>>> At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
>>> >I believe that I read somewhere that you must have a different
>>> >ip address for each ssl virtualhost.
>>> >
>>> >Ian Moon
>>> >
>>> >On Wed, 19 Feb 2003, Boyle Owen wrote:
>>> >
>>> >> >-Original Message-
>>> >> >From: Steve Pirk [mailto:[EMAIL PROTECTED]]
>>> >> >Sent: Donnerstag, 6. Februar 2003 02:02
>>> >> >To: [EMAIL PROTECTED]
>>> >> >Subject: Multiple SSL VirtualHosts in apache
>>> >> >
>>> >> >
>>> >> >I check the mail archives, but could not find a good
>>> >> >answer for this "problem" I am having.
>>> >> >
>>> >> >I am building out a dev environment using apache
>>> >> >on Solaris. The dev environment needs to run under
>>> >> >SSL (to simulate the production environment). I am
>>> >> >starting with 4 virtual servers. They all use the
>>> >> >same cert file, but are on different ports.
>>> >> >
>>> >> >The problem I am running into is that only the "first"
>>> >> >VirtualHost works. Requests to subsequent ports result
>>> >> >in a mod_ssl:error:HTTP-request error. Here is the error_log
>>> >> >entry:
>>> >> >
>>> >> >[Wed Feb  5 16:45:11 2003] [error] mod_ssl: SSL 
>>handshake failed: HTTP
>>> >> >spoken on HTTPS port; trying to send HTML error page 
>>(OpenSSL library
>>> >> >error follows)
>>> >>
>>> >> This looks like you typed http://server:7001/ into the 
>>browser. You
>>> >> still need to define https even if you have the port number, i.e.
>>> >> https://server:7001/.
>>> >>
>>> >> Can you confirm that if you do this, you still get an error?
>>> >>
>>> >> Rgds,
>>> >> Owen Boyle
>>> >>
>>> >>
>>> >> >[Wed Feb  5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
>>> >> >routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
>>> >> >HTTP to HTTPS
>>> >> >port!?]
>>> >> >
>>> >> >This is being used in conjunction with an auth package,
>>> >> >but the redirect after logging in is https://
>>> >> >
> >>> >> >Does anyone know of a good way to have multiple
>>> >> >SSL virtual servers on one apache instance?
>>> >>
> >>> >> The way you are doing it is fine. You just have a problem...
>>> >>
>>> >> >
>>> >> >Here is a sample of httpd.conf. In this case, port 7000
>>> >> >works, but 7001 and 7002 get the mod_ssl error.
>>> >> >
>>> >> >  
>>> >> >DocumentRoot  

RE: Multiple SSL VirtualHosts in apache

2003-02-20 Thread Boyle Owen
>-Original Message-
>From: R. DuFresne [mailto:[EMAIL PROTECTED]]
>
>It's IP and/or port based.  But, do remember, if port based then one is
>serving only one cert, and the trouble is making sure the cert is
>constructed in a fashion such that hostnames are not contained
>within the CN and such.  In this case, and others can correct me if I'm
>wrong here, you would need to generate the cert on the IP rather than
>FQDN.  And I'm not sure openssl allows such a cert, but others might well be
>better clued than I on this.

A server cert bound to an IP address wouldn't make much sense (not sure if you can 
even do it).

The thing to remember is that SSL is about two things - encryption and authentication. 
For encryption to work you just need to send the server's public key to the client - 
the hostname is not important. However, for the authentication aspect, it is essential 
that the common name in the server cert matches the FQDN in the client request. 
Put it another way, you surf to amazon.com and are about to type in your credit card 
number but then you look inside the server cert and see that it is registered to 
"shady-character.com". Do you still send your card number? This is why browsers always 
complain when you use a test or self signed certificate if the CN doesn't match the 
FQDN.

So, while you can have an encrypted session with an untrusted server, in the real 
world it doesn't make much sense to do so. Encryption is sending your money to the 
bank in an armoured car, authentication is making sure the armoured car actually goes 
to the bank.

Rgds,
Owen Boyle

>
>Thanks,
>
>Ron DuFresne
>
>On Wed, 19 Feb 2003, Jack L. Stone wrote:
>
>> Please excuse the top post:
>> 
>> Ian or anyone, are you sure that a wildcard setup won't work??? Just
>> getting ready to do a fresh install involving vhosts and this will become
>> an important issue.
>> 
>> Thanks!
>> 
>> At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
>> >I believe that I read somewhere that you must have a different
>> >ip address for each ssl virtualhost.
>> >
>> >Ian Moon
>> >
>> >On Wed, 19 Feb 2003, Boyle Owen wrote:
>> >
>> >> >-Original Message-
>> >> >From: Steve Pirk [mailto:[EMAIL PROTECTED]]
>> >> >Sent: Donnerstag, 6. Februar 2003 02:02
>> >> >To: [EMAIL PROTECTED]
>> >> >Subject: Multiple SSL VirtualHosts in apache
>> >> >
>> >> >
>> >> >I check the mail archives, but could not find a good
>> >> >answer for this "problem" I am having.
>> >> >
>> >> >I am building out a dev environment using apache
>> >> >on Solaris. The dev environment needs to run under
>> >> >SSL (to simulate the production environment). I am
>> >> >starting with 4 virtual servers. They all use the
>> >> >same cert file, but are on different ports.
>> >> >
>> >> >The problem I am running into is that only the "first"
>> >> >VirtualHost works. Requests to subsequent ports result
>> >> >in a mod_ssl:error:HTTP-request error. Here is the error_log
>> >> >entry:
>> >> >
>> >> >[Wed Feb  5 16:45:11 2003] [error] mod_ssl: SSL 
>handshake failed: HTTP
>> >> >spoken on HTTPS port; trying to send HTML error page 
>(OpenSSL library
>> >> >error follows)
>> >>
>> >> This looks like you typed http://server:7001/ into the 
>browser. You
>> >> still need to define https even if you have the port number, i.e.
>> >> https://server:7001/.
>> >>
>> >> Can you confirm that if you do this, you still get an error?
>> >>
>> >> Rgds,
>> >> Owen Boyle
>> >>
>> >>
>> >> >[Wed Feb  5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
>> >> >routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
>> >> >HTTP to HTTPS
>> >> >port!?]
>> >> >
>> >> >This is being used in conjunction with an auth package,
>> >> >but the redirect after logging in is https://
>> >> >
>> >> >Does anyone know of a good way to have multiple
>> >> >SSL virtual servers on one apache instance?
>> >>
>> >> The way you are doing it is fine. You just have a problem...
>> >>
>> >> >
>> >> >Here is a sample of httpd.conf. In this case, port 7000
>> >> >works, but 7001 and 7002 get the mod_ssl error.
>> >> >
>> >> >  
>> >> >DocumentRoot/some/doc/root
>> >> >SSLEngine on
>> >> >SSLCertificateFile/usr/local/apache/certs/my_cert.crt
>> >> >SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>> >> >  
>> >> >
>> >> >  
>> >> >DocumentRoot/some/doc/root
>> >> >SSLEngine on
>> >> >SSLCertificateFile/usr/local/apache/certs/my_cert.crt
>> >> >SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>> >> >  
>> >> >
>> >> >  
>> >> >DocumentRoot/some/doc/root
>> >> >SSLEngine on
>> >> >SSLCertificateFile/usr/local/apache/certs/my_cert.crt
>> >> >SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>> >> >  
>> >> >
>> >> >--
>> >> >Steve (egrep)
>> >> 
>>__
>> >> >Apache Interface to OpenSSL (mod_ssl)   
>www.modss