SSL support for a VirtualHost on a port other than 443

on 16.08.2005 18:57:38 by Andrew Musselman

Hi,

I am trying to set up apache2 to provide SSL support for a VirtualHost
running on port 81.

The server handles https requests just fine, but when I try connecting
with https through port 81 I receive an error (in Firefox "The
connection to [myhost]:81 has terminated unexpectedly. Some data may
have been transferred.").

Openssl seems to be running fine, as these commands from the FAQ at
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html return no errors:

$ openssl s_client -connect localhost:443 -state -debug
GET / HTTP/1.0

Can anyone offer some help on getting this to work? Thanks for your
time.

Best,
Andrew

Andrew Musselman
andrew@cwu.edu
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL support for a VirtualHost on a port other than 443

on 16.08.2005 20:06:35 by Mads Toftum

On Tue, Aug 16, 2005 at 09:57:38AM -0700, Andrew Musselman wrote:
> I am trying to set up apache2 to provide SSL support for a VirtualHost
> running on port 81.
>
Have you added a virtualhost for port 81 and the corresponding Listen
statement?

> The server handles https requests just fine, but when I try connecting
> with https through port 81 I receive an error (in Firefox "The
> connection to [myhost]:81 has terminated unexpectedly. Some data may
> have been transferred.").
>
Browser messages are not much use.

> Openssl seems to be running fine, as these commands from the FAQ at
> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html return no errors:
>
> $ openssl s_client -connect localhost:443 -state -debug
> GET / HTTP/1.0
>
What if you use localhost:81 instead?

We need more info like the SSL specific part of the conf and perhaps
output of openssl s_client.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall


Re: SSL support for a VirtualHost on a port other than 443

on 16.08.2005 20:16:36 by Andrew Musselman

Andrew Musselman
andrew@cwu.edu

>>> mads@toftum.dk 8/16/2005 11:06 AM >>>
On Tue, Aug 16, 2005 at 09:57:38AM -0700, Andrew Musselman wrote:
> I am trying to set up apache2 to provide SSL support for a VirtualHost
> running on port 81.
>
"Have you added a virtualhost for port 81 and the corresponding Listen
statement?"

Yes. Here is the section of httpd.conf that introduces the
virtualhost:

Listen 81

ServerAdmin andrew@cwu.edu
DocumentRoot /usr/local/www/printers
ServerName pc74965.cts.cwu.edu
DirectoryIndex index.html index.php
ErrorLog /var/log/printers-error_log
CustomLog /var/log/printers-error_log combined


Do I need to add any ssl-specific directives in there?

> Openssl seems to be running fine, as these commands from the FAQ at
> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html return no errors:
>
> $ openssl s_client -connect localhost:443 -state -debug
> GET / HTTP/1.0
>
"What if you use localhost:81 instead?"

openssl s_client -connect localhost:81 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 08097700 [080AF000] (142 bytes => 142 (0x8E))
SSL_connect:SSLv2/v3 write client hello A
read from 08097700 [080B5000] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59
SSL_connect:error in SSLv2/v3 read server hello A
3835:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:


"We need more info like the SSL specific part of the conf and perhaps
output of openssl s_client."

Here is my ssl.conf with extra comments taken out:
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see

#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
# Note: This must come before the container to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin



#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/run/ssl_mutex

##
## SSL Virtual Host Context
##



# General setup for the virtual host
DocumentRoot "/usr/local/www/data"
ServerName pc74965.cts.cwu.edu:443
ServerAdmin andrew@cwu.edu
ErrorLog /var/log/httpd-error.log
TransferLog /var/log/httpd-access.log

# SSL Engine Switch:
SSLEngine on

# SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Server Certificate:
SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt

# Server Private Key:
SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key

# Set various options for the SSL engine.

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


# SSL Protocol Adjustments:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

# Per-Server Logging:
CustomLog /var/log/httpd-ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


Re: SSL support for a VirtualHost on a port other than 443

on 16.08.2005 22:41:15 by Mads Toftum

On Tue, Aug 16, 2005 at 11:16:36AM -0700, Andrew Musselman wrote:
> Listen 81
>
> ServerAdmin andrew@cwu.edu
> DocumentRoot /usr/local/www/printers
> ServerName pc74965.cts.cwu.edu
> DirectoryIndex index.html index.php
> ErrorLog /var/log/printers-error_log
> CustomLog /var/log/printers-error_log combined
>

>
> Do I need to add any ssl-specific directives in there?
>
Yes. SSLEngine on is the first thing to add - you also need to point to
the server cert and key.

> SSL_connect:SSLv2/v3 write client hello A
> read from 08097700 [080B5000] (7 bytes => 7 (0x7))
> 0000 - 3c 21 44 4f 43 54 59
This matches the config above - SSL isn't turned on on port 81 - you
should never see
[SNIP lots of useless comments]
no need to paste comments verbatim from the config file.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
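
The diagnosis above (a TLS ClientHello sent to port 81 gets an HTML page back, which OpenSSL reports as "unknown protocol") can be checked without reading hex dumps. The following is an added example, not code from the thread or from mod_ssl: it sends a minimal TLS ClientHello and classifies the first bytes the listener sends back. The loopback server it starts is a constructed stand-in for a vhost without SSLEngine on; host, port and the cipher list are assumptions.

```python
import os, socket, struct, threading


def build_client_hello() -> bytes:
    # Minimal TLS 1.2 ClientHello, no extensions: enough to get a ServerHello
    # or an alert from a TLS listener, and an HTML error page from a plain one.
    ciphers = b"\x00\x2f\x00\x35\xc0\x2f\xc0\x30"  # RSA-AES-CBC and ECDHE-AES-GCM suites (assumed list)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"  # version, random, empty session id
            + struct.pack(">H", len(ciphers)) + ciphers + b"\x01\x00")  # one compression: null
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body   # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # record type 22 (handshake)


def classify(reply: bytes) -> str:
    # Decide what the listener speaks from the first bytes it sent back.
    if not reply:
        return "no-reply"
    if reply[0] == 0x16:
        return "tls"             # handshake record: a ServerHello is coming
    if reply[0] == 0x15:
        return "tls-alert"       # TLS listener that rejected this particular hello
    if reply.startswith(b"HTTP/") or reply.lstrip().startswith(b"<"):
        return "plaintext-http"  # e.g. the thread's 3c 21 44 4f 43 54 59 = "<!DOCTY"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return classify(s.recv(16))
        except socket.timeout:
            return "no-reply"


def start_plaintext_server() -> int:
    # Constructed stand-in for a vhost without SSLEngine on: answers any bytes
    # with an HTML page on a random loopback port (serves one connection).
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.sendall(b"<!DOCTYPE html><html><body>400 Bad Request</body></html>")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run probe("localhost", 81) against the server from the thread: "plaintext-http" reproduces the symptom, "tls" is what you get once SSLEngine on and the certificate directives are in the port-81 vhost.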


Re: SSL support for a VirtualHost on a port other than 443

on 17.08.2005 01:48:06 by Andrew Musselman

Mads,

Thank you so much for your help. It worked almost perfectly once I
added those lines, plus a couple more:

Listen 81

ServerAdmin andrew@cwu.edu
DocumentRoot /usr/local/www/printers
ServerName pc74965.cts.cwu.edu
DirectoryIndex index.html index.php
ErrorLog /var/log/printers-error_log
CustomLog /var/log/printers-error_log combined

LoadModule ssl_module libexec/apache2/mod_ssl.so
SSLEngine on
SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key



There may be a couple extra things in there, since apachectl complains
about loading the ssl_module twice.

I really appreciate the help.

Best,
Andrew

Andrew Musselman
andrew@cwu.edu