trying to understand handshake in s23_srvr.c apache 1.3.14 + openssl 0.9.6 solutions

Sat, 03 Feb 2001 19:03:34 -0800 

OK - I think I found it.

For anyone trying to configure this there are aome pointers.

1)  The httpsd.conf file found in the apache directory, typically in 
/usr/local/apache_1.3.14/conf  is not used.  The server instead looks for
httpd.conf.  You can grab the one Ben Laurie created and mofify it heavily.  Pay 
careful attention to the paths where things are found.

2)  Ben has set up heap as his virtual machine.  The server seems to key on the port 
number as follows:

  - standard http port is 80
  - secure https port is 443

  - you typically want the server to listen to both ports  (and you can use Ben's 8887 
and 8888 for testing if you wish)

  - Apache is dumb as a brick and does NOT KNOW which protocol is running on which 
port.  You need to tell it like this.

Port 80
Listen 80
Listen 443

NameVirtualHost www.mydomain.com

<VirtualHost www.mydomain.com:80>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /webroot/
ServerName www.mydomain.com
ServerPath /mydomain
ErrorLog logs/error-log-mydomin
TransferLog logs/access-log-mydomin
SSLDisable
</VirtualHost>

When the http requst comes in on port 80 it is directed to a virtual host which does 
NOT run https.  If you do not do this then apache will fire the handshake into the 
openSSL code and it will result in a trap in routine s23_srvr.c around line 285 or so. 
 Of course the error message will not clue you in to the fact that apache is trying to 
feed http protocol into https code.

3)  Debugging output is enabled in the code.  Before you put it into production you 
will probably want to disable it and recompile.

4)  There is a LOT of configuration that you need to do.  

5)  Note: the above example has somne special directives that are designed for Name 
Based Virtual Hosting.  In particular the ServerPath directive allows you some support 
for brain dead old browsers such the one shipped in OS/2.  Read all about it in the 
apache docs.  It really does not belong in here but there's a tip anyway.

6)  You do not seem to have to do any patching to openSSL 0.9.6 (0.9.5a does require 
the patch)

If peeople want I'll document all this and put it up on my website.  Just let me know.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to