Problem with Global Server ID - SGC

2000-03-06 Thread vijay karthik

Hi!

I am facing a problem while configuring Global Server
Certificate (SGC) support.

1> I got a VeriSign Global Server ID (for SGC): gsid.crt
2> Specified gsid.crt under SSLCertificateFile
3> Specified the key file
4> Got the intermediate VeriSign CA root (gsid_ca.crt)
   and specified it under SSLCertificateChainFile.
5> Started Apache: apachectl startssl

I installed the Netscape 4.08 browser with SGC support.
I selected the cipher "RC4 encryption with a 128-bit
key and an MD5 MAC (When permitted)" and unselected
every other cipher in the browser. I expected a
step-up. The browser gave an error when connecting to
the Apache server:

"You cannot connect to an encrypted website because
SSL has been disabled. You can enable SSL from
security->navigator option...etc"

Whereas if I select the cipher "RC4 encryption with a
40-bit key and an MD5 MAC", the connection goes
through fine. This means the step-up still doesn't work!

The ssl_engine_log file says...
...
OpenSSL: read 0/7 bytes from BIO#00159AF0
[mem:00175048] (BIO dump follows)
+---+
+---+
Spurious SSL handshake interrupt[Hint: Usually one of
those OpenSSL confusions]

VeriSign customer support says "install
Intermediate Cert first and then
the SGC (Global Server) cert later", but I could not
understand how you can do that. After all, if I don't
specify the SSLCertificateFile when
SSLEngine is on, I won't be able to start the server at
all.

Can someone help me with this?

Thanks a lot
Vijay

__
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: No response after starting apache1.3.11-modssl2.5.0 in WinNT

2000-02-13 Thread vijay karthik

Cheung,

The server prompts for the passphrase once
on my NT installation, but I went ahead and
typed the passphrase again even though it didn't
prompt for it (it seemed to be hanging,
but I still typed my password), and there
you go, everything started to work fine.

Even the log file (when you set the debug logtype option
in httpd.conf) has log messages that say the server is
waiting for the second try for the passphrase.

It seems there is no explicit prompt message
but the program is still waiting for the
passphrase? Until I type it, I see from the openssl
command tool (s_client option) that the client
is waiting for "Server Hello". Once it is typed, I can see
the handshake go through fine!

-vijay

--- Cheung Chun Ho <[EMAIL PROTECTED]> wrote:
> Hi,
>
> We are able to build openssl-0.9.4, apache-1.3.11 with modssl-2.5.0's
> patch applied in Win98 and run the SSL webserver successfully.
>
> We do a similar build in WinNT server 4.0 and use a similar httpd.conf.
> We start the server by "apache -D SSL". Unlike in Win98, the server
> prompts for the pass phrase once, instead of twice. The server seems
> to hang afterward and both Netscape and IE fail to connect to it,
> whether using http or https. The same problem occurs with the
> opensa-0.20 package. If the server key is not pass-phrase protected,
> both Netscape and IE can connect to it using http and https, except
> when we are doing SSL client authentication.
>
> I wonder if anyone has encountered a similar problem and knows the
> solution for it.
>
> thanks and regards,
> Ho



Re: modssl on NT

2000-02-11 Thread vijay karthik

Even though the openssl tool complains about the
certificate, it doesn't seem to mean
much, because I tried the same certificate on
my Unix installation (same setup: apache/modssl/bsafe)
and it worked very fine. And still the openssl
tool on Unix complained. Probably the error
shown by the tool is not related to the
problem I am seeing.

The fact that the dummy certs work fine
but not the VeriSign certs should give some lead as to
which component the problem could lie in.
(Could it be in the mod_ssl/openssl/bsafe patch?)

Any guesses?
thanks
vijay

--- vijay karthik <[EMAIL PROTECTED]> wrote:
>
> Hi!
>
> The Apache server is working with the
> dummy certs but not the VeriSign cert.
>
> I ran the command,
> openssl verify 
>
> I got the following error
> verisign.crt:
> /C=US/ST=california/L=location/O=xyzInc/OU=test/CN=Mypc.xyz.com
> error 20 at 0 depth lookup:unable to get local issuer certificate
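
Added example (not part of the original messages): error 20, "unable to get local issuer certificate", is what `openssl verify` prints when it cannot find the certificate that issued the one being checked. The script reproduces that with a throwaway three-level chain and shows the same server certificate verifying once the intermediate is supplied; every name and file is constructed, and an `openssl` binary on the PATH is assumed.

```shell
#!/bin/sh
# Constructed demo chain: root CA -> intermediate CA -> server certificate.
# Every subject name and file here is made up for this example.

make_chain() {   # $1 = empty working directory
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root: the only certificate the verifier trusts.
    openssl req -config "$d/demo.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -config "$d/demo.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 1 -days 2 -extfile "$d/demo.cnf" -extensions v3_ca \
        -out "$d/int.crt" 2>/dev/null
    # Server certificate, signed by the intermediate and not by the root.
    openssl req -config "$d/demo.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -set_serial 2 -days 2 -out "$d/srv.crt" 2>/dev/null
}

# Only the root is available, so the issuer of srv.crt cannot be located.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/srv.crt" 2>&1 || true
}

# The intermediate is supplied as an untrusted helper, completing the chain.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
        "$1/srv.crt" 2>&1 || true
}

work=$(mktemp -d)
make_chain "$work"
verify_without_intermediate "$work"
verify_with_intermediate "$work"
rm -rf "$work"
```
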




Re: modssl on NT

2000-02-11 Thread vijay karthik


The httpd.conf was taken from unix and
 was failing hence the
modules were not getting loaded.
I removed the IfDefine from httpd.conf.
(That's the reason we give -DSSL on the command line
to start httpd on Unix?)

Now Apache with modssl/openssl is running
when I start apache.exe. Even though the
Apache server is now listening on the SSL port,
I don't get any response back! (No failures in the
ssl_error_log file.) The browser hangs with a
"contacted: waiting for reply" message!

Any pointers on what to check to find out the
problem?

thanks
vijay
--- vijay karthik <[EMAIL PROTECTED]> wrote:
> I forgot to mention that I am using the
> bsafe library instead of rsaref.
> (apache1.3.9+modssl+openssl+bsafe+NT)
>
> thanks
> vijay
>
> > Hi!
> >
> > I am trying to run apache+modssl+openssl on NT.
> > I was able to build the openssl libraries.
> > I had my Apache source tree extended with
> > modssl modules on my Unix machine. I copied it
> > over to my NT box and compiled it. Everything
> > went through fine and I installed Apache from the
> > build.
> >
> > I ran the binary "Apache.exe" and I see the Apache
> > server listening on the normal port (8080). (I see no
> > error message during startup.) But I don't see
> > the SSL-aware Apache server (port 8443) up!
> > There are no SSL-related error logs in the
> > logs directory!



Re: modssl on NT

2000-02-11 Thread vijay karthik

Okay,
I believe "LoadModule" has no effect on NT.
I removed the LoadModule line from the conf
file.

Let me know if you have any idea about how I
should proceed with debugging this problem.

I have attached the httpd.conf file which I am
using.

thanks
vijay

##
## httpd.conf -- Apache HTTP server configuration file
##
ServerType standalone
ServerRoot "c:\apache"
PidFile c:\apache\logs\httpd.pid

ClearModuleList
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_negotiation.c
#AddModule mod_status.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_so.c
AddModule mod_setenvif.c

AddModule mod_ssl.c


Port 8080

Listen 8080
Listen 8443


DocumentRoot "c:\apache\htdocs"

ErrorLog c:\apache\logs\error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog c:\apache\logs\access_log common

ServerSignature On

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl



SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300
SSLMutex  file:c:\apache\logs\ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog  c:\apache\logs\ssl_engine_log
SSLLogLevel info




DocumentRoot "c:\apache\htdocs"
ServerName dummypc.xyz.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog c:\apache\logs\error_log
TransferLog c:\apache\logs\access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

SSLCertificateFile c:\apache\conf\ssl.crt\verisign.crt
SSLCertificateKeyFile c:\apache\conf\ssl.key\verisign.key

CustomLog c:\apache\logs\ssl_request_log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"





Re: modssl on NT

2000-02-11 Thread vijay karthik

I forgot to mention that I am using the
bsafe library instead of rsaref.
(apache1.3.9+modssl+openssl+bsafe+NT)

thanks
vijay

> Hi!
>
> I am trying to run apache+modssl+openssl on NT.
> I was able to build the openssl libraries.
> I had my Apache source tree extended with
> modssl modules on my Unix machine. I copied it
> over to my NT box and compiled it. Everything
> went through fine and I installed Apache from the
> build.
>
> I ran the binary "Apache.exe" and I see the Apache
> server listening on the normal port (8080). (I see no
> error message during startup.) But I don't see
> the SSL-aware Apache server (port 8443) up!
> There are no SSL-related error logs in the
> logs directory!



modssl on NT

2000-02-10 Thread vijay karthik

Hi!

I am trying to run apache+modssl+openssl on NT.
I was able to build the openssl libraries.
I had my Apache source tree extended with
modssl modules on my Unix machine. I copied it
over to my NT box and compiled it. Everything
went through fine and I installed Apache from the
build.

I ran the binary "Apache.exe" and I see the Apache
server listening on the normal port (8080). (I see no
error message during startup.) But I don't see
the SSL-aware Apache server (port 8443) up!
There are no SSL-related error logs in the
logs directory!

Or is there some other way of starting SSL Apache?
(like on Unix: -DSSL)

When I access the normal port through the browser it shows
the normal installation success page:
"The SSL/TLS-aware Apache webserver was
successfully installed on this website
...
..
"

I have got a certificate and the location of the
cert file is correctly specified in httpd.conf.
The error_log is clean.

I have added the line
LoadModule ssl_module c:\apache\modules\ApacheModuleSSL.dll
Are there any other changes that need to be made in httpd.conf?

Can someone tell me where the problem could be?
What should I be checking to find out the
problem area?

Thanks
Vijay
