apachectl startssl started, but viewing https in browser does not


apachectl startssl started, but viewing https in browser does not

dmitrik
if apachectl startssl works, any idea how come
trying to open https://ipaddres:443/index.html cannot display the page?

the following log appears after trying

openssl s_client -connect IPAddress:443 -state -debug

No client certificate CA names sent
---
SSL handshake has read 2519 bytes and written 304 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : shows string here
    Session-ID: showsid here
    Session-ID-ctx:
    Master-Key: shows key here
    Key-Arg   : None
    Start Time: 1123688834
    Timeout   : 300 (sec)
    Verify return code: 7 (certificate signature failure)

What does code 7 indicate? Is that the reason the page cannot be seen?
Does something need to be added into the browser?
What will trigger the browser to ask the person to verify the certificate?

tia,
dk

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: apachectl startssl started, but viewing https in browser does not

Jorey Bump
[hidden email] wrote:
> if apachectl startssl works, any idea how come
> trying to open https://ipaddres:443/index.html cannot display the page?

It's redundant. The standard port for https is already 443, and some
browsers will simply remove it from the URL. The fact that the page
won't display is probably unrelated to this.

> the following log appears after trying
>
> openssl s_client -connect IPAddress:443 -state -debug
>
> No client certificate CA names sent
> ---
> SSL handshake has read 2519 bytes and written 304 bytes
> ---
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : shows string here
>     Session-ID: showsid here
>     Session-ID-ctx:
>     Master-Key: shows key here
>     Key-Arg   : None
>     Start Time: 1123688834
>     Timeout   : 300 (sec)
>     Verify return code: 7 (certificate signature failure)
>
> What does code 7 indicate? Is that the reason the page cannot be seen?
> Does something need to be added into the browser?
> What will trigger the browser to ask the person to verify the certificate?

It's not always easy to determine the exact cause of the problem from
the error message. Briefly, how did you create the certificate? What are
your SSLCertificate* settings in your conf file?

Re: apachectl startssl started, but viewing https in browser does not

dmitrik
These lines are from ssl.conf

 DocumentRoot "/opt/apache/CA"
SSLCertificateFile /opt/apache/CA/192.33.175.160.crt
SSLCertificateKeyFile /opt/apache/CA/192.33.175.160.key
SSLCertificateChainFile /opt/apache/CA/my-ca.crt
SSLCACertificateFile /opt/apache/CA/my-ca.crt

 <Directory "/opt/apache/CA">
     SSLOptions +StdEnvVars
  </Directory>


These are from httpd.conf

 ServerRoot "/usr/local/apache2"
 Listen 80
DocumentRoot "/opt/apache/htdocs" - This is a second DocumentRoot - the
httpd.conf includes the ssl.conf - could this be causing the problem?

changed htdocs to CA - still with problem

Do the .crt and .key files need to be in CA?

The certificates were created by following the steps in this document.
http://www.vanemery.com/Linux/Apache/apache-SSL.html

tia,
dk

Re: apachectl startssl started, but viewing https in browser does not

Jorey Bump
[hidden email] wrote:
> These lines are from ssl.conf
>
>  DocumentRoot "/opt/apache/CA"

This configuration is simply insane. Sorry, but you really need to
disable SSL and get up to speed on basic apache administration. Don't
change settings without understanding what they do. Any server
administrators on this list are probably sitting in a corner shivering
after reading this post.

Start here:

  http://httpd.apache.org/docs/2.0/

Restore your original configuration files (you did make backups, didn't
you?).

> SSLCertificateFile /opt/apache/CA/192.33.175.160.crt
> SSLCertificateKeyFile /opt/apache/CA/192.33.175.160.key
> SSLCertificateChainFile /opt/apache/CA/my-ca.crt
> SSLCACertificateFile /opt/apache/CA/my-ca.crt
>
>  <Directory "/opt/apache/CA">
>      SSLOptions +StdEnvVars
>   </Directory>
>
>
> These are from httpd.conf
>
>  ServerRoot "/usr/local/apache2"
>  Listen 80
> DocumentRoot "/opt/apache/htdocs" - This is a second DocumentRoot - the
> httpd.conf includes the ssl.conf - could this be causing the problem?
>
> changed htdocs to CA - still with problem
>
> Do the .crt and .key files need be in CA?
>
> The certificates were created by following the steps in this document.
> http://www.vanemery.com/Linux/Apache/apache-SSL.html


Re: apachectl startssl started, but viewing https in browser does not

dmitrik
Is it possible to clarify some of the confusion with the configuration?
From what you wrote I don't really see what the issue is -
Any clarification would be appreciated.
The certificates were placed in a directory called CA.
How is this a problem?
Thank you.

Re: apachectl startssl started, but viewing https in browser does not

dmitrik
Is the method of certificate/key creation as specified in this document:
http://www.vanemery.com/Linux/Apache/apache-SSL.html
correct?

Re: apachectl startssl started, but viewing https in browser does not

Jorey Bump
[hidden email] wrote:
> Is it possible to clarify some of the confusion with the configuration?
> From what you wrote I don't really see what the issue is -
> Any clarification would be appreciated.
> The certificates were placed in a directory called CA.
> How is this a problem?
> Thank you.

What you're doing is the equivalent of filling your car with gasoline. I
mean, literally, opening the window of your automobile and dispensing
petrol into the backseat. The problem is that if you don't understand
what is meant by "fill it up" it's hard to determine where to begin with
your instruction, other than from the very beginning. When you do this
as a gas station attendant, it's very frightening, indeed.

>> DocumentRoot "/opt/apache/CA"

Your web pages go in DocumentRoot. This is very, very basic.

>>SSLCertificateFile /opt/apache/CA/192.33.175.160.crt
>>SSLCertificateKeyFile /opt/apache/CA/192.33.175.160.key
>>SSLCertificateChainFile /opt/apache/CA/my-ca.crt
>>SSLCACertificateFile /opt/apache/CA/my-ca.crt

This could be an appropriate configuration.

>> <Directory "/opt/apache/CA">
>>     SSLOptions +StdEnvVars
>>  </Directory>

Makes no sense whatsoever.

>>DocumentRoot "/opt/apache/htdocs" - This is a second DocumentRoot - the

This is just where your default web pages are. An SSL virtual host can
have its own DocumentRoot or share another.

>>httpd.conf includes the ssl.conf - could this be causing the problem?

It's not unusual to include other conf files into httpd.conf to keep it
manageable.

>>changed htdocs to CA - still with problem

Please. Make it stop! You're grasping at straws, here. You must read the
documentation.

>>Do the .crt and .key files need be in CA?

They need to be handled securely. They need to be where apache can find
them. They certainly don't belong in your DocumentRoot (not the key,
anyway).

>>The certificates were created by following the steps in this document.
>>http://www.vanemery.com/Linux/Apache/apache-SSL.html

This document is not the cause of your problem. I do things my own way,
but a quick glance at the page raises no flags.

Your problem is that you have no grasp of basic apache administration
concepts. This isn't an SSL issue, anymore. You could put your server at
risk by making more of these misguided errors.


Re: apachectl startssl started, but viewing https in browser does not

dmitrik
Thanks for the response. Also this is a development server.

the how-to document placed the .crt and .key files
in the following directories.

cp mars-server.crt /etc/httpd/conf/ssl.crt
cp mars-server.key /etc/httpd/conf/ssl.key
cp my-ca.crt /etc/httpd/conf/ssl.crt

These directories do not exist on this pc.

Is there a default location under Apache2 where
.crt and .key files need to be placed?

There are backups of all of the conf files

Re: apachectl startssl started, but viewing https in browser does not

Jorey Bump
[hidden email] wrote:

> Thanks for the response. Also this is a development server.
>
> the how-to document placed the .crt and .key files
> in the following directories.
>
> cp mars-server.crt /etc/httpd/conf/ssl.crt
> cp mars-server.key /etc/httpd/conf/ssl.key
> cp my-ca.crt /etc/httpd/conf/ssl.crt
>
> These directories do not exist on this pc.
> Is there a default location under Apache2 where
> .crt and .key files need to be placed?

You can organize your certificates as you see fit. I don't use those
locations, either, even if they are present. As I mentioned, the
important thing is that they are stored securely in a place accessible
by apache. This can vary from platform to platform, depending on the
type of access controls that are in place. I don't use Solaris, but I
typically place all server certs/keys in a hierarchy under /etc/ssl/.
Some programs are picky about the format, but you can share a
key/certificate pair among many services, so I store them centrally.

I run my CA on a workstation as an ordinary user and transfer the
keys/certs as needed. Note that you don't need root privileges to run a
CA, just to install the keys/certs on the destination.

> There are backups of all of the conf files

Good man. :)

Re: apachectl startssl started, but viewing https in browser does not

dmitrik
Thanks for the response.

The .key and .crt files have been moved to the default directories in the ssl.conf file,
which are /usr/local/apache2/conf/ssl.crt and
/usr/local/apache2/conf/ssl.key

this document has instructions to manually connect to HTTPS
http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca

(these are steps in doc above)

for simple testing the HTTP protocol of Apache, it's not so easy for HTTPS because of the SSL protocol between TCP and HTTP. But with the help of OpenSSL's s_client command you can do a similar check even for HTTPS:

$ openssl s_client -connect localhost:443 -state -debug
GET / HTTP/1.0

I ran this command and it displays the connection info from before.
It does say that verify failed. But if GET is typed,
it displays the contents of index.html

Does this indicate anything?

running netstat -na |grep LISTEN shows that 443 is open.

If it is open, what might be the reason that https://ipaddress does not show up?

 SSLVerifyClient require
 SSLVerifyDepth  10

these are both commented out in ssl.conf.

Do they need to be set?


The other document changed this line in ssl.conf
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

to

SSLCipherSuite HIGH:MEDIUM

any suggestions on setting this?

Re: apachectl startssl started, but viewing https in browser does not

Jorey Bump
[hidden email] wrote:
> Thanks for the response.
>
> The .key and .crt files have been moved to the default directories in the ssl.conf file,
> which are /usr/local/apache2/conf/ssl.crt and
> /usr/local/apache2/conf/ssl.key

That's better.

> $ openssl s_client -connect localhost:443 -state -debug
> GET / HTTP/1.0
>
> I ran this command and it displays the connection info from before.
> It does say that verify failed. But if GET is typed,
> it displays the contents of index.html
>
> Does this indicate anything?

Something is working. :) Don't expect completely successful verification
with self-signed certs. You need to satisfy a lot of requirements. It
doesn't necessarily mean that you're not getting encryption.

> running netstat -na |grep LISTEN shows that 443 is open.

Good.

> If it is open, what might be the reason that https://ipaddress does not show up?

You may need a trailing slash:

  https://ipaddress/

If that doesn't work, check your logs for error messages. It might be
related to how you've configured your VirtualHost. Or maybe your browser
is crap.

>  SSLVerifyClient require
>  SSLVerifyDepth  10
>
> these are both commented out in ssl.conf.
>
> Do they need to be set?

Do *you* require this? If you don't know the answer, you probably don't.

> The other document changed this line ssl.conf
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> to
>
> SSLCipherSuite HIGH:MEDIUM
>
> any suggestions on setting this?

Well, I, umm, sometimes put things back together and have a few leftover
screws, so the answer is... 12?

But, seriously, this setting affects the security of your server, so
read up:

  http://httpd.apache.org/docs/2.0/ko/mod/mod_ssl.html#sslciphersuite

then back away slowly...

Re: apachectl startssl started, but viewing https in browser does not

dmitrik
Thanks for the response.

Not sure if this post issue is similar - but once the connect works, https works

http://groups-beta.google.com/group/alt.apache.configuration/browse_thread/thread/e2ce8cc2db458885/3337e78d29ad78db?lnk=st&q=how+to+set+up+apache2+ssl.conf&rnum=2&hl=en#3337e78d29ad78db

> Something is working. :) Don't expect completely successful verification
> with self-signed certs. You need to satisfy a lot of requirements. It
> doesn't necessarily mean that you're not getting encryption.

is there a bare bones list of requirements?

the access_log and ssl_request_log only seem to be written to when
using an openssl connect command.

Nothing happens within the browser

> It might be related to how you've configured your VirtualHost.

Could you say a little more about how the Virtual host needs to be set?

> Or maybe your browser is crap.

how could one tell? Anything ssl specific?

does this doc make sense?
http://docdb.fnal.gov/doc/sslconf.html

Is it possible to set up the ssl.conf file initially with as little security as possible, just to
see https working?




Re: apachectl startssl started, but viewing https in browser does not

dmitrik
CA.pl -sign finally worked. - the other methods of making certificates seemed to work,
but I'm not sure if they were actually good certificates.

When CA.pl -sign finally worked, the https did too.

Thanks for all the helpful responses.
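Nobody in the thread says what verify return code 7 means: it is X509_V_ERR_CERT_SIGNATURE_FAILURE, reported when the signature on the server certificate does not check out under the public key of the certificate OpenSSL selected as its issuer, which is exactly what happens when the file behind SSLCertificateChainFile is not the CA that actually signed the server cert (a CA regenerated after signing is one common way to get there). The script below is an added example, not code from the thread or from the linked how-tos; it builds throwaway keys and certificates in a scratch directory and, going a step beyond the question, also checks that the private key belongs to the certificate before mod_ssl is pointed at the files. The only assumption is that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: sanity checks for the files behind SSLCertificateFile,
# SSLCertificateKeyFile and SSLCertificateChainFile. Everything here is
# constructed in a scratch directory; only the openssl CLI is assumed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA (stand-in for my-ca.crt) and a server cert signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Test CA" -keyout my-ca.key -out my-ca.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=192.0.2.10" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -days 30 -sha256 -in server.csr -CA my-ca.crt \
    -CAkey my-ca.key -CAcreateserial -out server.crt 2>/dev/null

# A second CA with the *same* DN but a fresh key: the situation you get when
# the CA is regenerated after the server cert was issued.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Test CA" -keyout other-ca.key -out other-ca.crt 2>/dev/null

# Check 1: does the private key belong to the certificate? The RSA moduli
# are hashed so the comparison is a short string regardless of key size.
key_matches_cert() {  # $1 = key file, $2 = cert file; 0 when they pair up
    cmod=$(openssl x509 -noout -modulus -in "$2" | openssl dgst -sha256)
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl dgst -sha256)
    [ "$cmod" = "$kmod" ]
}

# Check 2: does the CA bundle vouch for the certificate? This is the same
# verification s_client reports as "Verify return code"; ": OK" in the
# output corresponds to code 0. Against the wrong CA the output carries the
# error instead: code 7 (certificate signature failure) when the server cert
# carries no authority key identifier, code 20 (unable to get local issuer
# certificate) when it does and the key identifiers disagree.
chain_verifies() {  # $1 = CA bundle, $2 = cert file; 0 on success, 1 otherwise
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *": OK"*) return 0 ;;
        *) printf 'verify failed: %s\n' "$out" >&2; return 1 ;;
    esac
}

# Stand-alone run: report each check the way a pre-restart script would.
key_matches_cert server.key server.crt   && echo "server.key matches server.crt"
key_matches_cert other-ca.key server.crt || echo "other-ca.key does NOT match server.crt"
chain_verifies my-ca.crt server.crt      && echo "my-ca.crt verifies server.crt"
chain_verifies other-ca.crt server.crt   || echo "other-ca.crt does NOT verify server.crt"
```

Run the two functions against the real files from ssl.conf (server .key, server .crt, and the chain/CA .crt) to confirm the pairing before restarting Apache; a chain check that fails here will fail in every browser too.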


