Can SSL work with IP Address instead of FQDN?


Can SSL work with IP Address instead of FQDN?

dmitrik
Trying to set up ssl for an intranet. There is no FQDN, just an IP address.

Is this possible?

I've created the certificate keys as X.X.X.X.key
instead of www.example.com.key

I'm able to run the startssl command (see below)
It asks for the pass phrase, and says it logs in, but the
error log (list below too), shows some problems which
I don't understand.

Any ideas?

tia,
dk


this is the log file after running:

nycupa4:/usr/local/bin >sudo /usr/local/apache2/bin/apachectl startssl
Apache/2.0.54 mod_ssl/2.0.54 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server 192.33.175.160:443 (RSA)
Enter pass phrase:

Ok: Pass Phrase Dialog successful.


log file below -  it shows Child 19200 returned a Fatal error
is there

207361 [Wed Aug 10 09:07:58 2005] [notice] Digest: generating secret for digest authentication ...
 207362 [Wed Aug 10 09:07:58 2005] [notice] Digest: done
 207363 [Wed Aug 10 09:08:00 2005] [warn] pid file /var/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
 207364 [Wed Aug 10 09:08:00 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
 207365 [Wed Aug 10 09:08:00 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
 207366 [Wed Aug 10 09:08:00 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
 207367 [Wed Aug 10 09:08:00 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
 207368 [Wed Aug 10 09:08:00 2005] [notice] Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7d DAV/2 configured -- resuming normal operations
 207369 [Wed Aug 10 09:08:00 2005] [alert] Child 19200 returned a Fatal error... Apache is exiting!
 207370 [Wed Aug 10 09:08:00 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295

Is there a way to see which process might be Child 19200?
also looking into  (22)Invalid argument: setgid: unable to set group id to Group 4294967295


also the following command

openssl s_client -connect 193.44.23.34:443 -debug

returns

Connection Refused
Err= 146

Any ideas?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Can SSL work with IP Address instead of FQDN?

Jorey Bump
[hidden email] wrote:
> Trying to set up ssl for an intranet. There is no FQDN, just an IP address.
>
> Is this possible?

Yes. The only important thing is that the hostname used by clients to
find your machine must match the Common Name in the certificate. So, if
your other machines use https://intranet.localdomain/ to view web pages,
the Common Name must be intranet.localdomain. The server itself doesn't
even need to know it's being called intranet.localdomain (unless you're
using name-based virtual hosts).

> I've created the certificate keys as X.X.X.X.key
> instead of www.example.com.key

The name of the key doesn't matter, it's just used in path
specifications (and of course, sometimes the OS gives the extension
special meaning).

> I'm able to run the startssl command (see below)
> It asks for the pass phrase, and says it logs in, but the
> error log (list below too), shows some problems which
> I don't understand.
>
> Any ideas?

It looks like an apache configuration problem.

> this is the log file after running:
>
> nycupa4:/usr/local/bin >sudo /usr/local/apache2/bin/apachectl startssl
> Apache/2.0.54 mod_ssl/2.0.54 (Pass Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide us with the pass phrases.
>
> Server 192.33.175.160:443 (RSA)
> Enter pass phrase:
>
> Ok: Pass Phrase Dialog successful.

This isn't robust. Strip the passphrase from your key, and make it
readable by root only.

> log file below -  it shows Child 19200 returned a Fatal error
> is there
>
> 207361 [Wed Aug 10 09:07:58 2005] [notice] Digest: generating secret for digest authentication ...
>  207362 [Wed Aug 10 09:07:58 2005] [notice] Digest: done
>  207363 [Wed Aug 10 09:08:00 2005] [warn] pid file /var/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
>  207364 [Wed Aug 10 09:08:00 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
>  207365 [Wed Aug 10 09:08:00 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
>  207366 [Wed Aug 10 09:08:00 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
>  207367 [Wed Aug 10 09:08:00 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
>  207368 [Wed Aug 10 09:08:00 2005] [notice] Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7d DAV/2 configured -- resuming normal operations
>  207369 [Wed Aug 10 09:08:00 2005] [alert] Child 19200 returned a Fatal error... Apache is exiting!
>  207370 [Wed Aug 10 09:08:00 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
>
> Is there a way to see which process might be Child 19200?

Not likely to matter.

> also looking into  (22)Invalid argument: setgid: unable to set group id to Group 4294967295

This is your real problem. Check your Group setting in your apache
configuration. You probably just need to get your permissions and
ownerships correct.

> also the following command
>
> openssl s_client -connect 193.44.23.34:443 -debug
>
> returns
>
> Connection Refused
> Err= 146
>
> Any ideas?

Can't work if apache's not running. ;)


Re: Can SSL work with IP Address instead of FQDN?

dmitrik
In reply to this post by dmitrik
> > also looking into  (22)Invalid argument: setgid: unable to set group id to Group 4294967295
>
> This is your real problem. Check your Group setting in your apache
> configuration. You probably just need to get your permissions and
> ownerships correct.


