Firas
Joined: 29 May 2006 Posts: 1
|
Posted: Tue 30 May '06 0:13 Post subject: mod_ssl on Apache 2.2.2 won't start |
|
|
Hi everybody,
Just downloaded httpd-2.2.2-win32-x86-ssl. But I can't get the mod_ssl to work: when the line containing 'SSLEngine on' directive is reached httpd just terminates. In Windows "Event Viewer" there's an entry for this error saying:
The Apache2 service terminated with service-specific error 1 (0x1).
If, however, mod_ssl is disabled, the server will function properly.
What could be the problem?
I'm running on WinXP SP2.
Thanks for your time. |
|
abxccd
Joined: 02 Jul 2006 Posts: 5
|
Posted: Sun 02 Jul '06 3:03 Post subject: |
|
|
I seem to have this problem too.
Has anyone got any solutions for this? |
|
pnllan
Joined: 05 Dec 2005 Posts: 221
|
Posted: Sun 02 Jul '06 7:31 Post subject: |
|
|
Do you have certificate and key files for SSL to use?
I created a 'self-signed' certificate, and then edited the HTTPD-SSL.CONF appropriately. Then I created empty log files (error_ssl.log and access_ssl.log) as indicated below. My HTTPD-SSL.CONF looks something like this:
Code: |
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
#
# other than SSLMutex type being changed to default
#
# the configuration is stock
#
SSLMutex default
<VirtualHost _default_:443>
DocumentRoot "c:/Apache2/htdocs"
ServerName localhost:443
ServerAdmin you@example.com
ErrorLog logs/error_ssl.log
TransferLog logs/access_ssl.log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2
SSLCertificateFile conf/my-server.crt
SSLCertificateKeyFile conf/my-server.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "c:/Apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
|
Honestly, it worked for me without having to use any special voodoo or tricks.
..
. |
|
abxccd
Joined: 02 Jul 2006 Posts: 5
|
Posted: Sun 02 Jul '06 12:01 Post subject: |
|
|
hi pnllan,
Still can't get it working though. I have both my cert and key in my conf directory.
I have also switched over to your ssl.conf and edited it.
I can't find anything wrong with my httpd.conf
I do have these lines at the end of httpd.conf though:
Code: | <IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule> |
Can't seem to find anything else that's wrong.
Here's an excerpt from error.log
Code: | [Sun Jul 02 19:58:04 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sun Jul 02 19:58:04 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun Jul 02 19:58:04 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun Jul 02 19:58:04 2006] [info] Init: Initializing (virtual) servers for SSL
[Sun Jul 02 19:58:04 2006] [info] Server: Apache/2.2.2, Interface: mod_ssl/2.2.2, Library: OpenSSL/0.9.8b
[Sun Jul 02 19:58:05 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
|
And here's one from SSLerror.log
Code: | [Sun Jul 02 19:58:04 2006] [info] Loading certificate & private key of SSL-aware server
[Sun Jul 02 19:58:04 2006] [info] Configuring server for SSL protocol
[Sun Jul 02 19:58:05 2006] [info] Loading certificate & private key of SSL-aware server |
Seems to me that the server is going in a loop.
Is there anything in httpd.conf I should have a look at?
cheers! |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Sun 02 Jul '06 12:23 Post subject: |
|
|
I have commented out:
#SSLMutex default
Maybe you can try it.
Steffen |
|
abxccd
Joined: 02 Jul 2006 Posts: 5
|
Posted: Sun 02 Jul '06 13:42 Post subject: |
|
|
Tried commenting out SSLMutex, but apache still won't start.
New error messages though:
error.log
Code: | [Sun Jul 02 21:38:10 2006] [notice] Parent: Received restart signal -- Restarting the server.
[Sun Jul 02 21:38:10 2006] [notice] Child 1048: Exit event signaled. Child process is ending.
[Sun Jul 02 21:38:11 2006] [info] Child 1048: Accept thread exiting.
[Sun Jul 02 21:38:11 2006] [notice] Child 1048: Released the start mutex
[Sun Jul 02 21:38:11 2006] [info] Child 1048: 250 threads blocked on the completion port
[Sun Jul 02 21:38:11 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sun Jul 02 21:38:12 2006] [notice] Child 1048: Waiting for 250 worker threads to exit.
[Sun Jul 02 21:38:12 2006] [notice] Child 1048: All worker threads have exited.
[Sun Jul 02 21:38:12 2006] [notice] Child 1048: Child process is exiting
[Sun Jul 02 21:38:12 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun Jul 02 21:38:12 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun Jul 02 21:38:12 2006] [info] Init: Initializing (virtual) servers for SSL
[Sun Jul 02 21:38:12 2006] [info] Server: Apache/2.2.2, Interface: mod_ssl/2.2.2, Library: OpenSSL/0.9.8b
[Sun Jul 02 21:38:12 2006] [notice] Apache/2.2.2 (Win32) mod_ssl/2.2.2 OpenSSL/0.9.8b PHP/5.2.0-dev configured -- resuming normal operations
[Sun Jul 02 21:38:12 2006] [notice] Server built: Apr 29 2006 18:32:31
[Sun Jul 02 21:38:12 2006] [notice] Parent: Created child process 216
[Sun Jul 02 21:38:13 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sun Jul 02 21:38:13 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun Jul 02 21:38:13 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun Jul 02 21:38:13 2006] [info] Init: Initializing (virtual) servers for SSL
[Sun Jul 02 21:38:13 2006] [info] Server: Apache/2.2.2, Interface: mod_ssl/2.2.2, Library: OpenSSL/0.9.8b
[Sun Jul 02 21:38:13 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sun Jul 02 21:38:14 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun Jul 02 21:38:14 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun Jul 02 21:38:14 2006] [info] Shared memory session cache initialised
[Sun Jul 02 21:38:14 2006] [info] Init: Initializing (virtual) servers for SSL
[Sun Jul 02 21:38:14 2006] [crit] master_main: create child process failed. Exiting.
[Sun Jul 02 21:38:14 2006] [notice] Parent: Forcing termination of child process 36
[Sun Jul 02 21:38:14 2006] [info] removed PID file C:/Apache Software Foundation/Apache2.2/logs/httpd.pid (pid=1804) |
sslerror.log
Code: | [Sun Jul 02 21:38:12 2006] [info] Loading certificate & private key of SSL-aware server
[Sun Jul 02 21:38:12 2006] [info] Configuring server for SSL protocol
[Sun Jul 02 21:38:13 2006] [info] Loading certificate & private key of SSL-aware server
[Sun Jul 02 21:38:13 2006] [info] Configuring server for SSL protocol
[Sun Jul 02 21:38:14 2006] [info] Loading certificate & private key of SSL-aware server
[Sun Jul 02 21:38:14 2006] [info] Configuring server for SSL protocol
[Sun Jul 02 21:38:14 2006] [error] Unable to import RSA server private key
[Sun Jul 02 21:38:14 2006] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Sun Jul 02 21:38:14 2006] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Sun Jul 02 21:38:14 2006] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib |
Any ideas?
Thanks! |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Sun 02 Jul '06 13:47 Post subject: |
|
|
I see errors:
[error] Unable to import RSA server private key
[error] SSL Library Error: 218529960
Follow the suggestion of pnllan: ... I created a 'self-signed' certificate ...
And see if that goes. |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Sun 02 Jul '06 14:17 Post subject: |
|
|
Hm, found a batch file that will create those files placed in the apache folder. Needs openssl.exe, libeay32.dll, ssleay32.dll in apache\bin folder.
Code: |
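@echo off
REM Run from the Apache root; openssl reads its settings from this file.
set OPENSSL_CONF=./bin/openssl.cnf
if not exist .\conf\ssl.crt mkdir .\conf\ssl.crt
if not exist .\conf\ssl.key mkdir .\conf\ssl.key
REM Create a new key (privkey.pem, passphrase-protected) and a signing request.
bin\openssl req -new -out server.csr
REM Write the key without its passphrase so Apache can load it without prompting.
bin\openssl rsa -in privkey.pem -out server.key
REM Self-sign the request with that key; the certificate is valid for 365 days.
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
set OPENSSL_CONF=
REM Remove the intermediate files, then move the results into the conf folders.
del .rnd
del privkey.pem
del server.csr
move /y server.crt .\conf\ssl.crt
move /y server.key .\conf\ssl.key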
echo.
echo -----
echo Das Zertifikat wurde erstellt.
echo The certificate was provided.
echo.
pause
|
inside httpd.conf
Code: |
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl.scache
SSLSessionCacheTimeout 300
SSLMutex default
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/xampp/htdocs"
ServerName localhost:443
ServerAdmin admin@localhost
ErrorLog logs/error.log
<IfModule log_config_module>
CustomLog logs/access.log combined
</IfModule>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key
<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
</Location>
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php|php5|php4|php3)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/xampp/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
<IfModule log_config_module>
CustomLog logs/ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>
</VirtualHost>
|
Hope there is no error in this sample config
openssl.cnf
Code: |
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
|
|
|
abxccd
Joined: 02 Jul 2006 Posts: 5
|
Posted: Mon 03 Jul '06 2:56 Post subject: |
|
|
Ok, here's what I did.
I regenerated my .crt and .key and placed them in /conf/ssl/
Here are my errors now:
error.log
Code: | [Mon Jul 03 10:53:28 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Jul 03 10:53:28 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Mon Jul 03 10:53:28 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Mon Jul 03 10:53:28 2006] [info] Init: Initializing (virtual) servers for SSL
[Mon Jul 03 10:53:28 2006] [info] Server: Apache/2.2.2, Interface: mod_ssl/2.2.2, Library: OpenSSL/0.9.8b
[Mon Jul 03 10:53:29 2006] [info] Init: Seeding PRNG with 136 bytes of entropy |
sslerror.log
Code: | [Mon Jul 03 10:53:28 2006] [info] Loading certificate & private key of SSL-aware server
[Mon Jul 03 10:53:28 2006] [info] Configuring server for SSL protocol
[Mon Jul 03 10:53:29 2006] [info] Loading certificate & private key of SSL-aware server |
It seems like httpd-ssl.conf does not like relative paths. E.g. all paths to files must be "C:/x/x/x.file"
Server still won't start, and apache's test configuration passes all my confs.
I am also using James Blond's httpd-ssl.conf.
any ideas?
thanks! |
|
mphare
Joined: 12 May 2006 Posts: 43 Location: Texas
|
Posted: Wed 19 Jul '06 19:22 Post subject: |
|
|
Excellent!
Thanks for this info! I now have a self-certified https running on my test server. |
|
ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
Posted: Thu 20 Jul '06 22:43 Post subject: |
|
|
Why use a self-signed certificate when you can create your own CA with openssl using the ca.pl script? I used this script to create my own CA, and I am using client-side certificates for authentication, and I can be sure I'm not under a man-in-the-middle attack. Just generate your CA and install it on your PC; very easy. |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Fri 21 Jul '06 8:53 Post subject: |
|
|
ali_fareed wrote: | why use a self signed certificate when you can create your own ca with openssl using the ca.pl script. |
First: if you have read the content of the batch script you might have seen that I use openssl to generate the certificate.
Secondly: Not all win32 users have installed perl. But the batch solution runs on every win32 based system. |
|
ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
Posted: Fri 21 Jul '06 18:15 Post subject: |
|
|
openssl is included with most apache builds, and you must compile it to use mod_ssl. Most people who have apache use perl for cgi, and even the test cgi printenv in the cgi-bin is a perl script. The ca.pl script uses openssl; actually it is included with the openssl source, check the apps folder in the source. |
|
pnllan
Joined: 05 Dec 2005 Posts: 221
|
Posted: Fri 21 Jul '06 18:36 Post subject: |
|
|
Whatever works for whoever - Does it really matter?
The point is: having the requisites to run SSL to begin with.
Let's not let this turn into a pissing battle - geeeeeez |
|
pnllan
Joined: 05 Dec 2005 Posts: 221
|
Posted: Fri 21 Jul '06 19:05 Post subject: |
|
|
Ali,
Please, Post a tutorial or provide a link on how to build your own CA. It might be of interest to some. |
|
ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
Posted: Sun 23 Jul '06 22:00 Post subject: |
|
|
To create a CA you must first configure openssl by editing the openssl.cnf file. The extension is used for speed dial, so you won't be able to open it straight away; open it with a text editor and edit the ca and ca_default sections: edit the directories you want your CA to be created in, where your certs are placed and such. Change default_days to choose how many days your certificates will be valid; the default is one year. Now you can use ca.pl or, if you have cygwin's sh.exe, ca.sh. You can find them in the apps directory in the openssl source. You can build a CA without them, but they will make your work easier. I will be using the ca.pl file. First edit the script and change the variables $CATOP, $CAKEY, $CAREQ, $CACERT to whatever you configured in the openssl.cnf file, so if you chose the directory to be ./democa, change the $CATOP variable to ./democa. Now you can build your CA. Start ca.pl with:
CA.pl -newca
This will generate your CA's private key and create your cert. Choose a good passphrase for your private key. Now that you have created your CA, you must install the CA on your PC: just copy (don't move) your CA cert, which you can find in your CA directory, and change its extension from .pem to .crt. Now double-click the CA cert and click on "install certificate", choose "place certificate in the following store", browse and choose "trusted root certification authority". Now your CA is installed and trusted on your PC. You must install it on every PC, or if you are using pkcs12 files your CA will automatically be installed. Now it's time to issue your certs. You must first generate a certificate request; you do this with the ca.pl script:
CA.pl -newreq
Or for an unprotected key:
CA.pl -newreq-nodes
This will generate a private key and a certificate request. You must enter a wildcard of your domain in the common name field, so if your site is apachelounge.com you must enter *.apachelounge.com, otherwise you will get a warning in your browser. Now your certificate request must be signed by your CA; you can also do that with the ca.pl script:
CA.pl -sign
Or to create another intermediate CA:
CA.pl -signca
Enter your CA private key passphrase and issue the cert.
Now you're done. Your private key should be called newkey.pem and your certificate should be called newcert.pem; just copy them and rename them to whatever you like. Now your certs are signed by your CA. If you would like to install a client-side certificate, it is easier to use pkcs12 files; just use the ca.pl script:
CA.pl -pkcs12
This creates a pkcs12 file which contains your CA cert, the cert in the newcert.pem file and the key in the newkey.pem file.
For more information you can go to these links:
http://www.openssl.org/docs/apps/CA.pl.html
http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/myownca.html |
|
pnllan
Joined: 05 Dec 2005 Posts: 221
|
Posted: Mon 24 Jul '06 2:21 Post subject: |
|
|
Ali,
Looks to be a good post, I'll give it a try.
Thanks!
..
.
Edit: It works and it's nice to be able to issue certificates in various ways. |
|
feichangtaoqi
Joined: 01 Aug 2006 Posts: 1
|
Posted: Tue 01 Aug '06 7:02 Post subject: I meet the same problem of "Unable to import RSA server |
|
|
38 2006] [error] Unable to import RSA server private key
[Tue Aug 01 12:51:38 2006] [error] SSL Library Error: 218570875 error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
[Tue Aug 01 12:51:38 2006] [error] SSL Library Error: 218529894 error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
[Tue Aug 01 12:51:38 2006] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Tue Aug 01 12:51:38 2006] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
I set up the ssl.cnf as follows:
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
#
# other than SSLMutex type being changed to default
#
# the configuration is stock
#
SSLMutex default
<VirtualHost _default_:443>
DocumentRoot "c:/Program Files/Apache Group/Apache2/htdocs"
ServerName localhost:443
ServerAdmin you@example.com
ErrorLog logs/error_ssl.log
TransferLog logs/access_ssl.log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2
SSLCertificateFile conf/ssl/my-server.crt
SSLCertificateKeyFile conf/ssl/my-server.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "c:/Program Files/Apache Group/Apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
and the ssl.bat as:
bin\openssl req -config bin\openssl.cnf -new -out my-server.csr
bin\openssl rsa -in privkey.pem -out my-server.key
bin\openssl x509 -in my-server.csr -out my-server.crt -req -signkey my-server.key -days 4000
and copied the
my-server.crt
my-server.key
privkey.pem
my-server.csr
to the conf/ssl directory
Well, it does not work!
admin edit (pnllan): Please note forum rules - and easy with your tone |
|
ali_fareed
Joined: 04 Jul 2006 Posts: 61 Location: Bahrain
|
Posted: Tue 01 Aug '06 19:15 Post subject: |
|
|
I don't know what you did, but you have two keys, one certificate request and one certificate; one of the keys is corrupt. Try doing this to create a key and a self-signed cert. First you need to create the key:
openssl genrsa -out privkey.pem 2048
then you need to create a self-signed cert:
openssl req -new -x509 -key privkey.pem -out cert.pem -days 1095
Fill in the form and now you have a self-signed certificate in cert.pem and a private key in privkey.pem. Copy them and edit the configuration in apache: point SSLCertificateFile to your certificate and SSLCertificateKeyFile to your key. Now it should work. |
|
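An added example, not code from any poster in this thread: a Python preflight check for the file that SSLCertificateKeyFile points to, covering file-format conditions worth ruling out first when the server will not load the key (a certificate or request saved in the key's place, a passphrase-protected key, a file saved as Unicode text, a damaged body). The function names, status strings and sample files are constructed for illustration, and the samples use a 5-byte DER stub in place of real key material.

```python
"""Preflight check for the file named by SSLCertificateKeyFile (added example)."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY")  # traditional and PKCS#8 armor


def outer_der_ok(der: bytes) -> bool:
    """True if der is exactly one SEQUENCE whose length field matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: the length is this byte
        return 2 + first == len(der)
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def check_key_file(raw: bytes) -> tuple:
    """Return (status, detail) for the raw bytes of a key file."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff") or b"-\x00-\x00-" in raw[:64]:
        return "encoding", "UTF-16 text; save the file as plain ASCII"
    if raw.startswith(b"\xef\xbb\xbf"):
        return "encoding", "UTF-8 byte-order mark before the BEGIN line"
    m = PEM_BLOCK.search(raw.decode("latin-1"))
    if m is None:
        return "no-pem", "no matching BEGIN/END pair found"
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted", "key is passphrase-protected"
    if label not in KEY_LABELS:
        return "wrong-type", f"file holds a {label}, not a private key"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as exc:             # binascii.Error is a ValueError
        return "bad-base64", str(exc)
    if not outer_der_ok(der):
        return "bad-der", "decoded body is not a single DER SEQUENCE"
    return "container-ok", f"{label}, {len(der)} DER bytes"


def pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor (used only to build the samples below)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode()


# Constructed samples: DER_STUB is SEQUENCE { INTEGER 0 }, not a real key.
DER_STUB = bytes.fromhex("3003020100")
SAMPLES = {
    "key.pem": pem("RSA PRIVATE KEY", DER_STUB),
    "csr-as-key.pem": pem("CERTIFICATE REQUEST", DER_STUB),
    "saved-as-unicode.pem": pem("RSA PRIVATE KEY", DER_STUB).decode().encode("utf-16"),
    "damaged.pem": pem("RSA PRIVATE KEY", DER_STUB[:-1]),
    "protected.pem": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     b"DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n"
                     b"-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22} {check_key_file(data)}")
```

A `container-ok` result covers only the PEM armor and the outer DER structure; `openssl rsa -in <file> -check -noout` validates the key itself.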