SSL on Apache 2.2.14

Hello,

Hopefully someone will be able to help, as I've been working on this
problem for quite a while and have hit a wall. I'm trying to upgrade
Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to
build and compile okay, but when I try to access my site running on
2.2.14, I get a strange error from Firefox: "Secure connection
failed. An error occurred during a connection to xxxxxx. SSL peer
reports incorrect Message Authentication Code. (Error code:
ssl_error_bad_mac_alert)."

I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same
results. This is hosted on a Solaris sparc box. The 2.2.14 server is
utilizing all the same files and SSL certificates as the 2.0.47
server. I've called Verisign; I have valid certificates, but they've
never heard of this error before. If I self-sign a certificate and
test it with the 2.2.14 server, it seems to work (except for the
expected error message regarding self-signed certificates).

Searching on Google has led me to try forcing Apache to compile with
prefork enabled (but it seems to default to that anyway on Solaris).
I've also tried statically linking Apache during compile with the same
results.

If anyone has any ideas or suggestions, I'd very much appreciate them...

Thank you,
John

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: SSL on Apache 2.2.14

--=_alternative 0062E07A80257679_=
Content-Type: text/html; charset="US-ASCII;"



7bit Content-Transfer-Encoding:>

RE: SSL on Apache 2.2.14

--=_alternative 0063072A80257679_=
Content-Type: text/html; charset="US-ASCII;"



7bit Content-Transfer-Encoding:>

Re: SSL on Apache 2.2.14

--Apple-Mail-12--455343661
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=us-ascii


On Nov 25, 2009, at 9:23 AM, John J. Consolati wrote:

> Hopefully someone will be able to help, as I've been working on this =
problem for quite a while and have hit a wall. I'm trying to upgrade =
Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to =
build and compile okay, but when I try to access my site running on =
2.2.14, I get a strange error from Firefox: "Secure connection failed. =
An error occurred during a connection to xxxxxx. SSL peer reports =
incorrect Message Authentication Code. (Error code: =
ssl_error_bad_mac_alert)."

This means that, after the handshake, the client and server have a =
different idea of what their session keys are. This happens when the =
pre-master secret that the client sent was decrypted with a private key =
that does not belong to the certificate that the server passed to the =
client. =20

Do you by any chance use a Hardware Security Module to protect the =
private key?=20

Can you try using your key file and certs with a simple test server =
included with openssl? Like so:=20

openssl s_server -cert /path/to/yourSSLCertificateFile -key =
/path/to/yourSSLCertificateKeyFile -CAfile =
/path/to/yourSSLCertificateChainFile -www

and then from a different terminal connect to localhost:4433

curl -i https://localhost:4433/ or

openssl s_client -connect localhost:4433=20

and see if that works. =20

S.=20

> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same =
results. This is hosted on a Solaris sparc box. The 2.2.14 server is =
utilizing all the same files and SSL certificates as the 2.0.47 server. =
I've called Verisign; I have valid certificates, but they've never heard =
of this error before. If I self-sign a certificate and test it with the =
2.2.14 server, it seems to work (except for the expected error message =
regarding self-signed certificates).
>=20
> Searching on Google has led me to try forcing Apache to compile with =
prefork enabled (but it seems to default to that anyway on Solaris). =
I've also tried statically linking Apache during compile with the same =
results.
>=20
> If anyone has any ideas or suggestions, I'd very much appreciate =
them...
>=20
> Thank you,
> John
>=20
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server =
Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>=20
>=20



--=20
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF




--Apple-Mail-12--455343661
Content-Disposition: attachment;
filename=smime.p7s
Content-Type: application/pkcs7-signature;
name=smime.p7s
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEH AQAAoIIFMzCCBS8w
ggMXoAMCAQICAwVx1DANBgkqhkiG9w0BAQUFADB5MRAwDgYDVQQKEwdSb290 IENBMR4wHAYDVQQL
ExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2ln bmluZyBBdXRob3Jp
dHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0wODA3 MDYxNTQzMzRaFw0x
MDA3MDYxNTQzMzRaMDoxFTATBgNVBAMTDFNhbmRlciBUZW1tZTEhMB8GCSqG SIb3DQEJARYSc2N0
ZW1tZUBhcGFjaGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAuKsWFApS17cR
51oTARVEphn9w7VKL2p+HqnTJOF7CnihobEp4um9w3c0bcbXruKbjfwzBiaR Av0BGkOezB8XuHpQ
r3abklf7bkvFqYHLaj9ANm2wj2qrUXasaPgsOIXNiPa0qkpxBHk8Of43Q/Jx v4YGF11DvTfXPpbl
qXkJ07pk6fC3MSDAsZc5mdGtIhDY/LGgxr/A6NhwTG3hxwE9zPt/B7v/bctU 4ZWxloeC/eCpCYUU
fk3BGwoU53iEXyMpe/Kz2iIyZe5dimDeOigqC3Cye99EvtjL2ZavRsqL00j5 M9q/MPYh1WsgVOaZ
WxpEnnd+e5kPTjTL7hAbJzv7cwIDAQABo4H+MIH7MAwGA1UdEwEB/wQCMAAw VgYJYIZIAYb4QgEN
BEkWR1RvIGdldCB5b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSBoZWFk IG92ZXIgdG8gaHR0
cDovL3d3dy5DQWNlcnQub3JnMEAGA1UdJQQ5MDcGCCsGAQUFBwMEBggrBgEF BQcDAgYKKwYBBAGC
NwoDBAYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBMDIGCCsGAQUFBwEBBCYwJDAi BggrBgEFBQcwAYYW
aHR0cDovL29jc3AuY2FjZXJ0Lm9yZzAdBgNVHREEFjAUgRJzY3RlbW1lQGFw YWNoZS5vcmcwDQYJ
KoZIhvcNAQEFBQADggIBAITHPZWMXBXh1rSeQ9yJoMBXr0b5bOxUX3V/KsgY LCTu5d0GNB2HHjcq
dHSxbIm7ezIGxTFA491q9wOHQZmYvQzMV2zQUqLrZmNFYPCC1/Q5Gw43CnYQ 0StGX2frOKNIp7fM
KpXux9jjao8sG1Sa0ubclAx3u50wz3k9mEfFhtrZsYLWbruitZeozslMJhG8 tFoRH7J68QmhnyCK
GniNLSu4K6SykM5DOH3GzDKsbjiPqQ7Y+h8qj309oO81fAWo6JdcVdxivFS7 KgHAt+nQS1oaiSeV
W25idOBsTiwWBxkcfq3DltK0HZe6QWMYYvgq2BoHAwGGy+wHjEk8dc/rtf4H Anpee/3Quc3lN+IK
UHYC2RlgtG2JirizdUhkxdsaw6Vl+yk3FvduWJUZjEh7zBMKRUoSOlo6i8Ap CNSgHk1QQSI2wPqs
gltpxhQ8B3wCdUNbywntZVyaNp5CgmkBxOs330nkl+jQsZvE5XmYyZt20W6S uCaV1YYHHducXdc/
DNUrSdsdw2nNmVOqZ3xC53UXX/tuPquLqLbSs2W1vtbCAsdzTalNbqG64OrG 74I2C191RM05l2jp
AHfoz+9OZ+7q2pSGYdbACxY3Rke2s7jqPD/X9aukO50ZDibLEGW8wdL+0yxZ LGaR2zJ9K8yo4YuO
09oUHORRtY0WoMRX0FFTMYIDMzCCAy8CAQEwgYAweTEQMA4GA1UEChMHUm9v dCBDQTEeMBwGA1UE
CxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0IFNp Z25pbmcgQXV0aG9y
aXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2VydC5vcmcCAwVx1DAJ BgUrDgMCGgUAoIIB
hzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0w OTExMjUxODAzMzRa
MCMGCSqGSIb3DQEJBDEWBBQ2DwTUGjOdXjsmHZ0wqQBUXiB7vTCBkQYJKwYB BAGCNxAEMYGDMIGA
MHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2Fj ZXJ0Lm9yZzEiMCAG
A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ ARYSc3VwcG9ydEBj
YWNlcnQub3JnAgMFcdQwgZMGCyqGSIb3DQEJEAILMYGDoIGAMHkxEDAOBgNV BAoTB1Jvb3QgQ0Ex
HjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0Eg Q2VydCBTaWduaW5n
IEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3Jn AgMFcdQwDQYJKoZI
hvcNAQEBBQAEggEAGQQrOv+h0y8khUSuxFKLVhmIfak+m3W8BB0Jj3EPBLqx VS7C4OtS8PHSdvXM
qKeXqKPSbl31bIqJPgrBZGnUzwdIFjXYrtTTPTFY9AJgec/IKZwemBvHU1lu U9iU76TEj0JVyXHd
waHH4Bj6xQhgLk31p3yHFK+sDP8Ltn/Jh4ZnVbiGjViqB5mG4X7opDjEixGl +bj8ZGQ8NaBTx7yr
OiVvIQoPg971cS2tB2TypE9q4QnAhLrmh/ftmvOEZ8mAnW0Jxq/zgZC5Fo0C CM66kCf83gtc1ra9
o5KnGeQyjOtsG56lQzh1MuLi0F6giOQIQYpnRGWKx5Pl6dOpGvDu/wAAAAAA AA==

--Apple-Mail-12--455343661--

Re: SSL on Apache 2.2.14

Thank you for the reply.

Unfortunately, upgrading Solaris isn't an option. Here is the version
I have to work with (quite old..):

bash-2.05# cat /etc/release
Solaris 9 4/04 s9s_u6wos_08a SPARC
Copyright 2004 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 22 March 2004
bash-2.05# uname -a
SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250

I've been using the Sun cc, not gcc, to compile everything.


Here is the output from the openSSL commands:

openssl -certs....etc etc

Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIe X2wE
MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F /Ajy
V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH -
RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-A ES128-
SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-M D5:EDH-RSA-
DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES- CBC-
SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5: EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA



And on the other terminal:

bash-2.05$ openssl s_client -connect localhost:4433
CONNECTED(00000003)
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure
Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National
Laboratory/OU=Environmental Restoration Division erdc/CN=www-
erdc.llnl.gov
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure
Server CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure
Server CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
certificate hash...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore National
Laboratory/OU=Environmental Restoration Division erdc/CN=www-
erdc.llnl.gov
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure
Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2973 bytes and written 258 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E 5F6C
Session-ID-ctx:
Master-Key:
EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A4 5712081626A57E6C0FE555052DC5FC08F257
Key-Arg : None
Start Time: 1259172800
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---

Looks like there is a problem with one of the certificates, but I'm
not sure how to proceed...

Again, thank you for your help, I appreciate it.

