Full_Name: dave madden
Version: 2.4.6
OS: linux-2.3.18
Submission from: adsl-63-193-149-175.dsl.lsan03.pacbell.net (63.193.149.175)


With openssl-0.9.4, apache-1.3.9, and mod_ssl-2.4.6 on a RedHat-6.1
system (kernel 2.3.18 + mingo-H5) I'm seeing extended connect times
using Netscape-4.7 or connecting directly with openssl/s_client.  The
initial connect happens immediately ("telnet localhost 443" connects
immediately, but fails for other reasons) but the negotiation seems
to take a long time.

I'll append my config file...PageScriptor is a module I wrote, but
I'm not using it yet.  Running Netscape against openssl/s_server gives
immediate satisfaction, so I suspect mod_ssl misconfiguration rather
than openssl problems.

please respond to [EMAIL PROTECTED] as well as whatever lists you've got
going at modssl.org; thanks!

d.

##
## httpd.conf -- Apache HTTP server configuration file
##

### Section 1: Global Environment
#
# Process model: one standalone server whose lock, pid and scoreboard
# files live under /var/run. Those paths (and every other absolute path
# in this file) are used as given; only relative paths are resolved
# against ServerRoot.
ServerType standalone
ServerRoot "/usr/local/packages/apache-1.3.9"
LockFile /var/run/httpd/httpd.lock
PidFile /var/run/httpd.pid
ScoreBoardFile /var/run/httpd/httpd.scoreboard

# Per-connection limits: 300 s request/response timeout; persistent
# connections allowed, at most 100 requests each, 15 s idle between them.
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

# Exactly one idle child is kept around, so a burst of new connections
# waits for children to be forked before it is served.
MinSpareServers 1
MaxSpareServers 1
StartServers 1

MaxClients 150

# Each child exits after 100 requests, which together with the single
# spare child above means frequent forking under load.
MaxRequestsPerChild 100

#Listen 3000
#Listen 12.34.56.78:80
# Bind every local interface; the ports themselves come from the Listen
# directives in Section 2, which are only active when the SSL define is set.
BindAddress *

#
# Dynamic Shared Object (DSO) Support
#
<IfDefine SSL>
        # Path is relative to ServerRoot. A DSO executes with the server's
        # privileges, so the file and its directory must be writable by
        # root only.
        LoadModule ssl_module         libexec/libssl.so
</IfDefine>

<IfDefine PAGESCRIPTOR>
        # Locally written module loaded from outside ServerRoot; the same
        # ownership/permission requirement as above applies.
        LoadModule PageScriptor_module /usr/WWW/lib/pagescript-apache.so
</IfDefine>

#  Reconstruction of the complete module list from all available modules
#  (static and shared ones) to achieve correct module execution order.
#  [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]
# Drop the compiled-in list and rebuild it explicitly; the order below is
# the order the modules are consulted for each request, so keep it in step
# with the LoadModule section above.
ClearModuleList
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_so.c
AddModule mod_setenvif.c

# The two optional modules are appended after the core set, and only
# when the matching define is given on the command line.
<IfDefine SSL>
        AddModule mod_ssl.c
</IfDefine>

<IfDefine PAGESCRIPTOR>
        AddModule mod_pagescriptor.c
</IfDefine>

# Adds per-request detail (client, URL, CPU) to /server-status; that
# page is access-controlled further down.
ExtendedStatus On

<IfDefine PAGESCRIPTOR>
        # NOTE(review): server="/tmp/PageScriptor" sits in a world-writable
        # directory — presumably a local socket path; confirm the module
        # refuses a pre-existing entry there. DATABASE and PSERV are plain
        # host:port endpoints with no transport protection visible here.
        # ignore-ip="yes" presumably stops tying the session cookie to the
        # client address — verify that is intended before going live.
        PageScriptor server="/tmp/PageScriptor" \
                persistent-dir="/var/www/persistent" \
                cname="VheissuCookie" lifetime="2 weeks" \
                ignore-ip="yes" DATABASE="vheissu.mersenne.com:1422" \
                PSERV="vheissu.mersenne.com:1423"
</IfDefine>

#
### Section 2: 'Main' server configuration
#

##  When we also provide SSL we have to listen to the 
##  standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
        # Both ports are bound only when the server is started with the
        # SSL define; without it no Listen applies and the built-in default
        # port is used.
        Listen 80
        Listen 443
</IfDefine>

# Children run as this unprivileged account after the parent (root) has
# bound the ports and read the certificate/key files.
User nobody
Group nobody

ServerName vheissu.mersenne.com
ServerAdmin [EMAIL PROTECTED]

DocumentRoot "/usr/local/html"

# Filesystem-wide defaults. NOTE(review): there is no Order/Deny here, so
# any path reachable through an Alias below is served unless a more
# specific section restricts it; the usual hardening is to deny everything
# at "/" and grant access per directory (each Alias target would then
# need its own <Directory> section).
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/usr/local/html">
    # Indexes: a directory without index.html gets an auto-generated
    # listing of its contents.
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfDefine PAGESCRIPTOR>
        <Directory /home/hotshit/dhm/public_html/todo>
                PSOfferToken
                SetHandler PageScriptor-Service
        </Directory>

        <Directory /home/hotshit/dhm/public_html/locked>
                # NOTE(review): the password file lives in world-writable
                # /tmp, where any local user can replace it; move it to a
                # root-owned directory outside DocumentRoot. Basic auth also
                # sends credentials in the clear unless this path is only
                # reachable through the 443 vhost, which nothing here enforces.
                AuthUserFile /tmp/htpasswd
                AuthName "Test Area"
                AuthType Basic
                require valid-user
                PSOfferToken
                SetHandler PageScriptor-Service
        </Directory>
</IfDefine>

# URL prefixes mapped onto directories outside DocumentRoot. The first
# matching Alias wins, so the second /icons/ entry further down is
# redundant. Several targets are vendor documentation trees inside user
# and product home directories; with the permissive <Directory /> above
# they are served without any further access control.
Alias /icons/ /usr/local/packages/apache-1.3.9/icons/
Alias /apache-docs/ /usr/local/packages/apache-1.3.9/htdocs/
Alias /kai/ /usr/local/KAI/KCC-3.3f-1/KCC_BASE/doc/
Alias /compile-service/ /home/hotshit/dhm/misc/rcx/legOS-0.1.7/server/
Alias /oracle/ /home/oracle/app/oracle/product/8.0.5/doc/
Alias /sybase/ /home/sybase/doc/html/
Alias /java/ /usr/local/packages/java/docs/

# ~user URLs map onto each account's public_html; this makes local
# account names discoverable from the web.
UserDir public_html

DirectoryIndex index.html
# Name of the per-directory override file. AllowOverride None in the
# sections above means it is not consulted there, and the <Files> rule
# below keeps it from being served.
AccessFileName .htaccess

# Never serve .htaccess / .htpasswd-style files, whatever directory they
# are in.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# Self-referential URLs (redirects etc.) are built from ServerName rather
# than from the client-supplied Host header.
UseCanonicalName On
TypesConfig /etc/mime.types

# Content type for files whose extension is not in TypesConfig.
DefaultType text/plain

# Only takes effect if mod_mime_magic is compiled in; it is not in the
# AddModule list above, so this is currently inactive.
<IfModule mod_mime_magic.c>
    MIMEMagicFile /usr/local/packages/apache-1.3.9/conf/magic
</IfModule>

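# Off: %h in the logs is the client address, not a reverse-resolved name.
HostnameLookups Off
ErrorLog /var/log/httpd/error
LogLevel warn

# Log formats. A LogFormat must be a single line: the "combined" entry
# had its nickname wrapped onto a line of its own, which Apache would
# read as an unknown directive and refuse to start on (most likely mail
# wrapping, but it must not be pasted back that way). Referer and
# User-Agent are client-supplied strings, so treat these log files as
# untrusted data when viewing them.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Three separate logs; the SSL vhost below writes to /var/log/httpd/access
# as well (via TransferLog) plus its own access.ssl.
CustomLog /var/log/httpd/access common
CustomLog /var/log/httpd/referer referer
CustomLog /var/log/httpd/agent agent

#CustomLog /usr/local/packages/apache-1.3.9/logs/access_log combined

# Appends server version and ServerName to server-generated pages
# (error pages, listings); "Off" avoids that disclosure.
ServerSignature On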

# Duplicate of the /icons/ Alias in the list above (same target); the
# earlier one is the one that matches. Harmless, but one of the two can go.
Alias /icons/ "/usr/local/packages/apache-1.3.9/icons/"

<Directory "/usr/local/packages/apache-1.3.9/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Everything under this directory is executed as a CGI program (as
# User/Group nobody); keep the directory and its contents writable by
# root only.
ScriptAlias /cgi-bin/ "/usr/local/packages/apache-1.3.9/cgi-bin/"

<Directory "/usr/local/packages/apache-1.3.9/cgi-bin">
    AllowOverride None
    # No listings, symlink following or includes here — scripts only.
    Options None
    Order allow,deny
    Allow from all
</Directory>

# Appearance of the auto-generated directory listings enabled by
# "Options Indexes" above: icons by encoding, MIME type and extension,
# then a fallback icon.
IndexOptions FancyIndexing

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

# README / HEADER files in a directory are shown below / above its listing.
ReadmeName README
HeaderName HEADER

# Hidden from listings: dotfiles, editor backups, the README/HEADER files
# themselves and RCS/CVS artefacts. Hidden is not unreadable — a known
# name can still be fetched directly.
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

# Content-Encoding by extension, so compressed files are sent as such
# rather than being re-typed.
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz

# Language variants for content negotiation (mod_negotiation), with the
# tie-break order when the client states no preference.
AddLanguage en .en
AddLanguage fr .fr
AddLanguage de .de
AddLanguage da .da
AddLanguage el .el
AddLanguage it .it

LanguagePriority en fr de

AddType application/x-tar .tgz

#AddHandler cgi-script .cgi
#AddType text/html .shtml
#AddHandler server-parsed .shtml
#AddHandler send-as-is asis
#AddHandler imap-file map

#ErrorDocument 404 /missing.html

# Work-arounds for old clients keyed on the User-Agent header: disable
# keep-alive, and/or force an HTTP/1.0 response. The header is client
# supplied, so a client can opt into these (less efficient, never less
# safe) behaviours at will.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

# Server status and configuration pages disclose request details and the
# full module/directive set, so they are limited to the local domain.
# NOTE(review): a host-name Allow makes Apache reverse-resolve every client
# address that hits these URLs regardless of HostnameLookups, and the
# decision is only as trustworthy as that DNS; an address range is the
# more robust choice. The trailing dot in ".mersenne.com." also looks
# unintended — confirm the rule actually matches before relying on it.
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from .mersenne.com.
</Location>

<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from .mersenne.com.
</Location>

#<Location /cgi-bin/phf*>
#    Deny from all
#    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>


### Section 3: Virtual Hosts
#
#
#NameVirtualHost 12.34.56.78:80
#NameVirtualHost 12.34.56.78
#<VirtualHost ip.address.of.host.some_domain.com>
#    ServerAdmin [EMAIL PROTECTED]
#    DocumentRoot /www/docs/host.some_domain.com
#    ServerName host.some_domain.com
#    ErrorLog logs/host.some_domain.com-error_log
#    CustomLog logs/host.some_domain.com-access_log common
#</VirtualHost>

#<VirtualHost _default_:*>
#</VirtualHost>

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
        # Lets browsers import certificates/CRLs served from DocumentRoot
        # with the right content type.
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl    .crl
</IfDefine>

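<IfModule mod_ssl.c>

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
        SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
#   Without a cache every connection does a full handshake.
        SSLSessionCache         dbm:/var/run/httpd/ssl_scache
        SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
        SSLMutex  file:/var/run/httpd/ssl_mutex

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#
#   /dev/random blocks until the kernel has gathered enough entropy,
#   so reading 512 bytes from it on EVERY connection stalls each
#   handshake until that entropy exists — on a lightly used machine
#   that is seconds or longer, which matches the slow negotiation seen
#   with s_client and Netscape. /dev/random is acceptable once at
#   startup (it blocks only then); at connect time use /dev/urandom,
#   which never blocks, or `builtin'.
#       SSLRandomSeed startup builtin
#       SSLRandomSeed connect builtin
        SSLRandomSeed startup file:/dev/random  512
#       SSLRandomSeed startup file:/dev/urandom 512
#       SSLRandomSeed connect file:/dev/random  512
        SSLRandomSeed connect file:/dev/urandom 512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
        SSLLog      /var/log/httpd/ssl
        SSLLogLevel info
</IfModule>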

<IfDefine SSL>

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>
#  General setup for the virtual host. It serves the same DocumentRoot
#  and writes to the same error/access logs as the plain-HTTP server
#  above, so nothing in this file is reachable only over SSL.
        DocumentRoot "/usr/local/html"
        ServerName vheissu.mersenne.com
        ServerAdmin [EMAIL PROTECTED]
        ErrorLog /var/log/httpd/error
        TransferLog /var/log/httpd/access

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
        SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#   NOTE(review): this list still admits export-grade (EXP) and LOW
#   suites, unencrypted ones via +eNULL, and SSLv2; a client, or anyone
#   able to tamper with the handshake, can end up on one of them. Drop
#   those groups once the slow-handshake problem is sorted out.
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' at
#   build time.
#   The private key is read by the root parent at startup; keep it
#   root-owned and mode 0600 so the nobody-uid children cannot read it.
        SSLCertificateFile /etc/httpd/conf/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/server.key

#   Chain, CA store, CRLs and client verification are all left unset:
#   only the server certificate itself is sent, and client certificates
#   are neither requested nor checked.
#       SSLCertificateChainFile /etc/httpd/conf/ca.crt

#       SSLCACertificatePath /etc/httpd/conf/ssl.crt
#       SSLCACertificateFile /etc/httpd/conf/ca-bundle.crt

#       SSLCARevocationPath /etc/httpd/conf/ssl.crl
#       SSLCARevocationFile /etc/httpd/conf/ca-bundle.crl

#       SSLVerifyClient require
#       SSLVerifyDepth  10

#   Access Control:
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#     to provide compatibility to existing CGI scripts.
#   StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#   NOTE(review): FakeBasicAuth is switched on while SSLVerifyClient is
#   commented out, so no client certificate is requested and the option
#   should be inert. If client verification is enabled later, remember that
#   the fixed password above lets any holder of a listed DN into any area
#   that shares the same user file with password-based Basic auth.
        SSLOptions +FakeBasicAuth +OptRenegotiate

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some broken browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with broken browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   The User-Agent header is client supplied, so any client can opt into
#   the unclean shutdown by claiming to be MSIE; that only costs it the
#   close-notify, nothing more.
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
#   Records negotiated protocol and cipher per request — useful for
#   checking which of the weak suites listed above actually get used.
        CustomLog /var/log/httpd/access.ssl \
                  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

</IfDefine>

