Re: Apache 2.0.44 with Openssl -0.9.7
Did you uncomment the entropy lines in the ssl.conf file? I am running it with 0.9.7a and it works fine.

-Ian

Quoting Yu, Ming [EMAIL PROTECTED]:

> Does anyone have a problem with apache 2.0.44 and Openssl 0.9.7? I installed the server, no problem. Then I wanted to start the httpd server, even without mod_ssl.
>
>     ./apachectl -k start
>
> There is no message on the screen, but an error message in the log file. The apache engine did not start.
>
>     [warn] Init: PRNG still contains insufficient entropy!
>     [error] Init: Failed to generate temporary 512 bit RSA private key
>     Configuration Failed
>
> Any suggestions?
>
> - Ming Yu

--
Ian Miller
Sr. Systems Engineer
University of Chicago
[EMAIL PROTECTED]

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
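Ian's "entropy lines" are the SSLRandomSeed directives in the httpd 2.0 ssl.conf. As shipped, both the startup and the connect context are seeded from "builtin" only, and the file:/dev/random and file:/dev/urandom lines are commented out. The builtin source feeds OpenSSL the current time, the process id and some scoreboard data, which mod_ssl's own documentation describes as a weak source; after seeding, mod_ssl calls RAND_status() and logs "PRNG still contains insufficient entropy!" when OpenSSL still considers the PRNG unseeded, and the temporary RSA key generation that follows then fails with the second message in Ming's log. The script below is an added example written for this page, not a tool from Apache or from the thread. It reads an ssl.conf and reports whether both contexts have at least one active source better than builtin. The two sample configurations it writes are constructed to mirror the layout of the stock file, and the optional device-directory argument exists only so the check can be exercised against a fake /dev.

```shell
#!/bin/sh
# audit_randomseed.sh: report whether an httpd ssl.conf seeds OpenSSL's PRNG
# from a real entropy source in both the "startup" and "connect" contexts.
# Added example for this thread, not a mod_ssl tool.
#
# audit_randomseed CONF [DEVDIR]
#   exit 0: every context has at least one active file:/exec:/egd: source and
#           each file: device exists
#   exit 1: a context is seeded from "builtin" only (the stock ssl.conf), has
#           no directive at all, or names a device that is missing
# DEVDIR (default /dev) is where file:/dev/... sources are looked up; it is an
# argument only so the check can run against a fake device directory in a test.
audit_randomseed() {
    conf=$1
    devdir=${2:-/dev}
    rc=0
    for ctx in startup connect; do
        # Only uncommented directives for this context count.
        srcs=$(grep -E "^[[:space:]]*SSLRandomSeed[[:space:]]+$ctx[[:space:]]" "$conf" |
               awk '{ print $3 }')
        if [ -z "$srcs" ]; then
            echo "$ctx: no active SSLRandomSeed directive"
            rc=1
            continue
        fi
        strong=0
        for src in $srcs; do
            case $src in
                builtin)
                    ;;                     # time/pid based; never counts as strong
                file:*)
                    dev=${src#file:}
                    case $dev in /dev/*) dev=$devdir/${dev#/dev/} ;; esac
                    if [ -e "$dev" ]; then
                        strong=1
                    else
                        echo "$ctx: $src names a device that does not exist"
                        rc=1
                    fi ;;
                exec:*|egd:*)
                    strong=1 ;;
                *)
                    echo "$ctx: unknown seed source '$src'"
                    rc=1 ;;
            esac
        done
        if [ "$strong" -eq 0 ]; then
            echo "$ctx: seeded from builtin only; uncomment a file:/dev/urandom line"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the PRNG block as it ships in httpd 2.0's ssl.conf,
# with the device lines still commented out.
write_stock_conf() {
    cat > "$1" <<'EOF'
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512
EOF
}

# Constructed sample: the same block with the non-blocking device enabled
# for both contexts (builtin is kept as an additional source).
write_fixed_conf() {
    cat > "$1" <<'EOF'
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
EOF
}

# Usage: sh audit_randomseed.sh /usr/local/apache2/conf/ssl.conf
if [ -n "$1" ] && [ -f "$1" ]; then
    audit_randomseed "$1"
fi
```

/dev/urandom is the source to enable on hosts that have it: /dev/random can block at connect time until the kernel has collected more entropy, which shows up as very slow SSL handshakes rather than as a start-up error.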
RE: Apache 2.0.44 with Openssl -0.9.7
It looks like many people are getting this undefined symbol X509_free when we try to build mod_ssl as a shared module. I am still waiting for the solution.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ted Rolle
Sent: March 7, 2003 10:36 AM
To: [EMAIL PROTECTED]
Subject: Re: Apache 2.0.44 with Openssl -0.9.7

YOU GOT Apache-2.0.44 and OpenSSL-0.9.7 WORKING??? What are your ./configure files like? I keep getting the dreaded can't find X509_free message.

On Fri, 7 Mar 2003, Ian Miller wrote:

> Did you uncomment the entropy lines in the ssl.conf file? I am running it with 0.9.7a and it works fine.
> [...]
RE: Apache 2.0.44 with Openssl -0.9.7
I use the following switches to compile APACHE 2.0.44 with OpenSSL 0.9.7:

    ./configure --enable-layout=TEST \
                --enable-ssl \
                --with-ssl=/usr/local/ssl \
                --enable-mods-shared=max \
                --enable-modules=most \
                --with-mpm=worker

It went through the installation process.

Thanks
- Ming Yu

-----Original Message-----
From: Ted Rolle [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 10:36 AM
To: [EMAIL PROTECTED]
Subject: Re: Apache 2.0.44 with Openssl -0.9.7

YOU GOT Apache-2.0.44 and OpenSSL-0.9.7 WORKING??? What are your ./configure files like?
[...]
RE: Apache 2.0.44 with Openssl -0.9.7
Of course. When you build mod_ssl into apache (that is, STATIC), you won't encounter the X509_free issue.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yu, Ming
Sent: March 7, 2003 10:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Apache 2.0.44 with Openssl -0.9.7

I use the following switches to compile APACHE 2.0.44 with OpenSSL 0.9.7:

    ./configure --enable-layout=TEST \
                --enable-ssl \
                --with-ssl=/usr/local/ssl \
                --enable-mods-shared=max \
                --enable-modules=most \
                --with-mpm=worker

It went through the installation process.
[...]
RE: Apache 2.0.44 with Openssl -0.9.7
I just run config with:

    ./configure --enable-ssl --with-ssl=/usr/local/ssl --enable-so --enable-rewrite --enable-speling

Solaris 9 and 8 systems, gcc 3.2.2, GNU binutils 2.13.2.1.

I think I had a problem once ... I just recompiled ssl and ran the make check or make test; everything worked then.

Quoting apachep2 [EMAIL PROTECTED]:

> Of course. When you build mod_ssl into apache (that is, STATIC), you won't encounter the X509_free issue.
> [...]

--
Ian Miller
Sr. Systems Engineer
University of Chicago
[EMAIL PROTECTED]
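Ted's "can't find X509_free" and apachep2's remark that a static build avoids it both come down to where a shared mod_ssl.so gets its OpenSSL symbols when httpd dlopen()s it: every symbol the module leaves undefined has to be supplied either by a library the module itself declares as a dependency or by something already in the process, such as an httpd binary that had OpenSSL linked in statically. Two binutils commands show the situation for any module: `nm -D --undefined-only mod_ssl.so` lists what the module expects the loader to supply, and `ldd mod_ssl.so` lists the libraries the module itself pulls in. The script below is an added example written for this page, not part of Apache or OpenSSL. It parses saved output from those two commands and reports whether unresolved OpenSSL symbols are backed by a libcrypto/libssl dependency; the samples embedded in it are constructed to match the layout those tools print, not captured from anyone's system, and the library names such as libcrypto.so.0.9.7 are assumptions.

```shell
#!/bin/sh
# check_modssl_link.sh: find out why a shared mod_ssl.so fails to load with
# "undefined symbol: X509_free". Added example for this thread, not an Apache
# or OpenSSL tool.

# openssl_undefined_syms NM_OUTPUT
#   NM_OUTPUT holds the text of `nm -D --undefined-only mod_ssl.so`.
#   Prints the unresolved symbols that belong to libssl/libcrypto.
openssl_undefined_syms() {
    awk '$1 == "U" && $2 ~ /^(SSL|SSLv[23]|TLSv1|X509|EVP|RAND|BIO|PEM|RSA|DH|DSA|ERR|CRYPTO|OPENSSL|ENGINE|ASN1|OBJ|sk|i2d|d2i)_/ { print $2 }' "$1" | sort -u
}

# needed_libs LDD_OUTPUT
#   LDD_OUTPUT holds the text of `ldd mod_ssl.so`; prints each resolved
#   library name, e.g. libcrypto.so.0.9.7.
needed_libs() {
    awk '$2 == "=>" { print $1 }' "$1"
}

# check_module NM_OUTPUT LDD_OUTPUT
#   exit 0: the module leaves no OpenSSL symbol unresolved, or it does but
#           depends on libcrypto/libssl so the loader can satisfy them
#   exit 1: OpenSSL symbols are unresolved and the module has no dependency on
#           libcrypto/libssl; it can only load into an httpd that exports them
check_module() {
    syms=$(openssl_undefined_syms "$1")
    if [ -z "$syms" ]; then
        echo "no OpenSSL symbols left unresolved"
        return 0
    fi
    if needed_libs "$2" | grep -Eq '^lib(crypto|ssl)\.so'; then
        echo "OpenSSL symbols unresolved but libcrypto/libssl are dependencies: ok"
        return 0
    fi
    echo "module references OpenSSL symbols but does not depend on libcrypto:"
    echo "$syms" | sed 's/^/  /'
    return 1
}

# check_real_module PATH_TO_MOD_SSL_SO: run nm and ldd for real and evaluate.
check_real_module() {
    nmout=$(mktemp) || return 2
    lddout=$(mktemp) || return 2
    nm -D --undefined-only "$1" > "$nmout" 2>/dev/null
    ldd "$1" > "$lddout" 2>/dev/null
    if check_module "$nmout" "$lddout"; then rc=0; else rc=1; fi
    rm -f "$nmout" "$lddout"
    return $rc
}

# Constructed samples of what nm and ldd print for the two module layouts.
sample_nm() {
    cat > "$1" <<'EOF'
                 U SSL_CTX_new
                 U X509_free
                 U ap_log_error
                 U apr_pool_cleanup_register
                 U free
EOF
}
sample_ldd_without_crypto() {
    cat > "$1" <<'EOF'
        libapr-0.so.0 => /usr/local/apache2/lib/libapr-0.so.0 (0x40020000)
        libc.so.6 => /lib/libc.so.6 (0x40040000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
EOF
}
sample_ldd_with_crypto() {
    cat > "$1" <<'EOF'
        libssl.so.0.9.7 => /usr/local/ssl/lib/libssl.so.0.9.7 (0x40020000)
        libcrypto.so.0.9.7 => /usr/local/ssl/lib/libcrypto.so.0.9.7 (0x40050000)
        libapr-0.so.0 => /usr/local/apache2/lib/libapr-0.so.0 (0x40120000)
        libc.so.6 => /lib/libc.so.6 (0x40140000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
EOF
}
```

On a real installation, `check_real_module /usr/local/apache2/modules/mod_ssl.so` runs the two commands itself. A module that comes back with "does not depend on libcrypto" was linked without -lssl -lcrypto; it will load only into an httpd that exports those symbols, which is the static layout apachep2 describes, and fails with the undefined-symbol error otherwise. Also compare the libcrypto path that ldd reports with the --with-ssl prefix used at build time: a module that resolves to a different, older libcrypto than the one it was compiled against is the other common source of unresolved OpenSSL symbols.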
Re: private key not found
I'm not sure what you mean. I followed the mod_ssl FAQ to generate all the key/csr/crt files, then $ ./sign.sh the server.csr to make the server.crt. /etc/httpd/ssl.key/server.key is the correct path and the file is there. I finally managed to chmod it to 0400. (I got confused as to what rw-r--r-- was vs. r.) However, the result was still the same.

I've since remade the keys, thinking that also might be a problem. Everything was running smoothly until I got to the final step (using $ ./sign.sh on server.csr). It generated an error that I believe I also got the first time I made the keys a couple of weeks ago (unfortunately I wasn't paying enough attention):

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    CA verifying: server.crt <-> CA cert
    server.crt: /C=US/ST=Kansas/L=Lawrence/O=Pelathe Center/CN=www.pelathe.org/[EMAIL PROTECTED]
    error 18 at 0 depth lookup:self signed certificate
    /C=US/ST=Kansas/L=Lawrence/O=Pelathe Center/CN=www.pelathe.org/[EMAIL PROTECTED]
    error 7 at 0 depth lookup:certificate signature failure

What is an 'error 18 at depth 0' and an 'error 7 at depth 0'? Would this be a reason why my server cannot find the Private Key?

Thank you everyone for all of your help so far. I really do appreciate it. I know I must sound pretty foolish with these questions, so thanks. I'd bake you all a cake if I could.

On Thursday 06 March 2003 14:19, Ron Gedye wrote:
> How did you generate the CSR to get the cert? What key file did you use for this?
>
> The cert (crt) file perms look ok (444 would be better), but who owns it?
>
> Does this file exist? /etc/httpd/ssl.key/server.key (according to your conf). If so, the permissions should be -r-. This file should be owned by root (in most all cases) and not the webserver account (nobody/apache).
>
> ----- Original Message -----
> From: A. Putnam [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Friday, March 07, 2003 4:20 PM
> Subject: Re: private key not found
>
> The permissions for the server.crt file are rw-r--r-- but it still cannot find the Private Key.
>
> On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> > Please check the permissions on your private key. They should be readable only by owner (400) (knee-jerk first guess reaction). Best of luck
> >
> > ----- Original Message -----
> > From: A. Putnam [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Friday, March 07, 2003 3:42 PM
> > Subject: private key not found
> >
> > I'm trying to get mod_ssl to work on my server, but each time I try to restart apache with mod_ssl activated, it gives me this error:
> >
> >     /etc/init.d/apache start
> >     returned 7 (Program is not running.)
> >     Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass Phrase Dialog)
> >     Some of your private key files are encrypted for security reasons.
> >     In order to read them you have to provide us with the pass phrases.
> >
> >     Server matrix.pelathe.org:443 (RSA)
> >     Enter pass phrase:
> >
> >     Apache:mod_ssl:Error: Private key not found.
> >     **Stopped
> >     stty: standard input: Inappropriate ioctl for device
> >     ..failed
> >
> > What I don't understand is how it can't find the Private key. The SSLCertificateKeyFile path in httpd.conf matches the location of the key in my directory. Isn't the SSLCertificateKeyFile the Private Key path? I'm including the Virtual Host code (sans the explanation text and a passkey). I'm very new to this so I won't be surprised if there is a glaring error in here that I missed...
> >
> >     <VirtualHost _default_:443>
> >     DocumentRoot /srv/www/htdocs
> >     ServerName matrix.pelathe.org
> >     ServerAdmin [EMAIL PROTECTED]
> >     ErrorLog /var/log/httpd/error_log
> >     TransferLog /var/log/httpd/access_log
> >     SSLEngine on
> >     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >     SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> >     #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
> >     SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> >     #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
> >     SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
> >     #SSLCACertificatePath /etc/httpd/ssl.crt
> >     SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
> >     SSLCARevocationPath /etc/httpd/ssl.crl
> >     #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
> >     SSLVerifyClient require
> >     SSLVerifyDepth 10
> >     #<Location />
> >     #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> >     #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> >     #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> >     #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> >     #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
> >     #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> >     #</Location>
> >     #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> >     <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> >         SSLOptions +StdEnvVars
> >     </Files>
> >     <Directory "/srv/www/cgi-bin">
> >         SSLOptions +StdEnvVars
> >     </Directory>
> >     SetEnvIf User-Agent ".*MSIE.*" \
> >              nokeepalive ssl-unclean-shutdown \
> >              downgrade-1.0 force-response-1.0
> >     CustomLog /var/log/httpd/ssl_request_log \
> >               "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >     </VirtualHost>
> >
> > Any help would be greatly appreciated. I'm using Apache 1.3.26 and Mod_SSL 2.8.10 on a SuSE 8.1 box.
> >
> > Thanks,
> > -Andrew
Re: private key not found
I'm not too sure what you mean when you ask if the domain was transferred. What domain? All I know I did was that I generated the key/csr/crts and self-signed the CA.

On Thursday 06 March 2003 14:03, Justin Williams wrote:
> Was the domain moved over to your server, or did you generate key/csr/crt? I'm having the same difficulty with one where the domain, cert and key were transferred; all my others work properly...
>
> ----- Original Message -----
> From: A. Putnam [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Friday, March 07, 2003 5:20 PM
> Subject: Re: private key not found
>
> The permissions for the server.crt file are rw-r--r-- but it still cannot find the Private Key.
> [...]

--
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center
Re: private key not found
I had a domain that was transferred to my server, and with it came the key and crt files from the old server. That particular domain the SSL is blowing up... More accurately, Apache refuses to start, with the same error you get, when I try to enable the SSL for that domain...

----- Original Message -----
From: A. Putnam [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 08, 2003 4:48 PM
Subject: Re: private key not found

I'm not too sure what you mean when you ask if the domain was transferred. What domain? All I know I did was that I generated the key/csr/crts and self-signed the CA.
[...]
Re: private key not found
Oh, I see now. Well, it's nothing like that. Pelathe has had its domain since '98. We've had a server that died and had to transfer everything to a new Linux box, but this is the first time we've ever tried to make an ssl server, so I don't think that would make a difference.

It's really strange that the crt for your transferred domain won't work though. Maybe there is some fundamental difference between the two servers that would cause problems? Can you just make new keys for the domain instead? Or is that not how it works?

On Friday 07 March 2003 13:38, Justin Williams wrote:
> I had a domain that was transferred to my server, and with it came the key and crt files from the old server. That particular domain the SSL is blowing up... More accurately, Apache refuses to start, with the same error you get, when I try to enable the SSL for that domain...
> [...]
Re: private key not found
Don't think you can make a key from a crt... only works the other way around... Tempted to do that, though...

----- Original Message -----
From: A. Putnam [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 08, 2003 6:01 PM
Subject: Re: private key not found

Oh, I see now. Well, it's nothing like that. [...] Can you just make new keys for the domain instead? Or is that not how it works?
[...]
Re: private key not found
On Fri, 7 Mar 2003, Justin Williams wrote:

  don't think you can make a key from a crt... only works the other way
  around... Tempted to do that, though...

You're right, it doesn't work the other way around. Otherwise SSL would be
worthless...

It seems to me that your keys might be corrupted, my guess is that the other
server was a windows box and this one is unix (or the other way around, but I
doubt it), so you have all the end of lines messed up (with a bunch of ^M at
the end of each line or similar).

Carlos

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
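The two guesses in this thread (Ron's: key mode not 400; Carlos's: a key copied through Windows and left with CR line endings) are both cheap to check before touching httpd.conf again. The script below is an added example, not code posted to the list or shipped with mod_ssl; the function names and the check_ssl_key.sh name are its own. It parses the mode column of ls -ld so it works on both GNU and BSD userlands, and it only asks openssl to parse the key when openssl is on the PATH and the key is not pass-phrase protected, so it never blocks on a prompt.

```shell
#!/bin/sh
# check_ssl_key.sh -- added example; not code from the thread or from mod_ssl.
# Runs the two checks suggested in the thread against a private key file
# before Apache is restarted: file mode (only the owner should be able to
# read it) and DOS line endings (CR bytes left behind by a Windows copy).

# has_crlf FILE : succeed (0) if FILE contains any carriage-return bytes
has_crlf() {
    tr -d '\r' < "$1" | cmp -s - "$1" && return 1
    return 0
}

# open_to_others FILE : succeed if group or other have any permission bit set
# (columns 5-10 of "ls -ld" are the group and other mode bits on GNU and BSD)
open_to_others() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" != "------" ]
}

# pem_key_framed FILE : succeed if the PEM BEGIN/END private-key lines are present
pem_key_framed() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
    grep -q -- '-----END .*PRIVATE KEY-----' "$1"
}

# check_key FILE : report every finding, succeed only if nothing was found
check_key() {
    f=$1
    rc=0
    [ -r "$f" ] || { printf '%s\n' "$f: not readable by $(id -un)"; return 1; }
    if has_crlf "$f"; then
        printf '%s\n' "$f: contains CR bytes (DOS line endings); convert with: tr -d '\r' < $f > $f.unix"
        rc=1
    fi
    if open_to_others "$f"; then
        printf '%s\n' "$f: readable by group/other; fix with: chmod 400 $f"
        rc=1
    fi
    if ! pem_key_framed "$f"; then
        printf '%s\n' "$f: PEM BEGIN/END PRIVATE KEY lines missing or damaged"
        rc=1
    fi
    # Let openssl parse the key, as mod_ssl will at startup. Skipped when
    # openssl is absent or the key is pass-phrase protected (no prompt here).
    if command -v openssl >/dev/null 2>&1 && ! grep -q ENCRYPTED "$f"; then
        openssl pkey -in "$f" -noout >/dev/null 2>&1 || {
            printf '%s\n' "$f: openssl cannot parse this key"
            rc=1
        }
    fi
    return $rc
}

# usage: sh check_ssl_key.sh /etc/httpd/ssl.key/server.key
if [ $# -eq 1 ]; then
    check_key "$1"
fi
```

Run it as the user that starts httpd (root, in this thread), since the first check is whether that user can read the file at all. A CR-bearing key is the case the PEM framing check does not catch, because the BEGIN/END lines still match; that is why has_crlf is a separate test.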
Re: private key not found
oh goody... LOL

The CA tells me it was on an Apache server, and the owner tells me it was on
a *nix system, but, with them downloading the file and tinkering, maybe
something got tinkered the wrong way...

- Original Message -
From: Carlos Villegas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 07, 2003 4:57 PM
Subject: Re: private key not found

  On Fri, 7 Mar 2003, Justin Williams wrote:

    don't think you can make a key from a crt... only works the other way
    around... Tempted to do that, though...

  You're right, it doesn't work the other way around. Otherwise SSL would be
  worthless...

  It seems to me that your keys might be corrupted, my guess is that the
  other server was a windows box and this one is unix (or the other way
  around, but I doubt it), so you have all the end of lines messed up (with
  a bunch of ^M at the end of each line or similar).

  Carlos
RE: Apache 2.0.44 with Openssl -0.9.7
Good. Now what is the configuration file for OpenSSL?

On Fri, 7 Mar 2003, Yu, Ming wrote:

  I use the following switches to compile APACHE 2.0.44 with OpenSSL 0.9.7

    ../configure --enable-layout=TEST \
        --enable-ssl \
        --with-ssl=/usr/local/ssl \
        --enable-mods-shared=max \
        --enable-modules=most \
        --with-mpm=worker

  It went through the installation process.

  Thanks

  - Ming Yu

  -Original Message-
  From: Ted Rolle [mailto:[EMAIL PROTECTED]
  Sent: Friday, March 07, 2003 10:36 AM
  To: [EMAIL PROTECTED]
  Subject: Re: Apache 2.0.44 with Openssl -0.9.7

    YOU GOT Apache-2.0.44 and OpenSSL-0.9.7 WORKING??? What are your
    ./configure files like? I keep getting the dreaded can't find X509_free
    message.

    On Fri, 7 Mar 2003, Ian Miller wrote:

      Did you uncomment out the entropy lines in the ssl.conf file? I am
      running it with 0.9.7a and it works fine

      -Ian

      Quoting Yu, Ming [EMAIL PROTECTED]:

        Does anyone have problem with apache 2.0.44 and Openssl 0.9.7. I
        installed the server, no problem. Then I wanted to start the httpd
        server, even without mod_ssl.

          ./apachectl -k start

        There is no message on the screen, but an error message in the log
        file. The apache engine did not start.

          [warn] Init: PRNG still contains insufficient entropy!
          [error] Init: Failed to generate temporary 512 bit RSA private key
          Configuration Failed

        Any suggestions.

        - Ming Yu

      --
      Ian Miller
      Sr. Systems Engineer
      University of Chicago
      [EMAIL PROTECTED]
RE: Apache 2.0.44 with Openssl -0.9.7
Yes, this is true. But DSO should work too.

On Fri, 7 Mar 2003, apachep2 wrote:

  Of course. When you build mod_ssl into apache (that is STATIC), you won't
  encounter X509_free issue.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yu, Ming
  Sent: March 7, 2003 10:57 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: Apache 2.0.44 with Openssl -0.9.7

    I use the following switches to compile APACHE 2.0.44 with OpenSSL 0.9.7

      ../configure --enable-layout=TEST \
          --enable-ssl \
          --with-ssl=/usr/local/ssl \
          --enable-mods-shared=max \
          --enable-modules=most \
          --with-mpm=worker

    It went through the installation process.

    Thanks

    - Ming Yu

    -Original Message-
    From: Ted Rolle [mailto:[EMAIL PROTECTED]
    Sent: Friday, March 07, 2003 10:36 AM
    To: [EMAIL PROTECTED]
    Subject: Re: Apache 2.0.44 with Openssl -0.9.7

      YOU GOT Apache-2.0.44 and OpenSSL-0.9.7 WORKING??? What are your
      ./configure files like? I keep getting the dreaded can't find
      X509_free message.

      On Fri, 7 Mar 2003, Ian Miller wrote:

        Did you uncomment out the entropy lines in the ssl.conf file? I am
        running it with 0.9.7a and it works fine

        -Ian

        Quoting Yu, Ming [EMAIL PROTECTED]:

          Does anyone have problem with apache 2.0.44 and Openssl 0.9.7. I
          installed the server, no problem. Then I wanted to start the
          httpd server, even without mod_ssl.

            ./apachectl -k start

          There is no message on the screen, but an error message in the
          log file. The apache engine did not start.

            [warn] Init: PRNG still contains insufficient entropy!
            [error] Init: Failed to generate temporary 512 bit RSA private key
            Configuration Failed

          Any suggestions.

          - Ming Yu

        --
        Ian Miller
        Sr. Systems Engineer
        University of Chicago
        [EMAIL PROTECTED]
mod_ssl/mod_jk failure with client authentication on
Hi,

I apologise for cross-posting - I'm really not sure which component is at
fault, looks like mod_ssl but possibly mod_jk. BTW, is there a list (or some
other venue) dedicated to mod_jk?

My environment is Apache 1.3.22, mod_ssl 2.8.5, OpenSSL 0.9.6b, tomcat 4.0.3.
I have a servlet mounted like this

    JkMount /app/servlet/* ajp13
    JkMount /app/*.jsp ajp13
    <Location /app/>
        SSLVerifyClient require
        SSLVerifyDepth 4
    </Location>

When SSLVerifyClient is set to 'none' all works fine, but when I set it as
above, to 'require', it seems that the SSL connection is repeatedly
renegotiated. The mod_jk log stops at this line (I edited out log entry
headers for clarity):

    Attempting to map URI '/app/servlet/ApplicationProxyServlet'
    jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 - /app/servlet/

whilst the ssl engine log shows this

    Connection to child 3 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
    Seeding PRNG with 1160 bytes of entropy
    OpenSSL: Handshake: start
    OpenSSL: Loop: before/accept initialization
    Inter-Process Session Cache: request=GET status=FOUND id=7A2A7121DDC60F144CA9F233A19E7BD7D88F0DCA06AEB588165EB9F01CA276DE (session reuse)
    OpenSSL: Loop: SSLv3 read client hello A
    OpenSSL: Loop: SSLv3 write server hello A
    OpenSSL: Loop: SSLv3 write change cipher spec A
    OpenSSL: Loop: SSLv3 write finished A
    OpenSSL: Loop: SSLv3 flush data
    OpenSSL: Loop: SSLv3 read finished A
    OpenSSL: Handshake: done
    Connection: Client IP: 164.95.119.43, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (56/128 bits)
    Initial (No.1) HTTPS request received for child 3 (server www-sps.sps.fms.treas.gov:443)
    OpenSSL: Write: SSL negotiation finished successfully
    Connection to child 3 closed with standard shutdown (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
    Connection to child 4 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
    Seeding PRNG with 1160 bytes of entropy
    OpenSSL: Handshake: start
    OpenSSL: Loop: before/accept initialization
    [Connection to child 5 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
    Seeding PRNG with 1160 bytes of entropy
    OpenSSL: Handshake: start
    OpenSSL: Loop: before/accept initialization
    OpenSSL: Loop: SSLv3 read client hello A
    OpenSSL: Loop: SSLv3 write server hello A
    OpenSSL: Loop: SSLv3 write certificate A
    OpenSSL: Loop: SSLv3 write key exchange A
    OpenSSL: Loop: SSLv3 write server done A
    OpenSSL: Loop: SSLv3 flush data
    OpenSSL: Loop: SSLv3 read client key exchange A
    OpenSSL: Loop: SSLv3 read finished A
    OpenSSL: Loop: SSLv3 write change cipher spec A
    OpenSSL: Loop: SSLv3 write finished A
    OpenSSL: Loop: SSLv3 flush data

In contrast, when SSLVerifyClient is 'none', mod_jk log shows

    Attempting to map URI '/app/servlet/ApplicationProxyServlet'
    jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 - /app/servlet/
    Into wc_get_worker_for_name ajp13
    wc_get_worker_for_name, done found a worker
    Into jk_worker_t::get_endpoint
    In jk_endpoint_t::ajp_get_endpoint, time elapsed since last request = 534 seconds
    Into jk_endpoint_t::service
    Into ajp_marshal_into_msgb
    ajp_marshal_into_msgb - Done
    sending to ajp13 #261
    ajp_send_request 2: request body to send 4708 - request body to resend 0
    sending to ajp13 #4714
    received from ajp13 #3
    sending to ajp13 #4
    received from ajp13 #3
    sending to ajp13 #4
    received from ajp13 #49
    ajp_unmarshal_response: status = 200
    ajp_unmarshal_response: Number of headers is = 2
    ajp_unmarshal_response: Header[0] [Content-Type] = [application/octet-stream]
    ajp_unmarshal_response: Header[1] [Content-Length] = [17776]
    received from ajp13 #1028
    received from ajp13 #1028
    received from ajp13 #1028
    received from ajp13 #1028
    received from ajp13 #1028
    received from ajp13 #1028
    received from ajp13 #1028
    received from ajp13 #1028
    received from ajp13 #1028
    ...

and the SSL engine log shows

    Connection to child 1 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
    Seeding PRNG with 1160 bytes of entropy
    OpenSSL: Handshake: start
    OpenSSL: Loop: before/accept initialization
    OpenSSL: Loop: SSLv3 read client hello A
    OpenSSL: Loop: SSLv3 write server hello A
    OpenSSL: Loop: SSLv3 write certificate A
    OpenSSL: Loop: SSLv3 write key exchange A
    OpenSSL: Loop: SSLv3 write server done A
    OpenSSL: Loop: SSLv3 flush data
    OpenSSL: Loop: SSLv3 read client key exchange A
    OpenSSL: Loop: SSLv3 read finished A
    OpenSSL: Loop: SSLv3 write change cipher spec A
    OpenSSL: Loop: SSLv3 write finished A
    OpenSSL: Loop: SSLv3 flush data
    Inter-Process Session Cache: request=SET status=OK id=7D883EF0B18F9E84BC57C4F02C6E34ADF6FF049BB7091F16B303B79AC906832B timeout=295s (session caching)
    OpenSSL: Handshake: done
    Connection: Client IP: 164.95.119.43, Protocol: TLSv1, Cipher: EDH-RSA-DES-CBC3-SHA (168/168 bits)
    Initial (No.1) HTTPS request received for child 1 (server www-sps.sps.fms.treas.gov:443)
    OpenSSL: Write: SSL negotiation finished successfully
    Connection to child 1 closed with standard shutdown
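The detail that makes Aaron's setup fragile is where SSLVerifyClient lives: inside a per-directory container, mod_ssl can only apply it once the request line and headers (and, for a POST, any body already read) have arrived, so a stricter per-directory value means renegotiating the connection that is already carrying the request. At the virtual-host level the same requirement is settled in the initial handshake and no renegotiation happens at all. The script below is an added example, not code from the thread, mod_ssl or mod_jk, that lints an httpd.conf for exactly that pattern; the names lint_sslverify.sh, per_dir_sslverify and count_per_dir_sslverify are its own.

```shell
#!/bin/sh
# lint_sslverify.sh -- added example; not code from the thread, mod_ssl or mod_jk.
# Flags SSLVerifyClient directives placed inside a per-directory container
# (<Location>, <Directory>, <Files> and their *Match forms). mod_ssl only knows
# which container matches after the request has been read, so a stricter
# per-directory setting forces a renegotiation of the established connection;
# the same directive at <VirtualHost> level is part of the initial handshake.

# per_dir_sslverify FILE : print "LINE CONTAINER DIRECTIVE" for each offending
# directive; succeed (0) if none were found, fail (1) otherwise
per_dir_sslverify() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)          # drop comments
            sub(/^[ \t]+/, "", line)      # drop leading blanks
        }
        # entering a per-directory container: push it on a stack
        line ~ /^<(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)[ \t>]/ {
            ctx[++depth] = line
            next
        }
        # leaving one: pop
        line ~ /^<\/(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)>/ {
            if (depth > 0) depth--
            next
        }
        # SSLVerifyClient while inside any container: report it
        depth > 0 && line ~ /^SSLVerifyClient[ \t]/ {
            printf "%d %s %s\n", NR, ctx[depth], line
            found = 1
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# count_per_dir_sslverify FILE : number of offending directives, as a plain integer
count_per_dir_sslverify() {
    per_dir_sslverify "$1" | wc -l | tr -d ' '
}

# usage: sh lint_sslverify.sh /etc/httpd/httpd.conf
if [ $# -eq 1 ]; then
    per_dir_sslverify "$1"
fi
```

On Aaron's snippet the script prints the `<Location /app/>` line that carries `SSLVerifyClient require`. Moving that directive (with its SSLVerifyDepth) up to the `<VirtualHost>` serving /app/ removes the renegotiation; the trade-off is that every request to that host, not only /app/, then has to present a client certificate. Whether a given client would have accepted the renegotiation is a separate question that this check does not answer.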
Re: mod_ssl/mod_jk failure with client authentication on
I realised that I included an irrelevant log snippet from the SSL log. Please
see the correction below.

Aaron Stromas said:

  Hi,

  I apologise for cross-posting - I'm really not sure which component is at
  fault, looks like mod_ssl but possibly mod_jk. BTW, is there a list (or
  some other venue) dedicated to mod_jk?

  My environment is Apache 1.3.22, mod_ssl 2.8.5, OpenSSL 0.9.6b, tomcat
  4.0.3. I have a servlet mounted like this

      JkMount /app/servlet/* ajp13
      JkMount /app/*.jsp ajp13
      <Location /app/>
          SSLVerifyClient require
          SSLVerifyDepth 4
      </Location>

  When SSLVerifyClient is set to 'none' all works fine, but when I set it as
  above, to 'require', it seems that the SSL connection is repeatedly
  renegotiated. The mod_jk log stops at this line (I edited out log entry
  headers for clarity):

      Attempting to map URI '/app/servlet/ApplicationProxyServlet'
      jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 - /app/servlet/

  whilst the ssl engine log shows this

      Connection to child 3 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
      Seeding PRNG with 1160 bytes of entropy
      OpenSSL: Handshake: start
      OpenSSL: Loop: before/accept initialization
      Inter-Process Session Cache: request=GET status=FOUND id=7A2A7121DDC60F144CA9F233A19E7BD7D88F0DCA06AEB588165EB9F01CA276DE (session reuse)
      OpenSSL: Loop: SSLv3 read client hello A
      OpenSSL: Loop: SSLv3 write server hello A
      OpenSSL: Loop: SSLv3 write change cipher spec A
      OpenSSL: Loop: SSLv3 write finished A
      OpenSSL: Loop: SSLv3 flush data
      OpenSSL: Loop: SSLv3 read finished A
      OpenSSL: Handshake: done
      Connection: Client IP: 164.95.119.43, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (56/128 bits)
      Initial (No.1) HTTPS request received for child 3 (server www-sps.sps.fms.treas.gov:443)
      OpenSSL: Write: SSL negotiation finished successfully
      Connection to child 3 closed with standard shutdown (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
      Connection to child 4 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
      Seeding PRNG with 1160 bytes of entropy
      OpenSSL: Handshake: start
      OpenSSL: Loop: before/accept initialization
      [Connection to child 5 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
      Seeding PRNG with 1160 bytes of entropy
      OpenSSL: Handshake: start
      OpenSSL: Loop: before/accept initialization
      OpenSSL: Loop: SSLv3 read client hello A
      OpenSSL: Loop: SSLv3 write server hello A
      OpenSSL: Loop: SSLv3 write certificate A
      OpenSSL: Loop: SSLv3 write key exchange A
      OpenSSL: Loop: SSLv3 write server done A
      OpenSSL: Loop: SSLv3 flush data
      OpenSSL: Loop: SSLv3 read client key exchange A
      OpenSSL: Loop: SSLv3 read finished A
      OpenSSL: Loop: SSLv3 write change cipher spec A
      OpenSSL: Loop: SSLv3 write finished A
      OpenSSL: Loop: SSLv3 flush data
      [ more SSL handshake]
      OpenSSL: Handshake: done
      Connection: Client IP: 164.95.119.43, Protocol: TLSv1, Cipher: EDH-RSA-DES-CBC3-SHA (168/168 bits)
      Initial (No.1) HTTPS request received for child 1 (server www-sps.sps.fms.treas.gov:443)
      Changed client verification type will force renegotiation
      Requesting connection re-negotiation
      Performing full renegotiation: complete handshake protocol
      OpenSSL: Write: SSL negotiation finished successfully
      Connection to child 0 closed with standard shutdown (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
      I/O: sucked 4708 bytes of input data from SSL/TLS I/O layer for delayed injection into Apache I/O layer
      OpenSSL: Handshake: start
      OpenSSL: Loop: SSL renegotiate ciphers
      OpenSSL: Loop: SSLv3 write hello request A
      OpenSSL: Loop: SSLv3 flush data
      Awaiting re-negotiation handshake
      OpenSSL: Handshake: start
      OpenSSL: Loop: before accept initialization
      Inter-Process Session Cache: request=REM status=OK id=38B1D98C2B4A6384FA080BDD4374ACE13881B23AD58834437874A1F03733FCFE (session dead)
      Write: SSLv3 read client hello B
      OpenSSL: Exit: error in SSLv3 read client hello B
      Re-negotiation handshake failed: Not accepted by client!?
      I/O: injecting 4708 bytes of pre-sucked data into Apache I/O layer
      OpenSSL: Write: SSLv3 read client hello B
      OpenSSL: Exit: error in SSLv3 read client hello B
      SSL error on writing data (OpenSSL library error follows)
      OpenSSL: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
      Connection to child 1 closed with standard shutdown (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)

  In contrast, when SSLVerifyClient is 'none', mod_jk log shows

      Attempting to map URI '/app/servlet/ApplicationProxyServlet'
      jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 - /app/servlet/
      Into wc_get_worker_for_name ajp13
      wc_get_worker_for_name, done found a worker
      Into jk_worker_t::get_endpoint
      In jk_endpoint_t::ajp_get_endpoint, time elapsed since last request = 534 seconds
      Into jk_endpoint_t::service
      Into ajp_marshal_into_msgb
      ajp_marshal_into_msgb - Done
      sending to ajp13 #261
      ajp_send_request 2: request body