Regards,
John


On Nov 25, 2009, at 10:00 AM, daniel.goulder@and.co.uk wrote:

> This sounds like a Solaris bug.
>
> Make sure you have a recent version of Solaris or the latest patches
> installed...
>
> What release/patch level are you using?
>
> Danny
>
> ________________________________
>
> From: "John J. Consolati" [mailto:"John J.
> Consolati" ]
> Sent: 25 November 2009 17:23
> To: users@httpd.apache.org
> Subject: [users@httpd] SSL on Apache 2.2.14
>
>
> Hello,
>
> Hopefully someone will be able to help, as I've been working on this
> problem for quite a while and have hit a wall. I'm trying to upgrade
> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to
> build and compile okay, but when I try to access my site running on
> 2.2.14, I get a strange error from Firefox: "Secure connection
> failed. An error occurred during a connection to xxxxxx. SSL peer
> reports incorrect Message Authentication Code. (Error code:
> ssl_error_bad_mac_alert)."
>
> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same
> results. This is hosted on a Solaris sparc box. The 2.2.14 server is
> utilizing all the same files and SSL certificates as the 2.0.47
> server. I've called Verisign; I have valid certificates, but they've
> never heard of this error before. If I self-sign a certificate and
> test it with the 2.2.14 server, it seems to work (except for the
> expected error message regarding self-signed certificates).
>
> Searching on Google has led me to try forcing Apache to compile with
> prefork enabled (but it seems to default to that anyway on Solaris).
> I've also tried statically linking Apache during compile with the same
> results.
>
> If anyone has any ideas or suggestions, I'd very much appreciate
> them...
> Thank you,
> John
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See < URL:http://*httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
> ____________________________________________________________ __________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://*www.*messagelabs.com/email
> ____________________________________________________________ __________
>
>
> ____________________________________________________________ __________
> This e-mail and any attached files are intended for the named
> addressee only. It contains information, which may be confidential
> and legally privileged and also protected by copyright. Unless you
> are the named addressee (or authorised to receive for the addressee)
> you may not copy or use it, or disclose it to anyone else. If you
> received it in error please notify the sender immediately and then
> delete it from your system. Please be advised that the views and
> opinions expressed in this e-mail may not reflect the views and
> opinions of Associated Newspapers Limited or any of its subsidiary
> companies. We make every effort to keep our network free from
> viruses. However, you do need to check this e-mail and any
> attachments to it for viruses as we can take no responsibility for
> any computer virus which may be transferred by way of this e-mail.
> Use of this or any other e-mail facility signifies consent to any
> interception we might lawfully carry out to prevent abuse of these
> faciliti
> es.
> Associated Newspapers Ltd. Registered Office: Northcliffe House, 2
> Derry St, Kensington, London, W8 5TT. Registered No 84121 England.


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SSL on Apache 2.2.14

--Apple-Mail-13--450672207
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=us-ascii


On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:

> Thank you for the reply.
>=20
> Unfortunately, upgrading Solaris isn't an option. Here is the version =
I have to work with (quite old..):
>=20
> bash-2.05# cat /etc/release
> Solaris 9 4/04 s9s_u6wos_08a SPARC
> Copyright 2004 Sun Microsystems, Inc. All Rights Reserved.
> Use is subject to license terms.
> Assembled 22 March 2004
> bash-2.05# uname -a
> SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250
>=20
> I've been using the Sun cc, not gcc, to compile everything.
>=20
>=20
> Here is the output from the openSSL commands:
>=20
> openssl -certs....etc etc

What is your complete command line here?

> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT
> -----BEGIN SSL SESSION PARAMETERS-----
> MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIe X2wE
> MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F /Ajy
> V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=3D
> -----END SSL SESSION PARAMETERS-----
> Shared =
ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH -RSA-DES-CBC3-=
SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE -DSS-AES128-SH=
A:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SH A:EDH-DSS-DES-=
CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES- CBC-SHA:EXP-DE=
S-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
> CIPHER is DHE-RSA-AES256-SHA
>=20
>=20
>=20
> And on the other terminal:
>=20
> bash-2.05$ openssl s_client -connect localhost:4433
> CONNECTED(00000003)
> depth=3D1 /C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust =
Network/OU=3DTerms of use at https://www.verisign.com/rpa =
(c)05/CN=3DVeriSign Class 3 Secure Server CA
> verify error:num=3D20:unable to get local issuer certificate
> verify return:0

That's not a problem, just OpenSSL complaining it can't find the =
Verisign root cert. If you happen to have a copy of that (like your =
browser does) and point openssl s_client to it, it can verify all the =
way to the top. This does not impact the connection itself. =20

> ---
> Certificate chain
> 0 s:/C=3DUS/ST=3DCalifornia/L=3DLivermore/O=3DLawrence Livermore =
National Laboratory/OU=3DEnvironmental Restoration Division =
erdc/CN=3Dwww-erdc.llnl.gov
> i:/C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3DTerms =
of use at https://www.verisign.com/rpa (c)05/CN=3DVeriSign Class 3 =
Secure Server CA
> 1 s:/C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3DTerms =
of use at https://www.verisign.com/rpa (c)05/CN=3DVeriSign Class 3 =
Secure Server CA
> i:/C=3DUS/O=3DVeriSign, Inc./OU=3DClass 3 Public Primary =
Certification Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> certificate hash...
> -----END CERTIFICATE-----
> subject=3D/C=3DUS/ST=3DCalifornia/L=3DLivermore/O=3DLawrence Livermore =
National Laboratory/OU=3DEnvironmental Restoration Division =
erdc/CN=3Dwww-erdc.llnl.gov
> issuer=3D/C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust =
Network/OU=3DTerms of use at https://www.verisign.com/rpa =
(c)05/CN=3DVeriSign Class 3 Secure Server CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2973 bytes and written 258 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: =
5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E 5F6C
> Session-ID-ctx:
> Master-Key: =
EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A4 5712081626A57E=
6C0FE555052DC5FC08F257
> Key-Arg : None
> Start Time: 1259172800
> Timeout : 300 (sec)
> Verify return code: 20 (unable to get local issuer certificate)
> ---
>=20
> Looks like there is a problem with one of the certificates, but I'm =
not sure how to proceed...

At this point, you have a valid handshake, and the client and server =
have exchanged data encrypted and MACed with the session keys. All is =
well. You could type on the command line 'GET / HTTP/1.0\r\r' (two =
returns) and you'll get the status page generated by openssl s_server =
-www.=20

This means you have a configuration problem with Apache. Make sure =
you're using the ssl and crypto libraries that you think you are by =
running ldd on the httpd binary and the mod_ssl.so binary. While the =
Solaris build environment usually gets this right by hardcoding the path =
to the libraries at link time, make sure this is ok at run time.=20

Then, make sure your server is configured correctly, and that your SSL =
virtual host(s) use the correct combination of SSLCertificateFile and =
SSLCertificateKeyFile. =20

S.

> Again, thank you for your help, I appreciate it.
>=20
> Regards,
> John
>=20
>=20
> On Nov 25, 2009, at 10:00 AM, daniel.goulder@and.co.uk wrote:
>=20
>> This sounds like a Solaris bug.
>>=20
>> Make sure you have a recent version of Solaris or the latest patches
>> installed...
>>=20
>> What release/patch level are you using?
>>=20
>> Danny
>>=20
>> ________________________________
>>=20
>> From: "John J. Consolati" [mailto:"John J.
>> Consolati" ]
>> Sent: 25 November 2009 17:23
>> To: users@httpd.apache.org
>> Subject: [users@httpd] SSL on Apache 2.2.14
>>=20
>>=20
>> Hello,
>>=20
>> Hopefully someone will be able to help, as I've been working on this
>> problem for quite a while and have hit a wall. I'm trying to upgrade
>> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to
>> build and compile okay, but when I try to access my site running on
>> 2.2.14, I get a strange error from Firefox: "Secure connection
>> failed. An error occurred during a connection to xxxxxx. SSL peer
>> reports incorrect Message Authentication Code. (Error code:
>> ssl_error_bad_mac_alert)."
>>=20
>> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same
>> results. This is hosted on a Solaris sparc box. The 2.2.14 server is
>> utilizing all the same files and SSL certificates as the 2.0.47
>> server. I've called Verisign; I have valid certificates, but they've
>> never heard of this error before. If I self-sign a certificate and
>> test it with the 2.2.14 server, it seems to work (except for the
>> expected error message regarding self-signed certificates).
>>=20
>> Searching on Google has led me to try forcing Apache to compile with
>> prefork enabled (but it seems to default to that anyway on Solaris).
>> I've also tried statically linking Apache during compile with the =
same
>> results.
>>=20
>> If anyone has any ideas or suggestions, I'd very much appreciate =
them...
>> Thank you,
>> John
>>=20
>> ------------------------------------------------------------ ---------
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See < URL:http://*httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>=20
>>=20
>> =
____________________________________________________________ __________
>> This email has been scanned by the MessageLabs Email Security System.
>> For more information please visit http://*www.*messagelabs.com/email
>> =
____________________________________________________________ __________
>>=20
>>=20
>> =
____________________________________________________________ __________
>> This e-mail and any attached files are intended for the named =
addressee only. It contains information, which may be confidential and =
legally privileged and also protected by copyright. Unless you are the =
named addressee (or authorised to receive for the addressee) you may not =
copy or use it, or disclose it to anyone else. If you received it in =
error please notify the sender immediately and then delete it from your =
system. Please be advised that the views and opinions expressed in this =
e-mail may not reflect the views and opinions of Associated Newspapers =
Limited or any of its subsidiary companies. We make every effort to keep =
our network free from viruses. However, you do need to check this e-mail =
and any attachments to it for viruses as we can take no responsibility =
for any computer virus which may be transferred by way of this e-mail. =
Use of this or any other e-mail facility signifies consent to any =
interception we might lawfully carry out to prevent abuse of these =
faciliti
>> es.
>> Associated Newspapers Ltd. Registered Office: Northcliffe House, 2 =
Derry St, Kensington, London, W8 5TT. Registered No 84121 England.
>=20
>=20
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server =
Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>=20
>=20



