Thanks to Mads' suggestion and following the FAQ, I prepared a CSR and
submitted it to freecerts.entrust.com.  I obtained the signed crt file as
well as the CA crt.  I imported the CA crt file into my browser as a trusted
root.  Finally, I installed the server crt into my OpenSA Apache config.

After several hours of experimentation, I discovered the following problem:
when I use the encrypted server key file and enter the passphrase in the
Apache startup console window, Apache does not respond to ANY requests at
all (HTTP or HTTPS).  However, when I create an unencrypted server key file,
all works perfectly!  The ONLY change between the two runs is to change the
filename in my SSLCertificateKeyFile directive.

(As an aside for OpenSA users, the distribution does not include the
openssl.cnf file needed for generating the CSR.  I obtained this by
downloading the OpenSSL tarball and extracting this file.)

Since I'm only in development mode, I'm happy to continue on this way for
now.  However, in order to help uncover a potential problem, I submit the
following info.  I'd be happy to cooperate in any investigation.  I think
that when I want to go into production, I'd better build Apache and mod_ssl
from the source tree so as to be able to debug problems in the code.  That
said, I still believe that the OpenSA project has real value for Win32.

In addition, I do think that there is an IE4 Y2K issue with the snakeoil
certs, which have date ranges starting in 1999 and ending in 2000+.  When I
display them with openssl all looks good, but IE still complains about
invalid/expired dates.  The freecert certs have start/end dates in 2000, and
IE likes them.  Therefore, I'd suggest that the standard distribution have
regenerated certs with a start validity date in 2000.

a) The screen image of the startup:

[Wed Apr 26 11:21:12 2000] [warn] Loaded DSO modules/ApacheModuleServletExec.dll uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)
OpenSA/0.20 Apache/1.3.12 mod_ssl/2.6.2 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server kbenson.:443 (RSA)
Enter pass phrase:

Ok: Pass Phrase Dialog successful.
OpenSA/0.20 Apache/1.3.12 (Win32) mod_ssl/2.6.2 OpenSSL/0.9.5 running...

b) The engine.log for the "bad" config:

[26/Apr/2000 11:21:12 00301] [info]  Server: OpenSA/0.20 Apache/1.3.12, Interface: mod_ssl/2.6.2, Library: OpenSSL/0.9.5
[26/Apr/2000 11:21:12 00301] [warn]  You are using mod_ssl under Win32. This combination is *NOT* officially supported. Use it at your own risk!
[26/Apr/2000 11:21:12 00301] [info]  Init: 1st startup round (still not detached)
[26/Apr/2000 11:21:12 00301] [info]  Init: Initializing OpenSSL library
[26/Apr/2000 11:21:12 00301] [info]  Init: Loading certificate & private key of SSL-aware server kbenson.:443
[26/Apr/2000 11:21:12 00301] [info]  Init: Requesting pass phrase via builtin terminal dialog
[26/Apr/2000 11:21:16 00301] [info]  Init: Wiped out the queried pass phrases from memory
[26/Apr/2000 11:21:16 00301] [info]  Init: Seeding PRNG with 136 bytes of entropy
[26/Apr/2000 11:21:16 00301] [info]  Init: Generating temporary RSA private keys (512/1024 bits)
[26/Apr/2000 11:21:17 00301] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[26/Apr/2000 11:21:17 00301] [info]  Init: Seeding PRNG with 136 bytes of entropy
[26/Apr/2000 11:21:17 00301] [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[26/Apr/2000 11:21:17 00301] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[26/Apr/2000 11:21:17 00301] [info]  Init: Initializing (virtual) servers for SSL
[26/Apr/2000 11:21:17 00301] [info]  Init: Configuring server kbenson.:443 for SSL protocol
[26/Apr/2000 11:21:17 00301] [warn]  Init: (kbenson.:443) RSA server certificate CommonName (CN) `kbenson' does NOT match server name!?
[26/Apr/2000 11:21:18 00301] [info]  Init: 2nd startup round (already detached)
[26/Apr/2000 11:21:18 00301] [info]  Init: Reinitializing OpenSSL library
[26/Apr/2000 11:21:18 00301] [info]  Init: Seeding PRNG with 136 bytes of entropy
[26/Apr/2000 11:21:18 00301] [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[26/Apr/2000 11:21:18 00301] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[26/Apr/2000 11:21:18 00301] [info]  Init: Initializing (virtual) servers for SSL
[26/Apr/2000 11:21:18 00301] [info]  Init: Configuring server kbenson.:443 for SSL protocol
[26/Apr/2000 11:21:18 00301] [warn]  Init: (kbenson.:443) RSA server certificate CommonName (CN) `kbenson' does NOT match server name!?
[26/Apr/2000 11:21:18 00271] [info]  Server: OpenSA/0.20 Apache/1.3.12, Interface: mod_ssl/2.6.2, Library: OpenSSL/0.9.5
[26/Apr/2000 11:21:18 00271] [warn]  You are using mod_ssl under Win32. This combination is *NOT* officially supported. Use it at your own risk!
[26/Apr/2000 11:21:18 00271] [info]  Init: 1st startup round (still not detached)
[26/Apr/2000 11:21:18 00271] [info]  Init: Initializing OpenSSL library
[26/Apr/2000 11:21:18 00271] [info]  Init: Loading certificate & private key of SSL-aware server kbenson.:443
[26/Apr/2000 11:21:18 00271] [info]  Init: Requesting pass phrase via builtin terminal dialog
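Editor's note (added example; this is not code from the poster, OpenSA or mod_ssl): the quoted engine.log ends with a second process, PID 00271, requesting a pass phrase after PID 00301 had already completed its dialog, and no "Wiped out the queried pass phrases" line follows it. The script below parses lines in the mod_ssl 2.6 engine.log format shown above and reports any process whose pass-phrase prompt was never followed by that completion line, which is the cheapest way to tell from the log alone whether a start-up stalled on a prompt nobody could answer. It also includes a check for whether the file named in SSLCertificateKeyFile is an encrypted PEM key (the one thing the poster changed between the two runs). The sample log and the two PEM fragments are constructed for the example; the base64 bodies are placeholders, not real key material.

```python
"""Find a mod_ssl pass-phrase prompt that never completed, from engine.log.

Added example, not part of the original post.  Log format assumed:
    [dd/Mon/yyyy hh:mm:ss PID] [level]  message
as in mod_ssl 2.6's engine.log quoted in the post.
"""
import re
from collections import defaultdict

# Constructed from the post's engine.log with the mail wraps joined again.
SAMPLE_LOG = """\
[26/Apr/2000 11:21:12 00301] [info]  Init: 1st startup round (still not detached)
[26/Apr/2000 11:21:12 00301] [info]  Init: Requesting pass phrase via builtin terminal dialog
[26/Apr/2000 11:21:16 00301] [info]  Init: Wiped out the queried pass phrases from memory
[26/Apr/2000 11:21:18 00301] [info]  Init: 2nd startup round (already detached)
[26/Apr/2000 11:21:18 00271] [info]  Init: 1st startup round (still not detached)
[26/Apr/2000 11:21:18 00271] [info]  Init: Requesting pass phrase via builtin terminal dialog
"""

# Constructed PEM fragments; the bodies are placeholders, not real keys.
ENCRYPTED_KEY_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

UExBQ0VIT0xERVIgTk9UIEEgUkVBTCBLRVk=
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVIgTk9UIEEgUkVBTCBLRVk=
-----END RSA PRIVATE KEY-----
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (?P<pid>\d+)\] '
    r'\[(?P<level>\w+)\]\s+(?P<msg>.*)$')


def parse_engine_log(text):
    """Yield (timestamp, pid, level, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group('ts'), m.group('pid'), m.group('level'), m.group('msg')


def pass_phrase_status(text):
    """Per PID: how many prompts were issued, how many completed, and the
    startup rounds seen.  mod_ssl logs 'Wiped out the queried pass phrases'
    only after the dialog returned, so prompts > answered means a prompt is
    still outstanding (or the process died while waiting)."""
    status = defaultdict(lambda: {'prompts': 0, 'answered': 0, 'rounds': []})
    for _ts, pid, _level, msg in parse_engine_log(text):
        entry = status[pid]
        if msg.startswith('Init: Requesting pass phrase'):
            entry['prompts'] += 1
        elif msg.startswith('Init: Wiped out the queried pass phrases'):
            entry['answered'] += 1
        elif 'startup round' in msg:
            entry['rounds'].append(msg.split(':', 1)[1].strip())
    return dict(status)


def unanswered_prompts(text):
    """PIDs that asked for a pass phrase more often than a dialog completed."""
    return sorted(pid for pid, s in pass_phrase_status(text).items()
                  if s['prompts'] > s['answered'])


def key_is_encrypted(pem_text):
    """True if this PEM private key will make mod_ssl run its pass-phrase
    dialog: traditional (PKCS#1) keys carry a 'Proc-Type: 4,ENCRYPTED'
    header, PKCS#8 keys use the 'ENCRYPTED PRIVATE KEY' armour instead."""
    return ('Proc-Type: 4,ENCRYPTED' in pem_text
            or '-----BEGIN ENCRYPTED PRIVATE KEY-----' in pem_text)


if __name__ == '__main__':
    for pid, s in pass_phrase_status(SAMPLE_LOG).items():
        print(pid, s)
    print('stalled on a pass-phrase prompt:', unanswered_prompts(SAMPLE_LOG))
    print('encrypted key:', key_is_encrypted(ENCRYPTED_KEY_PEM),
          key_is_encrypted(PLAIN_KEY_PEM))
```

Run against the post's log it reports PID 00271 as stalled: that process logged "Requesting pass phrase" as its last line. On a real deployment the same function can be pointed at the live engine.log after a start-up that accepts no connections, and `key_is_encrypted` at the SSLCertificateKeyFile path, to separate "the key needs a pass phrase and the prompt never completed" from every other reason an SSL start-up can wedge.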

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
