queuebert
(new user )
Mon Mar 14 2005 04:11 AM
Apache 2 and SSL

Hi all,

I am trying to implement SSL on my Apache2 configuration. I took all the steps but I apparently did something wrong and am having difficulty tracking it down.

Facts:
- openssl is downloaded and when I run "apache2ctl startssl", it gives me no errors.
- I know it is passing the <IfDefine SSL> test because if I put jibberish within that section, it tells me about it whereas it used to not tell me.
- I have generated temporary .csr, .crt, and .key files, all of which Apache 2 appears to be reading.
- I have listen.conf set with NameVirtualHost *, and a virtual host to match, *:443.
- I have port 443 open on my firewall

Problem:
When I try to visit https://secure.host.com, Firefox tells me "The Connection to secure.host.com has terminated unexpectedly. Some data may have been transferred." Internet Explorer tells me "You are about to view data over a secure connection blah blah blah" and then when I click OK, it takes me to the built-in "Server not found" page.

If anyone could give me any suggestions or advice, or point me to a more appropriate forum, I would greatly appreciate it!

Thanks,
Sean Noble


MarkRound111
(new user)
Mon Mar 14 2005 01:42 PM
Re: Apache 2 and SSL

What does the configuration look like for the vhost on port 443 ?


queuebert
(new user )
Mon Mar 14 2005 07:45 PM
Re: Apache 2 and SSL

Here it is...

<IfDefine SSL>
<VirtualHost 10.0.2.121:443>
ServerAdmin secure@host.com
DocumentRoot /var/www/htdocs/secure.host.com/
ServerName secure.host.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl.crt/host.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/host.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /var/www/log/host_ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>

Also a note I forgot to mention before, it's not getting to the point where anything is written to the log file.

Further, I was mistaken about the SSL-enabled virtual host being *:443, it is in fact 10.0.2.121:443. When I use *:443 it says that the results could be unpredictable.

queuebert
(new user )
Tue Mar 15 2005 11:06 AM
Re: Apache 2 and SSL

Nevermind, I figured it out. I appreciate the interest in helping, though. :-) Thanks!


hard_format
(new user)
Thu Jul 07 2005 03:57 PM
Re: Apache 2 and SSL

I am having the same, or atleast a similiar problem with getting SSL to work with apache 2, how did you end up resolving your problem?

Thanks in advance.


TheFatControlleRAdministrator
(Forum Admin)
Thu Jul 07 2005 10:10 PM
Re: Apache 2 and SSL

Hi hard_format - Welcome to the forum!

Unfortunately, I doubt you'll get an answer to that. This thread is nigh on 4 months old and queuebert appears to be one of those folk who don't help others by reporting back with their solution.

Try posting your query in full, in a new thread.
TFC
'The power of accurate observation is frequently called cynicism by those who don't have it.' - George Bernard Shaw
hard_format
(new user)
Fri Jul 15 2005 07:20 PM
Re: Apache 2 and SSL

Actually, I did end up finding a solution myself. I had been trying to verify that the apache was actually handing the traffic on port 443 over to SSL and that everything was getting through my firewalls to where it needed to be.
'openssl s_client -connect localhost:443'
Proved that traffic was getting through on port 443 but apache was trying to deal with the traffic itself instead of sending it through SSL.
As it turned out the problem was a series of little things with apache itself and all my futzing with certificates was pointless. First problem was the stupidest, I was starting apache with './apachectl start' instead of './apachectl startssl', then there were also some problems with my httpd.conf.

I had to alter my 'NameVirtualHost' line to include the port 80, and make a duplicate for port 443. Finally I had to duplicate all of my 'VirtualHost' blocks to have one standard port 80 version, and one SSL configured port 443 version.

Just for fun and to make everything look a little better I put all the SSL 'VirtualHost' blocks and the extra 'NameVirtualHost' statement inside an '<IfDefine SSL></IfDefine>' block.

And hooray, SSL works! only problem now is that I've discovered that you can only have one SSL certificate per IP. So the only way to have multiple virtualhosts each with their own cert is to use IP based virtualhosting instead of the name based setup I've got now.


Here's a modified version of the relevant portion of my httpd.conf, hope this clears up any of the muck from above.

Code:

NameVirtualHost 192.168.1.2:80
<IfModule mod_ssl.c>
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin

  NameVirtualHost 192.168.1.2:443
</IfModule>
Listen *:80
ServerName my.servername.example.com


<IfDefine SSL>
    Listen *:443

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

    SSLPassPhraseDialog  builtin
    
    SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_scache
    SSLSessionCacheTimeout  300

    SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
    <VirtualHost 192.168.1.2:443>
        ServerAdmin admin@example.com
        DocumentRoot /usr/local/apache2/htdocs
        ServerName my.servername.example.com
        ErrorLog logs/my.servername.example.com-error_log-ssl
        TransferLog logs/my.servername.example.com-access_log-ssl
        ScriptAlias /cgi-bin/ /usr/local/apache2/cgi-bin/

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /usr/local/apache2/conf/ssl/www.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl/www.pem
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/usr/local/apache2/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
    </VirtualHost>
    
    <VirtualHost 192.168.1.2:443>
        ServerAdmin admin@example.com
        DocumentRoot /home/vhost2/public_html
        ServerName vhost2.servername.example.com
        ErrorLog logs/vhost2.servername.example.com-error_log-ssl
        TransferLog logs/vhost2.servername.example.com-access_log-ssl
        ScriptAlias /cgi-bin/ /usr/local/apache2/cgi-bin/

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /usr/local/apache2/conf/ssl/vhost2.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl/vhost2.pem
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/usr/local/apache2/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
    </VirtualHost>
    
    <VirtualHost 192.168.1.2:443>
        ServerAdmin admin@example.com
        DocumentRoot /home/vhost3/public_html
        ServerName vhost3.servername.example.com
        ErrorLog logs/vhost3.servername.example.com-error_log-ssl
        TransferLog logs/vhost3.servername.example.com-access_log-ssl
        ScriptAlias /cgi-bin/ /usr/local/apache2/cgi-bin/

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /usr/local/apache2/conf/ssl/vhost3.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl/vhost3.pem
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/usr/local/apache2/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0

        Options Includes MultiViews
    </VirtualHost>
</IfDefine>


<VirtualHost 192.168.1.2:80>
    ServerAdmin admin@example.com
    DocumentRoot /usr/local/apache2/htdocs
    ServerName my.servername.example.com
    ErrorLog logs/my.servername.example.com-error_log
    TransferLog logs/my.servername.example.com-access_log
    ScriptAlias /cgi-bin/ /usr/local/apache2/cgi-bin/
    Options Includes MultiViews
</VirtualHost>

<VirtualHost 192.168.1.2:80>
    ServerAdmin admin@example.com
    DocumentRoot /home/vhost2/public_html
    ServerName vhost2.servername.example.com
    ErrorLog logs/vhost2.servername.example.com-error_log
    TransferLog logs/vhost2.servername.example.com-access_log
</VirtualHost>

<VirtualHost vhost3.servername.example.com:80>
    ServerAdmin admin@example.com
    DocumentRoot /home/vhost3/public_html
    ServerName vhost3.servername.example.com
    ErrorLog logs/vhost3.servername.example.com-error_log
    TransferLog logs/vhost3.servername.example.com-access_log
</VirtualHost>

Contact Us | Privacy statement Main website
Hitwise Top 10 Award Winner - Jan-Mar 2005

About us | Contact us | Link to us | Terms & Conditions | Privacy Policy
© Copyright IPC Media Limited, All rights reserved