Re: Apache with mod_ssl
Even more revealing was the passphrase prompt, not required for plain httpd...

Thanks,

Ron DuFresne

On Tue, 19 Jun 2007, Omar W. Hannet wrote:

Are you quite certain that the LoadModule for mod_ssl has been commented out? The reason I ask: the output from 'apachectl start' which you provided below shows 'mod_ssl/2.2.4'. In the log file /opt/apache-2.2.4/logs/error_log, on lines that contain 'Apache/2.2.4' and 'configured -- resuming normal operations', do you see 'mod_ssl/2.2.4'? If so, it is still being loaded from somewhere in your configuration.

Saikat Saha wrote:

Sorry for the late response on this one. This is what we have in httpd.conf, which is generated at compile time. This problem does not go away even if I comment out the last four lines and restart apache. Could you please advise what else could be leading apache to think it is https rather than http?

    # Secure (SSL/TLS) connections
    #Include conf/extra/httpd-ssl.conf
    #
    # Note: The following must be present to support
    #       starting without SSL on platforms with no /dev/random equivalent
    #       but a statically compiled-in mod_ssl.
    #
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

With the above commented out, when I try to start apache, I get the following passphrase prompt, and apache does not start even after saying the passphrase was successful; there are no logs in the logs directory although the log level is "debug":

    ]# ./apachectl start
    httpd: Could not reliably determine the server's fully qualified domain name, using 10.3.110.109 for ServerName
    Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide the pass phrases.

    Server 10.3.110.109:443 (RSA)
    Enter pass phrase:

    OK: Pass Phrase Dialog successful.
    [EMAIL PROTECTED] bin]#

Thank you very much for your help.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Monday, June 18, 2007 8:34 AM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Do you have tags surrounding all SSL directives in your configuration file? For example:

    SSLPassPhraseDialog builtin
    # etc.

Saikat Saha wrote:

Apache was compiled as below:

    ./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache" --prefix=/opt/apache-2.2.4

httpd -l gives the below:

    [EMAIL PROTECTED] bin]# httpd -l
    Compiled in modules:
      core.c
      prefork.c
      http_core.c
      mod_so.c

How do I compile so that it does not load mod_ssl automatically and loads it only if httpd.conf is configured for it? Surprisingly there are no error logs even at debug level. Thank you so very much for the kind help.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Friday, June 15, 2007 4:13 PM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Saikat Saha wrote:
> We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in the httpd.conf file to state that this is https. But when I start apache, it tries to go to https and prompts for a pass phrase. How does apache determine that this is https whereas this is actually an http server?

Perhaps mod_ssl is a compiled-in module. Run 'httpd -l' to check this.

> After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?

The reason probably can be found in Apache's error_log file.

> Also can apache support both http and https at different ports at the same time?

Yes. The defaults are port 80 for http and port 443 for https.
-- 
admin & senior security consultant: sysinfo.com http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List               modssl-users@modssl.org
Automated List Manager                  [EMAIL PROTECTED]
Re: SSL by Domain Name Error
More likely www.mydomain.com is not in DNS; perhaps trying this works:

    https://mydomain.com

If that works, it is a DNS issue.

Thanks,

Ron DuFresne

On Tue, 19 Jun 2007, Omar W. Hannet wrote:

I'll bet you're right when you say your provider may not be forwarding https requests properly. I'd run this one past them and see what they have to say about it.

Rob Archer wrote:

When accessing it by IP address using the debug option of openssl it returns what you would expect (i.e. the text of the key certificate). When accessing by domain name it says:

    Loading 'screen' into random state - done
    Connect: bad file descriptor
    Connect:errno=10060

I assume this is the equivalent of the "Internet Explorer cannot display the webpage" error in IE!!!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: 19 June 2007 17:07
To: modssl-users@modssl.org
Subject: Re: Ref : RE: Ref : RE: Ref : RE: SSL by Domain Name Error

Rob Archer wrote:
> No entry for https and the domain name in the access.log, and an "Internet Explorer cannot display the webpage" in IE when trying to get to the server.

Do you have access to the openssl command line program? It would tell you whether you are making a connection, and possibly shed some light on the problem. Like this:

    openssl s_client -connect www.mydomain.com:443 -debug
    GET /
RE: TLS 1.0 Backing Down to SSL 3.0
> Hi Richard,
>
> if no config rules work maybe the fastest way to achieve your goal are
> redirects depending on the current client protocol spoken. For
> example, redirecting every browser not communicating via TLS to an
> extra error page:
>
>     SSLOptions +StdEnvVars
>     RewriteEngine on
>     RewriteCond %{SSL:SSL_PROTOCOL} !TLSv1
>     RewriteCond %{REQUEST_URI} !^/error/.*$
>     RewriteRule .* /error/no_tls_encryption.html [R,L]
>
> Did not test this myself, see further details on
> http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25 and
> http://httpd.apache.org/docs/2.2/de/mod/mod_rewrite.html#rewritecond
>
> Greetings from Germany,
> Eckard

Eckard,

Thanks for the excellent suggestion, but I found the solution. I was focusing on SSLCipherSuite so much that I completely missed the SSLProtocol directive. It is not included in the default config and thus apparently defaults to all. Setting this to TLSv1 only yields the expected results - clients are not allowed to connect.

Your solution does present a more elegant result in that this page can be used to inform the user that they need to enable TLSv1 in their browser, or use one that supports TLS.

Regards,
Rich
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
On Mon, 11 Jun 2007, Mark Beiley wrote:

> I've learned that I can fix this problem by not using an external style sheet. This only affects IE6 on XP without SP2. Everyone else seems to be able to view my pages fine, and even these problematic IE6/XP customers can view pages with external style sheets that are not using HTTPS.

There are really idiots using XP without SP2? Damn!

Thanks,

Ron DuFresne
Re: TLS 1.0 Backing Down to SSL 3.0
Fought, Richard wrote:
> I'm trying to configure my Apache 2.0.59 server w/ mod_ssl to use TLS
> 1.0 only. I have set the SSLCipherSuite accordingly, however when I
> connect with IE6 with SSLv3 enabled and TLSv1 disabled, I still get
> through because of the TLS ability to back down to SSL 3.0. Is there a
> way to disable this behavior in the configuration?

Hi Richard,

if no config rules work maybe the fastest way to achieve your goal are redirects depending on the current client protocol spoken. For example, redirecting every browser not communicating via TLS to an extra error page:

    SSLOptions +StdEnvVars
    RewriteEngine on
    RewriteCond %{SSL:SSL_PROTOCOL} !TLSv1
    RewriteCond %{REQUEST_URI} !^/error/.*$
    RewriteRule .* /error/no_tls_encryption.html [R,L]

Did not test this myself, see further details on http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25 and http://httpd.apache.org/docs/2.2/de/mod/mod_rewrite.html#rewritecond

Greetings from Germany,
Eckard
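An added example, not code from any of the posters or from the mod_ssl project, that turns two points from the threads above into a check: walking the Include tree of a 2.0/2.2 httpd.conf to find where ssl_module and SSLEngine are still active on uncommented lines (the "Apache with mod_ssl" thread, where the module kept loading from "somewhere in your configuration"), and evaluating SSLProtocol, which defaults to all when the directive is absent (the "TLS 1.0 Backing Down to SSL 3.0" thread). The function names, the PREFIX path and the vhost file contents in SAMPLE are constructed for the demonstration; Include globs and directories are not handled.

```python
import re

PROTOCOLS = {"sslv2", "sslv3", "tlsv1"}   # the names mod_ssl 2.0/2.2 understands
DIRECTIVE = re.compile(r"^\s*(LoadModule|Include|SSLEngine|SSLProtocol)\s+(.*?)\s*$", re.I)

def allowed_protocols(arg):
    """Evaluate an SSLProtocol argument as mod_ssl does: 'all' expands to every
    protocol, '-x' removes x, '+x' or a bare 'x' adds it."""
    allowed = set()
    for token in arg.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = PROTOCOLS if name.lower() == "all" else {name.lower()}
        allowed = allowed | names if sign == "+" else allowed - names
    return allowed

def audit(files, start, prefix):
    """files is {path: text}. Walk from `start` following Include (relative paths
    resolve against `prefix`) and report (file, line, finding) for each uncommented
    LoadModule ssl_module or SSLEngine on, plus SSLProtocol when it allows more
    than TLSv1. A missing SSLProtocol is treated as the 2.0/2.2 default 'all'."""
    findings, protocol = [], None
    def walk(path):
        nonlocal protocol
        for n, line in enumerate(files.get(path, "").splitlines(), 1):
            m = DIRECTIVE.match(line)
            if not m or line.lstrip().startswith("#"):  # '#' lines are inactive
                continue
            name, arg = m.group(1).lower(), m.group(2).strip('"')
            if name == "include":
                walk(arg if arg.startswith("/") else prefix + "/" + arg)
            elif name == "loadmodule" and arg.lower().startswith("ssl_module"):
                findings.append((path, n, "LoadModule ssl_module is active here"))
            elif name == "sslengine" and arg.lower() == "on":
                findings.append((path, n, "SSLEngine on"))
            elif name == "sslprotocol":
                protocol = (path, n, arg)
    walk(start)
    path, n, arg = protocol or (start, 0, "all")
    weak = allowed_protocols(arg) - {"tlsv1"}
    if weak:
        findings.append((path, n, "SSLProtocol allows " + ", ".join(sorted(weak))
                         + "; set 'SSLProtocol -all +TLSv1'"))
    return findings

# Constructed sample, not the posters' files: httpd.conf has its SSL lines
# commented out, but a vhost file it Includes still loads ssl_module.
PREFIX = "/opt/apache-2.2.4"
SAMPLE = {PREFIX + "/conf/httpd.conf": "#LoadModule ssl_module modules/mod_ssl.so\n"
          "Include conf/extra/httpd-vhosts.conf\n#Include conf/extra/httpd-ssl.conf\n",
          PREFIX + "/conf/extra/httpd-vhosts.conf": "LoadModule ssl_module modules/mod_ssl.so\n"
          "<VirtualHost _default_:443>\n  SSLEngine on\n  SSLProtocol all -SSLv2\n</VirtualHost>\n"}

def run_sample():
    return audit(SAMPLE, PREFIX + "/conf/httpd.conf", PREFIX)
```

run_sample() returns three findings, all pointing into the Included vhost file: the active LoadModule on line 1, SSLEngine on on line 3, and an SSLProtocol on line 4 that still admits SSLv3.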