Apache and MOD_SSL

on 28.12.2004 05:06:21 by leandro asnaghi-nicastro

Hello everyone.

I apologize for disturbing with this request, but I am a little
stumped.

I have Linux Slackware 2.4 on a Duron 700 with 150 MB of ram or so.
I wanted access to SquirrelMail and I wanted to be able to do so with
https, so that I was secure when doing it outside of the local
network.

Despite generating the keys (password free) and signing them,
configuring to what I believed to be correct (obviously not) conf
files for mod_ssl and httpd, I get the following error:

$ openssl s_client -connect def.con.ca:443
CONNECTED(00000003)
24271:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:475:

I did some searching online and reading around, and someone suggested
that I add the following to httpd.conf:

LoadModule ssl_module libexec/libssl.so
AddModule mod_ssl.c

There is no need:

root@turbine:/etc/apache# apachectl configtest
[Mon Dec 27 22:08:58 2004] [warn] module ssl_module is already
loaded, skipping
[Mon Dec 27 22:08:58 2004] [warn] module mod_ssl.c is already added,
skipping

Further reading online: add SSLEngine on within the Virtual Host
setting (I'm guessing they meant in mod_ssl.conf?) and that is done.
As well it was suggested that there may be a lack of directory.
That's present as well.

Checking the status:

root@turbine:/etc/apache# netstat -tln | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:*
LISTEN

Okay, so I'm not that off.

Obviously I am doing something wrong, albeit I am at a loss as to
what exactly I screwed up. Can someone kindly kick me in the right
direction?

leandro
--
leandro asnaghi-nicastro - editor in chief - leandro@con.ca
capital of nasty electronic magazine - http://con.ca/
irc.con.ca #con / icq uin 889318 / msn msn@def.con.ca
"more annoying than any other leading brand"

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Apache and MOD_SSL

on 28.12.2004 12:37:22 by Mads Toftum

On Mon, Dec 27, 2004 at 11:06:21PM -0500, leandro asnaghi-nicastro wrote:
> $ openssl s_client -connect def.con.ca:443
> CONNECTED(00000003)
> 24271:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:475:
>
That's usually what happens if the server is responding in HTTP instead
of HTTPS. You could try adding -state -debug to the openssl s_client
command to get more info. Also check your error log on the server, it
should have something about invalid method.
If def.con.ca is in fact the host with the problem, then I get the
following with -debug:

[SNIP]
0000 - 3c 21 44 4f 43 54 59
The connection, so I'm quite sure SSL isn't on.

> Further reading online: add SSLEngine on within the Virtual Host
> setting (I'm guessing they meant in mod_ssl.conf?) and that is done.

It has to go inside the VirtualHost block for the port 443 vhost. You
also need a few other settings there pointing to the certificates. You
could try posting the ssl related part of that vhost.

> root@turbine:/etc/apache# netstat -tln | grep 443
> tcp 0 0 0.0.0.0:443 0.0.0.0:*
> LISTEN
>
> Okay, so I'm not that off.
>
Certainly there is something listening on port 443 - the s_client error
would have been different if there was nothing on that port.

> Obviously I am doing something wrong, albeit I am at a loss as to
> what exactly I screwed up. Can someone kindly kick me in the right
> direction?
>
It still looks like you don't have SSLEngine on in the right place.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
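
The check described in this reply, as an added example that is not part of the original messages: a Python probe that sends a minimal ClientHello to a port and classifies the first bytes of the answer as a TLS record or as plaintext HTTP/HTML. The function names and the sample ServerHello bytes are constructed for illustration; the seven-byte sample is the run shown in the -debug excerpt above.

```python
import os
import socket

TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15   # record types a TLS server may send first
PLAINTEXT_PREFIXES = (b"HTTP/", b"<!DOCTY", b"<html", b"<HTML")

def build_client_hello() -> bytes:
    """Minimal TLS 1.0 ClientHello (no extensions), enough to provoke a reply."""
    body = (b"\x03\x01"                      # client_version: TLS 1.0
            + os.urandom(32)                 # client random
            + b"\x00"                        # empty session id
            + b"\x00\x04\x00\x2f\x00\x35"    # two RSA/AES-CBC cipher suites
            + b"\x01\x00")                   # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sent back on a supposed HTTPS port."""
    if not data:
        return "empty"
    # TLS/SSLv3 record header: type (1 byte), major version 0x03, minor version
    if len(data) >= 3 and data[0] in (TLS_HANDSHAKE, TLS_ALERT) and data[1] == 0x03:
        return "tls"
    # An HTTP status line or a bare HTML error page means SSL is not enabled there
    if data.lstrip().startswith(PLAINTEXT_PREFIXES):
        return "plaintext-http"
    return "unknown"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the ClientHello to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return classify_first_bytes(s.recv(16))
        except socket.timeout:
            return "empty"

if __name__ == "__main__":
    # Constructed samples; the first is the byte run from the -debug output in the thread.
    print(classify_first_bytes(bytes.fromhex("3c21444f435459")))  # plaintext-http
    print(classify_first_bytes(bytes.fromhex("160301004a02")))    # tls
```

A "plaintext-http" result from `probe()` on port 443 corresponds to the "unknown protocol" error from s_client: the listener is up, but the vhost answering on that port is not running with SSLEngine on.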
