Re: Netscape gave error on SSL
Bab S wrote:
> Hi mod_ssl users,
> After starting SSL https://servername.com, I tried on IE and Netscape. With IE it works fine but with Netscape Browser version 6 it gives me an error:
> Netscape and this server cannot communicate securely because they have no common Encryption Algorithms.

I've never seen this error but it seems fairly self-explanatory. The browser and server have to decide on a common scheme to use for encryption. In the case of NS6, it doesn't have a scheme in common with the server so they can't communicate.

On the server side, the schemes allowed are defined by the SSLCipherSuite directive. Check your entry to see if it is unusually restrictive (e.g. only one scheme defined). For comparison, my entry looks like this:

SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Rgds,
Owen Boyle.
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
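The negotiation described in the reply above, as an added example that is not part of the original thread and is not mod_ssl or OpenSSL code: a small Python model of how an SSLCipherSuite string expands into an allowed list and how a common cipher is, or is not, found. The eight-entry cipher table and the client offers are constructed for illustration, and the operator handling is a simplification of OpenSSL's cipher-string rules.

```python
# Added example: simplified model of OpenSSL cipher-string expansion.
# CIPHERS is a constructed subset of real suite names with the aliases that
# select them; it is not OpenSSL's full table.
CIPHERS = {
    "DES-CBC3-SHA":    {"HIGH", "RSA", "3DES"},
    "RC4-SHA":         {"MEDIUM", "RSA", "RC4"},
    "RC4-MD5":         {"MEDIUM", "RSA", "RC4"},
    "DES-CBC-SHA":     {"LOW", "RSA", "DES"},
    "EXP1024-RC4-SHA": {"EXP", "EXPORT", "EXP56", "EXPORT56", "RSA", "RC4"},
    "EXP-RC4-MD5":     {"EXP", "EXPORT", "EXP40", "EXPORT40", "RSA", "RC4"},
    "ADH-RC4-MD5":     {"ADH", "aNULL", "MEDIUM", "RC4"},
    "NULL-SHA":        {"eNULL", "NULL", "RSA"},
}

# The SSLCipherSuite value quoted in the thread.
PAGE_DEFAULT = "ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"


def _matches(name, tags, wanted):
    """True if a cipher satisfies every '+'-joined part of one token."""
    for part in wanted:
        if part == "ALL":
            if "eNULL" in tags:        # ALL never pulls in the eNULL suites
                return False
        elif part != name and part not in tags:
            return False
    return True


def expand(spec):
    """Return the enabled ciphers, in preference order, for a cipher string."""
    enabled, killed = [], set()
    for token in filter(None, spec.split(":")):
        op = token[0] if token[0] in "!-+" else ""
        wanted = token[len(op):].split("+")
        hits = [n for n, t in CIPHERS.items() if _matches(n, t, wanted)]
        if op in ("!", "-"):           # remove; '!' also forbids re-adding
            enabled = [n for n in enabled if n not in hits]
            if op == "!":
                killed.update(hits)
        elif op == "+":                # reorder only: never adds a cipher
            moved = [n for n in enabled if n in hits]
            enabled = [n for n in enabled if n not in hits] + moved
        else:                          # plain token: append what is new
            enabled += [n for n in hits
                        if n not in enabled and n not in killed]
    return enabled


def negotiate(server_spec, client_offer):
    """Pick the first client-offered cipher the server allows, else None.
    Assumption of this model: the client's order decides."""
    allowed = set(expand(server_spec))
    return next((c for c in client_offer if c in allowed), None)


if __name__ == "__main__":
    offer = ["RC4-MD5", "EXP-RC4-MD5"]             # constructed client offer
    print(expand(PAGE_DEFAULT))
    print(negotiate("DES-CBC3-SHA", offer))        # one scheme only: no match
    print(negotiate(PAGE_DEFAULT, offer))
```

In this model the thread's string still leaves DES-CBC-SHA (56-bit DES) and EXP-RC4-MD5 (40-bit export) enabled, and `+eNULL` adds nothing because `+` only reorders ciphers that are already in the list.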
Re: SSI vs CGI
Hi!

On Sun, Feb 03, 2002 at 12:02:12AM +0200, Zvi Har'El wrote:
> In an HTTPS virtual host, there are many variables that are exported one method and not the other: More specifically, all the variables starting with SSL_ (e.g., SSL_CIPHER, SSL_SESSION_ID, etc.), are exported to the CGI script, but are not printed by the printenv SSI. This is in Apache/2.0.32-dev (Unix) mod_ssl/3.0a0 OpenSSL/0.9.6b (which I compiled from the latest CVS).

Take a look in the F.A.Q.: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC22

Ciao
Thomas
--
There's no time like the pleasant.
http to https redirect configuration question
I am having a difficult time solving the following:

I want our apache non-secure http:// server to redirect to the secure https:// server whenever the non-secure server encounters a .htaccess file in any directory? I do not want to redirect entire directories or the server itself, only those that contain a .htaccess file.

The standard apache Redirect or RedirectMatch cannot do this because the .htaccess file is not typically specified by the user. You run into a looping problem if you specify a redirect in the .htaccess file itself. I was hoping there is some switch at the server level to do this. I of course searched all the docs and mailing archives for a solution.

There is a solution using javascript in the index.html file that can do a redirect but this would have to be placed in everyone's .index file and there is no guarantee users will do this.

Any solutions would be appreciated. Thanks.

--
John W. Sopko Jr.
University of North Carolina, Computer Science Dept., CB 3175
Sitterson Hall; Room 135, Chapel Hill, NC 27599-3175
email: [EMAIL PROTECTED]
Phone: 919-962-1844
Fax: 919-962-1799
mod_ssl problems
Hello there,

I am trying to implement the mod_ssl. I am following exactly the directions as was found in the official site. When I use the command

nmake /f ms\ntdll.mak

I have the following error:

NMAKE: fatal error U1073: don't know how to make '.\crypto\cryptlib.h' stop.

Could anyone help me? Thanks a lot.
message headers
Can this list implement a default header in the subject of all messages that reads like [modssl-users] and THEN the subject?

I'm spending enough time sorting my mail box out already. If the list admin cannot, oh well...

Thanks anyway :)
___
Eduardo Gomez
Innerlab Productions
www.innerlab.com
RE: http to https redirect configuration question
We have from time to time the following traces in our Apache logs:

[Mon Feb 4 08:17:24 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Mon Feb 4 08:17:24 2002] [error] System: Connection reset by peer (errno: 104)

Can anyone help us find what the problem can be related to?

Our apache is 1.3.20 mod_ssl 2.8.4 OpenSSL 0.9.6b.

Part of our configuration is:

<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Adding that line because of info from mod_ssl mailing list to
# make more stable Apache SSL.
# To my understanding (and anyone who can correct me if I am wrong, please do),
# some versions of Microsoft Internet Explorer (MSIE) have problems with using the
# HTTP/1.1 protocol with SSL. What this command does is to turn off keepalive
# facility and force HTTP/1.0 responses (rather than HTTP/1.1 responses) when the
# browser (User-Agent) is a version of MSIE. If you would like more information on
# this, you might try the following page from the mod_ssl FAQ:
#
# http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49
#
<IfModule mod_setenvif.c>
#SetEnvIf User-Agent .*MSIE.* nokeepalive \
#    ssl-unclean-shutdown downgrade-1.0 \
#    force-response-1.0
SetEnvIf User-Agent "MSIE [1-4]" nokeepalive \
    ssl-unclean-shutdown downgrade-1.0 \
    force-response-1.0
SetEnvIf User-Agent "MSIE [5-9]" ssl-unclean-shutdown
</IfModule>

#
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shm:/opt/apache/logs/ssl_scache(512000)
SSLSessionCache dbm:/opt/apache/logs/ssl_scache
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/opt/apache/logs/ssl_mutex

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# The certificate files are now located under /opt/apache/conf
SSLCertificateFile /opt/apache/conf/XXX.crt
SSLCertificateKeyFile /opt/apache/conf/XXX.key
RE: http to https redirect configuration question
Take a look at the mod_rewrite docos. I remember seeing some test to see if a file exists (-f operator?). You could parse the URL's path to infer the physical directory and check to see if an .htaccess file exists there, and redirect appropriately to the SSL virtual server.

Off the top of my head, a problem you might encounter is that you'd only have access to the virtual path (the URL's path), and not to the filesystem path, so you'd have to be very careful to take possible aliases into account.

OTOH, if I had that need, I'd probably do something in a mod_perl handler (not a content handler, probably in an auth or access handler) because I'd have full access to the Apache API.

Cheers...
MZ

-----Original Message-----
From: John W. Sopko Jr. [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 04, 2002 10:49
To: [EMAIL PROTECTED]
Subject: http to https redirect configuration question

I am having a difficult time solving the following:

I want our apache non-secure http:// server to redirect to the secure https:// server whenever the non-secure server encounters a .htaccess file in any directory? I do not want to redirect entire directories or the server itself, only those that contain a .htaccess file.

The standard apache Redirect or RedirectMatch cannot do this because the .htaccess file is not typically specified by the user. You run into a looping problem if you specify a redirect in the .htaccess file itself. I was hoping there is some switch at the server level to do this. I of course searched all the docs and mailing archives for a solution.

There is a solution using javascript in the index.html file that can do a redirect but this would have to be placed in everyone's .index file and there is no guarantee users will do this.

Any solutions would be appreciated. Thanks.

--
John W. Sopko Jr.
University of North Carolina, Computer Science Dept., CB 3175
Sitterson Hall; Room 135, Chapel Hill, NC 27599-3175
email: [EMAIL PROTECTED]
Phone: 919-962-1844
Fax: 919-962-1799
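The check suggested in the reply above (map the URL path to a physical directory, allowing for aliases, then look for a .htaccess file), sketched as an added Python example; it is not code from the thread, not mod_rewrite and not a mod_perl handler. The function names, the host name `www.example.edu`, the sample tree and the first-match alias rule are assumptions of this example, and because Apache also applies .htaccess files found in parent directories the check walks upward to the mapped base directory.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote, urlsplit


def clean_path(url):
    """Decode and normalise the URL path so '..' cannot climb out of the tree."""
    raw = unquote(urlsplit(url).path)
    return posixpath.normpath("/" + raw.lstrip("/"))


def map_to_filesystem(path, docroot, aliases):
    """Return (base, fs_path). aliases is an ordered list of (url_prefix,
    directory) pairs; the first match wins, otherwise docroot applies."""
    for prefix, target in aliases:
        prefix = prefix.rstrip("/")
        if path == prefix or path.startswith(prefix + "/"):
            return target, os.path.join(target, path[len(prefix):].lstrip("/"))
    return docroot, os.path.join(docroot, path.lstrip("/"))


def covered_by_htaccess(base, fs_path):
    """Walk from the requested directory up to base looking for .htaccess."""
    base = os.path.realpath(base)
    current = os.path.realpath(fs_path)
    if not os.path.isdir(current):
        current = os.path.dirname(current)
    while os.path.commonpath([base, current]) == base:
        if os.path.isfile(os.path.join(current, ".htaccess")):
            return True
        if current == base:
            break
        current = os.path.dirname(current)
    return False


def https_redirect(url, host, docroot, aliases=()):
    """Return the https:// target for a protected URL, or None.
    host comes from configuration, never from the request's Host header."""
    path = clean_path(url)
    base, fs_path = map_to_filesystem(path, docroot, aliases)
    if covered_by_htaccess(base, fs_path):
        return "https://" + host + path
    return None


def build_sample_tree():
    """Constructed sample: a DocumentRoot plus one aliased directory."""
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "htdocs")
    outside = os.path.join(root, "projects")
    for d in ("public", os.path.join("private", "sub")):
        os.makedirs(os.path.join(docroot, d))
    os.makedirs(outside)
    for d in (os.path.join(docroot, "private"), outside):
        open(os.path.join(d, ".htaccess"), "w").close()
    return docroot, [("/projects", outside)]


if __name__ == "__main__":
    docroot, aliases = build_sample_tree()
    for url in ("/public/index.html", "/private/sub/page.html",
                "/projects/report.html"):
        print(url, "->", https_redirect(url, "www.example.edu", docroot, aliases))
```

Dropping the alias list makes `/projects/report.html` resolve under the DocumentRoot, where no .htaccess exists, so the protected directory would be served over plain http; that is the alias pitfall the reply warns about.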
Re: message headers
Hi Eduardo!

On 4 Feb 02 at 12:12 you wrote:
> Can this list implement a default header in the subject of all messages that reads like [modssl-users] and THEN the subject?

I prefer it the way it is.

> I'm spending enough time sorting my mail box out already.

Why? Most modern mail clients let you sort the incoming mail into folders automatically.

--
Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
* I think, therefore I am overqualified.
RE: ssl no response
Alright, I've managed to establish an ssl connection, but the session hangs before presenting me with a login prompt. I get an insecure prompt to the directory in question if I use port 80. This is the portion of the log from ssl_engine_log during the negotiation. Using Opera 6.x the connection hangs. Using IE 5.x it asks me to select a certificate, and lists none for me to use. Can someone describe what is happening?

<VirtualHost ssl.domain.net:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /www//ssl
ServerName domain.net
ErrorLog logs/443error_log
CustomLog logs/443access_log common
ScriptAlias /cgi-bin/ /usr/local/apache/cgi-bin/
Group users
<Directory /www//ssl>
AuthName ssl
AuthType Basic
AuthUserFile auth/.htpasswd
Require user aodhan
SSLVerifyClient require
SSLVerifyDepth 1
SSLRequireSSL
</Directory>
</VirtualHost>

tail -f logs/ssl_engine_log
[04/Feb/2002 09:44:06 13354] [info] Initial (No.1) HTTPS request received for child 5 (server domain.net:443)
[04/Feb/2002 09:44:06 13354] [info] Requesting connection re-negotiation
[04/Feb/2002 09:44:06 13354] [info] Awaiting re-negotiation handshake
[04/Feb/2002 09:44:06 13354] [error] Re-negotiation handshake failed: Not accepted by client!?
[04/Feb/2002 09:44:06 13354] [error] SSL error on writing data (OpenSSL library error follows)
[04/Feb/2002 09:44:06 13354] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
[04/Feb/2002 09:44:06 13354] [info] Connection to child 5 closed with standard shutdown (server domain.net:443, client 66.35.239.94)
[04/Feb/2002 09:44:07 13353] [info] Connection to child 4 established (server terran.net:443, client 66.35.239.94)
[04/Feb/2002 09:44:07 13353] [info] Seeding PRNG with 1160 bytes of entropy
[04/Feb/2002 09:44:07 13353] [info] Connection: Client IP: 66.35.239.94, Protocol: SSLv3, Cipher: RC4-SHA (128/128 bits)
[04/Feb/2002 09:48:38 13353] [info] Connection to child 4 closed with standard shutdown (server domain.net:443, client 66.35.239.94)

--
Aodhan H.
Ad Astra per Aspera
A Rough Road Leads To The Stars
Freedom is something you have, not something you're given.
ssl virtual host IP's
I've been looking thru the mod_ssl users archives and have learned that I can't do SSL on Virtual Hosts that are name based. I've seen that it is possible to use it on Virtual Hosts with IP based. Are these IP based hosts separate computers or can they be Virtual IP's all pointing to the same computer?

What I want to do is have two domain names routed to my Linux Web Server and have them both have separate certs. However, I have no clue how I'd go about setting up two IP's that point to the same box... doesn't make sense to me so I'm guessing it's not possible... but would love it if it does.

thanks for bearing with me,
Jeff
Re: message headers
No way, that's something that problems me also. Not every emailer has filtering, esp web email. Also it is standard practice to have a small key in the subject for visually filtering what's what. It doesn't have to be big, something like [modu], and would not invade those with filters but allow those without or not using them to have something of use.

Thanks,
Nick

Quoting Toomas Aas [EMAIL PROTECTED]:
> Hi Eduardo!
>
> On 4 Feb 02 at 12:12 you wrote:
> > Can this list implement a default header in the subject of all messages that reads like [modssl-users] and THEN the subject?
>
> I prefer it the way it is.
>
> > I'm spending enough time sorting my mail box out already.
>
> Why? Most modern mail clients let you sort the incoming mail into folders automatically.
Re: message headers
filter on this:

To: [EMAIL PROTECTED]

Thanks,
Ron DuFresne

On Tue, 5 Feb 2002, NickM wrote:
> No way, that's something that problems me also. Not every emailer has filtering, esp web email. Also it is standard practice to have a small key in the subject for visually filtering what's what. It doesn't have to be big, something like [modu], and would not invade those with filters but allow those without or not using them to have something of use.
>
> Thanks,
> Nick
>
> Quoting Toomas Aas [EMAIL PROTECTED]:
> > Hi Eduardo!
> >
> > On 4 Feb 02 at 12:12 you wrote:
> > > Can this list implement a default header in the subject of all messages that reads like [modssl-users] and THEN the subject?
> >
> > I prefer it the way it is.
> >
> > > I'm spending enough time sorting my mail box out already.
> >
> > Why? Most modern mail clients let you sort the incoming mail into folders automatically.

--
~~
admin senior security consultant: sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!
Connection hangs when using SSL
I'm trying to get Apache up and running on WinNT, with SSL.

I'm using Apache/1.3.19 (Win32) mod_ssl/2.8.3 OpenSSL/0.9.6a

My Apache config is as follows

...
SSLMutex sem
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel debug
<VirtualHost MY_HOST:443>
ServerName MY_HOST
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile D:/apache/ssl/my-server.cert
SSLCertificateKeyFile D:/apache/ssl/my-server.key
SetEnvIf User-Agent .*MSIE.* \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log combined
</VirtualHost>

My problem is that when I issue https://MY_HOST through the browser the browser simply hangs - there's no response from apache.

If I try and connect to 443 directly using openssl I get

$ openssl s_client -connect MY_HOST:443 -state -debug
CONNECTED(0003)
SSL_connect:before/connect initialization
write to 0A01ED48 [0A01F788] (130 bytes = 130 (0x82))
SSL_connect:SSLv2/v3 write client hello A

... and nothing more. I've tried using the -ssl2 and -ssl3 flags, but get the same result.

I've tried connecting using telnet and trying to speak http to the port and that doesn't work so that's not the issue.

Furthermore, when I try and connect I get an entry in my ssl.log ...

[04/Feb/2002 17:01:01 00193] [info] Connection to child 4 established (server MY_HOST:443, client MY_IP)

Any suggestions gratefully received

Regards
Ken Tune
Re: Connection hangs when using SSL
Please refer to this tutorial.

http://tud.at/programm/apache-ssl-win32-howto.php3

I got it working yesterday doing as it says. Try starting Apache as a service by typing apache -i from command prompt and see if it throws any error messages. I had the same setup as yours.

Suchit

--- Ken Tune [EMAIL PROTECTED] wrote:
> I'm trying to get Apache up and running on WinNT, with SSL
>
> I'm using Apache/1.3.19 (Win32) mod_ssl/2.8.3 OpenSSL/0.9.6a
>
> My Apache config is as follows
>
> ...
> SSLMutex sem
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> SSLSessionCache none
> SSLLog logs/SSL.log
> SSLLogLevel debug
> <VirtualHost MY_HOST:443>
> ServerName MY_HOST
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile D:/apache/ssl/my-server.cert
> SSLCertificateKeyFile D:/apache/ssl/my-server.key
> SetEnvIf User-Agent .*MSIE.* \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_request_log combined
> </VirtualHost>
>
> My problem is that when I issue https://MY_HOST through the browser the browser simply hangs - there's no response from apache.
>
> If I try and connect to 443 directly using openssl I get
>
> $ openssl s_client -connect MY_HOST:443 -state -debug
> CONNECTED(0003)
> SSL_connect:before/connect initialization
> write to 0A01ED48 [0A01F788] (130 bytes = 130 (0x82))
> SSL_connect:SSLv2/v3 write client hello A
>
> ... and nothing more. I've tried using the -ssl2 and -ssl3 flags, but get the same result.
>
> I've tried connecting using telnet and trying to speak http to the port and that doesn't work so that's not the issue.
>
> Furthermore, when I try and connect I get an entry in my ssl.log ...
>
> [04/Feb/2002 17:01:01 00193] [info] Connection to child 4 established (server MY_HOST:443, client MY_IP)
>
> Any suggestions gratefully received
>
> Regards
> Ken Tune
Re: message headers
As just said, I do not have filtering!! The list is not high traffic enough to concern me terribly, but would be nice.

Quoting R. DuFresne [EMAIL PROTECTED]:
> filter on this:
>
> To: [EMAIL PROTECTED]
>
> Thanks,
> Ron DuFresne
>
> On Tue, 5 Feb 2002, NickM wrote:
> > No way, that's something that problems me also. Not every emailer has filtering, esp web email. Also it is standard practice to have a small key in the subject for visually filtering what's what. It doesn't have to be big, something like [modu], and would not invade those with filters but allow those without or not using them to have something of use.
> >
> > Thanks,
> > Nick
Re: message headers
That's a shortcoming on your part though, a proper mail reader can accomplish this chore.

Thanks,
Ron DuFresne

On Tue, 5 Feb 2002, NickM wrote:
> As just said, I do not have filtering!! The list is not high traffic enough to concern me terribly, but would be nice.
>
> Quoting R. DuFresne [EMAIL PROTECTED]:
> > filter on this:
> >
> > To: [EMAIL PROTECTED]
> >
> > Thanks,
> > Ron DuFresne
> >
> > On Tue, 5 Feb 2002, NickM wrote:
> > > No way, that's something that problems me also. Not every emailer has filtering, esp web email. Also it is standard practice to have a small key in the subject for visually filtering what's what. It doesn't have to be big, something like [modu], and would not invade those with filters but allow those without or not using them to have something of use.
> > >
> > > Thanks,
> > > Nick

--
~~
admin senior security consultant: sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!
Re: Connection hangs when using SSL
Have you set Listen 443 in your conf?

-----Original Message-----
From: Ken Tune [mailto:[EMAIL PROTECTED]]
Sent: Monday, 4 February 2002 19:03
To: '[EMAIL PROTECTED]'
Subject: Connection hangs when using SSL

I'm trying to get Apache up and running on WinNT, with SSL

I'm using Apache/1.3.19 (Win32) mod_ssl/2.8.3 OpenSSL/0.9.6a

My Apache config is as follows

...
SSLMutex sem
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel debug
<VirtualHost MY_HOST:443>
ServerName MY_HOST
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile D:/apache/ssl/my-server.cert
SSLCertificateKeyFile D:/apache/ssl/my-server.key
SetEnvIf User-Agent .*MSIE.* \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log combined
</VirtualHost>

My problem is that when I issue https://MY_HOST through the browser the browser simply hangs - there's no response from apache.

If I try and connect to 443 directly using openssl I get

$ openssl s_client -connect MY_HOST:443 -state -debug
CONNECTED(0003)
SSL_connect:before/connect initialization
write to 0A01ED48 [0A01F788] (130 bytes = 130 (0x82))
SSL_connect:SSLv2/v3 write client hello A

... and nothing more. I've tried using the -ssl2 and -ssl3 flags, but get the same result.

I've tried connecting using telnet and trying to speak http to the port and that doesn't work so that's not the issue.

Furthermore, when I try and connect I get an entry in my ssl.log ...

[04/Feb/2002 17:01:01 00193] [info] Connection to child 4 established (server MY_HOST:443, client MY_IP)

Any suggestions gratefully received

Regards
Ken Tune