I finally had time to get back to this, and, with the advice of a colleague, got it working. Here is what I needed to do to get it working:
1) After extracting the Apache 2.0.35 source, I applied a five line patch from
   http://www.apachelabs.org/apache-mbox/200204.mbox/%3cPine.LNX.4.33.020406222 [EMAIL PROTECTED]%3e.

2) Modified modules/ssl/mod_ssl.h to force SSL_EXPERIMENTAL and SSL_ENGINE to be defined (since I couldn't get them to turn on with --enable-rule, or figure out what other option I might need to turn them on, and I needed them on to test the engine code).

3) Configured with the options --enable-ssl, --with-ssl, and --prefix (with appropriate directories for the latter two options).

4) Copied the conf/ssl.crt and conf/ssl.key directories from my old Apache 1.3 installation to get the certificate I needed.

5) Modified httpd.conf and ssl.conf to set the server name, specify an IP address for Listen, and set the ports to 8080 and 8443 since I didn't want to run the test as root.

With this configuration, I ran a test on Linux 2.4.2-2 and one on HP UX 11.0 32-bit. The results were:

Linux 2.4.2-2: SSL connections worked. I was able to run with all session caches (none, dbm, shmht, and shmcb), and successfully connect with show. I have not tested yet with a CryptoSwift card on this OS.

HP UX 11.0 32-bit: SSL connections worked. I was able to use a CryptoSwift card, offload to the card (by adding an "SSLCryptoDevice cswift" line to ssl.conf, and, since HP UX still seems to involve odd ideas about where to look for libraries, copying libswift.sl from /usr/lib to the directory from which I was starting Apache), and accelerate my transactions. Both swamp and Rainbow's show program successfully connected to the server. However, the shmht and shmcb session caches did not work; if I set either of these, the Web server doesn't start. No error message is logged when the server fails to start, and I do get the "httpd started" message, just no process running. I am able to run with either no session cache or the dbm session cache.
The tests were done with OpenSSL engine 0.9.6b on Linux and 0.9.6c on HP UX; based on earlier tests, I expect pre-release 0.9.7 would solve the problem of needing to copy or link the libswift.sl library on HP UX, since it has added a configuration option to specify where the engine library is.

So, it appears that there is an HP specific shared memory session cache issue, but no problem with swamp or other load testing programs, once the five line patch to ssl_engine_io.c is applied.

Lynn Gazis
Rainbow Technologies

-----Original Message-----
From: Geoff Thorpe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 6:42 AM
To: [EMAIL PROTECTED]
Cc: Lynn Gazis
Subject: Re: Apache 2.0.35 with SSL - won't start

Hi,

On Wednesday 17 April 2002 04:16, Lynn Gazis wrote:
> s_client doesn't handshake OK with it, Rainbow's show test program doesn't
> handshake OK with it, and swamp doesn't handshake OK with it. I've been
> wondering what load testing program *does* handshake properly with Apache
> 2.0 (I really need to be able to test it, somehow, under load, and so far
> I've only been able to make single connections from IE and Netscape).

Ah, well then it would appear to be SSL/TLS weirdness with Apache 2.0.

> Maybe your suggestion is right, and it doesn't like the "GET /\r/\n\r\n"
> request string; I suppose that could explain why several different programs
> would be able to send traffic to Apache 1.3 and not to Apache 2.0.

If you can't get s_client to handshake with Apache 2, then it is rather irrelevant what request string you send through the SSL stream. It requires an SSL/TLS stream to be open to begin with. Quite weird really ... It's hard to tell right off the bat what this could be - but it sounds weird as I'm sure *someone* working on the SSL functionality in apache 2.0 must have tried hitting it with *something* built around openssl. How about konqueror, lynx, or some other browser whose SSL support comes from openssl?

Otherwise, I think it would require a comment from someone dealing with Apache 2.0 - there seemed to be one or two people saying it was ready for production and that it was now time for the 1.3->2.0 switch ... surely one of these could clarify the situation? :-)

Cheers,
Geoff
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
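As an added illustration (not part of Lynn's post or the mod_ssl project's own configuration files), here is the httpd.conf/ssl.conf layout the steps in the post describe, with the session cache directive written out both ways: the dbm cache that started on both platforms, and the shmcb cache that came up on Linux but left HP UX with no httpd process. The IP address, ServerName, install prefix and cache paths are placeholder assumptions; only the port numbers, the SSLCryptoDevice line and the copied ssl.crt/ssl.key directories come from the post.

```apache
# Added example, not from the post. Non-root test layout: 8080/8443 instead of 80/443.
# 192.0.2.10, www.example.com and /usr/local/apache2 are placeholder values.
Listen 192.0.2.10:8080
Listen 192.0.2.10:8443

# Offload RSA work to the CryptoSwift card (needs SSL_ENGINE compiled in; on HP UX
# the engine's libswift.sl also had to be somewhere the loader would find it).
SSLCryptoDevice cswift

# Session cache that started on both Linux and HP UX in the tests:
SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300

# Shared-memory cache that worked on Linux but, on HP UX, produced the
# "httpd started" message with no running process and nothing in the error log.
# Keep it commented out on HP UX until the shared-memory issue is resolved:
#SSLSessionCache shmcb:/usr/local/apache2/logs/ssl_scache(512000)

<VirtualHost 192.0.2.10:8443>
    ServerName www.example.com:8443
    SSLEngine on
    # Certificate and key copied over from the Apache 1.3 conf/ssl.crt and conf/ssl.key
    SSLCertificateFile    /usr/local/apache2/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
</VirtualHost>
```

Because the startup message in the post was printed even when no process survived, verify the result by looking for a listening httpd (ps, or netstat on the 8443 port) rather than trusting the message, then confirm the handshake itself with openssl s_client -connect host:8443, the same check that was failing at the start of this thread.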
