On Nov 28, 2010, at 3:58 PM, Jeff Schmitz wrote:

>
> It doesn't find the generated URL of:
>
> https://localhost/netBrackets/-9999/wa/poolLogin
>
> but if I just remove the 's' from https, it finds the page:
>
> http://localhost/netBrackets/-9999/wa/poolLogin
>
> I'm thinking it has to do with the secure port not being generated correctly.
> Shouldn't :443 be specified as part of the https url?
>

(You don't need a :443 for https the same way you don't need a :80 for http, they are the default ports for those protocols.)

On the httpd-ssl.conf could you try changing the ServerName to localhost:443?
Like this:

ServerName localhost:443

Henrique Gomes

>
> On Nov 28, 2010, at 8:08 AM, Henrique Gomes wrote:
>
>>
>> What's the URL that's not found? What code or bindings are you using to
>> generate the hyperlink to the secure page?
>>
>> Henrique Gomes
>>
>>
>> On Nov 28, 2010, at 2:51 PM, Jeff Schmitz wrote:
>>
>>> Thanks,
>>>
>>> That gets me closer. Apache is now running when I restart it, and when I
>>> click on the secure WOHyperlink it's creating a https URL, and it picks up
>>> the certificate, but then when I accept the certificate I get the
>>> "requested URL not found" error. If I simply change the url to be a
>>> http:// URL, the page comes up with no other changes to the generated URL.
>>> Looks like webobjects is not liking any https URL. Is there something I've
>>> forgotten to do?
>>>
>>> Thanks
>>> Jeff
>>> On Nov 26, 2010, at 12:11 PM, Henrique Gomes wrote:
>>>
>>>> The wiki is more complicated than what's needed on a recent system:
>>>>
>>>> After generating the certificate, just put the certificate and key as
>>>> server.crt and server.key in /etc/apache2
>>>>
>>>> The only change needed to the conf files is to uncomment the line in
>>>> httpd.conf to include the ssl conf. I just left this as it was, included
>>>> below:
>>>> (I believe it's just like snow leopard installed it.)
>>>> <httpd-ssl.conf>
>>>>
>>>> Make sure the cert and key are readable to everyone or to the apache user.
>>>> (on a production environment you should be more careful about the key file)
>>>>
>>>>
>>>> Henrique Gomes
>>>>
>>>>
>>>> On Nov 26, 2010, at 2:31 PM, Jeff Schmitz wrote:
>>>>
>>>>>
>>>>> On Nov 26, 2010, at 6:34 AM, Henrique Gomes wrote:
>>>>>
>>>>>>
>>>>>> On Nov 26, 2010, at 4:25 AM, Jeff Schmitz wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>> I'm following the directions at the below link to add ssl support...
>>>>>>>
>>>>>>> http://wiki.objectstyle.org/confluence/display/WO/Development-SSL+requests+via+https+protocol?showComments=true&showCommentArea=true#addcomment
>>>>>>>
>>>>>>> but after adding the following Include to the httpd.conf file...
>>>>>>>
>>>>>>> Include /private/etc/apache2/extra/httpd-ssl.conf
>>>>>>
>>>>>> What's in that file? Did you edit it?
>>>>>
>>>>> Didn't edit it. It's pasted below.
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>> When I restart apache and try to open http://localhost I get the cannot
>>>>>>> connect to server error page. Looking in /var/log/apache there are no
>>>>>>> error messages, and according to the Systems Preferences panel apache
>>>>>>> is running. If I comment it out again and restart apache, it starts
>>>>>>> serving pages again.
>>>>>>>
>>>>>>
>>>>>> http? or https? if http://localhost doesn't work, either apache is not
>>>>>> running or something really strange is wrong with your setup.
>>>>>
>>>>> Neither works. But as soon as I comment out that line and restart, it
>>>>> starts serving http://localhost, but still not https://localhost
>>>>>
>>>>> I did notice when restarting this morning with the Include line commented
>>>>> out, I get the following warnings/notices:
>>>>>
>>>>> [Fri Nov 26 08:19:00 2010] [warn] Init: Session Cache is not configured
>>>>> [hint: SSLSessionCache]
>>>>> [Fri Nov 26 08:19:00 2010] [notice] Digest: generating secret for digest
>>>>> authentication ...
>>>>> [Fri Nov 26 08:19:00 2010] [notice] Digest: done
>>>>> [Fri Nov 26 08:19:00 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15
>>>>> OpenSSL/0.9.8l DAV/2 configured -- resuming normal operations
>>>>> [Fri Nov 26 08:19:03 2010] [notice] caught SIGTERM, shutting down
>>>>> [Fri Nov 26 08:19:03 2010] [warn] Init: Session Cache is not configured
>>>>> [hint: SSLSessionCache]
>>>>> [Fri Nov 26 08:19:03 2010] [notice] Digest: generating secret for digest
>>>>> authentication ...
>>>>> [Fri Nov 26 08:19:03 2010] [notice] Digest: done
>>>>> [Fri Nov 26 08:19:03 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15
>>>>> OpenSSL/0.9.8l DAV/2 configured -- resuming normal operations
>>>>>
>>>>> But I get no messages when the Include line is included.
>>>>>
>>>>>>
>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Jeff
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Do not post admin requests to the list. They will be ignored.
>>>>>>> Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
>>>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>>> http://lists.apple.com/mailman/options/webobjects-dev/lists%40farol.pt
>>>>>>>
>>>>>>> This email sent to li...@farol.pt
>>>>>>
>>>>> #
>>>>> # This is the Apache server configuration file providing SSL support.
>>>>> # It contains the configuration directives to instruct the server how to
>>>>> # serve pages over an https connection. For detailing information about
>>>>> these
>>>>> # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
>>>>> #
>>>>> # Do NOT simply read the instructions in here without understanding
>>>>> # what they do. They're here only as hints or reminders. If you are
>>>>> unsure
>>>>> # consult the online docs. You have been warned.
>>>>> #
>>>>>
>>>>> #
>>>>> # Pseudo Random Number Generator (PRNG):
>>>>> # Configure one or more sources to seed the PRNG of the SSL library.
>>>>> # The seed data should be of good random quality.
>>>>> # WARNING! On some platforms /dev/random blocks if not enough entropy
>>>>> # is available. This means you then cannot use the /dev/random device
>>>>> # because it would lead to very long connection times (as long as
>>>>> # it requires to make more entropy available). But usually those
>>>>> # platforms additionally provide a /dev/urandom device which doesn't
>>>>> # block. So, if available, use this one instead. Read the mod_ssl User
>>>>> # Manual for more details.
>>>>> #
>>>>> #SSLRandomSeed startup file:/dev/random 512
>>>>> #SSLRandomSeed startup file:/dev/urandom 512
>>>>> #SSLRandomSeed connect file:/dev/random 512
>>>>> #SSLRandomSeed connect file:/dev/urandom 512
>>>>>
>>>>>
>>>>> #
>>>>> # When we also provide SSL we have to listen to the
>>>>> # standard HTTP port (see above) and to the HTTPS port
>>>>> #
>>>>> # Note: Configurations that use IPv6 but not IPv4-mapped addresses need
>>>>> two
>>>>> # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
>>>>> #
>>>>> Listen 443
>>>>>
>>>>> ##
>>>>> ## SSL Global Context
>>>>> ##
>>>>> ## All SSL configuration in this context applies both to
>>>>> ## the main server and all SSL-enabled virtual hosts.
>>>>> ##
>>>>>
>>>>> #
>>>>> # Some MIME-types for downloading Certificates and CRLs
>>>>> #
>>>>> AddType application/x-x509-ca-cert .crt
>>>>> AddType application/x-pkcs7-crl .crl
>>>>>
>>>>> # Pass Phrase Dialog:
>>>>> # Configure the pass phrase gathering process.
>>>>> # The filtering dialog program (`builtin' is a internal
>>>>> # terminal dialog) has to provide the pass phrase on stdout.
>>>>> SSLPassPhraseDialog builtin
>>>>>
>>>>> # Inter-Process Session Cache:
>>>>> # Configure the SSL Session Cache: First the mechanism
>>>>> # to use and second the expiring timeout (in seconds).
>>>>> #SSLSessionCache "dbm:/private/var/run/ssl_scache"
>>>>> SSLSessionCache "shmcb:/private/var/run/ssl_scache(512000)"
>>>>> SSLSessionCacheTimeout 300
>>>>>
>>>>> # Semaphore:
>>>>> # Configure the path to the mutual exclusion semaphore the
>>>>> # SSL engine uses internally for inter-process synchronization.
>>>>> SSLMutex "file:/private/var/run/ssl_mutex"
>>>>>
>>>>> ##
>>>>> ## SSL Virtual Host Context
>>>>> ##
>>>>>
>>>>> <VirtualHost localhost:443>
>>>>>
>>>>> # General setup for the virtual host
>>>>> DocumentRoot "/Library/WebServer/Documents"
>>>>> ServerName localhost
>>>>> ServerAdmin j...@netbrackets.com
>>>>> ErrorLog "/private/var/log/apache2/error_log"
>>>>> TransferLog "/private/var/log/apache2/access_log"
>>>>>
>>>>> # SSL Engine Switch:
>>>>> # Enable/Disable SSL for this virtual host.
>>>>> SSLEngine on
>>>>>
>>>>> # SSL Cipher Suite:
>>>>> # List the ciphers that the client is permitted to negotiate.
>>>>> # See the mod_ssl documentation for a complete list.
>>>>> SSLCipherSuite
>>>>> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>>>>
>>>>> # Server Certificate:
>>>>> # Point SSLCertificateFile at a PEM encoded certificate. If
>>>>> # the certificate is encrypted, then you will be prompted for a
>>>>> # pass phrase. Note that a kill -HUP will prompt again. Keep
>>>>> # in mind that if you have both an RSA and a DSA certificate you
>>>>> # can configure both in parallel (to also allow the use of DSA
>>>>> # ciphers, etc.)
>>>>> SSLCertificateFile "/private/etc/apache2/devsslcerts/localhost_server.crt"
>>>>> #SSLCertificateFile "/private/etc/apache2/server-dsa.crt"
>>>>>
>>>>> # Server Private Key:
>>>>> # If the key is not combined with the certificate, use this
>>>>> # directive to point at the key file. Keep in mind that if
>>>>> # you've both a RSA and a DSA private key you can configure
>>>>> # both in parallel (to also allow the use of DSA ciphers, etc.)
>>>>> SSLCertificateKeyFile
>>>>> "/private/etc/apache2/dvsslcerts/localhost_server.key"
>>>>> #SSLCertificateKeyFile "/private/etc/apache2/server-dsa.key"
>>>>>
>>>>> # Server Certificate Chain:
>>>>> # Point SSLCertificateChainFile at a file containing the
>>>>> # concatenation of PEM encoded CA certificates which form the
>>>>> # certificate chain for the server certificate. Alternatively
>>>>> # the referenced file can be the same as SSLCertificateFile
>>>>> # when the CA certificates are directly appended to the server
>>>>> # certificate for convinience.
>>>>> #SSLCertificateChainFile "/private/etc/apache2/server-ca.crt"
>>>>>
>>>>> # Certificate Authority (CA):
>>>>> # Set the CA certificate verification path where to find CA
>>>>> # certificates for client authentication or alternatively one
>>>>> # huge file containing all of them (file must be PEM encoded)
>>>>> # Note: Inside SSLCACertificatePath you need hash symlinks
>>>>> # to point to the certificate files. Use the provided
>>>>> # Makefile to update the hash symlinks after changes.
>>>>> #SSLCACertificatePath "/private/etc/apache2/ssl.crt"
>>>>> #SSLCACertificateFile "/private/etc/apache2/ssl.crt/ca-bundle.crt"
>>>>>
>>>>> # Certificate Revocation Lists (CRL):
>>>>> # Set the CA revocation path where to find CA CRLs for client
>>>>> # authentication or alternatively one huge file containing all
>>>>> # of them (file must be PEM encoded)
>>>>> # Note: Inside SSLCARevocationPath you need hash symlinks
>>>>> # to point to the certificate files. Use the provided
>>>>> # Makefile to update the hash symlinks after changes.
>>>>> #SSLCARevocationPath "/private/etc/apache2/ssl.crl"
>>>>> #SSLCARevocationFile "/private/etc/apache2/ssl.crl/ca-bundle.crl"
>>>>>
>>>>> # Client Authentication (Type):
>>>>> # Client certificate verification type and depth. Types are
>>>>> # none, optional, require and optional_no_ca. Depth is a
>>>>> # number which specifies how deeply to verify the certificate
>>>>> # issuer chain before deciding the certificate is not valid.
>>>>> #SSLVerifyClient require
>>>>> #SSLVerifyDepth 10
>>>>>
>>>>> # Access Control:
>>>>> # With SSLRequire you can do per-directory access control based
>>>>> # on arbitrary complex boolean expressions containing server
>>>>> # variable checks and other lookup directives. The syntax is a
>>>>> # mixture between C and Perl. See the mod_ssl documentation
>>>>> # for more details.
>>>>> #<Location />
>>>>> #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>>>>> # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
>>>>> # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
>>>>> # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
>>>>> # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
>>>>> # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
>>>>> #</Location>
>>>>>
>>>>> # SSL Engine Options:
>>>>> # Set various options for the SSL engine.
>>>>> # o FakeBasicAuth:
>>>>> # Translate the client X.509 into a Basic Authorisation. This means
>>>>> that
>>>>> # the standard Auth/DBMAuth methods can be used for access control.
>>>>> The
>>>>> # user name is the `one line' version of the client's X.509
>>>>> certificate.
>>>>> # Note that no password is obtained from the user. Every entry in the
>>>>> user
>>>>> # file needs this password: `xxj31ZMTZzkVA'.
>>>>> # o ExportCertData:
>>>>> # This exports two additional environment variables: SSL_CLIENT_CERT
>>>>> and
>>>>> # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
>>>>> # server (always existing) and the client (only existing when client
>>>>> # authentication is used). This can be used to import the certificates
>>>>> # into CGI scripts.
>>>>> # o StdEnvVars:
>>>>> # This exports the standard SSL/TLS related `SSL_*' environment
>>>>> variables.
>>>>> # Per default this exportation is switched off for performance
>>>>> reasons,
>>>>> # because the extraction step is an expensive operation and is usually
>>>>> # useless for serving static content. So one usually enables the
>>>>> # exportation for CGI and SSI requests only.
>>>>> # o StrictRequire:
>>>>> # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
>>>>> # under a "Satisfy any" situation, i.e. when it applies access is
>>>>> denied
>>>>> # and no other module can change it.
>>>>> # o OptRenegotiate:
>>>>> # This enables optimized SSL connection renegotiation handling when
>>>>> SSL
>>>>> # directives are used in per-directory context.
>>>>> #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
>>>>> <FilesMatch "\.(cgi|shtml|phtml|php)$">
>>>>> SSLOptions +StdEnvVars
>>>>> </FilesMatch>
>>>>> <Directory "/Library/WebServer/CGI-Executables">
>>>>> SSLOptions +StdEnvVars
>>>>> </Directory>
>>>>>
>>>>> # SSL Protocol Adjustments:
>>>>> # The safe and default but still SSL/TLS standard compliant shutdown
>>>>> # approach is that mod_ssl sends the close notify alert but doesn't
>>>>> wait for
>>>>> # the close notify alert from client. When you need a different shutdown
>>>>> # approach you can use one of the following variables:
>>>>> # o ssl-unclean-shutdown:
>>>>> # This forces an unclean shutdown when the connection is closed, i.e.
>>>>> no
>>>>> # SSL close notify alert is send or allowed to received. This
>>>>> violates
>>>>> # the SSL/TLS standard but is needed for some brain-dead browsers. Use
>>>>> # this when you receive I/O errors because of the standard approach
>>>>> where
>>>>> # mod_ssl sends the close notify alert.
>>>>> # o ssl-accurate-shutdown:
>>>>> # This forces an accurate shutdown when the connection is closed,
>>>>> i.e. a
>>>>> # SSL close notify alert is send and mod_ssl waits for the close
>>>>> notify
>>>>> # alert of the client. This is 100% SSL/TLS standard compliant, but in
>>>>> # practice often causes hanging connections with brain-dead browsers.
>>>>> Use
>>>>> # this only for browsers where you know that their SSL implementation
>>>>> # works correctly.
>>>>> # Notice: Most problems of broken clients are also related to the HTTP
>>>>> # keep-alive facility, so you usually additionally want to disable
>>>>> # keep-alive for those clients, too. Use variable "nokeepalive" for
>>>>> this.
>>>>> # Similarly, one has to force some clients to use HTTP/1.0 to workaround
>>>>> # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0"
>>>>> and
>>>>> # "force-response-1.0" for this.
>>>>> BrowserMatch ".*MSIE.*" \
>>>>> nokeepalive ssl-unclean-shutdown \
>>>>> downgrade-1.0 force-response-1.0
>>>>>
>>>>> # Per-Server Logging:
>>>>> # The home of a custom SSL log file. Use this when you want a
>>>>> # compact non-error SSL logfile on a virtual host basis.
>>>>> CustomLog "/private/var/log/apache2/ssl_request_log" \
>>>>> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>>>>
>>>>> </VirtualHost>
>>>>>
>>>>
>>>
>>
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com
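
Added example, not part of the thread or of anyone's setup in it: a POSIX shell check that lists the active `SSLCertificateFile` and `SSLCertificateKeyFile` paths in an SSL config and reports any that do not exist, plus a private key that is world-readable (the permission the thread accepts for development but cautions against in production). The function names and demo paths are constructed; the demo reproduces the pattern visible in the quoted config, where the certificate path uses `devsslcerts` and the key path uses `dvsslcerts`.

```shell
# Added example (not from the thread). Paths containing spaces are not handled.

# Print "DIRECTIVE PATH" for each active cert/key directive in conf file $1.
ssl_file_directives() {
    awk '
        /^[[:space:]]*#/ { next }              # commented-out directive
        $1 == "SSLCertificateFile" || $1 == "SSLCertificateKeyFile" {
            path = $2
            gsub(/"/, "", path)                # drop optional quotes
            print $1, path
        }' "$1"
}

# Print one finding per line for conf file $1; no output means no finding.
ssl_file_findings() {
    ssl_file_directives "$1" | while read -r directive path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $directive $path"
        elif [ "$directive" = SSLCertificateKeyFile ]; then
            # Other-read bit set on the private key: tolerable on a dev box,
            # too loose for production.
            case $(ls -ld "$path") in
                ???????r*) echo "WORLD_READABLE_KEY $path" ;;
            esac
        fi
    done
}

# Constructed demo: the key directory differs from the cert directory by one letter.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/devsslcerts"
    : > "$d/devsslcerts/server.crt"
    : > "$d/devsslcerts/server.key"
    cat > "$d/ssl.conf" <<EOF
#SSLCertificateFile "$d/server-dsa.crt"
SSLCertificateFile "$d/devsslcerts/server.crt"
SSLCertificateKeyFile "$d/dvsslcerts/server.key"
EOF
    ssl_file_findings "$d/ssl.conf"
    rm -rf "$d"
}

demo
```

Run `ssl_file_findings /private/etc/apache2/extra/httpd-ssl.conf` before restarting Apache; `apachectl configtest` covers syntax, while this covers the files the directives point at.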