Hi Kirst,
thanks for your assistance.
I exported the keystore file on remoteserver:
keytool -export -alias tomcat -rfc > tomcat.pem
I then ftp'ed tomcat.pem to proxy server (apache) to run c_rehash as root on
the ssl/ directory.
A link was created:
cc5d41ae.0 -> tomcat.pem
When doing
openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443
The CN displays the remoteserver
CONNECTED(00000004)
…
---
Certificate chain
…
---
Server certificate
-----BEGIN CERTIFICATE-----
..
---
No client certificate CA names sent
---
SSL handshake has read 1136 bytes and written 282 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 480357285859DB7A420754C6062AE334E398F8C90064E0B8E39F6C7F21753DB4
Session-ID-ctx:
Master-Key:
BDD6FAE6136A55CE4AA4F5050ED22E318131264E2857E37D917CEF28C51094280768177BE7EC9C1044109670B44CCE61
Key-Arg : None
Start Time: 1208178472
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
But When I GET the page, nothing is returned.
Any idea?
thanks
--- On Mon, 14/4/08, Krist van Besien <[EMAIL PROTECTED]> wrote:
> From: Krist van Besien <[EMAIL PROTECTED]>
> Subject: Re: [EMAIL PROTECTED] url proxying
> To: users@httpd.apache.org, [EMAIL PROTECTED]
> Date: Monday, 14 April, 2008, 1:47 PM
> On Sun, Apr 13, 2008 at 11:32 PM, Melanie Pfefer
> <[EMAIL PROTECTED]> wrote:
> > hi Kirst, all,
> >
> > To use c_rehash, I must have .pem and .crt files.
> Correct me if I am worong please. The remote server has a
> self-signed certificate that was generated using keytool
> (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) so
> the file generated is .keytool. Should I generate .pem and
> .crt files to run c_rehash? If so, how?
>
> You can export your certificate using keytool, like this:
>
> keytool -export -alias tomcat -rfc > tomcat.pem
>
> The "-rfc" option is important, as this exports a
> PEM certicate.
> If your keystore is in a different location you need to add
> the
> -keystore <keystorefile> option. If your tomcat
> server uses a
> certificate with a different alias modify the -alias
> parameter.
>
> For proxying via apache to work it is important that the
> certicate
> passes all the tests. Normally when you connectyour browser
> to a https
> server with a self signed certificate, or when something
> else is wrong
> a dialog will pop up telling you what is wrong and giving
> you the
> option to go ahead and connect anyway. You must understand
> that since
> apache will connect to the https server in an
> non-interactive way
> there is no-one to confirm apache it is ook to proceed.
> Therefore the
> certificate must pass all the test.
> 1) The common name of the certificate must be identical to
> the name
> used in the URL.
> 2) The certificate must still be valid.
> 3) The signature must verify as OK.
>
> 1 &2 you take care of when you generate the
> certificate. 3) you take
> care of on the apache side, by putting the self signed cert
> in the
> cacerts dir.
>
> > On another front, I understand from you that I can
> having apache as a proxy server that talks SSL witht the
> backend and non-ssl with the end user (in URL, the user
> puts http not https even if the backend server is accessed
> via https). Correct me if I am wrong please.
>
> You can indeed do this. I have one server who does exactly
> this.
>
> Krist
>
>
> --
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email
> discussions?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for
> more info.
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> " from the digest:
> [EMAIL PROTECTED]
> For additional commands, e-mail:
> [EMAIL PROTECTED]
___________________________________________________________
Yahoo! For Good helps you make a difference
http://uk.promotions.yahoo.com/forgood/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
