dreuzel
Joined: 30 Jan 2006 Posts: 16
Posted: Sat 20 Oct '12 18:14 Post subject: Trying apache 2.4.3 ssl for days getting no -where
Trying to configure for days now, trying every blog and forum, whatever is written about it; all fails.
Run Apache 2.4.3 binary build with SSL, trying for days!!!!!! Getting nowhere.
Reading all random Google information I COULD.
Using the standard Win32 BINARY generated APACHE SSL INCLUDED from Apache Lounge (site locked up, Apache not working ???)
My guess is the Apache config that is ill explained and full of obscuring technical slang.
Nothing at all is working for SSL using VirtualHost (I plan to have an identical response from 3 web addresses; this is not the issue here).
I suppose EVERY INDIVIDUAL trying this is bumping against the same limits.
I'm sorry for this outlet, but it is hard to run into such problems after VERIFYING everything there is to read about ....
A) I had the need to install 2 modules (nowhere is it explained you need 2)
Code: | #
# SSL
#
listen 443
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so <<<<<<<<<<<<<<<<<<
|
Suspect after many searches the above is correct.
B) Due to log file complaints I added the random seeds and session cache
Code: | SSLRandomSeed startup auth/server/urandom 512
SSLRandomSeed connect auth/server/urandom 512
SSLRandomSeed startup auth/server/random 512
SSLRandomSeed connect auth/server/random 512
SSLSessionCache "shmcb:T:\install\Apache\logs\ssl_scache.dat(512000)"
|
C) I believe I need a cipher suite as in the book
Code: | SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 |
D) Set up my certificates
In PEM form, key included in the PEM file (created and signed by a self-signed CA, exported using Unix XCA)
Want a wildcard domain certificate *.domain.com
Code: | CN=domain.com
Subject alternative name:DNS:*.domain.com (1)
|
It is unclear if this is enough for a wildcard certificate ??? *.domain.com but this comes from EXAMPLES
All are signed by a server CA (2) that is by itself signed by a master CA (3) (self-signed)
All certificates are validated and signal valid
E) I've created a VirtualHost:
Code: | <VirtualHost *:433>
DocumentRoot "C:/internet/TEST"
ServerName DOMAIN.COM
SSLEngine on
# used certificates and the private key
SSLCertificateFile "C:/server/domain.com.pem" (1)Key included
# SSLCertificateKeyFile "C:/server/key/domain.com.pem" with explicit Key or both does not work either
#
# Setup CA Certificate
#
# SSLCACertificateFile "C/server/CA/Chain_CA.crt" (2) all certificates CHAINED seem to have no impact
SSLCertificateChainFile "C:/server/CA/Chain_CA.crt" (2) all certificates CHAINED
# the file name should be the hash value of the certificate: hashvalue.N
# SSLCertificateChainPath "C/server/CA/" not used
# SSLCACertificatePath "C/server/CA/" not used
CustomLog "C/log/apache/ssl_apache_access_ORG.log" COMMON
ErrorLog "C:/internet/log/apache/ssl_Serverlerror_ORG.log"
TransferLog "C:/internet/log/apache/ssl_Serveraccess_ORG.log"
ErrorLog C:/internet/log/apache/ssl_Serverproxyerror_ORG.log
<Directory />
Require all Granted
</Directory>
</VirtualHost> |
I receive virtually empty log files.
Google Chrome: SSL Unable to make secure connection to the server, SSL connection error.
It may be requiring a client authentication certificate ????? coming from what parameter ?????
error 107 Net: ERR_SSL_PROTOCOL_ERROR
Code: | T:Apache\bin>openssl s_client -connect DOMAIN.COM:443 -state
Loading 'screen' into random state - done
CONNECTED(00000738)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
660:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s2
3_clnt.c:766:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 321 bytes
---
New, (NONE), Cipher is (NONE) [Why do I add SSLCipherSuite if it decides it to be null]
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
|
Test completely slang; it is as if the browser is bad.
Apache log file: so the firewall is passing things through
Quote: | 109.131.14.172 - - [20/Oct/2012:17:11:43 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:11:43 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:11:43 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:11:43 +0200] "\x16\x03" 400 226
109.131.14.172 - - [20/Oct/2012:17:17:59 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:17:59 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:17:59 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:17:59 +0200] "\x16\x03" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:00 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:00 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:00 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:00 +0200] "\x16\x03" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:04 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:04 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:04 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:04 +0200] "\x16\x03" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:05 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:05 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:05 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:05 +0200] "\x16\x03" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:06 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:06 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:06 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:06 +0200] "\x16\x03" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:07 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:07 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:07 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:18:07 +0200] "\x16\x03" 400 226
81.242.41.67 - - [20/Oct/2012:17:18:26 +0200] "\x16\x03\x01\x01<\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:22:06 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:22:06 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:22:06 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:22:06 +0200] "\x16\x03" 400 226
109.131.14.172 - - [20/Oct/2012:17:22:08 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:22:08 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:22:08 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:22:08 +0200] "\x16\x03" 400 226
|
Log file completely useless. No added value.
There is no other error or indication something is wrong. Error LOGS ARE EMPTY.
Log files are useless but prove at least I'm getting through the firewall.
Please help me, I'm getting killed by SSL !!!
I thought I made it simple enough to start, but all seems to refuse.
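A defender-side check added here (it is not from any post in this thread): a short Python script that flags access-log lines whose "request" is the first bytes of a TLS record answered with 400, which is what a plaintext HTTP listener logs when a TLS ClientHello reaches it, and that compares `Listen` ports against the ports of `SSLEngine on` VirtualHosts. The log lines and the httpd.conf fragment are constructed to match the shapes quoted in the post above, including the `listen 443` beside `<VirtualHost *:433>`.

```python
import re

# Constructed sample in the shape of the access-log lines quoted in the post:
# Apache escapes the first bytes of a TLS record as the "request line".
SAMPLE_LOG = r'''109.131.14.172 - - [20/Oct/2012:17:11:43 +0200] "\x16\x03\x01" 400 226
109.131.14.172 - - [20/Oct/2012:17:11:43 +0200] "\x16\x03" 400 226
81.242.41.67 - - [20/Oct/2012:17:18:26 +0200] "\x16\x03\x01\x01<\x01" 400 226
81.242.41.67 - - [20/Oct/2012:17:19:00 +0200] "GET / HTTP/1.1" 200 512
'''
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
# 0x16 = TLS handshake record type, 0x03 = SSLv3/TLS major version. A listener
# without SSLEngine cannot parse these bytes as HTTP and answers 400.
TLS_RECORD_RE = re.compile(r'^\\x16\\x03')

def tls_on_plaintext(log_text):
    """(ip, timestamp) for every 400 whose request line is really a TLS record."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m['status'] == '400' and TLS_RECORD_RE.match(m['req']):
            hits.append((m['ip'], m['ts']))
    return hits

# Constructed httpd.conf fragment reproducing the port mismatch seen in the post.
SAMPLE_CONF = '''listen 443
<VirtualHost *:433>
    SSLEngine on
</VirtualHost>
'''
VHOST_RE = re.compile(r'^<VirtualHost\s+[^:>\s]+:(\d+)', re.I)

def ssl_port_mismatch(conf_text):
    """Return (listened ports with no SSLEngine-on vhost, SSL vhost ports not listened on)."""
    listened, ssl_ports, current = set(), set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.lower().startswith('listen '):
            # "Listen 443", "Listen 0.0.0.0:443" and "Listen [::]:443" all end in the port
            listened.add(int(line.split()[1].rsplit(':', 1)[-1]))
        elif (m := VHOST_RE.match(line)):
            current = int(m[1])
        elif line.lower().startswith('</virtualhost'):
            current = None
        elif current and re.match(r'^sslengine\s+on$', line, re.I):
            ssl_ports.add(current)
    return listened - ssl_ports, ssl_ports - listened

if __name__ == '__main__':
    print(tls_on_plaintext(SAMPLE_LOG))   # three TLS-on-plaintext hits
    print(ssl_port_mismatch(SAMPLE_CONF))  # ({443}, {433})
```

A port that shows up in the first set and also receives the flagged log lines is the plaintext listener producing the 400s.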
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Sat 20 Oct '12 20:10 Post subject:
There is a guide to installing Apache with SSL here on the Additional Download page. It's for 2.2 but should work, except you should add (you already had it):
Code: | LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
SSLSessionCache shmcb:logs/ssl_scache(512000) |
Also a good read: http://httpd.apache.org/docs/2.4/ssl/
Steffen
dreuzel
Joined: 30 Jan 2006 Posts: 16
Posted: Sun 21 Oct '12 10:35 Post subject:
Thanks, I will reread them all.
Is there some reading stuff on how to specify the certificate?
I know about DNS:domain.com
and CN=*.domain.com
I would need combinations of both.. and as such
I need some references on how to create the certificate,
meaning what CN, DNS fields are required and used
in the interpretation of the certificate content
(commands how to create, sign, convert are all over the web and are not the problem; it's the usage conventions that are not known...
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Mon 22 Oct '12 11:30 Post subject: Re: Trying apache 2.4.3 ssl for days getting no -where
dreuzel wrote: |
Suspect after many searches the above is correct.
B) Due to log file complaints I added the random seeds and session cache
Code: | SSLRandomSeed startup auth/server/urandom 512
SSLRandomSeed connect auth/server/urandom 512
SSLRandomSeed startup auth/server/random 512
SSLRandomSeed connect auth/server/random 512
SSLSessionCache "shmcb:T:\install\Apache\logs\ssl_scache.dat(512000)"
|
|
auth/server/urandom does not exist in Windows! You have to use builtin and configure it only once:
Code: | SSLRandomSeed connect builtin
SSLRandomSeed startup builtin |
imfriend4u
Joined: 15 Dec 2012 Posts: 2 Location: HR
Posted: Sun 23 Dec '12 22:27 Post subject:
Do you have the Visual C++ 2008 redistributable installed on the httpd server?
Try the settings for the virtual host I posted here http://www.apachelounge.com/viewtopic.php?t=5085 I still have problems as described with an XP SP3 client requesting a webpage.
What are the settings for Directory here??: Quote: | <Directory />
Require all Granted
</Directory> | (on which directory do you GRANT permission as you work on the Windows host?)
The third option is you did something wrong during certificate creation.