Hi all, I hope this is the correct list. First time posting.
I am getting a lot of customers complaining that they get "Page Cannot be
Displayed" errors when they connect to our SSL server. I cannot for the life
of me figure out if it's my problem or theirs. Below is my SSL configuration
for my server. Can someone take a look and let me know if it's OK? I have
also included results from an openssl s_client test.
Thanks,
Doug
## SSL Global Context
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/lib/apache2/ssl_scache
SSLSessionCacheTimeout 600
SSLMutex sem
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
</IfDefine>
</IfDefine>
<VirtualHost 192.168.0.9:443>
ServerAdmin [EMAIL PROTECTED]
ServerName my.server.com:443
SuexecUserGroup dspam dspam
DocumentRoot /srv/www/vhosts/my.server.com/htdocs
SetEnvIf Remote_Addr "192\.168\.0" dontlog
SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
SetEnvIf Request_URI "^.*getsessiontime\.php.*$" dontlog
ErrorLog "|/usr/local/sbin/cronolog /srv/www/vhosts/my.server.com/logs/%m-%Y/error.log"
CustomLog "|/usr/local/sbin/cronolog /srv/www/vhosts/my.server.com/logs/%m-%Y/access.log" combined env=!dontlog
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StrictRequire
SSLCertificateFile /etc/apache2/ssl.crt/secure_essex3_com-new2.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/secure-essex3-com-new2.key
SSLCACertificatePath /etc/apache2/ssl.crt
SSLCACertificateFile /etc/apache2/ssl.crt/secure_essex3_com.ca-bundle
<Directory "/srv/www/vhosts/my.server.com/htdocs">
Options -Indexes FollowSymLinks
AllowOverride none
Order allow,deny
Allow from all
SSLRequireSSL
</Directory>
<Directory "/srv/www/vhosts/my.server.com/htdocs/xxx/xxx/admin">
Order allow,deny
Allow from 192.168.0
</Directory>
<Directory "/srv/www/vhosts/my.server.com/htdocs/zzz/vvv">
php_value register_globals 1
</Directory>
Alias /product/base.css /srv/www/htdocs/product/base.css
Alias /product/product-logo-small.gif /srv/www/htdocs/product/product-logo-small.gif
ScriptAlias /product/ /srv/www/htdocs/product/
<directory "/srv/www/htdocs/product">
Options +ExecCGI
AuthName "PRODUCT Quarantine Area"
AuthType Basic
AuthShadow on
Require valid-user
Order Deny,allow
Allow from all
</directory>
<directory "/srv/www/vhosts/my.server.com/htdocs/yyy/admin">
Options +ExecCGI
AuthName "Restricted Site"
AuthType Basic
AuthShadow on
Require valid-user
Order Deny,allow
Allow from all
</directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
openssl s_client -connect my.server.com:443 -state -reconnect
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
...
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
...
SSL handshake has read 3080 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
...
drop connection and then reconnect
SSL3 alert write:warning:close notify
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read finished A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
---
drop connection and then reconnect
SSL3 alert write:warning:close notify
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read finished A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
---
drop connection and then reconnect
SSL3 alert write:warning:close notify
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read finished A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
---
drop connection and then reconnect
SSL3 alert write:warning:close notify
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read finished A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
---
drop connection and then reconnect
SSL3 alert write:warning:close notify
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read finished A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
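As an added check (example code, not part of Doug's post), a small Python script that parses an `openssl s_client -reconnect` transcript like the one above and reports reconnects that were not resumed from the SSLSessionCache, handshakes that never completed, and negotiated ciphers that a local policy (the WEAK_FRAGMENTS list is an assumption here) would reject:

```python
"""Parse an `openssl s_client -reconnect` transcript and check resumption and cipher."""
import re

SUMMARY_RE = re.compile(r"^(New|Reused), (\S+), Cipher is (\S+)$")
BYTES_RE = re.compile(r"^SSL handshake has read (\d+) bytes and written (\d+) bytes$")
# Cipher-name fragments a local policy rejects (an assumption for this example).
WEAK_FRAGMENTS = ("NULL", "EXP", "RC4", "ADH", "AECDH", "DES-CBC-SHA")

# Constructed sample: the reconnect test quoted in the post, reduced to the lines
# the parser needs (one full handshake followed by two resumed connections).
SAMPLE = """CONNECTED(00000003)
SSL handshake has read 3080 bytes and written 340 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
"""


def parse_s_client(transcript):
    """One dict per CONNECTED(...) block; fields stay None if the handshake never finished."""
    records = []
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("CONNECTED("):
            records.append({"reused": None, "protocol": None, "cipher": None,
                            "read_bytes": None, "written_bytes": None})
        elif records and (m := SUMMARY_RE.match(line)):
            records[-1].update(reused=(m.group(1) == "Reused"),
                               protocol=m.group(2), cipher=m.group(3))
        elif records and (m := BYTES_RE.match(line)):
            records[-1].update(read_bytes=int(m.group(1)), written_bytes=int(m.group(2)))
    return records


def check_reconnects(records):
    """Return findings; an empty list means the reconnect test looks healthy."""
    findings = []
    if not records or records[0]["reused"] is not False:
        findings.append("connection 0: expected a full handshake (New)")
    for i, rec in enumerate(records):
        if rec["cipher"] is None:
            findings.append("connection %d: handshake never completed" % i)
        elif i and not rec["reused"]:
            findings.append("connection %d: not resumed, check SSLSessionCache" % i)
        if any(f in (rec["cipher"] or "") for f in WEAK_FRAGMENTS):
            findings.append("connection %d: weak cipher %s" % (i, rec["cipher"]))
    return findings
```

Run it against a full transcript saved from `openssl s_client -connect host:443 -state -reconnect` to confirm that every reconnect reports "Reused" and that no connection stops before the summary line.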
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.