Re: Apache and mod_ssl - refusing connections on https?

2007-07-31 Thread Omar W. Hannet

SSLEngine On?

Glyn Astill wrote:

Hi people,

I'm new to this list, so hello.

I've been trying to get https working with apache 2.0.59 on NetBSD
3.99 today, and it's
beginning to make my face ache.

Basically when I try to view a page via https I get connection
refused. Apache is compiled with mod_ssl.c, I have openssl installed.

This is what I've done so far:

1) Copied the example openssl cfg from examples to
/etc/openssl/openssl.cnf

2) Generated my server key, then pem file then the csr and crt.

3) Then copied them all into ssl.key (server.pem, server.key),
ssl.csr (server.csr) and ssl.crt (server.crt). This is where my
ssl.conf expects them.

4) Made sure ssl.conf is pointing to these files properly and is
listening on port 443 (Listen ipaddress:443)

5) Made sure ssl.conf is included in httpd.conf properly

6) Checked that mod_ssl.c is compiled in with httpd -l

7) checked my apache access and error logs - nothing !

 And still nothing, it can't be listening on 443.

If I do the following:

#openssl s_client -connect localhost:443 -state -debug

I get:

connect: Connection refused
connect:errno=61
I've even tried copying all my virtual hosts and changing :80 to
:443, still nothing.

This is really the first time I've ever touched ssl, so I'm hoping
I'm missing something really dumb. I've basically just got the
standard ssl.conf example modified ever so slightly so that things
point in the right place.

?

Any ideas?


Cheers
Glyn


__

Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]



--
Omar W. Hannet
http://www.allez-oop.net/


Re: Ref : RE: Ref : RE: Ref : RE: SSL by Domain Name Error

2007-06-19 Thread Omar W. Hannet

Rob Archer wrote:


No entry for https and domain name in the access.log and an "Internet Explorer cannot
display the webpage" in IE when trying to get to the server.


Do you have access to the openssl command line program?
It would tell you whether you are making a connection, and
possibly shed some light on the problem.  Like this:

openssl s_client -connect www.mydomain.com:443 -debug
GET /

--
Omar W. Hannet
http://www.allez-oop.net/


Re: SSL by Domain Name Error

2007-06-19 Thread Omar W. Hannet

I'll bet you're right when you say your provider may not be
forwarding https requests properly.  I'd run this one past
them and see what they have to say about it.

Rob Archer wrote:

When accessing it by ip address using the debug option of openssl it
returns what you would expect (i.e. the text of the key certificate).

When accessing by domain name it says :-

Loading 'screen' into random state - done
Connect: bad file descriptor
Connect:errno=10060


I assume this is the equivalent of the Internet Explorer cannot display
the webpage error in IE !!!


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: 19 June 2007 17:07
To: modssl-users@modssl.org
Subject: Re: Ref : RE: Ref : RE: Ref : RE: SSL by Domain Name Error


Rob Archer wrote:

No entry for https and domain name in the access.log and an "Internet
Explorer cannot display the webpage" in IE when trying to get to the
server.


Do you have access to the openssl command line program?
It would tell you whether you are making a connection, and possibly shed
some light on the problem.  Like this:

openssl s_client -connect www.mydomain.com:443 -debug
GET /




Re: Apache with mod_ssl

2007-06-19 Thread Omar W. Hannet

Are you quite certain that the LoadModule for mod_ssl has been
commented out?  The reason I ask: the output from 'apachectl start'
which you provided below shows 'mod_ssl/2.2.4'.

In the log file /opt/apache-2.2.4/logs/error_log, on lines that contain
'Apache/2.2.4' and 'configured -- resuming normal operations', do
you see 'mod_ssl/2.2.4'?  If so, it is still being loaded from somewhere
in your configuration.

Saikat Saha wrote:

Sorry for late response on this one. This is what we have in httpd.conf
which is generated at compile time. This problem does not go away even
if I comment out last four lines and restart apache. Could you please
advise what else could be leading apache to think it is https rather
than http?



# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must be present to support
#   starting without SSL on platforms with no /dev/random equivalent
#   but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>


With above commented out, when I try to start apache, I get following
passphrase prompt and apache does not start even after saying passphrase
successful, no logs in logs directory although log level is debug

[EMAIL PROTECTED] bin]# ./apachectl start
httpd: Could not reliably determine the server's fully qualified domain
name, using 10.3.110.109 for ServerName
Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 10.3.110.109:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[EMAIL PROTECTED] bin]#

Thanks you very much for your help.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Monday, June 18, 2007 8:34 AM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Do you have <IfModule ssl_module> tags surrounding all
SSL directives in your configuration file?  For example:

<IfModule ssl_module>
SSLPassPhraseDialog  builtin
# etc.
</IfModule>

Saikat Saha wrote:

Apache was compiled as below

./configure --with-ldap --enable-mods-shared=all ssl ldap cache proxy
authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock
disk_cache --prefix=/opt/apache-2.2.4

Httpd -l gives below
[EMAIL PROTECTED] bin]# httpd -l
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c

How do I compile so that it does not load mod_ssl automatically and
loads only if httpd.conf is configured.

Surprisingly there are no error logs even at debug level.

Thank you so very much for the kind help.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Friday, June 15, 2007 4:13 PM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Saikat Saha wrote:
We have apache 2.2.4 compiled with all modules but commented out all
load modules. Do not have anything in httpd.conf file to state that this
is https. But when I start apache, it tries to goto https and prompts
for pass phrase. How does apache determine that this is https whereas
this is actually a http server.

Perhaps mod_ssl is a compiled-in module.  Run 'httpd -l' to check this.

After I enter a passphrase, it shows
successful but the server never starts up. Can someone please help?

The reason probably can be found in Apache's error_log file.

Also can apache support both http and https at different ports at the
same time?

Yes.  The defaults are port 80 for http and port 443 for https.



Re: SSL by Domain Name Error

2007-06-18 Thread Omar W. Hannet

Rob Archer wrote:

Anybody have any suggestions ?



Have created the key through open ssl and configured apache (using
http://raibledesigns.com/wiki/Wiki.jsp?page=ApacheSSL instructions) and
can access https via the IP address of the web server but not the
domain name. When trying to get to the webserver via the domain
name through https it says internet explorer cannot display this web
page. Using the normal http protocol I can get the It Works page
through both IP address and domain name.

Have tried to get around this by fiddling about with the virtual
hosts settings but haven't found any solution. Can anyone help !!!


You might try adding a NameVirtualHost directive:

NameVirtualHost 1.2.3.4:443

(Your own IP address in place of '1.2.3.4'.)

If that doesn't help, please show us the VirtualHost block for
this domain in your current Apache configuration.

--
Omar W. Hannet
http://www.allez-oop.net/


Re: SSL by Domain Name Error

2007-06-18 Thread Omar W. Hannet

What's the result when you set ServerName to your domain
name within the virtual host?:

<VirtualHost 1.2.3.4:443>
ServerName example.com
SSLEngine On
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
</VirtualHost>

Rob Archer wrote:

Thanks for the response, I'm using the following in the httpd.conf
file:-

<IfModule ssl_module>
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache none
ErrorLog logs/ssl.log
LogLevel info
</IfModule>

<VirtualHost 1.2.3.4:443>
SSLEngine On
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
</VirtualHost>


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: 18 June 2007 16:13
To: modssl-users@modssl.org
Subject: Re: SSL by Domain Name Error


Rob Archer wrote:

Anybody have any suggestions ?



Have created the key through open ssl and configured apache (using
http://raibledesigns.com/wiki/Wiki.jsp?page=ApacheSSL instructions) and
can access https via the IP address of the web server but not the
domain name. When trying to get to the webserver via the domain
name through https it says internet explorer cannot display this web
page. Using the normal http protocol I can get the It Works page
through both IP address and domain name.

Have tried to get around this by fiddling about with the virtual
hosts settings but haven't found any solution. Can anyone help !!!


You might try adding a NameVirtualHost directive:

NameVirtualHost 1.2.3.4:443

(Your own IP address in place of '1.2.3.4'.)

If that doesn't help, please show us the VirtualHost block for this
domain in your current Apache configuration.

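
The configuration below is an added example from the editor, not taken from any message in these threads and not Omar's, Glyn's, Rob's or Saikat's own config. It pulls together the three things the threads above turn on: a Listen on port 443 so a socket exists at all (otherwise openssl s_client reports "connect: Connection refused"; errno 61 on NetBSD is ECONNREFUSED), the <IfModule ssl_module> guard around SSL directives, and NameVirtualHost plus ServerName so a name-based SSL host answers for the domain rather than only for the IP address. It is written for the mod_ssl shipped with Apache 2.2; the address 192.0.2.10, the name www.example.com and every file path are assumptions.

```apache
# Added example (editor's, not from the thread). Apache 2.2 mod_ssl.
# 192.0.2.10, www.example.com and all paths are assumptions.

# Only needed when mod_ssl was built as a shared object. 'httpd -l'
# lists compiled-in modules; if mod_ssl.c is there, omit this line.
LoadModule ssl_module modules/mod_ssl.so

# Without a Listen for 443 no process is bound to the port and every
# https client gets "Connection refused" before any TLS is attempted.
Listen 192.0.2.10:443

<IfModule ssl_module>
    # Guarding SSL directives keeps httpd starting when the module is
    # absent instead of failing on an unknown directive.
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLSessionCache shmcb:logs/ssl_scache(512000)
    SSLMutex default
    SSLPassPhraseDialog builtin

    # Required before any name-based <VirtualHost> on this address:port.
    NameVirtualHost 192.0.2.10:443

    <VirtualHost 192.0.2.10:443>
        # Must match the host name the browser asks for; without it the
        # host is selected and the redirects are built from the IP only.
        ServerName www.example.com:443
        DocumentRoot /var/www/secure
        ErrorLog logs/ssl_error_log
        LogLevel info

        SSLEngine on
        SSLCertificateFile    conf/ssl/server.crt
        SSLCertificateKeyFile conf/ssl/server.key
        # Intermediate CA certificate(s) when server.crt is not issued
        # directly by a root the browser already trusts.
        SSLCertificateChainFile conf/ssl/chain.crt
    </VirtualHost>
</IfModule>
```

After a restart, `openssl s_client -connect www.example.com:443 -state` should show the handshake messages instead of "connect: Connection refused"; a refusal means nothing is bound to the port, so check the Listen line and `netstat -an | grep 443` before suspecting the certificate files. Two caveats for the versions in these threads: the stock Apache 2.0 ssl.conf wraps its contents in <IfDefine SSL>, which only takes effect when httpd is started with -DSSL (apachectl startssl), and before SNI support (httpd 2.2.12 with OpenSSL 0.9.8f or later built with TLS extensions) the browser sends the host name only after the handshake, so every name-based host sharing one IP:443 pair is served with the first host's certificate.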


Re: Apache with mod_ssl

2007-06-15 Thread Omar W. Hannet

Saikat Saha wrote:
We have apache 2.2.4 compiled with all modules but commented out all 
load modules. Do not have anything in httpd.conf file to state that this 
is https. But when I start apache, it tries to goto https and prompts 
for pass phrase. How does apache determine that this is https whereas 
this is actually a http server.


Perhaps mod_ssl is a compiled-in module.  Run 'httpd -l' to check this.

After I enter a passphrase, it shows 
successful but the server never starts up. Can someone please help?


The reason probably can be found in Apache's error_log file.

Also can apache support both http and https at different ports at the 
same time?


Yes.  The defaults are port 80 for http and port 443 for https.

--
Omar W. Hannet
http://www.allez-oop.net/


Re: adding mod_ssl module to existing apache configuration

2007-06-12 Thread Omar W. Hannet

Lalit Kapoor wrote:

Can you give me some idea if it possible to add mod_ssl in running 
configuration or do i need to recompile and install apache with mod_ssl.


Have you tried 'yum install mod_ssl'?

--
Omar W. Hannet
http://www.allez-oop.net/


Re: Am I using SSLCACertificateFile as intended?

2007-04-24 Thread Omar W. Hannet

I think all you need to do is tighten up your SSLRequire rules.

Something like this (all on one line, omitting the backslash at line-end):

SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 \
  and %{SSL_CLIENT_I_DN} eq "IssuingCA2"

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC23


Omar

[EMAIL PROTECTED] wrote:

Hi all --

I'm having some trouble configuring Apache/mod_ssl to do what I want. 
Perhaps I have some misconceptions that need dispelling.  Any help would be
greatly appreciated.

OVERVIEW/GOAL:
I'm retrofitting some Apache servers to require client certificates.  Note
that these servers have certificates that are (temporarily) self-signed. 
Our organization already has a PKI consisting of a self-signed RootCA and
two IssuingCAs.  My goal here is to configure my Apache server to require
user certificates issued by IssuingCA2, and to refuse access to all
others.

Server version: Apache/2.2.3
Server built:   Aug 10 2006 17:29:16
OpenSSL 0.9.8b 04 May 2006

THE PROBLEM:
The problem is that I've found only one configuration that will allow a
client to successfully load a page, and in this case, it will also allow
the use of user certificates issued by the other IssuingCA.  I find this
baffling, since I haven't told Apache anything about this particular
IssuingCA.

I believe that my problems are centering around the SSLCACertificateFile
directive.  See below for my SSL (scrubbed) conf file.

CASE 1:
If I use this invocation, Apache allows certificates from any issuing CA
that has been signed by our Root CA.  Note that certchain.cer is a
concatenation of the PEM-encoded certificates for IssuingCA2 and the
RootCA (specifically, of IssuingCA2.cer and RootCA.cer mentioned in the
next two cases).
  SSLCACertificateFile conf/ssl/certchain.cer

Here is the logfile excerpt for this case:

[Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 2, subject: [SNIP]Root CA, issuer: [SNIP]Root CA
[Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 1, subject: [SNIP]Issuing CA 1, issuer: [SNIP]Root CA
[Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 0, subject: /CN=[SNIP], issuer: [SNIP]Issuing CA 1

CASE 2:
If I use this invocation, Apache will run but will complain (whenever the
protected page is loaded) that it can't find the local issuer certificate.
 I've tried setting SSLVerifyDepth to 1, but this didn't help anything. 
The only good thing about this case is that the list of certificates
presented by the remote browser to the user only includes those directly
issued by IssuingCA2.
   SSLCACertificateFile conf/ssl/IssuingCA2.cer

Here is the logfile excerpt for this case:

[Mon Apr 23 22:31:18 2007] [debug] ssl_engine_kernel.c(1190): Certificate Verification: depth: 1, subject: [SNIP]Issuing CA 2, issuer: [SNIP]Root CA
[Mon Apr 23 22:31:18 2007] [error] Certificate Verification: Error (20): unable to get local issuer certificate

CASE 3:
If I use this invocation, Apache won't even run.  Note that the content of
RootCA.cer is exactly the same content that makes up an essential part of
certchain.cer (see above).  AFAIK, this certificate should have format and
content readily usable by Apache.  The only special thing about it, is
that it is a self-signed certificate (does that make a difference?)
   SSLCACertificateFile conf/ssl/RootCA.cer

Here is the logfile excerpt for this case:

[Mon Apr 23 22:02:13 2007] [info] Loading certificate & private key of SSL-aware server
[Mon Apr 23 22:02:13 2007] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Mon Apr 23 22:02:13 2007] [info] Configuring server for SSL protocol
[Mon Apr 23 22:02:13 2007] [debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, TLSv1)
[Mon Apr 23 22:02:13 2007] [debug] ssl_engine_init.c(538): Configuring client authentication
[Mon Apr 23 22:02:13 2007] [error] Unable to configure verify locations for client authentication
[Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 33558533 error:02001005:system library:fopen:Input/output error
[Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 537317378 error:2006D002:BIO routines:BIO_new_file:system lib
[Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 185090050 error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

HELP:
My expectation here was that I would need to provide the certificate chain
(issuing and root CA) required to authenticate the user certificate, and
that a user certificate issued by any other IssuingCA would fail because I
haven't given Apache the IssuingCA's certificate.

Instead, it seems like the server has gained access to the IssuingCA1
certificate (does it do this directly, or does the client send it?), and
is validating that certificate against the RootCA.  This seems to happen
when I provided the RootCA in the SSLCACertificateFile, which (as I
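
The configuration below is an added example from the editor, not from the thread and not the poster's or Omar's own config. It shows how the three cases above fit together on Apache 2.2 mod_ssl: the verify store named by SSLCACertificateFile has to reach a self-signed root, which is why the issuing CA on its own ends in error 20, and once the root is trusted any CA the root has signed verifies as well, because the browser sends its own intermediate in the handshake (the depth: 1 entry for Issuing CA 1 in case 1 came from the client, not from certchain.cer). Trust in the store is therefore not the policy decision; the restriction to IssuingCA2 has to be stated separately, as in the SSLRequire rule Omar suggests. The issuer DN /O=Example Org/CN=Issuing CA 2, the address and the file names are assumptions; SSLCADNRequestFile is the 2.2 directive for the acceptable-CA list sent to the browser and goes beyond what the thread discusses.

```apache
# Added example (editor's, not from the thread). Apache 2.2 mod_ssl.
# Address, file names and the issuer DN below are assumptions.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key

    # Verification must build a chain up to a self-signed root, so the
    # root certificate has to be in this file. An issuing CA certificate
    # alone fails with "unable to get local issuer certificate" (X509
    # error 20). Because the root is trusted, every CA the root has
    # signed is accepted here too: the client supplies its own
    # intermediate during the handshake and the chain verifies.
    SSLCACertificateFile conf/ssl/certchain.cer
    SSLVerifyClient require
    # client (0) -> issuing CA (1) -> root (2)
    SSLVerifyDepth  2

    # Advertise only Issuing CA 2 in the CertificateRequest, so the
    # browser offers just the certificates it issued. This list is what
    # the client sees; it does not change what verifies above.
    SSLCADNRequestFile conf/ssl/IssuingCA2.cer

    <Location /secure>
        # The actual policy: pin the issuer of the presented certificate.
        # SSL_CLIENT_I_DN is the issuer DN in OpenSSL one-line form in
        # 2.2; a certificate from Issuing CA 1 verifies but is refused.
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 \
                   and %{SSL_CLIENT_I_DN} eq "/O=Example Org/CN=Issuing CA 2"
    </Location>
</VirtualHost>
```

The exact one-line DN string to compare against can be read from the server's own logs (LogLevel debug prints "subject: ..., issuer: ..." at each depth, as in the excerpts above) or with `openssl x509 -in IssuingCA2.cer -noout -subject`; the comparison is an exact string match, so spacing and component order matter.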

Experimental per-directory CRL

2006-05-09 Thread Omar W. Hannet

I just noticed the SSL_EXPERIMENTAL_PERDIRCRL code was gone from mod_ssl
since a couple of versions ago.  Any chance of it ever coming back?

--
Omar W. Hannet
Allez-Oop Net
http://www.allez-oop.net/


Action directive and client cert authentication

2005-01-06 Thread Omar W. Hannet
When I use an Action directive in a directory secured by client certificate
authentication, the CGI output does not display.
My server is Apache 1.3.33 with mod_ssl-2.8.22.  My config.status looks like 
this:
CFLAGS=-g -DSSL_EXPERIMENTAL -DSSL_EXPERIMENTAL_PROXY_IGNORE 
-DSSL_EXPERIMENTAL_ENGINE_IGNORE \
./configure \
--with-layout=Apache \
--prefix=/usr/local/apache \
--enable-module=ssl \
$@
I have a directory htdocs/secure, which contains this .htaccess file:
AddType application/test .test
Action application/test /cgi-bin/test.pl
SSLRequireSSL
SSLVerifyClient require
SSLCACertificateFile /usr/local/etc/ca.crt
My Apache configuration contains:
SSLPassPhraseDialog  builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog  /usr/local/apache/logs/ssl_engine_log
SSLLogLevel trace
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/server.key
SSLCertificateChainFile /usr/local/apache/conf/equifax.crt
SSLCACertificateFile /usr/local/apache/conf/ca.crt
SSLVerifyDepth  10
The SSLCACertificateFile (ca.crt) is a self-signed CA which I created.
I have added the CA to my browser, along with a client cert signed by
that CA.  The same CA is copied to /usr/local/etc/ca.crt, which is
referenced by the SSLCACertificateFile directive in my .htaccess file.
This CA is different from the one securing the web server itself.
Within the htdocs/secure directory are files index.html and x.test.
When I browse with HTTPS to /secure/index.html or to /cgi-bin/test.pl,
the results are displayed just as they should be.
However, when I access /secure/x.test, the CGI output does not appear
at all.  Instead, the following messages appear in ssl_engine_log:
[06/Jan/2005 17:27:23 55592] [error] SSL error on reading data (OpenSSL library error follows)
[06/Jan/2005 17:27:23 55592] [error] OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
[06/Jan/2005 17:27:23 55592] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Is this a bug in mod_ssl, or is there something I need do to differently
to get my CGI output?
Thanks
--
Omar W. Hannet
Allez-Oop Net
http://www.allez-oop.net/