unknown protocol


on 28.05.2003 07:50:41 by Tom Bartling


Hi,

I am new to the list and relatively new to administering SSL, so please
forgive me if this is not the right place to ask this question.

I am having trouble getting SSL to work. I'm on FreeBSD 4.5 Stable with
apache+mod_ssl-1.3.27+2.8.14 and openssl-0.9.7a_2.

Everything seems to have installed okay and I can run apachectl startssl
without any problems, but I can't get SSL to actually work. When I try
to go to the url via https, it immediately displays the dreaded "this page
cannot be displayed" message. When I run apachectl configtest, it spits
out the following:

apachectl configtest
[Tue May 27 23:20:56 2003] [warn] Loaded DSO libexec/apache/libphp4.so
uses plain Apache 1.3 API, this module might crash under EAPI! (please
recompile it with -DEAPI)
Syntax OK

PHP works without any problems, so I'm not concerned about that at the
moment. The manual says to try:

openssl s_client -connect localhost:443 -state -debug

As an alternative, it suggests:

curl https://localhost/

Both display an error message:

SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

So, I'm thinkin' that the problem is in the httpd.conf file. A few
things that are in there of importance (excluding comments and all of
the other stuff) include:

Port 80

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

<IfDefine SSL>
#<VirtualHost www.mintecommerce.com:443>
#<VirtualHost secure.mintecommerce.com:443>
#<VirtualHost mintecommerce.com:443>
#<VirtualHost *:443>
<VirtualHost _default_:443>

DocumentRoot "/usr/local/www/data"
ServerName www.mintecommerce.com
ServerAdmin webmaster@mintecommerce.com
ErrorLog /var/log/httpd-error.log
TransferLog /var/log/httpd-access.log

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
SSLCACertificatePath /usr/local/etc/apache/ssl.crt
SSLCARevocationPath /usr/local/etc/apache/ssl.crl
SSLVerifyClient require
</VirtualHost>
</IfDefine>

You can see where I tried different versions of the VirtualHost tag (I
did change the ServerName value for each variation). This is a server
that hosts several sites, but they all use the same IP, so all of the
VirtualHost tags are

<VirtualHost *>
...
</VirtualHost>

This seems to get the job done for the few sites on this one computer,
but now I need SSL. I'm at a loss and any help would be appreciated.

TIA,

Tom



____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: unknown protocol

on 28.05.2003 10:31:32 by Boyle Owen

Plain text please...

It looks like you are not succeeding in starting an SSL VH.

Looking at your config, there is no obvious error, although I don't know
why you put the "Listen 80" inside the IfDefine - this would mean that
even plain HTTP wouldn't work unless you started with SSL.

Just to be clear how it works, "apachectl startssl" causes the apache
control script to execute "httpd -DSSL". This starts apache with the
environment variable SSL defined. So when apache finds an <IfDefine SSL>
container, it evaluates the condition as "true" and so reads the
directives inside. This is the canonical way of selecting SSL.

Of course, you don't need to bother with all of this. If you put the SSL
VH outside the <IfDefine SSL> block (or just remove the <IfDefine SSL>
tags) then the SSL VH and its directives will fire up in a normal
"apachectl start".

You might try this - just make sure you have a single VH on port 443 and
a Listen 443 and it should startup. Be careful you don't have a plain
HTTP VH on port 443 - it could supersede the SSL VH. To test, what
happens if you make a plain HTTP request to port 443 (it shouldn't
work!)

About the PHP warning - when you recompiled apache to include mod_ssl,
it patched the apache API to extend it to allow hooks into the OpenSSL
library (EAPI = Extended API). Since the PHP module was compiled before
this, it is expecting the standard API. Probably it will continue to
work since the EAPI is a superset of the API but you never know if there
will be a conflict in some call somewhere (you'll get a seg fault if
there is). The safest thing to do is to recompile mod_php against the
new API.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.



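Owen's test ("what happens if you make a plain HTTP request to port 443") and the "SSL23_GET_SERVER_HELLO:unknown protocol" error from the first post are two views of the same thing: OpenSSL gives that error when the bytes that come back after its ClientHello are not an SSL/TLS record. The script below is an added example, not code from the thread or from mod_ssl; it sends a hand-built ClientHello to a port and names the protocol that answered. The sample replies in the comments and test are constructed.

```python
"""Probe a port the way "openssl s_client" does and say what answered.

OpenSSL reports SSL23_GET_SERVER_HELLO:unknown protocol when the bytes
that come back after its ClientHello are not an SSL/TLS record at all.
On a mod_ssl box that usually means a plain-HTTP VirtualHost is
answering on port 443, i.e. the SSL VirtualHost never got activated.
"""
import socket

# A minimal TLS 1.0 ClientHello, constructed by hand for this example:
# version, 32-byte (zero) random, empty session id, one cipher suite
# (0x002f = TLS_RSA_WITH_AES_128_CBC_SHA), null compression, no extensions.
_HELLO_BODY = (
    b"\x03\x01"            # client_version TLS 1.0
    + b"\x00" * 32         # random (zeros are fine for a probe)
    + b"\x00"              # session_id length 0
    + b"\x00\x02\x00\x2f"  # cipher_suites: length 2, one suite
    + b"\x01\x00"          # compression_methods: length 1, null
)
# Handshake header: type 1 (ClientHello) + 3-byte length.
_HANDSHAKE = b"\x01" + len(_HELLO_BODY).to_bytes(3, "big") + _HELLO_BODY
# Record header: content type 0x16 (handshake), version 3.1, 2-byte length.
CLIENT_HELLO = b"\x16\x03\x01" + len(_HANDSHAKE).to_bytes(2, "big") + _HANDSHAKE


def classify_server_reply(data: bytes) -> str:
    """Name the protocol behind the first bytes a server sent back.

    Returns one of: "tls", "sslv2", "plain-http", "no-response", "unknown".
    "plain-http" is exactly the case OpenSSL calls "unknown protocol".
    """
    if not data:
        return "no-response"
    # SSLv3/TLS record: content type 0x16 (handshake) or 0x15 (alert),
    # followed by a major version byte of 3. An alert still proves the
    # server speaks TLS; it just refused our parameters.
    if data[0] in (0x16, 0x15) and len(data) >= 2 and data[1] == 0x03:
        return "tls"
    # SSLv2 record: high bit set on the first length byte, then a
    # message type byte; 4 is SSLv2 ServerHello.
    if data[0] & 0x80 and len(data) >= 3 and data[2] == 0x04:
        return "sslv2"
    # An Apache VirtualHost without "SSLEngine on" treats the binary
    # ClientHello as a bad request line and answers with an HTTP error.
    if data.startswith(b"HTTP/"):
        return "plain-http"
    return "unknown"


def explain(kind: str) -> str:
    """Map the classification to the diagnosis the thread arrives at."""
    return {
        "tls": "server spoke SSL/TLS; the handshake itself can proceed",
        "sslv2": "server answered with an SSLv2 record",
        "plain-http": ("plain HTTP answered on this port: the SSL VirtualHost "
                       "is not active (check <IfDefine SSL>, Listen 443, "
                       "SSLEngine on) and a non-SSL VirtualHost is serving it"),
        "no-response": "connection accepted but nothing was sent back",
        "unknown": "reply is neither SSL/TLS nor HTTP",
    }[kind]


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the ClientHello to host:port and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(CLIENT_HELLO)
        try:
            reply = sock.recv(1024)
        except socket.timeout:
            reply = b""
    return classify_server_reply(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    kind = probe(target)
    print(f"{target}:443 -> {kind}: {explain(kind)}")
```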

Re: unknown protocol

on 29.05.2003 03:26:35 by Tom Bartling

Thanks for the help. When I comment out the <IfDefine SSL> containers, none of
the sites work. If I leave everything the way I have it now except move the
"Port 443" line outside the IfDefine containers, http'ing to any of the
sites will display the primary site.

Any ideas?

Thanks, again.

Tom




RE: unknown protocol

on 30.05.2003 10:04:26 by Boyle Owen

>-----Original Message-----
>From: Tom Bartling [mailto:tom@tombartling.com]
>
>Thanks for the help. When I comment out the <IfDefine SSL>
>containers, none of
>the sites work. If I leave everything the way I have it now
>except move the
>"Port 443" line outside the IfDefine containers, http'ing to any of the
>sites will display the primary site.

Commenting out the <IfDefine SSL> tags means that the directives that they
contain will be acted upon. If that changes things, then they can't have
been getting activated before. If activating these directives breaks
your VirtualHosting setup, then it must have been in error to begin with
and was "working" by accident.

If you'd care to post your config or send it directly, I'll have a look
and see if there's anything wrong with it.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.



Get cert values

on 30.05.2003 17:18:35 by Estrade Matthieu

Hi,

Is there a way to get these X509 Certificate values:
- Subject Key Identifier
- Authority Key Identifier

I am actually able to get DN and Serial with ssl_var_lookup(), but I
didn't find how to do so with SKI and AKI.

regards,

Estrade Matthieu


RE: unknown protocol

on 02.06.2003 10:54:31 by Boyle Owen

>>-----Original Message-----
>>From: Tom Bartling [mailto:tom@tombartling.com]
>>
>If you'd care to post your config or send it directly, I'll
>have a look and see if there's anything wrong with it.

There are several minor problems with your config which, taken together,
may be adding up to the confusing behaviour you are seeing. If you work
through the following it may improve matters:

General Strategy:
- Since your server has two IP addresses, use default IP addressing
(i.e. listen to all active IPs).
- Since you need VirtualHosting, use this throughout (i.e. lose the idea
of a "main server").
- Aim for multiple name-based VHs on port 80 and one single SSL VH on
port 443.

Details:
1) Don't use "Port" and "Listen". These two directives are very similar
and "Listen" is preferred ("Port" is deprecated): Remove all "Port"
directives.

2) Don't use domain names in Listens or VHs since this makes your config
dependent on DNS. Use default:

Listen secure.mintecommerce.com:443 -> Listen 443
->

(NB - the only thing which should define the SSL VH is the port number).

3) Move "main server" into first VH container. At the moment, this has
only a ServerName - this is odd and I've no idea what apache would do in
this case (I guess you expect it to default to the "main server" - I
wouldn't count on it). You can achieve this simply by moving the "main"
DocumentRoot into this VH:

ServerName www.mintecommerce.com
DocumentRoot "/usr/local/www/data"

the other directives can remain outside where they will apply globally
as appropriate.

4) To complete the encapsulation of HTTP and HTTPS, add port 80 to all
HTTP VHs:

->

(already done this for the SSL VH in (2) above).

Now try a restart without SSL and check the name-based VHs all work,
including the "main" server. If that's OK, restart with SSL and test
https://www.mintecommerce.com/.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.


>>
>>
>>
>>----- Original Message -----
>>From: "Boyle Owen"
>>To:
>>Sent: Wednesday, May 28, 2003 3:31 AM
>>Subject: RE: unknown protocol
>>
>>
>>Plain text please...
>>
>>It looks like you are not succeeding in starting an SSL VH.
>>
>>Looking at your config, there is no obvious error, although I=20
>>don't know
>>why you put the "Listen 80" inside the IfDefine - this would mean that
>>even plain HTTP wouldn't work unless you started with SSL.
>>
>>Just to be clear how it works, "apachectl startssl" causes the apache
>>control script to execute "httpd -DSSL". This starts apache with the
>>environment variable SSL defined. So when apache finds an=20
>>
>>container, it evaluates the condition as "true" and so reads the
>>directives inside. This is the canonical way of selecting SSL.
>>
>>Of course, you don't need to bother with all of this. If you=20
>>put the SSL
>>VH outside the block (or just remove the
>>tags) then the SSL VH and its directives will fire up in a normal
>>"apachectl start".
>>
>>You might try this - just make sure you have a single VH on=20
>>port 443 and
>>a Listen 443 and it should startup. Be careful you don't have a plain
>>HTTP VH on port 443 - it could supersede the SSL VH. To test, what
>>happens if you make a plain HTTP request to port 443 (it shouldn't
>>work!)
>>
>>About the PHP warning - when you recompiled apache to include mod_ssl,
>>it patched the apache API to extend it to allow hooks into the OpenSSL
>>library (EAPI =3D Extended API). Since the PHP module was=20
>compiled before
>>this, it is expecting the standard API. Probably it will continue to
>>work since the EAPI is a superset of the API but you never=20
>>know if there
>>will be a conflict in some call somewhere (you'll get a seg fault if
>>there is). The safest thing to do is to recompile mod_php against the
>>new API.
>>
>>Rgds,
>>Owen Boyle
>>Disclaimer: Any disclaimer attached to this message may be ignored.
>>
>>
>>
>>-----Original Message-----
>>From: Tom Bartling [mailto:tom@tombartling.com]
>>Sent: Mittwoch, 28. Mai 2003 07:51
>>To: modssl-users@modssl.org
>>Subject: unknown protocol
>>
>>
>>Hi,
>>
>>I am new to the list and relatively new to administering SSL,=20
>so please
>>forgive me if this is not the right place to ask this question.
>>
>>I am having trouble getting SSL to work. I'm on FreeBSD 4.5=20
>Stable with
>>apache+mod_ssl-1.3.27+2.8.14 and openssl-0.9.7a_2.
>>
>>Everything seems to have installed okay and I can run=20
>>apachectl startssl
>>without any problems, but I can't get SSL to actually work. When I try
>>to go the url via https, it immediately displays the dreaded=20
>"this page
>>cannot be displayed" message. When I run apachectl=20
>configtest, it spits
>>out the following:
>>
>>apachectl configtest
>>[Tue May 27 23:20:56 2003] [warn] Loaded DSO libexec/apache/libphp4.so
>>uses plain Apache 1.3 API, this module might crash under EAPI! (please
>>recompile it with -DEAPI)
>>Syntax OK
>>
>>PHP works without any problems, so I'm not concerned about that at the
>>moment. The manual says to try:
>>
>>openssl s_client -connect localhost:443 -state -debug
>>
>>As an alternative, it suggests:
>>
>>curl https://localhost/
>>
>>Both display an error message:
>>
>>SSL: error:140770FC:SSL=20
>>routines:SSL23_GET_SERVER_HELLO:unknown protocol
>>
>>So, I'm thinkin' that the problem is in the httpd.conf file. A few
>>things that are in there of importance (excluding comments and all of
>>the other stuff) include:
>>
>>Port 80
>>
>>
>>Listen 80
>>Listen 443
>>

>>
>>
>>#
>>#
>>#
>>#
>>
>>
>>DocumentRoot "/usr/local/www/data"
>>ServerName www.mintecommerce.com
>>ServerAdmin webmaster@mintecommerce.com
>>ErrorLog /var/log/httpd-error.log
>>TransferLog /var/log/httpd-access.log
>>
>>SSLEngine on
>>SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt
>>SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
>>SSLCACertificatePath /usr/local/etc/apache/ssl.crt
>>SSLCARevocationPath /usr/local/etc/apache/ssl.crl
>>SSLVerifyClient require
>>

>>

>>
>>You can see where I tried different versions of the VirtualHost tag (I
>>did change the ServerName value for each variation). This is a server
>>that hosts several sites, but they all use the same IP, so all of the
>>VirtualHost tags are
>>
>>
>>...
>>

>>
>>This seems to get the job done for the few sites on this one computer,
>>but now I need SSL. I'm at a loss and any help would be appreciated.
>>
>>TIA,
>>
>>Tom
>>This e-mail is of a private and personal nature. It is not related to
>>the exchange or business activities of the SWX Swiss Exchange.
>>
>>This message is for the named person's use only. It may contain
>>confidential, proprietary or legally privileged information. No
>>confidentiality or privilege is waived or lost by any mistransmission.
>>If you receive this message in error, please notify the sender urgently
>>and then immediately delete the message and any copies of it from your
>>system. Please also immediately destroy any hardcopies of the message.
>>You must not, directly or indirectly, use, disclose, distribute, print,
>>or copy any part of this message if you are not the intended recipient.
>>The sender's company reserves the right to monitor all e-mail
>>communications through their networks. Any views expressed in this
>>message are those of the individual sender, except where the message
>>states otherwise and the sender is authorised to state them to be the
>>views of the sender's company.
>>
>>
>>______________________________________________________________________
>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>User Support Mailing List modssl-users@modssl.org
>>Automated List Manager majordomo@modssl.org
>>
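The httpd.conf quoted above mixes "Port" with "Listen", puts "Listen 80" inside the SSL-only block, and carries a cipher string that still admits SSLv2, export and LOW ciphers (the trailing "+eNULL" does nothing, since "+" only reorders ciphers already selected and ALL excludes eNULL). The script below is an added example, not part of the thread and not mod_ssl's own tooling: it lints a config for exactly those pitfalls and keeps a corrected layout beside the weak one. Both config samples are constructed here from the directives posted; the hostname and paths are the ones quoted in the thread, the client-certificate directives are left out as a separate concern, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: lint an Apache 1.3 + mod_ssl
# httpd.conf for the pitfalls visible in the posted config, and keep the
# corrected layout next to it. Hostname and paths are the ones quoted in
# the thread; both config samples are constructed here.

# Weak sample: the directives as posted, with "Listen 80" inside the
# SSL-only block, a "Port" directive, and the old default cipher string.
WEAK_CONF='Port 80
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>
<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
</VirtualHost>'

# Corrected layout: Listen only, name-based VHs on *:80 that always start,
# and a single SSL VH on 443 that only exists under "httpd -DSSL".
GOOD_CONF='Listen 80
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www.mintecommerce.com
DocumentRoot "/usr/local/www/data"
</VirtualHost>
<IfDefine SSL>
Listen 443
<VirtualHost _default_:443>
ServerName www.mintecommerce.com
DocumentRoot "/usr/local/www/data"
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2
SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
</VirtualHost>
</IfDefine>'

# lint_conf CONFIG_TEXT: print one finding per line (nothing when clean).
lint_conf() {
    printf '%s\n' "$1" | awk '
    BEGIN { depth = 0; engine = 0; sslv2_off = 0 }
    # Track <IfDefine SSL> nesting: directives inside only apply under -DSSL.
    /^[ \t]*<IfDefine[ \t]+SSL>/ { depth++; next }
    /^[ \t]*<\/IfDefine>/        { if (depth > 0) depth--; next }
    /^[ \t]*Port[ \t]/ {
        print "WARN: Port is deprecated; use Listen (" $0 ")"; next }
    /^[ \t]*Listen[ \t]+([^:]*:)?80[ \t]*$/ && depth > 0 {
        print "WARN: Listen 80 is inside <IfDefine SSL>; plain HTTP only works when started with -DSSL"
        next }
    /^[ \t]*SSLEngine[ \t]+[Oo]n/ { engine = 1; next }
    /^[ \t]*SSLProtocol[ \t]/ {
        # SSLv2 is off if it is subtracted (-SSLv2) or simply never listed
        if ($0 ~ /-SSLv2/ || ($0 !~ /[Aa]ll/ && $0 !~ /SSLv2/)) sslv2_off = 1
        next }
    /^[ \t]*SSLCipherSuite[ \t]/ {
        broad = 0
        m = split($2, tok, ":")
        for (i = 1; i <= m; i++) {
            t = tok[i]
            if (t ~ /^!/) continue          # "!" removes a class for good
            if (t == "ALL" || t == "DEFAULT") broad = 1
            # "+" only reorders ciphers already selected, so "+LOW" matters
            # after ALL but is a no-op after a narrow list such as HIGH.
            if (t ~ /^(SSLv2|EXP|LOW)$/ || (broad && t ~ /^\+(SSLv2|EXP|LOW)$/)) {
                sub(/^\+/, "", t)
                print "WARN: SSLCipherSuite permits " t "; use !" t
            } else if (t == "eNULL" || t == "NULL") {
                print "WARN: SSLCipherSuite enables NULL encryption via " t
            } else if (t == "+eNULL") {
                print "NOTE: +eNULL is a no-op (ALL excludes eNULL and + only reorders); write !eNULL"
            }
        }
        next }
    END {
        if (engine && !sslv2_off)
            print "WARN: SSLv2 not disabled; add: SSLProtocol all -SSLv2"
    }'
}

# Standalone run: show what the lint says about each sample.
echo "== weak =="; lint_conf "$WEAK_CONF"
echo "== corrected =="; lint_conf "$GOOD_CONF"
```

To lint a live file, call lint_conf "$(cat /usr/local/etc/apache/httpd.conf)". The awk only understands one IfDefine name and flat directives, which is enough for the layout under discussion; it is not a general httpd.conf parser.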

Re: unknown protocol

am 11.06.2003 01:50:42 von Tom Bartling

Thanks for your help, Owen! I did everything you said, although it didn't
work right away. I had to change "NameVirtualHost *" to "NameVirtualHost
*:80". Now, I need to get the certificate stuff worked out and I'm on my
way.

Thanks!
Tom



----- Original Message -----
From: "Boyle Owen"
To:
Sent: Monday, June 02, 2003 3:54 AM
Subject: RE: unknown protocol


>>-----Original Message-----
>>From: Tom Bartling [mailto:tom@tombartling.com]
>>
>If you'd care to post your config or send it directly, I'll
>have a look and see if there's anything wrong with it.

There are several minor problems with your config which, taken together, may
be adding up to the confusing behaviour you are seeing. If you work through
the following it may improve matters:

General Strategy:
- Since your server has two IP addresses, use default IP addressing (i.e.
listen to all active IPs).
- Since you need VirtualHosting, use this throughout (i.e. lose the idea of
a "main server").
- Aim for multiple name-based VHs on port 80 and one single SSL VH on port
443.

Details:
1) Don't use "Port" and "Listen". These two directives are very similar and
"Listen" is preferred ("Port" is deprecated): Remove all "Port" directives.

2) Don't use domain names in Listens or VHs since this makes your config
dependent on DNS. Use default:

Listen secure.mintecommerce.com:443 -> Listen 443
->

(NB - the only thing which should define the SSL VH is the port number).

3) Move "main server" into first VH container. At the moment, this has only
a ServerName - this is odd and I've no idea what apache would do in this
case (I guess you expect it to default to the "main server" - I wouldn't
count on it). You can achieve this simply by moving the "main" DocumentRoot
into this VH:


ServerName www.mintecommerce.com
DocumentRoot "/usr/local/www/data"


the other directives can remain outside where they will apply globally as
appropriate.

4) To complete the encapsulation of HTTP and HTTPS, add port 80 to all HTTP
VHs:

->

(already done this for the SSL VH in (2) above).

Now try a restart without SSL and check the name-based VHs all work,
including the "main" server. If that's OK, restart with SSL and test
https://www.mintecommerce.com/.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.


>>
>>
>>
>>----- Original Message -----
>>From: "Boyle Owen"
>>To:
>>Sent: Wednesday, May 28, 2003 3:31 AM
>>Subject: RE: unknown protocol
>>
>>
>>Plain text please...
>>
>>It looks like you are not succeeding in starting an SSL VH.
>>
>>Looking at your config, there is no obvious error, although I
>>don't know
>>why you put the "Listen 80" inside the IfDefine - this would mean that
>>even plain HTTP wouldn't work unless you started with SSL.
>>
>>Just to be clear how it works, "apachectl startssl" causes the apache
>>control script to execute "httpd -DSSL". This starts apache with the
>>environment variable SSL defined. So when apache finds an <IfDefine SSL>
>>container, it evaluates the condition as "true" and so reads the
>>directives inside. This is the canonical way of selecting SSL.
>>
>>Of course, you don't need to bother with all of this. If you
>>put the SSL
>>VH outside the block (or just remove the
>>tags) then the SSL VH and its directives will fire up in a normal
>>"apachectl start".
>>
>>You might try this - just make sure you have a single VH on
>>port 443 and
>>a Listen 443 and it should startup. Be careful you don't have a plain
>>HTTP VH on port 443 - it could supersede the SSL VH. To test, what
>>happens if you make a plain HTTP request to port 443 (it shouldn't
>>work!)
>>
>>About the PHP warning - when you recompiled apache to include mod_ssl,
>>it patched the apache API to extend it to allow hooks into the OpenSSL
>>library (EAPI = Extended API). Since the PHP module was compiled before
>>this, it is expecting the standard API. Probably it will continue to
>>work since the EAPI is a superset of the API but you never
>>know if there
>>will be a conflict in some call somewhere (you'll get a seg fault if
>>there is). The safest thing to do is to recompile mod_php against the
>>new API.
>>
>>Rgds,
>>Owen Boyle
>>Disclaimer: Any disclaimer attached to this message may be ignored.
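Owen's check (make a plain HTTP request to port 443; it should not serve the site) and the SSL23_GET_SERVER_HELLO:unknown protocol error from s_client are two views of the same fault: the client expected a ServerHello and the port answered with something that is not an SSL record, typically an HTTP response from a plain-HTTP VirtualHost that won port 443. The script below is an added example, not part of the thread, that turns both checks into a verdict. It assumes nc and openssl are on the PATH for the live probe; the classifier functions only look at the text a server sent back, so they can be run on captured output without a network. The function names, the sample replies and the hostname www.mintecommerce.com (taken from the thread) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: turn the two checks discussed above
# (plain HTTP to port 443, and openssl s_client against it) into a verdict.
# Assumes nc and openssl are on the PATH for the live probe; the classifiers
# only look at text, so they can be run on captured output.

# classify_reply FIRST_LINE: what the first line returned to a plain
# "GET / HTTP/1.0" request on the port tells you.
classify_reply() {
    case "$1" in
        "")                  echo silent ;;      # nothing back within the timeout, or no listener
        HTTP/*" 400 "*)      echo ssl-port ;;    # mod_ssl refuses plain HTTP on its port with a 400 page
        HTTP/*)              echo plain-http ;;  # an HTTP VirtualHost owns this port and serves unencrypted
        *)                   echo binary ;;      # not HTTP at all (e.g. a TLS alert record)
    esac
}

# classify_s_client OUTPUT: what "openssl s_client -connect host:443" said.
classify_s_client() {
    case "$1" in
        *"unknown protocol"*)        echo unknown-protocol ;; # peer sent non-SSL bytes instead of a ServerHello
        *"Verify return code"*)      echo handshake-ok ;;     # handshake completed (certificate may still be untrusted)
        *"connect:errno"*|*refused*) echo refused ;;          # nothing listening on the port
        *)                           echo other ;;
    esac
}

# explain TAG: one line of advice per verdict.
explain() {
    case "$1" in
        plain-http)       echo "a plain HTTP VirtualHost is bound to the SSL port; it supersedes the SSL VH" ;;
        ssl-port)         echo "the SSL VirtualHost owns the port and rejects plaintext, as it should" ;;
        silent|binary)    echo "something other than HTTP answers; confirm with openssl s_client" ;;
        unknown-protocol) echo "the port answered with HTTP, not SSL: fix the VirtualHost on 443" ;;
        handshake-ok)     echo "SSL works; any remaining error is certificate trust, not protocol" ;;
        refused)          echo "no listener: check Listen 443 and that httpd was started with -DSSL" ;;
        *)                echo "inconclusive; re-run openssl s_client with -state -debug" ;;
    esac
}

# probe HOST [PORT]: run both checks live (assumes nc and openssl).
probe() {
    host=$1; port=${2:-443}
    first=$(printf 'GET / HTTP/1.0\r\n\r\n' | nc -w 3 "$host" "$port" 2>/dev/null | head -n 1 | tr -d '\r')
    tag=$(classify_reply "$first")
    echo "plain HTTP -> $tag: $(explain "$tag")"
    out=$(openssl s_client -connect "$host:$port" </dev/null 2>&1)
    tag=$(classify_s_client "$out")
    echo "s_client   -> $tag: $(explain "$tag")"
}

# Standalone use: sh probe.sh www.mintecommerce.com 443
if [ $# -ge 1 ]; then probe "$@"; fi
```

The 400 case is what a working SSL VirtualHost answers: mod_ssl notices the plaintext request and returns an HTTP error page instead of the site, which is the "it shouldn't work" outcome Owen asks for. A 2xx on port 443 means the plain-HTTP VirtualHost has taken the port, and that is the same condition s_client reports as "unknown protocol".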