Thanks very much for your response. Any idea what the Group setting needs to
be in httpd.conf?

this is how it looks now

 User nobody
 Group #-1

tia,
dk

Re: Can SSL work with IP Address instead of FQDN?

Jagannadha Bhattu
In reply to this post by Jorey Bump
4294967295 is -1. That means the previous API in the code returned -1,
which was passed to setgid. So instead of getting the group permissions
and ownerships correct, you may want to see the group name itself.
Probably that was wrong.

JB

Re: Can SSL work with IP Address instead of FQDN?

Jorey Bump
In reply to this post by dmitrik
[hidden email] wrote:

> > also looking into  (22)Invalid argument: setgid: unable to set group id to Group 4294967295
>
> This is your real problem. Check your Group setting in your apache
> configuration. You probably just need to get your permissions and
> ownerships correct.
>
> Thanks very much for your response. Any idea what the Group setting needs to
> be in httpd.conf?

In theory, only you know this. :)

What's your platform? The de facto standard varies, and it's anyone's
guess if you compiled apache yourself.

> this is how it looks now
>
>  User nobody
>  Group #-1

Try:

  Group nobody

Of course, you need to have the nobody group on your system (many
already do). Another popular choice for User/Group is apache (again, it
must be present, don't mess with this until you understand the
implications of creating a special user for Apache).


RE: Can SSL work with IP Address instead of FQDN?

JoelKatz
In reply to this post by dmitrik

> Thanks very much for your response. Any idea what the Group
> setting needs to
> be in httpd.conf?
>
> this is how it looks now
>
>  User nobody
>  Group #-1
>
> tia,
> dk

        It depends what group you want apache to run under. If you have a "nobody"
group, that's probably what you want.

        DS



Re: Can SSL work with IP Address instead of FQDN?

dmitrik
In reply to this post by dmitrik
> Try:
>
>   Group nobody
>
> Of course, you need to have the nobody group on your system (many
> already do). Another popular choice for User/Group is apache (again, it
> must be present, don't mess with this until you understand the
> implications of creating a special user for Apache).

again, thanks very much for the response.

I believe it is unix/solaris system. The unix admin compiled apache.
Is there a way to check users and groups?  Are these groups and
users unix accounts, or accounts under apache? Before trying to
implement ssl (when there was no ssl.conf and a smaller version of
httpd.conf was used), the apache server worked correctly (using apachectl start, not startssl - is apachectl startssl the correct way to start the server?). Since then,
an upgrade was performed from apache 1.3 to apache2 - some libraries
were missing, and they were patched, but there may still be missing
libraries.

The Group was changed to nobody, and the error_log still produced:

207401 [Wed Aug 10 11:11:10 2005] [notice] Digest: generating secret for digest authentication ...
 207402 [Wed Aug 10 11:11:10 2005] [notice] Digest: done
 207403 [Wed Aug 10 11:11:13 2005] [warn] pid file /var/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
 207404 [Wed Aug 10 11:11:13 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
 207405 [Wed Aug 10 11:11:13 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
 207406 [Wed Aug 10 11:11:13 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
 207407 [Wed Aug 10 11:11:13 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295
 207408 [Wed Aug 10 11:11:13 2005] [notice] Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7d DAV/2 configured -- resuming normal operations
 207409 [Wed Aug 10 11:11:13 2005] [alert] Child 22341 returned a Fatal error... Apache is exiting!
 207410 [Wed Aug 10 11:11:13 2005] [alert] (22)Invalid argument: setgid: unable to set group id to Group 4294967295


tia,
dk

Re: Can SSL work with IP Address instead of FQDN?

Jagannadha Bhattu
Hope you have created a group called nobody. You can try ltrace and
try to see what is going wrong.

JB

Re: Can SSL work with IP Address instead of FQDN?

dmitrik
In reply to this post by dmitrik
Reverse that - accidentally changed the wrong file -
changing the group to nobody stopped the error_log errors.

Many Thanks!

What is next required to see https://ipaddress:443/index.html ?

using netstat -na |grep LISTEN

displays  443

when typing  https://ipaddress:443/index.html  into a browser
it cannot find the page and goes back to

https://ipaddress

When trying this command:

openssl s_client -connect ipaddress:443 -state -debug -bugs

it seems to write out the certificate and then:

---
No client certificate CA names sent
---
SSL handshake has read 2519 bytes and written 304 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : shows string here
    Session-ID: showsid here
    Session-ID-ctx:
    Master-Key: shows key here
    Key-Arg   : None
    Start Time: 1123688834
    Timeout   : 300 (sec)
    Verify return code: 7 (certificate signature failure)

any ideas?

tia,
dk

Re: Can SSL work with IP Address instead of FQDN?

Alan Buxey
Hi,

> when typing  https://ipaddress:443/index.html  into a browser
> it cannot find the page and goes back to
>
> https://ipaddress

Port 443 *IS* https. The browser sees the one and the same.

alan

RE: Can SSL work with IP Address instead of FQDN?

PJ-7

Hi all,

How can a self signed certificate in X509 format be distinguished from a
bought one?
 
