mod_ssl errors
Sorry I couldn't be more specific with my subject. :)

Anyhow, I've never worked with ssl certs before, and the only knowledge I have is from reading documentation and reference manuals. I got a cert from Verisign, installed Apache+mod_ssl, and configured it to use the cert I got back from Verisign using what I learned from the documentation. Getting errors, though. If I try to connect to the ssl server, I get the following in the ssl log:

    [28/Jan/2000 15:53:37 12885] [info] Init: Configuring server www.myhost.com:443 for SSL protocol
    [28/Jan/2000 15:54:03 12886] [info] Connection to child 0 established (server www.myhost.com:443, client 209.133.93.172)
    [28/Jan/2000 15:54:06 12886] [error] SSL handshake failed (server www.myhost.com:443, client 209.133.93.172) (OpenSSL library error follows)
    [28/Jan/2000 15:54:06 12886] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Here are the relevant entries I put into httpd.conf:

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLLog /usr/local/apache/logs/ssl_engine_log
    SSLLogLevel info

    ## there is only one ssl host on the machine, so this
    ## shouldn't be a problem
    ServerName www.myhost.com
    Port 443
    ErrorLog /var/log/www/www.myhost.com/error.log
    TransferLog /var/log/www/www.myhost.com/access.log
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    CustomLog /var/log/www/www.myhost.com/referer.log referer
    CustomLog /var/log/www/www.myhost.com/agent.log agent
    ScriptAlias /cgi-bin/ /usr/local/www/www.myhost.com/cgi-bin/
    Options +Includes ExecCGI
    SSLEngine on
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/www.myhost.com.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.myhost.com.key
    SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
    ### ^^^ the CA installed by mod_ssl/OpenSSL
    SSLLog /var/log/www/www.myhost.com/ssl.log
    SSLOptions +StdEnvVars
    SSLVerifyClient 2
    SSLVerifyDepth 10
    SSLLogLevel info

What is the problem here? Thank you for any help.

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
mod_ssl errors
Hi All,

I switched my LogLevel to info and noticed this error in the logs:

    [client ::1] (70007)The timeout specified has expired: SSL input filter read failed.

Furthermore, when I do a graceful restart, I get this error:

    [client ::1] SSL library error 1 in handshake (server localhost:443)
    SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
    [client ::1] Connection closed to child 9 with abortive shutdown (server localhost:443)

I am using mod_ssl/2.2.11 compiled against Server: Apache/2.2.11, Library: OpenSSL/0.9.8h on OS X but I have also seen the problem on Linux as well. The setup I have is dead simple - I am setting up a virtual host on port 80 and on port 443, both serving static files from apache/htdocs.

Does anybody have any ideas what could be causing these ssl errors?

Thanks,
Andres

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majord...@modssl.org
Re: mod_ssl errors
jay wrote:
> [28/Jan/2000 15:54:06 12886] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Your browser does not present a client cert (at least no cert issued by a CA your server knows), but you enabled client verification. If you set "SSLVerifyClient none" in your httpd.conf, everything should work fine. If you really need client cert verification, you have to get||install a client cert in your browser.

Eckard
Re: mod_ssl errors
Hi -

Does anyone on this list know what could be used to encrypt/decrypt streaming files on the fly? I understand that public key encryption could probably be used for encrypting a small key that would unlock the larger file.

Regards, Jeff

On Sat, 29 Jan 2000, Eckard Wille wrote:

> jay wrote:
> > [28/Jan/2000 15:54:06 12886] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
>
> Your browser does not present a client cert (at least no cert issued
> by a CA your server knows), but you enabled client verification. If
> you set "SSLVerifyClient none" in your httpd.conf, everything should
> work fine. If you really need client cert verification, you have to
> get||install a client cert in your browser.
>
> Eckard
Re: mod_ssl errors
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 29, 2000 11:50 AM
Subject: Re: mod_ssl errors

> Hi -
>
> Does anyone on this list know what could be used to encrypt/decrypt
> streaming files on the fly? I understand that public key encryption could
> probably be used for encrypting a small key that would unlock the larger
> file.
>
> Regards, Jeff
>
> On Sat, 29 Jan 2000, Eckard Wille wrote:
>
> > jay wrote:
> > > [28/Jan/2000 15:54:06 12886] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
> >
> > Your browser does not present a client cert (at least no cert issued
> > by a CA your server knows), but you enabled client verification. If
> > you set "SSLVerifyClient none" in your httpd.conf, everything should
> > work fine. If you really need client cert verification, you have to
> > get||install a client cert in your browser.
> >
> > Eckard

Since SSL is a session based protocol, it is difficult to use it for file encryption. It is based on a secret, that is established during the handshake phase. Once the session is terminated, the secret cannot be recovered. To encrypt files, s/mime surely can be used.

Cheers
Lin Geng
FW: Mod_SSL Errors
Trying to get SSL running for the first time. Using Apache 1.2.23, openssl-0.9.6c, mod_ssl-2.8.7-1.3.23. After creating the virtual host and restarting apache I get the following errors:

    [Mon Mar 18 09:22:56 2002] [error] mod_ssl: Init: (secure.raeinternet.com:443) Unable to configure verify locations for client authentication (OpenSSL library error follows)
    [Mon Mar 18 09:22:56 2002] [error] OpenSSL: error:0906D066:PEM routines:PEM_read_bio:bad end line
    [Mon Mar 18 09:22:56 2002] [error] OpenSSL: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:missing asn1 eos
    [Mon Mar 18 09:23:04 2002] [error] mod_ssl: Init: (secure.raeinternet.com:443) Unable to configure verify locations for client authentication (OpenSSL library error follows)
    [Mon Mar 18 09:23:04 2002] [error] OpenSSL: error:0906D066:PEM routines:PEM_read_bio:bad end line

I have seen others have found this error but I could not find a solution.

Michael Katz
RAE Internet
39 Carthage Road
Scarsdale, NY 10583
ph. (914) 725-2370, (877)302-2027
fax (914) 725-2372
http://www.raeinternet.com
US Distributor RAV Antivirus
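
A structural check for the kind of PEM file that the "PEM_read_bio:bad end line" error in the message above complains about, added here as an example and not part of the original post or of mod_ssl. The function name, the messages it returns and the sample bundles are constructed for illustration; the sample bodies are placeholder base64, not real certificates.

```python
import base64
import binascii
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
GLUED = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----$")  # BEGIN stuck onto an END line

def lint_pem_bundle(text):
    """Return (line_number, problem) tuples for structural defects in a PEM bundle."""
    problems, label, body, start = [], None, [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()  # drop CR and trailing blanks before matching
        begin, end = BEGIN.match(line), END.match(line)
        if begin:
            if label is not None:
                problems.append((start, f"block '{label}' has no END line"))
            label, body, start = begin.group(1), [], no
        elif label is None:
            # Outside a block only a stray END matters; other text is commentary.
            if "-----END" in line:
                problems.append((no, "END line without a BEGIN line"))
        elif end and end.group(1) == label:
            try:
                base64.b64decode("".join(body), validate=True)
            except binascii.Error:
                problems.append((start, f"block '{label}' is not valid base64"))
            label = None
        elif end or "-----" in line:
            # Truncated, mislabelled or run-together END line.
            problems.append((no, f"bad end line for '{label}': {line!r}"))
            glued = GLUED.search(line)
            label, body, start = (glued.group(1) if glued else None), [], no
        else:
            body.append(line)
    if label is not None:
        problems.append((start, f"block '{label}' has no END line"))
    return problems

def _block(payload):
    # Constructed stand-in for a certificate body; structure only, not real DER.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

GOOD = _block(b"constructed-ca-one") + _block(b"constructed-ca-two")
GLUED_BUNDLE = GOOD.replace("-----\n-----BEGIN", "----------BEGIN", 1)  # lost newline
TRUNCATED = GOOD.rstrip("-\n")                                         # cut-off END

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("glued", GLUED_BUNDLE), ("truncated", TRUNCATED)):
        print(name, lint_pem_bundle(sample))
```

Run it over the text of the file named in SSLCACertificateFile; a clean result only means the BEGIN/END framing and base64 are intact, not that the certificates themselves are valid.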