--=20
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF




--Apple-Mail-13--450672207
Content-Disposition: attachment;
filename=smime.p7s
Content-Type: application/pkcs7-signature;
name=smime.p7s
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEH AQAAoIIFMzCCBS8w
ggMXoAMCAQICAwVx1DANBgkqhkiG9w0BAQUFADB5MRAwDgYDVQQKEwdSb290 IENBMR4wHAYDVQQL
ExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2ln bmluZyBBdXRob3Jp
dHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0wODA3 MDYxNTQzMzRaFw0x
MDA3MDYxNTQzMzRaMDoxFTATBgNVBAMTDFNhbmRlciBUZW1tZTEhMB8GCSqG SIb3DQEJARYSc2N0
ZW1tZUBhcGFjaGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAuKsWFApS17cR
51oTARVEphn9w7VKL2p+HqnTJOF7CnihobEp4um9w3c0bcbXruKbjfwzBiaR Av0BGkOezB8XuHpQ
r3abklf7bkvFqYHLaj9ANm2wj2qrUXasaPgsOIXNiPa0qkpxBHk8Of43Q/Jx v4YGF11DvTfXPpbl
qXkJ07pk6fC3MSDAsZc5mdGtIhDY/LGgxr/A6NhwTG3hxwE9zPt/B7v/bctU 4ZWxloeC/eCpCYUU
fk3BGwoU53iEXyMpe/Kz2iIyZe5dimDeOigqC3Cye99EvtjL2ZavRsqL00j5 M9q/MPYh1WsgVOaZ
WxpEnnd+e5kPTjTL7hAbJzv7cwIDAQABo4H+MIH7MAwGA1UdEwEB/wQCMAAw VgYJYIZIAYb4QgEN
BEkWR1RvIGdldCB5b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSBoZWFk IG92ZXIgdG8gaHR0
cDovL3d3dy5DQWNlcnQub3JnMEAGA1UdJQQ5MDcGCCsGAQUFBwMEBggrBgEF BQcDAgYKKwYBBAGC
NwoDBAYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBMDIGCCsGAQUFBwEBBCYwJDAi BggrBgEFBQcwAYYW
aHR0cDovL29jc3AuY2FjZXJ0Lm9yZzAdBgNVHREEFjAUgRJzY3RlbW1lQGFw YWNoZS5vcmcwDQYJ
KoZIhvcNAQEFBQADggIBAITHPZWMXBXh1rSeQ9yJoMBXr0b5bOxUX3V/KsgY LCTu5d0GNB2HHjcq
dHSxbIm7ezIGxTFA491q9wOHQZmYvQzMV2zQUqLrZmNFYPCC1/Q5Gw43CnYQ 0StGX2frOKNIp7fM
KpXux9jjao8sG1Sa0ubclAx3u50wz3k9mEfFhtrZsYLWbruitZeozslMJhG8 tFoRH7J68QmhnyCK
GniNLSu4K6SykM5DOH3GzDKsbjiPqQ7Y+h8qj309oO81fAWo6JdcVdxivFS7 KgHAt+nQS1oaiSeV
W25idOBsTiwWBxkcfq3DltK0HZe6QWMYYvgq2BoHAwGGy+wHjEk8dc/rtf4H Anpee/3Quc3lN+IK
UHYC2RlgtG2JirizdUhkxdsaw6Vl+yk3FvduWJUZjEh7zBMKRUoSOlo6i8Ap CNSgHk1QQSI2wPqs
gltpxhQ8B3wCdUNbywntZVyaNp5CgmkBxOs330nkl+jQsZvE5XmYyZt20W6S uCaV1YYHHducXdc/
DNUrSdsdw2nNmVOqZ3xC53UXX/tuPquLqLbSs2W1vtbCAsdzTalNbqG64OrG 74I2C191RM05l2jp
AHfoz+9OZ+7q2pSGYdbACxY3Rke2s7jqPD/X9aukO50ZDibLEGW8wdL+0yxZ LGaR2zJ9K8yo4YuO
09oUHORRtY0WoMRX0FFTMYIDMzCCAy8CAQEwgYAweTEQMA4GA1UEChMHUm9v dCBDQTEeMBwGA1UE
CxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0IFNp Z25pbmcgQXV0aG9y
aXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2VydC5vcmcCAwVx1DAJ BgUrDgMCGgUAoIIB
hzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0w OTExMjUxOTIxMjZa
MCMGCSqGSIb3DQEJBDEWBBRSyPnNwb69JpmtuC9LzS3Fwj3nXTCBkQYJKwYB BAGCNxAEMYGDMIGA
MHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2Fj ZXJ0Lm9yZzEiMCAG
A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ ARYSc3VwcG9ydEBj
YWNlcnQub3JnAgMFcdQwgZMGCyqGSIb3DQEJEAILMYGDoIGAMHkxEDAOBgNV BAoTB1Jvb3QgQ0Ex
HjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0Eg Q2VydCBTaWduaW5n
IEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3Jn AgMFcdQwDQYJKoZI
hvcNAQEBBQAEggEAE1wRzdIr485dQK414PIiyySwlXLFFJOQwJUP0KYEcKhV dB9Q6pU4Q1sbl/sm
LnSSwt8Uaj84rY/03X9Q1LwPv+JtNjXkHrMYwx3w3xqhUSmImHDxdxANnvy2 kPUISHhzEng2xlAv
S+JrRZafZqOXVkzQOS7OOUyyEvm1NH9BpvGFlTdnK5ZrbTAoycSxHN6i6fle UdmLYkzV1dntg1Yg
Sfv2nsPQnaIkKORLq3lFErp6E9DCrhJPornt6allS4xYam1zqL1UIYpWOn8D tvfZ32WMYxA0S1iZ
0DCtLwAAxiV/4HZDNtRN/EEmpy2rCyxr0xVogwXAsFG02Tq4h1J6QgAAAAAA AA==

--Apple-Mail-13--450672207--

Re: SSL on Apache 2.2.14

Here is the complete command:

openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/
installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/apache/
httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.k ey -
CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.c rt/
intermediate.crt -www

Your suggested 'GET / HTTP/1.0\r\r' was successful.

However, I found something interesting doing an ldd -- a few of them
have wrong paths:

bash-2.05# ldd httpd
libm.so.1 => /usr/lib/libm.so.1
libaprutil-1.so.0 => /wrong/path
libexpat.so.0 => /wrong/path
libapr-1.so.0 => /wrong/path
libuuid.so.1 => /usr/lib/libuuid.so.1
libsendfile.so.1 => /usr/lib/libsendfile.so.1
librt.so.1 => /usr/lib/librt.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libpthread.so.1 => /usr/lib/libpthread.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libthread.so.1 => /usr/lib/libthread.so.1
libc.so.1 => /usr/lib/libc.so.1
libucb.so.1 => (file not found)
libresolv.so.2 => /usr/lib/libresolv.so.2
libelf.so.1 => /usr/lib/libelf.so.1
libucb.so.1 => /usr/ucblib/libucb.so.1
libaio.so.1 => /usr/lib/libaio.so.1
libmd5.so.1 => /usr/lib/libmd5.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
/usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1

I wasn't sure where to find mod_ssl.so -- I could only find mod_ssl.h.

Is there a way to change the links without rebuilding?

Thank you,
John

On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:

>
> On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:
>
>> Thank you for the reply.
>>
>> Unfortunately, upgrading Solaris isn't an option. Here is the
>> version I have to work with (quite old..):
>>
>> bash-2.05# cat /etc/release
>> Solaris 9 4/04 s9s_u6wos_08a SPARC
>> Copyright 2004 Sun Microsystems, Inc. All Rights Reserved.
>> Use is subject to license terms.
>> Assembled 22 March 2004
>> bash-2.05# uname -a
>> SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250
>>
>> I've been using the Sun cc, not gcc, to compile everything.
>>
>>
>> Here is the output from the openSSL commands:
>>
>> openssl -certs....etc etc
>
> What is your complete command line here?
>
>> Using default temp DH parameters
>> Using default temp ECDH parameters
>> ACCEPT
>> -----BEGIN SSL SESSION PARAMETERS-----
>> MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIe X2wE
>> MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F /Ajy
>> V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
>> -----END SSL SESSION PARAMETERS-----
>> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH -
>> RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-A ES128-
>> SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-M D5:EDH-
>> RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA- DES-CBC-
>> SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5: EXP-RC4-
>> MD5
>> CIPHER is DHE-RSA-AES256-SHA
>>
>>
>>
>> And on the other terminal:
>>
>> bash-2.05$ openssl s_client -connect localhost:4433
>> CONNECTED(00000003)
>> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms
>> of use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3
>> Secure Server CA
>> verify error:num=20:unable to get local issuer certificate
>> verify return:0
>
> That's not a problem, just OpenSSL complaining it can't find the
> Verisign root cert. If you happen to have a copy of that (like your
> browser does) and point openssl s_client to it, it can verify all
> the way to the top. This does not impact the connection itself.
>
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National
>> Laboratory/OU=Environmental Restoration Division erdc/CN=www-
>> erdc.llnl.gov
>> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
>> at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure
>> Server CA
>> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
>> use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3
>> Secure Server CA
>> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
>> Authority
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> certificate hash...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore
>> National Laboratory/OU=Environmental Restoration Division erdc/
>> CN=www-erdc.llnl.gov
>> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
>> use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3
>> Secure Server CA
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2973 bytes and written 258 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 1024 bit
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : DHE-RSA-AES256-SHA
>> Session-ID:
>> 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E 5F6C
>> Session-ID-ctx:
>> Master-Key:
>> EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A4 5712081626A57E6C0FE555052DC5FC08F257
>> Key-Arg : None
>> Start Time: 1259172800
>> Timeout : 300 (sec)
>> Verify return code: 20 (unable to get local issuer certificate)
>> ---
>>
>> Looks like there is a problem with one of the certificates, but I'm
>> not sure how to proceed...
>
> At this point, you have a valid handshake, and the client and server
> have exchanged data encrypted and MACed with the session keys. All
> is well. You could type on the command line 'GET / HTTP/1.0\r
> \r' (two returns) and you'll get the status page generated by
> openssl s_server -www.*
>
> This means you have a configuration problem with Apache. Make sure
> you're using the ssl and crypto libraries that you think you are by
> running ldd on the httpd binary and the mod_ssl.so binary. While
> the Solaris build environment usually gets this right by hardcoding
> the path to the libraries at link time, make sure this is ok at run
> time.
>
> Then, make sure your server is configured correctly, and that your
> SSL virtual host(s) use the correct combination of
> SSLCertificateFile and SSLCertificateKeyFile.
>
> S.
>
>> Again, thank you for your help, I appreciate it.
>>
>> Regards,
>> John
>>
>>
>> On Nov 25, 2009, at 10:00 AM, daniel.goulder@and.co.uk wrote:
>>
>>> This sounds like a Solaris bug.
>>>
>>> Make sure you have a recent version of Solaris or the latest patches
>>> installed...
>>>
>>> What release/patch level are you using?
>>>
>>> Danny
>>>
>>> ________________________________
>>>
>>> From: "John J. Consolati" [mailto:"John J.
>>> Consolati" ]
>>> Sent: 25 November 2009 17:23
>>> To: users@httpd.apache.org
>>> Subject: [users@httpd] SSL on Apache 2.2.14
>>>
>>>
>>> Hello,
>>>
>>> Hopefully someone will be able to help, as I've been working on this
>>> problem for quite a while and have hit a wall. I'm trying to upgrade
>>> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to
>>> build and compile okay, but when I try to access my site running on
>>> 2.2.14, I get a strange error from Firefox: "Secure connection
>>> failed. An error occurred during a connection to xxxxxx. SSL peer
>>> reports incorrect Message Authentication Code. (Error code:
>>> ssl_error_bad_mac_alert)."
>>>
>>> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same
>>> results. This is hosted on a Solaris sparc box. The 2.2.14 server is
>>> utilizing all the same files and SSL certificates as the 2.0.47
>>> server. I've called Verisign; I have valid certificates, but they've
>>> never heard of this error before. If I self-sign a certificate and
>>> test it with the 2.2.14 server, it seems to work (except for the
>>> expected error message regarding self-signed certificates).
>>>
>>> Searching on Google has led me to try forcing Apache to compile with
>>> prefork enabled (but it seems to default to that anyway on Solaris).
>>> I've also tried statically linking Apache during compile with the
>>> same
>>> results.
>>>
>>> If anyone has any ideas or suggestions, I'd very much appreciate
>>> them...
>>> Thank you,
>>> John
>>>
>>> ------------------------------------------------------------ ---------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See < URL:http://**httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>> ____________________________________________________________ __________
>>> This email has been scanned by the MessageLabs Email Security
>>> System.
>>> For more information please visit http://**www.**messagelabs.com/
>>> email
>>> ____________________________________________________________ __________
>>>
>>>
>>> ____________________________________________________________ __________
>>> This e-mail and any attached files are intended for the named
>>> addressee only. It contains information, which may be confidential
>>> and legally privileged and also protected by copyright. Unless you
>>> are the named addressee (or authorised to receive for the
>>> addressee) you may not copy or use it, or disclose it to anyone
>>> else. If you received it in error please notify the sender
>>> immediately and then delete it from your system. Please be advised
>>> that the views and opinions expressed in this e-mail may not
>>> reflect the views and opinions of Associated Newspapers Limited or
>>> any of its subsidiary companies. We make every effort to keep our
>>> network free from viruses. However, you do need to check this e-
>>> mail and any attachments to it for viruses as we can take no
>>> responsibility for any computer virus which may be transferred by
>>> way of this e-mail. Use of this or any other e-mail facility
>>> signifies consent to any interception we might lawfully carry out
>>> to prevent abuse of these faciliti
>>> es.
>>> Associated Newspapers Ltd. Registered Office: Northcliffe House, 2
>>> Derry St, Kensington, London, W8 5TT. Registered No 84121 England.
>>
>>
>> ------------------------------------------------------------ ---------
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
>
>
> --
> Sander Temme
> sctemme@apache.org
> PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
>
>
>


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SSL on Apache 2.2.14

Just checked into it further, and the ldd might not be a problem (I
think?)

The LD_LIBRARY_PATH env variable is being set to a location where the /
wrong/path files are. Is that a good enough solution?

As far as the Apache configuration, it is correct to my knowledge...I
followed the appropriate directions on the Apache site.
SSLCertificateFile points to my server.crt, SSLCertificateKeyFile
points to my private.key, and SSLCACertificateFile points to my
intermediate.crt...

