Hi arthur,

> I think that works !
> Instead of
> [ssl] # openssl s_client -connect localhost:443 -state -debug
> I key in
> [ssl] # openssl s_client -connect 192.168.100.10:443 -state -debug
> and it worked, no SSL23_GET_SERVER_HELLO error, why is that ???

I looked at your conf and realized that the conf was OK. However, you
were accessing localhost, which was different from your virtual
host. You can have SSL when you access the virtual host
directive in which you specify that the SSL engine is on.

The error happens when you access the location in which you do not
specify that the SSL engine is on. Probably someone else can answer
this better than I do.

> I am still *VERY CONCERNED* that the output from TCPDUMP contains human
> readable data (admittedly you won't be able to get much out of that).
> It's nothing like the plain text http transmission, try it out !

I am not sure which data you are talking about. Transmission data is
encrypted after the handshake stage completes.

-Kiyoshi
Kiyoshi Watanabe
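
An added worked example, not part of Kiyoshi's or arthur's messages and not mod_ssl or OpenSSL code: it turns the diagnosis made further down this thread (the `-debug` dump shows the server answering the ClientHello with `<!DOCTY`, plain HTML, which is what `SSL23_GET_SERVER_HELLO:unknown protocol` means) into a check you can run. `classify_server_bytes` labels the first bytes a server sends back, `parse_s_client_dump` reads a pasted `openssl s_client -debug` dump even after a mailing list has quoted and wrapped it, and `probe` sends a minimal TLS 1.0 ClientHello itself so that `127.0.0.1` and `192.168.1.3` can be compared directly. All function names, the sample dump (an abridged, constructed copy of the one quoted below) and the two cipher suites in the hello are this example's own choices.

```python
import os
import re
import socket


def classify_server_bytes(data: bytes) -> str:
    """Label the first bytes a server sent back after our ClientHello."""
    if not data:
        return "no-data"               # peer closed without answering
    if len(data) >= 3 and data[1] == 0x03 and data[2] <= 0x04:
        # TLS record header: content type, then version 3.0 .. 3.4
        if data[0] == 0x16:
            return "tls-handshake"     # ServerHello: the port does speak TLS
        if data[0] == 0x15:
            return "tls-alert"         # TLS, but the server refused (version/cipher)
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x04:
        return "sslv2-server-hello"    # SSLv2 record, message type 4 = SERVER-HELLO
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        return "plaintext-http"        # '<!DOCTY' or a status line: no TLS at all
    return "unknown"


_DIR_ROW = re.compile(r"^[>\s]*(write to|read from)\b(.*)$")
_HEX_ROW = re.compile(r"^[>\s]*[0-9a-fA-F]{4} - (.*)$")


def parse_s_client_dump(dump: str) -> list:
    """Turn `openssl s_client -debug` output into [(direction, bytes), ...].
    '> ' quote marks are skipped, a wrapped ASCII column is simply not a hex
    row, and the byte count in the record header caps what is collected."""
    records, direction, limit, buf = [], None, None, bytearray()
    for line in dump.splitlines():
        d = _DIR_ROW.match(line)
        if d:
            if direction is not None:
                records.append((direction, bytes(buf)))
            direction = "client->server" if d.group(1) == "write to" else "server->client"
            n = re.search(r"=> (\d+) \(0x", d.group(2))
            limit, buf = (int(n.group(1)) if n else None), bytearray()
            continue
        h = _HEX_ROW.match(line)
        if h and direction is not None:
            for tok in re.split(r"[ -]+", h.group(1).strip()):
                if not re.fullmatch(r"[0-9a-fA-F]{2}", tok) or len(buf) == limit:
                    break              # reached the ASCII column or the record end
                buf.append(int(tok, 16))
    if direction is not None:
        records.append((direction, bytes(buf)))
    return records


def diagnose_s_client_dump(dump: str) -> str:
    """Classify the first record the server sent, as seen in a -debug dump."""
    for direction, payload in parse_s_client_dump(dump):
        if direction == "server->client":
            return classify_server_bytes(payload)
    return "no-data"


def build_client_hello() -> bytes:
    """Minimal TLS 1.0 ClientHello record, no extensions: a TLS server answers
    with a ServerHello or an alert, a plain HTTP server with text."""
    body = (b"\x03\x01" + os.urandom(32) + b"\x00"      # version, random, no session id
            + b"\x00\x04\x00\x2f\x00\x0a"                # AES128-SHA, DES-CBC3-SHA
            + b"\x01\x00")                               # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check; probe("127.0.0.1") vs probe("192.168.1.3") shows whether the
    two addresses reach different Apache virtual hosts, as in this thread."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            return classify_server_bytes(s.recv(16))
    except OSError as e:
        return f"connect-error: {e}"


# Constructed sample: four of the eight rows of the -debug output quoted in
# this thread, with the quote marks and mailing-list line wrapping left in.
SAMPLE_DUMP = r"""
> > > CONNECTED(00000003)
> > > write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))
> > > 0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q...
> .....
> > > 0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04
> .........f......
> > > 0060 - 60 b1 2a 84 93 cf ba f5-87 dc 22 63 27 83 c7 16
> `.*......."c'...
> > > 0070 - f0 68 eb 8b 33 43 57 05-e8 5e a1 ef               .h..3CW..^..
> > > read from 0809D018 [080A25C0] (7 bytes => 7 (0x7))
> > > 0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
> > > SSL_connect:error in SSLv2/v3 read server hello A
"""
```

`diagnose_s_client_dump(SAMPLE_DUMP)` returns `plaintext-http`, the same verdict the thread reached by eye. With the httpd.conf quoted below, `probe("127.0.0.1")` and `probe("192.168.1.3")` give different answers for a reason that has nothing to do with OpenSSL: the `<VirtualHost 192.168.1.3:443>` block is the only one carrying `SSLEngine on`, it is matched only by connections to that address, and it is also wrapped in `<IfDefine SSL>`, so it exists only when httpd was started with `-DSSL`. A connection to 127.0.0.1:443 matches no virtual host, falls through to the main server, where SSLEngine is off, and receives the plain-HTTP error page that shows up as `<!DOCTY` in the dump. Binding the SSL vhost to `_default_:443`, as Kiyoshi suggested, makes it catch every address on port 443.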


 
> 
> ----- Original Message -----
> From: "Kiyoshi Watanabe" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, August 08, 2003 06:44 AM
> Subject: Re: FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error
> 
> 
> >
> > Hello,
> >
> > did you test the openssl command using your IP instead of localhost?
> >
> >   openssl s_client -connect your-ip-here:443 -state -debug
> >
> > Or why don't you change the VirtualHohost to _default_ temporarily and
> > see how it goes.
> >
> > -Kiyoshi
> > Kiyoshi Watanabe
> >
> >
> >
> > > > Problem #1: your OpenSSL doesn't have the error messages loaded so
> > > > you're getting a rather non-descriptive error message.  No big deal, it
> > > > just means you have to look harder to find out what the error means.
> > > How do I load them in order to get a more meaningful description ???
> > > I've recompiled Apache 2.0.40 several times from scratch with the following
> > > additional options:
> > >
> > > ./configure --with-mpm=worker --enable-so --enable-rewrite --enable-ssl --with-ssl=/path/to/openssl --enable-proxy --auth_digest
> > >
> > >
> > > > Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if
> > > > you looked at the debug dump you'd see something very similar to:
> > > > 0000 - 3c 21 44 4f 43 54 59 <!DOCTY
> > > > which was mentioned in one of those links the other guy sent you.
> > > > It's telling you that that's what it received from the server.  You'll
> > > > notice that "<!DOCTY" is the first few bytes of a standard html page
> > > > unencrypted.
> > > Indeed, this is the whole output :
> > > CONNECTED(00000003)
> > > write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))
> > > 0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
> > > 0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .........f......
> > > 0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...........e..d.
> > > 0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.....
> > > 0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
> > > 0050 - 00 00 06 00 00 03 04 00-80 02 00 80 5c ec 7c 7c   ............\.||
> > > 0060 - 60 b1 2a 84 93 cf ba f5-87 dc 22 63 27 83 c7 16   `.*......."c'...
> > > 0070 - f0 68 eb 8b 33 43 57 05-e8 5e a1 ef               .h..3CW..^..
> > > read from 0809D018 [080A25C0] (7 bytes => 7 (0x7))
> > > 0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
> > > SSL_connect:error in SSLv2/v3 read server hello A
> > > 1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> > > protocol:s23_clnt.c:460:
> > >
> > > > So this tells you that your web server is in fact speaking plain HTTP
> > > > on port 443 rather than HTTPS.  You probably do not have "SSLEngine on"
> > > > for that virtual host.
> > > This defies purpose. Following is an excerpt from httpd.conf with only
> > > those bits that I believe are relevant. What have I done that's wrong?
> > > (httpd.conf)
> > >
> > > ServerName www.saysit.com.hk:80
> > > #
> > > <IfModule mod_ssl.c>
> > > # Some MIME-types for downloading Certificates and CRLs
> > >    AddType application/x-x509-ca-cert .crt
> > >    AddType application/x-pkcs7-crl    .crl
> > >    SSLSessionCache  dbm:logs/ssl_scache
> > >    SSLSessionCacheTimeout 300
> > >    SSLMutex  file:logs/mutex
> > >    SSLRandomSeed startup builtin
> > >    SSLRandomSeed connect builtin
> > > </IfModule>
> > > ### Section 3: Virtual Hosts
> > > Listen 80
> > > Listen 443
> > > NameVirtualHost 192.168.1.3
> > > <VirtualHost 192.168.1.3:80>
> > >     ServerName www.saysit.com.hk
> > >     ServerAdmin [EMAIL PROTECTED]
> > >     DocumentRoot /var/www/html
> > >     ErrorLog /usr/local/apache2/logs/saysit_error.log
> > >     CustomLog /usr/local/apache2/logs/saysit_access.log common
> > >     SetEnvIf User-Agent ".MSIE.*"\
> > >        nokeepalive ssl-unclean-shutdown \
> > >        downgrade-1.0 force-response-1.0
> > >     JkMount /saysit ajp13
> > >     JkMount /saysit/* ajp13
> > > </VirtualHost>
> > > #
> > > <IfDefine SSL>
> > > <VirtualHost 192.168.1.3:443>
> > >     ServerName demo.saysit.com.hk
> > >     ServerAdmin [EMAIL PROTECTED]
> > >     DocumentRoot /home/nicole/MyDocument/public_html
> > >     ErrorLog /usr/local/apache2/logs/nicole_error.log
> > >     CustomLog /usr/local/apache2/logs/nicole_access.log common
> > >     <IfModule mod_ssl.c>
> > >        SSLEngine on
> > >        SSLCipherSuite ALL:!ADH:!EPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > >        SSLCertificateFile /usr/share/ssl/server.crt
> > >        SSLCertificateKeyFile /usr/share/ssl/server.key
> > > ####   SSLVerifyClient require #### will prompt the client to select a certificate when browsing demo.saysit
> > >     </IfModule>
> > >     JkExtractSSL on
> > >     JkHTTPSIndicator HTTPS
> > >     JkSESSIONIndicator SSL_SESSION_ID
> > >     JkCIPHERIndicator SSL_CIPHER
> > >     JkCERTSIndicator SSL_CLIENT_CERT
> > >     JkMount /saysit ajp13
> > >     JkMount /saysit/* ajp13
> > > </VirtualHost>
> > > </IfDefine>
> > >
> > >
> > > > Problem #3: You mentioned trying to get name-based vhosts to work with
> > > > SSL.  You must realize that this doesn't work right in the general
> > > > case.
> > > > Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 .
> > > Yes, I read that document and I do want to provide both http and https
> > > on a single server with one single IP address (I am NAT-ting on router
> > > with one external ip - does that matter?)
> > >
> > >
> > > ______________________________________________________________________
> > > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > > User Support Mailing List                      [EMAIL PROTECTED]
> > > Automated List Manager                            [EMAIL PROTECTED]
> 