Thanks,
John

On Nov 25, 2009, at 11:47 AM, John J. Consolati wrote:

> Here is the complete command:
>
> openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/
> installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/apache/
> httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.k ey -
> CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/
> ssl.crt/intermediate.crt -www
>
> Your suggested 'GET / HTTP/1.0\r\r' was successful.
>
> However, I found something interesting doing an ldd -- a few of them
> have wrong paths:
>
> bash-2.05# ldd httpd
> libm.so.1 => /usr/lib/libm.so.1
> libaprutil-1.so.0 => /wrong/path
> libexpat.so.0 => /wrong/path
> libapr-1.so.0 => /wrong/path
> libuuid.so.1 => /usr/lib/libuuid.so.1
> libsendfile.so.1 => /usr/lib/libsendfile.so.1
> librt.so.1 => /usr/lib/librt.so.1
> libsocket.so.1 => /usr/lib/libsocket.so.1
> libnsl.so.1 => /usr/lib/libnsl.so.1
> libpthread.so.1 => /usr/lib/libpthread.so.1
> libdl.so.1 => /usr/lib/libdl.so.1
> libthread.so.1 => /usr/lib/libthread.so.1
> libc.so.1 => /usr/lib/libc.so.1
> libucb.so.1 => (file not found)
> libresolv.so.2 => /usr/lib/libresolv.so.2
> libelf.so.1 => /usr/lib/libelf.so.1
> libucb.so.1 => /usr/ucblib/libucb.so.1
> libaio.so.1 => /usr/lib/libaio.so.1
> libmd5.so.1 => /usr/lib/libmd5.so.1
> libmp.so.2 => /usr/lib/libmp.so.2
> /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
> /usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1
>
> I wasn't sure where to find mod_ssl.so -- I could only find mod_ssl.h.
>
> Is there a way to change the links without rebuilding?
>
> Thank you,
> John
>
> On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:
>
>>
>> On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:
>>
>>> Thank you for the reply.
>>>
>>> Unfortunately, upgrading Solaris isn't an option. Here is the
>>> version I have to work with (quite old..):
>>>
>>> bash-2.05# cat /etc/release
>>> Solaris 9 4/04 s9s_u6wos_08a SPARC
>>> Copyright 2004 Sun Microsystems, Inc. All Rights Reserved.
>>> Use is subject to license terms.
>>> Assembled 22 March 2004
>>> bash-2.05# uname -a
>>> SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250
>>>
>>> I've been using the Sun cc, not gcc, to compile everything.
>>>
>>>
>>> Here is the output from the openSSL commands:
>>>
>>> openssl -certs....etc etc
>>
>> What is your complete command line here?
>>
>>> Using default temp DH parameters
>>> Using default temp ECDH parameters
>>> ACCEPT
>>> -----BEGIN SSL SESSION PARAMETERS-----
>>> MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIe X2wE
>>> MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F /Ajy
>>> V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
>>> -----END SSL SESSION PARAMETERS-----
>>> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-
>>> SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:D HE-RSA-
>>> AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SH A:RC4-
>>> MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP- EDH-
>>> RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP- RC2-
>>> CBC-MD5:EXP-RC4-MD5
>>> CIPHER is DHE-RSA-AES256-SHA
>>>
>>>
>>>
>>> And on the other terminal:
>>>
>>> bash-2.05$ openssl s_client -connect localhost:4433
>>> CONNECTED(00000003)
>>> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms
>>> of use at https://**www.**verisign.com/rpa (c)05/CN=VeriSign Class
>>> 3 Secure Server CA
>>> verify error:num=20:unable to get local issuer certificate
>>> verify return:0
>>
>> That's not a problem, just OpenSSL complaining it can't find the
>> Verisign root cert. If you happen to have a copy of that (like
>> your browser does) and point openssl s_client to it, it can verify
>> all the way to the top. This does not impact the connection itself.
>>
>>> ---
>>> Certificate chain
>>> 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National
>>> Laboratory/OU=Environmental Restoration Division erdc/CN=www-
>>> erdc.llnl.gov
>>> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
>>> at https://**www.**verisign.com/rpa (c)05/CN=VeriSign Class 3
>>> Secure Server CA
>>> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
>>> use at https://**www.**verisign.com/rpa (c)05/CN=VeriSign Class 3
>>> Secure Server CA
>>> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
>>> Authority
>>> ---
>>> Server certificate
>>> -----BEGIN CERTIFICATE-----
>>> certificate hash...
>>> -----END CERTIFICATE-----
>>> subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore
>>> National Laboratory/OU=Environmental Restoration Division erdc/
>>> CN=www-erdc.llnl.gov
>>> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms
>>> of use at https://**www.**verisign.com/rpa (c)05/CN=VeriSign Class
>>> 3 Secure Server CA
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 2973 bytes and written 258 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>> Server public key is 1024 bit
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>> Protocol : TLSv1
>>> Cipher : DHE-RSA-AES256-SHA
>>> Session-ID:
>>> 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E 5F6C
>>> Session-ID-ctx:
>>> Master-Key:
>>> EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A4 5712081626A57E6C0FE555052DC5FC08F257
>>> Key-Arg : None
>>> Start Time: 1259172800
>>> Timeout : 300 (sec)
>>> Verify return code: 20 (unable to get local issuer certificate)
>>> ---
>>>
>>> Looks like there is a problem with one of the certificates, but
>>> I'm not sure how to proceed...
>>
>> At this point, you have a valid handshake, and the client and
>> server have exchanged data encrypted and MACed with the session
>> keys. All is well. You could type on the command line 'GET / HTTP/
>> 1.0\r\r' (two returns) and you'll get the status page generated by
>> openssl s_server -www.**
>>
>> This means you have a configuration problem with Apache. Make sure
>> you're using the ssl and crypto libraries that you think you are by
>> running ldd on the httpd binary and the mod_ssl.so binary. While
>> the Solaris build environment usually gets this right by hardcoding
>> the path to the libraries at link time, make sure this is ok at run
>> time.
>>
>> Then, make sure your server is configured correctly, and that your
>> SSL virtual host(s) use the correct combination of
>> SSLCertificateFile and SSLCertificateKeyFile.
>>
>> S.
>>
>>> Again, thank you for your help, I appreciate it.
>>>
>>> Regards,
>>> John
>>>
>>>
>>> On Nov 25, 2009, at 10:00 AM, daniel.goulder@and.co.uk wrote:
>>>
>>>> This sounds like a Solaris bug.
>>>>
>>>> Make sure you have a recent version of Solaris or the latest
>>>> patches
>>>> installed...
>>>>
>>>> What release/patch level are you using?
>>>>
>>>> Danny
>>>>
>>>> ________________________________
>>>>
>>>> From: "John J. Consolati" [mailto:"John J.
>>>> Consolati" ]
>>>> Sent: 25 November 2009 17:23
>>>> To: users@httpd.apache.org
>>>> Subject: [users@httpd] SSL on Apache 2.2.14
>>>>
>>>>
>>>> Hello,
>>>>
>>>> Hopefully someone will be able to help, as I've been working on
>>>> this
>>>> problem for quite a while and have hit a wall. I'm trying to
>>>> upgrade
>>>> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems
>>>> to
>>>> build and compile okay, but when I try to access my site running on
>>>> 2.2.14, I get a strange error from Firefox: "Secure connection
>>>> failed. An error occurred during a connection to xxxxxx. SSL peer
>>>> reports incorrect Message Authentication Code. (Error code:
>>>> ssl_error_bad_mac_alert)."
>>>>
>>>> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same
>>>> results. This is hosted on a Solaris sparc box. The 2.2.14 server
>>>> is
>>>> utilizing all the same files and SSL certificates as the 2.0.47
>>>> server. I've called Verisign; I have valid certificates, but
>>>> they've
>>>> never heard of this error before. If I self-sign a certificate and
>>>> test it with the 2.2.14 server, it seems to work (except for the
>>>> expected error message regarding self-signed certificates).
>>>>
>>>> Searching on Google has led me to try forcing Apache to compile
>>>> with
>>>> prefork enabled (but it seems to default to that anyway on
>>>> Solaris).
>>>> I've also tried statically linking Apache during compile with the
>>>> same
>>>> results.
>>>>
>>>> If anyone has any ideas or suggestions, I'd very much appreciate
>>>> them...
>>>> Thank you,
>>>> John
>>>>
>>>> ------------------------------------------------------------ ---------
>>>> The official User-To-User support forum of the Apache HTTP Server
>>>> Project.
>>>> See < URL:http://***httpd.apache.org/userslist.html> for more info.
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>>
>>>> ____________________________________________________________ __________
>>>> This email has been scanned by the MessageLabs Email Security
>>>> System.
>>>> For more information please visit http://
>>>> ***www.***messagelabs.com/email
>>>> ____________________________________________________________ __________
>>>>
>>>>
>>>> ____________________________________________________________ __________
>>>> This e-mail and any attached files are intended for the named
>>>> addressee only. It contains information, which may be
>>>> confidential and legally privileged and also protected by
>>>> copyright. Unless you are the named addressee (or authorised to
>>>> receive for the addressee) you may not copy or use it, or
>>>> disclose it to anyone else. If you received it in error please
>>>> notify the sender immediately and then delete it from your
>>>> system. Please be advised that the views and opinions expressed
>>>> in this e-mail may not reflect the views and opinions of
>>>> Associated Newspapers Limited or any of its subsidiary companies.
>>>> We make every effort to keep our network free from viruses.
>>>> However, you do need to check this e-mail and any attachments to
>>>> it for viruses as we can take no responsibility for any computer
>>>> virus which may be transferred by way of this e-mail. Use of this
>>>> or any other e-mail facility signifies consent to any
>>>> interception we might lawfully carry out to prevent abuse of
>>>> these faciliti
>>>> es.
>>>> Associated Newspapers Ltd. Registered Office: Northcliffe House,
>>>> 2 Derry St, Kensington, London, W8 5TT. Registered No 84121
>>>> England.
>>>
>>>
>>> ------------------------------------------------------------ ---------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>
>>
>>
>> --
>> Sander Temme
>> sctemme@apache.org
>> PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
>>
>>
>>
>
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SSL on Apache 2.2.14

--=_alternative 006E83AF88257679_=
Content-Type: text/plain; charset="US-ASCII"

John,

You should not need to upgrade Solaris. I've got apache running on a
solaris 9 box just fine.

Your "wrong path" shouldn't be a problem either. Those are just "the last
place to look" for an .so. Solaris will use what is in the 'crle' command
and the LD_LIBRARY_PATH environment variable first (I'm not sure of the
order).

You may or may not have a mod_ssl.so, depending on how you compiled
apache. If you run:

httpd -l (that's an el)

It will list out which modules are compiled in. If you see mod_ssl.c, you
will not have a mod_ssl.so. Otherwise, mod_ssl.so should normally be in
your apache's modules subdirectory.

Do you only get the error on Firefox and not IE?

Dan



Please respond to users@httpd.apache.org

To: users@httpd.apache.org
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: Re: [users@httpd] SSL on Apache 2.2.14
LSN: Not Relevant
User Filed as: Not a Record

Here is the complete command:

openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/
installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/apache/
httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.k ey -
CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.c rt/
intermediate.crt -www

Your suggested 'GET / HTTP/1.0\r\r' was successful.

However, I found something interesting doing an ldd -- a few of them
have wrong paths:

bash-2.05# ldd httpd
libm.so.1 => /usr/lib/libm.so.1
libaprutil-1.so.0 => /wrong/path
libexpat.so.0 => /wrong/path
libapr-1.so.0 => /wrong/path
libuuid.so.1 => /usr/lib/libuuid.so.1
libsendfile.so.1 => /usr/lib/libsendfile.so.1
librt.so.1 => /usr/lib/librt.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libpthread.so.1 => /usr/lib/libpthread.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libthread.so.1 => /usr/lib/libthread.so.1
libc.so.1 => /usr/lib/libc.so.1
libucb.so.1 => (file not found)
libresolv.so.2 => /usr/lib/libresolv.so.2
libelf.so.1 => /usr/lib/libelf.so.1
libucb.so.1 => /usr/ucblib/libucb.so.1
libaio.so.1 => /usr/lib/libaio.so.1
libmd5.so.1 => /usr/lib/libmd5.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
/usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1

I wasn't sure where to find mod_ssl.so -- I could only find mod_ssl.h.

Is there a way to change the links without rebuilding?

Thank you,
John

On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:

>
> On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:
>
>> Thank you for the reply.
>>
>> Unfortunately, upgrading Solaris isn't an option. Here is the
>> version I have to work with (quite old..):
>>
>> bash-2.05# cat /etc/release
>> Solaris 9 4/04 s9s_u6wos_08a SPARC
>> Copyright 2004 Sun Microsystems, Inc. All Rights Reserved.
>> Use is subject to license terms.
>> Assembled 22 March 2004
>> bash-2.05# uname -a
>> SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250
>>
>> I've been using the Sun cc, not gcc, to compile everything.
>>
>>
>> Here is the output from the openSSL commands:
>>
>> openssl -certs....etc etc
>
> What is your complete command line here?
>
>> Using default temp DH parameters
>> Using default temp ECDH parameters
>> ACCEPT
>> -----BEGIN SSL SESSION PARAMETERS-----
>> MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIe X2wE
>> MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F /Ajy
>> V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
>> -----END SSL SESSION PARAMETERS-----
>> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH -
>> RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-A ES128-
>> SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-M D5:EDH-
>> RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA- DES-CBC-
>> SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5: EXP-RC4-
>> MD5
>> CIPHER is DHE-RSA-AES256-SHA
>>
>>
>>
>> And on the other terminal:
>>
>> bash-2.05$ openssl s_client -connect localhost:4433
>> CONNECTED(00000003)
>> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms
>> of use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3
>> Secure Server CA
>> verify error:num=20:unable to get local issuer certificate
>> verify return:0
>
> That's not a problem, just OpenSSL complaining it can't find the
> Verisign root cert. If you happen to have a copy of that (like your
> browser does) and point openssl s_client to it, it can verify all
> the way to the top. This does not impact the connection itself.
>
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National
>> Laboratory/OU=Environmental Restoration Division erdc/CN=www-
>> erdc.llnl.gov
>> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
>> at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure
>> Server CA
>> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
>> use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3
>> Secure Server CA
>> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
>> Authority
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> certificate hash...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore
>> National Laboratory/OU=Environmental Restoration Division erdc/
>> CN=www-erdc.llnl.gov
>> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
>> use at https://*www.*verisign.com/rpa (c)05/CN=VeriSign Class 3
>> Secure Server CA
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2973 bytes and written 258 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 1024 bit
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : DHE-RSA-AES256-SHA
>> Session-ID:
>> 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E 5F6C
>> Session-ID-ctx:
>> Master-Key:
>>
EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A4 5712081626A57E6C0FE555052DC5FC08F257
>> Key-Arg : None
>> Start Time: 1259172800
>> Timeout : 300 (sec)
>> Verify return code: 20 (unable to get local issuer certificate)
>> ---
>>
>> Looks like there is a problem with one of the certificates, but I'm
>> not sure how to proceed...
>
> At this point, you have a valid handshake, and the client and server
> have exchanged data encrypted and MACed with the session keys. All
> is well. You could type on the command line 'GET / HTTP/1.0\r
> \r' (two returns) and you'll get the status page generated by
> openssl s_server -www.*
>
> This means you have a configuration problem with Apache. Make sure
> you're using the ssl and crypto libraries that you think you are by
> running ldd on the httpd binary and the mod_ssl.so binary. While
> the Solaris build environment usually gets this right by hardcoding
> the path to the libraries at link time, make sure this is ok at run
> time.
>
> Then, make sure your server is configured correctly, and that your
> SSL virtual host(s) use the correct combination of
> SSLCertificateFile and SSLCertificateKeyFile.
>
> S.
>
>> Again, thank you for your help, I appreciate it.
>>
>> Regards,
>> John
>>
>>
>> On Nov 25, 2009, at 10:00 AM, daniel.goulder@and.co.uk wrote:
>>
>>> This sounds like a Solaris bug.
>>>
>>> Make sure you have a recent version of Solaris or the latest patches
>>> installed...
>>>
>>> What release/patch level are you using?
>>>
>>> Danny
>>>
>>> ________________________________
>>>
>>> From: "John J. Consolati" [mailto:"John J.
>>> Consolati" ]
>>> Sent: 25 November 2009 17:23
>>> To: users@httpd.apache.org
>>> Subject: [users@httpd] SSL on Apache 2.2.14
>>>
>>>
>>> Hello,
>>>
>>> Hopefully someone will be able to help, as I've been working on this
>>> problem for quite a while and have hit a wall. I'm trying to upgrade
>>> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to
>>> build and compile okay, but when I try to access my site running on
>>> 2.2.14, I get a strange error from Firefox: "Secure connection
>>> failed. An error occurred during a connection to xxxxxx. SSL peer
>>> reports incorrect Message Authentication Code. (Error code:
>>> ssl_error_bad_mac_alert)."
>>>
>>> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same
>>> results. This is hosted on a Solaris sparc box. The 2.2.14 server is
>>> utilizing all the same files and SSL certificates as the 2.0.47
>>> server. I've called Verisign; I have valid certificates, but they've
>>> never heard of this error before. If I self-sign a certificate and
>>> test it with the 2.2.14 server, it seems to work (except for the
>>> expected error message regarding self-signed certificates).
>>>
>>> Searching on Google has led me to try forcing Apache to compile with
>>> prefork enabled (but it seems to default to that anyway on Solaris).
>>> I've also tried statically linking Apache during compile with the
>>> same
>>> results.
>>>
>>> If anyone has any ideas or suggestions, I'd very much appreciate
>>> them...
>>> Thank you,
>>> John
>>>
>>> ------------------------------------------------------------ ---------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See < URL:http://**httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>> ____________________________________________________________ __________
>>> This email has been scanned by the MessageLabs Email Security
>>> System.
>>> For more information please visit http://**www.**messagelabs.com/
>>> email
>>> ____________________________________________________________ __________
>>>
>>>
>>> ____________________________________________________________ __________
>>> This e-mail and any attached files are intended for the named
>>> addressee only. It contains information, which may be confidential
>>> and legally privileged and also protected by copyright. Unless you
>>> are the named addressee (or authorised to receive for the
>>> addressee) you may not copy or use it, or disclose it to anyone
>>> else. If you received it in error please notify the sender
>>> immediately and then delete it from your system. Please be advised
>>> that the views and opinions expressed in this e-mail may not
>>> reflect the views and opinions of Associated Newspapers Limited or
>>> any of its subsidiary companies. We make every effort to keep our
>>> network free from viruses. However, you do need to check this e-
>>> mail and any attachments to it for viruses as we can take no
>>> responsibility for any computer virus which may be transferred by
>>> way of this e-mail. Use of this or any other e-mail facility
>>> signifies consent to any interception we might lawfully carry out
>>> to prevent abuse of these faciliti
>>> es.
>>> Associated Newspapers Ltd. Registered Office: Northcliffe House, 2
>>> Derry St, Kensington, London, W8 5TT. Registered No 84121 England.
>>
>>
>> ------------------------------------------------------------ ---------
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
>
>
> --
> Sander Temme
> sctemme@apache.org
> PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
>
>
>


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




--=_alternative 006E83AF88257679_=
Content-Type: text/html; charset="US-ASCII"



John,



You should not need to upgrade Solaris.
 I've got apache running on a solaris 9 box just fine.



Your "wrong path" shouldn't
be a problem either.  Those are just "the last place to look"
for an .so.  Solaris will use what is in the 'crle' command and the
LD_LIBRARY_PATH environment variable first (I'm not sure of the order).



You may or may not have a mod_ssl.so,
depending on how you compiled apache.  If you run:



httpd -l (that's an el)



It will list out which modules are compiled
in.  If you see mod_ssl.c, you will not have a mod_ssl.so.  Otherwise,
mod_ssl.so should normally be in your apache's modules subdirectory.



Do you only get the error on Firefox
and not IE?



Dan

Please respond to users@httpd.apache.org

To:      
 users@httpd.apache.org

cc:      
  (bcc: Dan Mitton/YD/RWDOE)

Subject:    
   Re: [users@httpd]
SSL on Apache 2.2.14

Re: SSL on Apache 2.2.14

--=_alternative 006F451288257679_=
Content-Type: text/plain; charset="US-ASCII"

John,

This is a (very) short explanation of the error code at:

http://www.mozilla.org/projects/security/pki/nss/ref/ssl/ssl err.html

and this one has a possible cause:

http://serverfault.com/questions/63167/sslerrorbadmacalert-e rror-in-firefox

You might want to Google the message for more info.

Dan



Please respond to users@httpd.apache.org

To: users@httpd.apache.org
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: [users@httpd] SSL on Apache 2.2.14
LSN: Not Relevant
User Filed as: Not a Record

Hello,

Hopefully someone will be able to help, as I've been working on this
problem for quite a while and have hit a wall. I'm trying to upgrade
Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to
build and compile okay, but when I try to access my site running on
2.2.14, I get a strange error from Firefox: "Secure connection
failed. An error occurred during a connection to xxxxxx. SSL peer
reports incorrect Message Authentication Code. (Error code:
ssl_error_bad_mac_alert)."

I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same
results. This is hosted on a Solaris sparc box. The 2.2.14 server is
utilizing all the same files and SSL certificates as the 2.0.47
server. I've called Verisign; I have valid certificates, but they've
never heard of this error before. If I self-sign a certificate and
test it with the 2.2.14 server, it seems to work (except for the
expected error message regarding self-signed certificates).

Searching on Google has led me to try forcing Apache to compile with
prefork enabled (but it seems to default to that anyway on Solaris).
I've also tried statically linking Apache during compile with the same
results.

If anyone has any ideas or suggestions, I'd very much appreciate them...

Thank you,
John

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




--=_alternative 006F451288257679_=
Content-Type: text/html; charset="US-ASCII"



John,



This is a (very) short explanation of
the error code at:







and this one has a possible cause:







You might want to Google the message
for more info.



Dan

Please respond to users@httpd.apache.org

To:      
 users@httpd.apache.org

cc:      
  (bcc: Dan Mitton/YD/RWDOE)

Subject:    
   [users@httpd]
SSL on Apache 2.2.14

Re: SSL on Apache 2.2.14

Dan,

The error occurs on both Safari and Firefox on Apache 2.2.14. We
don't have IE in our environment. Both Safari and Firefox work as
they should with 2.0.47.

It looks like mod_ssl.c is compiled in -- it shows up with httpd -l.

I've checked the links you sent me. The description doesn't provide a
whole lot of detail, and, according to the other one, I checked to
make sure I am using prefork instead of MPM -- it seems to default to
prefork anyway, but I specified it in the /config before compilation.

I've Googled to my wit's end for several days without finding anything
conclusive. Some pages hint at compilation options, others at
compilers (I'm using Sun's cc, not gcc), but nothing conclusive.

Here is one question I couldn't find the answer to, though: if I
requested a server certificate using a specific version of OpenSSL,
can I use that same certificate in a different version of Apache with
a different version of OpenSSL? Or do I have to re-request if I
upgrade OpenSSL? A long shot I know, but I'm running out of options...

Thank you for the help,
John

On Nov 25, 2009, at 12:07 PM, Dan_Mitton@YMP.GOV wrote:

>
> John,
>
> You should not need to upgrade Solaris. I've got apache running on
> a solaris 9 box just fine.
>
> Your "wrong path" shouldn't be a problem either. Those are just
> "the last place to look" for an .so. Solaris will use what is in
> the 'crle' command and the LD_LIBRARY_PATH environment variable
> first (I'm not sure of the order).
>
> You may or may not have a mod_ssl.so, depending on how you compiled
> apache. If you run:
>
> httpd -l (that's an el)
>
> It will list out which modules are compiled in. If you see
> mod_ssl.c, you will not have a mod_ssl.so. Otherwise, mod_ssl.so
> should normally be in your apache's modules subdirectory.
>
> Do you only get the error on Firefox and not IE?
>
> Dan
>
>
> Please respond to users@httpd.apache.org
>
>
> To: users@httpd.apache.org
> cc: (bcc: Dan Mitton/YD/RWDOE)
> Subject: Re: [users@httpd] SSL on Apache 2.2.14
>
>
> LSN: Not Relevant
> User Filed as: Not a Record
>
> Here is the complete command:
>
> openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/
> installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/apache/
> httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.k ey -
> CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.c rt/
> intermediate.crt -www
>
> Your suggested 'GET / HTTP/1.0\r\r' was successful.
>
> However, I found something interesting doing an ldd -- a few of them
> have wrong paths:
>
> bash-2.05# ldd httpd
> libm.so.1 => /usr/lib/libm.so.1
> libaprutil-1.so.0 => /wrong/path
> libexpat.so.0 => /wrong/path
> libapr-1.so.0 => /wrong/path
> libuuid.so.1 => /usr/lib/libuuid.so.1
> libsendfile.so.1 => /usr/lib/libsendfile.so.1
> librt.so.1 => /usr/lib/librt.so.1
> libsocket.so.1 => /usr/lib/libsocket.so.1
> libnsl.so.1 => /usr/lib/libnsl.so.1
> libpthread.so.1 => /usr/lib/libpthread.so.1
> libdl.so.1 => /usr/lib/libdl.so.1
> libthread.so.1 => /usr/lib/libthread.so.1
> libc.so.1 => /usr/lib/libc.so.1
> libucb.so.1 => (file not found)
> libresolv.so.2 => /usr/lib/libresolv.so.2
> libelf.so.1 => /usr/lib/libelf.so.1
> libucb.so.1 => /usr/ucblib/libucb.so.1
> libaio.so.1 => /usr/lib/libaio.so.1
> libmd5.so.1 => /usr/lib/libmd5.so.1
> libmp.so.2 => /usr/lib/libmp.so.2
> /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
> /usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1
>
> I wasn't sure where to find mod_ssl.so -- I could only find mod_ssl.h.
>
> Is there a way to change the links without rebuilding?
>
> Thank you,
> John
>
> On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:
>
> >
> > On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:
> >
> >> Thank you for the reply.
> >>
> >> Unfortunately, upgrading Solaris isn't an option. Here is the
> >> version I have to work with (quite old..):
> >>
> >> bash-2.05# cat /etc/release
> >> Solaris 9 4/04 s9s_u6wos_08a SPARC
> >> Copyright 2004 Sun Microsystems, Inc. All Rights
> Reserved.
> >> Use is subject to license terms.
> >> Assembled 22 March 2004
> >> bash-2.05# uname -a
> >> SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250
> >>
> >> I've been using the Sun cc, not gcc, to compile everything.
> >>
> >>
> >> Here is the output from the openSSL commands:
> >>
> >> openssl -certs....etc etc
> >
> > What is your complete command line here?
> >
> >> Using default temp DH parameters
> >> Using default temp ECDH parameters
> >> ACCEPT
> >> -----BEGIN SSL SESSION PARAMETERS-----
> >> MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIe X2wE
> >> MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F /Ajy
> >> V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
> >> -----END SSL SESSION PARAMETERS-----
> >> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-
> SHA:EDH-
> >> RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-A ES128-
> >> SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-M D5:EDH-
> >> RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA- DES-
> CBC-
> >> SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5: EXP-
> RC4-
> >> MD5
> >> CIPHER is DHE-RSA-AES256-SHA
> >>
> >>
> >>
> >> And on the other terminal:
> >>
> >> bash-2.05$ openssl s_client -connect localhost:4433
> >> CONNECTED(00000003)
> >> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms
> >> of use at https://**www.**verisign.com/rpa (c)05/CN=VeriSign
> Class 3
> >> Secure Server CA
> >> verify error:num=20:unable to get local issuer certificate
> >> verify return:0
> >
> > That's not a problem, just OpenSSL complaining it can't find the
> > Verisign root cert. If you happen to have a copy of that (like your
> > browser does) and point openssl s_client to it, it can verify all
> > the way to the top. This does not impact the connection itself.
> >
> >> ---
> >> Certificate chain
> >> 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National
> >> Laboratory/OU=Environmental Restoration Division erdc/CN=www-
> >> erdc.llnl.gov
> >> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> >> at https://**www.**verisign.com/rpa (c)05/CN=VeriSign Class 3
> Secure
> >> Server CA
> >> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> >> use at https://**www.**verisign.com/rpa (c)05/CN=VeriSign Class 3
> >> Secure Server CA
> >> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> >> Authority
> >> ---
> >> Server certificate
> >> -----BEGIN CERTIFICATE-----
> >> certificate hash...
> >> -----END CERTIFICATE-----
> >> subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore
> >> National Laboratory/OU=Environmental Restoration Division erdc/
> >> CN=www-erdc.llnl.gov
> >> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> >> use at https://**www.**verisign.com/rpa (c)05/CN=VeriSign Class 3
> >> Secure Server CA
> >> ---
> >> No client certificate CA names sent
> >> ---
> >> SSL handshake has read 2973 bytes and written 258 bytes
> >> ---
> >> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> >> Server public key is 1024 bit
> >> Compression: NONE
> >> Expansion: NONE
> >> SSL-Session:
> >> Protocol : TLSv1
> >> Cipher : DHE-RSA-AES256-SHA
> >> Session-ID:
> >> 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E 5F6C
> >> Session-ID-ctx:
> >> Master-Key:
> >>
> EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A4 5712081626A57E6C0FE555052DC5FC08F257
> >> Key-Arg : None
> >> Start Time: 1259172800
> >> Timeout : 300 (sec)
> >> Verify return code: 20 (unable to get local issuer certificate)
> >> ---
> >>
> >> Looks like there is a problem with one of the certificates, but I'm
> >> not sure how to proceed...
> >
> > At this point, you have a valid handshake, and the client and server
> > have exchanged data encrypted and MACed with the session keys. All
> > is well. You could type on the command line 'GET / HTTP/1.0\r
> > \r' (two returns) and you'll get the status page generated by
> > openssl s_server -www.**
> >
> > This means you have a configuration problem with Apache. Make sure
> > you're using the ssl and crypto libraries that you think you are by
> > running ldd on the httpd binary and the mod_ssl.so binary. While
> > the Solaris build environment usually gets this right by hardcoding
> > the path to the libraries at link time, make sure this is ok at run
> > time.
> >
> > Then, make sure your server is configured correctly, and that your
> > SSL virtual host(s) use the correct combination of
> > SSLCertificateFile and SSLCertificateKeyFile.
> >
> > S.
> >
> >> Again, thank you for your help, I appreciate it.
> >>
> >> Regards,
> >> John
> >>
> >>
> >> On Nov 25, 2009, at 10:00 AM, daniel.goulder@and.co.uk wrote:
> >>
> >>> This sounds like a Solaris bug.
> >>>
> >>> Make sure you have a recent version of Solaris or the latest
> patches
> >>> installed...
> >>>
> >>> What release/patch level are you using?
> >>>
> >>> Danny
> >>>
> >>> ________________________________
> >>>
> >>> From: "John J. Consolati" [mailto:"John J.
> >>> Consolati" ]
> >>> Sent: 25 November 2009 17:23
> >>> To: users@httpd.apache.org
> >>> Subject: [users@httpd] SSL on Apache 2.2.14
> >>>
> >>>
> >>> Hello,
> >>>
> >>> Hopefully someone will be able to help, as I've been working on
> this
> >>> problem for quite a while and have hit a wall. I'm trying to
> upgrade
> >>> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything
> seems to
> >>> build and compile okay, but when I try to access my site running
> on
> >>> 2.2.14, I get a strange error from Firefox: "Secure connection
> >>> failed. An error occurred during a connection to xxxxxx. SSL peer
> >>> reports incorrect Message Authentication Code. (Error code:
> >>> ssl_error_bad_mac_alert)."
> >>>
> >>> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same
> >>> results. This is hosted on a Solaris sparc box. The 2.2.14
> server is
> >>> utilizing all the same files and SSL certificates as the 2.0.47
> >>> server. I've called Verisign; I have valid certificates, but
> they've
> >>> never heard of this error before. If I self-sign a certificate and
> >>> test it with the 2.2.14 server, it seems to work (except for the
> >>> expected error message regarding self-signed certificates).
> >>>
> >>> Searching on Google has led me to try forcing Apache to compile
> with
> >>> prefork enabled (but it seems to default to that anyway on
> Solaris).
> >>> I've also tried statically linking Apache during compile with the
> >>> same
> >>> results.
> >>>
> >>> If anyone has any ideas or suggestions, I'd very much appreciate
> >>> them...
> >>> Thank you,
> >>> John
> >>>
> >>>
> ------------------------------------------------------------ ---------
> >>> The official User-To-User support forum of the Apache HTTP Server
> >>> Project.
> >>> See < URL:http://***httpd.apache.org/userslist.html> for more
> info.
> >>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>> " from the digest: users-digest-unsubscribe@httpd.apache.org
> >>> For additional commands, e-mail: users-help@httpd.apache.org
> >>>
> >>>
> >>>
> ____________________________________________________________ __________
> >>> This email has been scanned by the MessageLabs Email Security
> >>> System.
> >>> For more information please visit http://
> ***www.***messagelabs.com/
> >>> email
> >>>
> ____________________________________________________________ __________
> >>>
> >>>
> >>>
> ____________________________________________________________ __________
> >>> This e-mail and any attached files are intended for the named
> >>> addressee only. It contains information, which may be confidential
> >>> and legally privileged and also protected by copyright. Unless you
> >>> are the named addressee (or authorised to receive for the
> >>> addressee) you may not copy or use it, or disclose it to anyone
> >>> else. If you received it in error please notify the sender
> >>> immediately and then delete it from your system. Please be advised
> >>> that the views and opinions expressed in this e-mail may not
> >>> reflect the views and opinions of Associated Newspapers Limited or
> >>> any of its subsidiary companies. We make every effort to keep our
> >>> network free from viruses. However, you do need to check this e-
> >>> mail and any attachments to it for viruses as we can take no
> >>> responsibility for any computer virus which may be transferred by
> >>> way of this e-mail. Use of this or any other e-mail facility
> >>> signifies consent to any interception we might lawfully carry out
> >>> to prevent abuse of these faciliti
> >>> es.
> >>> Associated Newspapers Ltd. Registered Office: Northcliffe House, 2
> >>> Derry St, Kensington, London, W8 5TT. Registered No 84121 England.
> >>
> >>
> >>
> ------------------------------------------------------------ ---------
> >> The official User-To-User support forum of the Apache HTTP Server
> >> Project.
> >> See for more info.
> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >> " from the digest: users-digest-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >>
> >
> >
> >
> > --
> > Sander Temme
> > sctemme@apache.org
> > PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
> >
> >
> >
>
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SSL on Apache 2.2.14

--=_alternative 007A382A88257679_=
Content-Type: text/plain; charset="US-ASCII"

We are only at Apache 2.2.9, but don't have any problems. The command I
use to build apache with is:

../configure --prefix=/usr/local/apache-2.2.9 --with-ssl=/usr/local/ssl
--with-z=/usr/local/lib --enable-ssl --enable-cache --enable-disk-cache
--enable-mem-cache --enable-autoindex --enable-mods-shared="rewrite ssl
dav dav-fs proxy"

of course, this is building a shared mod_ssl.so, and a few other things.
We use gcc instead of Sun's. Can you try it with gcc? I can't image that
is the problem, but it might be worth a test.

We have changed both Apache and OpenSSL versions, several times, and never
had any certificate problems.

Here is one thing to look into... Looking back at your 'ldd httpd'
output, there is no mention of libssl or libcrypt, so I assume that you
are statically linking them in. Are you sure that you are picking up the
OpenSSL version and not Sun's default installed version in /lib ? Can you
post your build command? Personally, I like dynamic linking, so that you
can upgrade to a new OpenSSL, without having to redo everything that uses
it.

Dan



Please respond to users@httpd.apache.org

To: users@httpd.apache.org
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: Re: [users@httpd] SSL on Apache 2.2.14
LSN: Not Relevant
User Filed as: Not a Record

Dan,

The error occurs on both Safari and Firefox on Apache 2.2.14. We
don't have IE in our environment. Both Safari and Firefox work as
they should with 2.0.47.

It looks like mod_ssl.c is compiled in -- it shows up with httpd -l.

I've checked the links you sent me. The description doesn't provide a
whole lot of detail, and, according to the other one, I checked to
make sure I am using prefork instead of MPM -- it seems to default to
prefork anyway, but I specified it in the /config before compilation.

I've Googled to my wit's end for several days without finding anything
conclusive. Some pages hint at compilation options, others at
compilers (I'm using Sun's cc, not gcc), but nothing conclusive.

Here is one question I couldn't find the answer to, though: if I
requested a server certificate using a specific version of OpenSSL,
can I use that same certificate in a different version of Apache with
a different version of OpenSSL? Or do I have to re-request if I
upgrade OpenSSL? A long shot I know, but I'm running out of options...

Thank you for the help,
John

On Nov 25, 2009, at 12:07 PM, Dan_Mitton@YMP.GOV wrote:

>
> John,
>
> You should not need to upgrade Solaris. I've got apache running on
> a solaris 9 box just fine.
>
> Your "wrong path" shouldn't be a problem either. Those are just
> "the last place to look" for an .so. Solaris will use what is in
> the 'crle' command and the LD_LIBRARY_PATH environment variable
> first (I'm not sure of the order).
>
> You may or may not have a mod_ssl.so, depending on how you compiled
> apache. If you run:
>
> httpd -l (that's an el)
>
> It will list out which modules are compiled in. If you see
> mod_ssl.c, you will not have a mod_ssl.so. Otherwise, mod_ssl.so
> should normally be in your apache's modules subdirectory.
>
> Do you only get the error on Firefox and not IE?
>
> Dan
>
>
> Please respond to users@httpd.apache.org
>
>
> To: users@httpd.apache.org
> cc: (bcc: Dan Mitton/YD/RWDOE)
> Subject: Re: [users@httpd] SSL on Apache 2.2.14
>
>
> LSN: Not Relevant
> User Filed as: Not a Record
>
> Here is the complete command:
>
> openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/
> installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/apache/
> httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.k ey -
> CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.c rt/
> intermediate.crt -www
>
> Your suggested 'GET / HTTP/1.0\r\r' was successful.
>
> However, I found something interesting doing an ldd -- a few of them
> have wrong paths:
>
> bash-2.05# ldd httpd
> libm.so.1 => /usr/lib/libm.so.1
> libaprutil-1.so.0 => /wrong/path
> libexpat.so.0 => /wrong/path
> libapr-1.so.0 => /wrong/path
> libuuid.so.1 => /usr/lib/libuuid.so.1
> libsendfile.so.1 => /usr/lib/libsendfile.so.1
> librt.so.1 => /usr/lib/librt.so.1
> libsocket.so.1 => /usr/lib/libsocket.so.1
> libnsl.so.1 => /usr/lib/libnsl.so.1
> libpthread.so.1 => /usr/lib/libpthread.so.1
> libdl.so.1 => /usr/lib/libdl.so.1
> libthread.so.1 => /usr/lib/libthread.so.1
> libc.so.1 => /usr/lib/libc.so.1
> libucb.so.1 => (file not found)
> libresolv.so.2 => /usr/lib/libresolv.so.2
> libelf.so.1 => /usr/lib/libelf.so.1
> libucb.so.1 => /usr/ucblib/libucb.so.1
> libaio.so.1 => /usr/lib/libaio.so.1
> libmd5.so.1 => /usr/lib/libmd5.so.1
> libmp.so.2 => /usr/lib/libmp.so.2
> /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
> /usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1
>
> I wasn't sure where to find mod_ssl.so -- I could only find mod_ssl.h.
>
> Is there a way to change the links without rebuilding?
>
> Thank you,
> John
>
> On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:
>
> >
> > On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:
> >
> >> Thank you for the reply.
> >>
> >> Unfortunately, upgrading Solaris isn't an option. Here is the
> >> version I have to work with (quite old..):
> >>
> >> bash-2.05# cat /etc/release
> >> Solaris 9 4/04 s9s_u6wos_08a SPARC
> >> Copyright 2004 Sun Microsystems, Inc. All Rights
> Reserved.
> >> Use is subject to license terms.
> >> Assembled 22 March 2004
> >> bash-2.05# uname -a
> >> SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250
> >>
> >> I've been using the Sun cc, not gcc, to compile everything.
> >>
> >>
> >> Here is the output from the openSSL commands:
> >>
> >> openssl -certs....etc etc
> >
> > What is your complete command line here?
> >
> >> Using default temp DH parameters
> >> Using default temp ECDH parameters
> >> ACCEPT
> >> -----BEGIN SSL SESSION PARAMETERS-----
> >> MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIe X2wE
> >> MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F /Ajy
> >> V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
> >> -----END SSL SESSION PARAMETERS-----
> >> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-
> SHA:EDH-
> >> RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-A ES128-
> >> SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-M D5:EDH-
> >> RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA- DES-
> CBC-
> >> SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5: EXP-
> RC4-
> >> MD5
> >> CIPHER is DHE-RSA-AES256-SHA
> >>
> >>
> >>
> >> And on the other terminal:
> >>
> >> bash-2.05$ openssl s_client -connect localhost:4433
> >> CONNECTED(00000003)
> >> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms
> >> of use at https://**www.**verisign.com/rpa (c)05/CN=VeriSign
> Class 3
> >> Secure Server CA
> >> verify error:num=20:unable to get local issuer certificate
> >> verify return:0
> >
> > That's not a problem, just OpenSSL complaining it can't find the
> > Verisign root cert. If you happen to have a copy of that (like your
> > browser does) and point openssl s_client to it, it can verify all
> > the way to the top. This does not impact the connection itself.
> >
> >> ---
> >> Certificate chain
> >> 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National
> >> Laboratory/OU=Environmental Restoration Division erdc/CN=www-
> >> erdc.llnl.gov
> >> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> >> at https://**www.**verisign.com/rpa (c)05/CN=VeriSign Class 3
> Secure
> >> Server CA
> >> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> >> use at https://**www.**verisign.com/rpa (c)05/CN=VeriSign Class 3
> >> Secure Server CA
> >> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> >> Authority
> >> ---
> >> Server certificate
> >> -----BEGIN CERTIFICATE-----
> >> certificate hash...
> >> -----END CERTIFICATE-----
> >> subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore
> >> National Laboratory/OU=Environmental Restoration Division erdc/
> >> CN=www-erdc.llnl.gov
> >> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> >> use at https://**www.**verisign.com/rpa (c)05/CN=VeriSign Class 3
> >> Secure Server CA
> >> ---
> >> No client certificate CA names sent
> >> ---
> >> SSL handshake has read 2973 bytes and written 258 bytes
> >> ---
> >> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> >> Server public key is 1024 bit
> >> Compression: NONE
> >> Expansion: NONE
> >> SSL-Session:
> >> Protocol : TLSv1
> >> Cipher : DHE-RSA-AES256-SHA
> >> Session-ID:
> >> 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E 5F6C
> >> Session-ID-ctx:
> >> Master-Key:
> >>
>
EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A4 5712081626A57E6C0FE555052DC5FC08F257
> >> Key-Arg : None
> >> Start Time: 1259172800
> >> Timeout : 300 (sec)
> >> Verify return code: 20 (unable to get local issuer certificate)
> >> ---
> >>
> >> Looks like there is a problem with one of the certificates, but I'm
> >> not sure how to proceed...
> >
> > At this point, you have a valid handshake, and the client and server
> > have exchanged data encrypted and MACed with the session keys. All
> > is well. You could type on the command line 'GET / HTTP/1.0\r
> > \r' (two returns) and you'll get the status page generated by
> > openssl s_server -www.**
> >
> > This means you have a configuration problem with Apache. Make sure
> > you're using the ssl and crypto libraries that you think you are by
> > running ldd on the httpd binary and the mod_ssl.so binary. While
> > the Solaris build environment usually gets this right by hardcoding
> > the path to the libraries at link time, make sure this is ok at run
> > time.
> >
> > Then, make sure your server is configured correctly, and that your
> > SSL virtual host(s) use the correct combination of
> > SSLCertificateFile and SSLCertificateKeyFile.
> >
> > S.
> >
> >> Again, thank you for your help, I appreciate it.
> >>
> >> Regards,
> >> John
> >>
> >>
> >> On Nov 25, 2009, at 10:00 AM, daniel.goulder@and.co.uk wrote:
> >>
> >>> This sounds like a Solaris bug.
> >>>
> >>> Make sure you have a recent version of Solaris or the latest
> patches
> >>> installed...
> >>>
> >>> What release/patch level are you using?
> >>>
> >>> Danny
> >>>
> >>> ________________________________
> >>>
> >>> From: "John J. Consolati" [mailto:"John J.
> >>> Consolati" ]
> >>> Sent: 25 November 2009 17:23
> >>> To: users@httpd.apache.org
> >>> Subject: [users@httpd] SSL on Apache 2.2.14
> >>>
> >>>
> >>> Hello,
> >>>
> >>> Hopefully someone will be able to help, as I've been working on
> this
> >>> problem for quite a while and have hit a wall. I'm trying to
> upgrade
> >>> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything
> seems to
> >>> build and compile okay, but when I try to access my site running
> on
> >>> 2.2.14, I get a strange error from Firefox: "Secure connection
> >>> failed. An error occurred during a connection to xxxxxx. SSL peer
> >>> reports incorrect Message Authentication Code. (Error code:
> >>> ssl_error_bad_mac_alert)."
> >>>
> >>> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same
> >>> results. This is hosted on a Solaris sparc box. The 2.2.14
> server is
> >>> utilizing all the same files and SSL certificates as the 2.0.47
> >>> server. I've called Verisign; I have valid certificates, but
> they've
> >>> never heard of this error before. If I self-sign a certificate and
> >>> test it with the 2.2.14 server, it seems to work (except for the
> >>> expected error message regarding self-signed certificates).
> >>>
> >>> Searching on Google has led me to try forcing Apache to compile
> with
> >>> prefork enabled (but it seems to default to that anyway on
> Solaris).
> >>> I've also tried statically linking Apache during compile with the
> >>> same
> >>> results.
> >>>
> >>> If anyone has any ideas or suggestions, I'd very much appreciate
> >>> them...
> >>> Thank you,
> >>> John
> >>>
> >>>
> ------------------------------------------------------------ ---------
> >>> The official User-To-User support forum of the Apache HTTP Server
> >>> Project.
> >>> See < URL:http://***httpd.apache.org/userslist.html> for more
> info.
> >>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>> " from the digest: users-digest-unsubscribe@httpd.apache.org
> >>> For additional commands, e-mail: users-help@httpd.apache.org
> >>>
> >>>
> >>>
> ____________________________________________________________ __________
> >>> This email has been scanned by the MessageLabs Email Security
> >>> System.
> >>> For more information please visit http://
> ***www.***messagelabs.com/
> >>> email
> >>>
> ____________________________________________________________ __________
> >>>
> >>>
> >>>
> ____________________________________________________________ __________
> >>> This e-mail and any attached files are intended for the named
> >>> addressee only. It contains information, which may be confidential
> >>> and legally privileged and also protected by copyright. Unless you
> >>> are the named addressee (or authorised to receive for the
> >>> addressee) you may not copy or use it, or disclose it to anyone
> >>> else. If you received it in error please notify the sender
> >>> immediately and then delete it from your system. Please be advised
> >>> that the views and opinions expressed in this e-mail may not
> >>> reflect the views and opinions of Associated Newspapers Limited or
> >>> any of its subsidiary companies. We make every effort to keep our
> >>> network free from viruses. However, you do need to check this e-
> >>> mail and any attachments to it for viruses as we can take no
> >>> responsibility for any computer virus which may be transferred by
> >>> way of this e-mail. Use of this or any other e-mail facility
> >>> signifies consent to any interception we might lawfully carry out
> >>> to prevent abuse of these faciliti
> >>> es.
> >>> Associated Newspapers Ltd. Registered Office: Northcliffe House, 2
> >>> Derry St, Kensington, London, W8 5TT. Registered No 84121 England.
> >>
> >>
> >>
> ------------------------------------------------------------ ---------
> >> The official User-To-User support forum of the Apache HTTP Server
> >> Project.
> >> See for more info.
> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >> " from the digest: users-digest-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >>
> >
> >
> >
> > --
> > Sander Temme
> > sctemme@apache.org
> > PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
> >
> >
> >
>
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




--=_alternative 007A382A88257679_=
Content-Type: text/html; charset="US-ASCII"



We are only at Apache 2.2.9, but don't
have any problems.  The command I use to build apache with is:



./configure --prefix=/usr/local/apache-2.2.9
--with-ssl=/usr/local/ssl --with-z=/usr/local/lib --enable-ssl --enable-cache
--enable-disk-cache --enable-mem-cache --enable-autoindex --enable-mods-shared="rewrite
ssl dav dav-fs proxy"



of course, this is building a shared
mod_ssl.so, and a few other things.  We use gcc instead of Sun's.
 Can you try it with gcc?  I can't image that is the problem,
but it might be worth a test.



We have changed both Apache and OpenSSL
versions, several times, and never had any certificate problems.



Here is one thing to look into...  Looking
back at your 'ldd httpd' output, there is no mention of libssl or libcrypt,
so I assume that you are statically linking them in.  Are you sure
that you are picking up the OpenSSL version and not Sun's default installed
version in /lib ?  Can you post your build command?  Personally,
I like dynamic linking, so that you can upgrade to a new OpenSSL, without
having to redo everything that uses it.



Dan

Please respond to users@httpd.apache.org

To:      
 users@httpd.apache.org

cc:      
  (bcc: Dan Mitton/YD/RWDOE)

Subject:    
   Re: [users@httpd]
SSL on Apache 2.2.14

Re: SSL on Apache 2.2.14

Here are the build commands I've tried:

../configure --prefix=/home/consolati1/apache/httpd-2.2.14/installed --
enable-static-support --enable-ssl --with-ssl=/home/consolati1/openssl/
openssl-0.9.8l/installed --with-mpm=prefork

../configure --prefix=/home/consolati1/apache/httpd-2.2.14/installed/ --
enable-ssl --with-ssl=/home/consolati1/openssl/openssl-0.9.8g/
installed/ (currently using this one)

Both of them result in the same thing, and were the commands my
predecessor used.

I will try building it with the configure command you sent. I haven't
personally tried gcc, but my coworkers have left extensive notes of
errors that gcc throws. It couldn't hurt to try again.

It is odd that libssl and libcrypt aren't in there -- I tried building
statically, as you can see, but the httpd -l that I posted was from
the second one (which should be dynamic). Any ideas why they're
missing?

Thanks,
John

On Nov 25, 2009, at 2:14 PM, Dan_Mitton@YMP.GOV wrote:

>
> We are only at Apache 2.2.9, but don't have any problems. The
> command I use to build apache with is:
>
> ./configure --prefix=/usr/local/apache-2.2.9 --with-ssl=/usr/local/
> ssl --with-z=/usr/local/lib --enable-ssl --enable-cache --enable-
> disk-cache --enable-mem-cache --enable-autoindex --enable-mods-
> shared="rewrite ssl dav dav-fs proxy"
>
> of course, this is building a shared mod_ssl.so, and a few other
> things. We use gcc instead of Sun's. Can you try it with gcc? I
> can't image that is the problem, but it might be worth a test.
>
> We have changed both Apache and OpenSSL versions, several times, and
> never had any certificate problems.
>
> Here is one thing to look into... Looking back at your 'ldd httpd'
> output, there is no mention of libssl or libcrypt, so I assume that
> you are statically linking them in. Are you sure that you are
> picking up the OpenSSL version and not Sun's default installed
> version in /lib ? Can you post your build command? Personally, I
> like dynamic linking, so that you can upgrade to a new OpenSSL,
> without having to redo everything that uses it.
>
> Dan
>
>
> Please respond to users@httpd.apache.org
>
>
> To: users@httpd.apache.org
> cc: (bcc: Dan Mitton/YD/RWDOE)
> Subject: Re: [users@httpd] SSL on Apache 2.2.14
>
>
> LSN: Not Relevant
> User Filed as: Not a Record
>
> Dan,
>
> The error occurs on both Safari and Firefox on Apache 2.2.14. We
> don't have IE in our environment. Both Safari and Firefox work as
> they should with 2.0.47.
>
> It looks like mod_ssl.c is compiled in -- it shows up with httpd -l.
>
> I've checked the links you sent me. The description doesn't provide a
> whole lot of detail, and, according to the other one, I checked to
> make sure I am using prefork instead of MPM -- it seems to default to
> prefork anyway, but I specified it in the /config before compilation.
>
> I've Googled to my wit's end for several days without finding anything
> conclusive. Some pages hint at compilation options, others at
> compilers (I'm using Sun's cc, not gcc), but nothing conclusive.
>
> Here is one question I couldn't find the answer to, though: if I
> requested a server certificate using a specific version of OpenSSL,
> can I use that same certificate in a different version of Apache with
> a different version of OpenSSL? Or do I have to re-request if I
> upgrade OpenSSL? A long shot I know, but I'm running out of
> options...
>
> Thank you for the help,
> John
>
> On Nov 25, 2009, at 12:07 PM, Dan_Mitton@YMP.GOV wrote:
>
> >
> > John,
> >
> > You should not need to upgrade Solaris. I've got apache running on
> > a solaris 9 box just fine.
> >
> > Your "wrong path" shouldn't be a problem either. Those are just
> > "the last place to look" for an .so. Solaris will use what is in
> > the 'crle' command and the LD_LIBRARY_PATH environment variable
> > first (I'm not sure of the order).
> >
> > You may or may not have a mod_ssl.so, depending on how you compiled
> > apache. If you run:
> >
> > httpd -l (that's an el)
> >
> > It will list out which modules are compiled in. If you see
> > mod_ssl.c, you will not have a mod_ssl.so. Otherwise, mod_ssl.so
> > should normally be in your apache's modules subdirectory.
> >
> > Do you only get the error on Firefox and not IE?
> >
> > Dan
> >
> >
> > Please respond to users@httpd.apache.org
> >
> >
> > To: users@httpd.apache.org
> > cc: (bcc: Dan Mitton/YD/RWDOE)
> > Subject: Re: [users@httpd] SSL on Apache 2.2.14
> >
> >
> > LSN: Not Relevant
> > User Filed as: Not a Record
> >
> > Here is the complete command:
> >
> > openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/
> > installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/apache/
> > httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.k ey -
> > CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/
> ssl.crt/
> > intermediate.crt -www
> >
> > Your suggested 'GET / HTTP/1.0\r\r' was successful.
> >
> > However, I found something interesting doing an ldd -- a few of them
> > have wrong paths:
> >
> > bash-2.05# ldd httpd
> > libm.so.1 => /usr/lib/libm.so.1
> > libaprutil-1.so.0 => /wrong/path
> > libexpat.so.0 => /wrong/path
> > libapr-1.so.0 => /wrong/path
> > libuuid.so.1 => /usr/lib/libuuid.so.1
> > libsendfile.so.1 => /usr/lib/libsendfile.so.1
> > librt.so.1 => /usr/lib/librt.so.1
> > libsocket.so.1 => /usr/lib/libsocket.so.1
> > libnsl.so.1 => /usr/lib/libnsl.so.1
> > libpthread.so.1 => /usr/lib/libpthread.so.1
> > libdl.so.1 => /usr/lib/libdl.so.1
> > libthread.so.1 => /usr/lib/libthread.so.1
> > libc.so.1 => /usr/lib/libc.so.1
> > libucb.so.1 => (file not found)
> > libresolv.so.2 => /usr/lib/libresolv.so.2
> > libelf.so.1 => /usr/lib/libelf.so.1
> > libucb.so.1 => /usr/ucblib/libucb.so.1
> > libaio.so.1 => /usr/lib/libaio.so.1
> > libmd5.so.1 => /usr/lib/libmd5.so.1
> > libmp.so.2 => /usr/lib/libmp.so.2
> > /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
> > /usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1
> >
> > I wasn't sure where to find mod_ssl.so -- I could only find
> mod_ssl.h.
> >
> > Is there a way to change the links without rebuilding?
> >
> > Thank you,
> > John
> >
> > On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:
> >
> > >
> > > On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:
> > >
> > >> Thank you for the reply.
> > >>
> > >> Unfortunately, upgrading Solaris isn't an option. Here is the
> > >> version I have to work with (quite old..):
> > >>
> > >> bash-2.05# cat /etc/release
> > >> Solaris 9 4/04 s9s_u6wos_08a SPARC
> > >> Copyright 2004 Sun Microsystems, Inc. All Rights
> > Reserved.
> > >> Use is subject to license terms.
> > >> Assembled 22 March 2004
> > >> bash-2.05# uname -a
> > >> SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250
> > >>
> > >> I've been using the Sun cc, not gcc, to compile everything.
> > >>
> > >>
> > >> Here is the output from the openSSL commands:
> > >>
> > >> openssl -certs....etc etc
> > >
> > > What is your complete command line here?
> > >
> > >> Using default temp DH parameters
> > >> Using default temp ECDH parameters
> > >> ACCEPT
> > >> -----BEGIN SSL SESSION PARAMETERS-----
> > >> MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIe X2wE
> > >> MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F /Ajy
> > >> V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
> > >> -----END SSL SESSION PARAMETERS-----
> > >> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-
> > SHA:EDH-
> > >> RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-
> AES128-
> > >> SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-
> MD5:EDH-
> > >> RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA- DES-
> > CBC-
> > >> SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5: EXP-
> > RC4-
> > >> MD5
> > >> CIPHER is DHE-RSA-AES256-SHA
> > >>
> > >>
> > >>
> > >> And on the other terminal:
> > >>
> > >> bash-2.05$ openssl s_client -connect localhost:4433
> > >> CONNECTED(00000003)
> > >> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms
> > >> of use at https://***www.***verisign.com/rpa (c)05/CN=VeriSign
> > Class 3
> > >> Secure Server CA
> > >> verify error:num=20:unable to get local issuer certificate
> > >> verify return:0
> > >
> > > That's not a problem, just OpenSSL complaining it can't find the
> > > Verisign root cert. If you happen to have a copy of that (like
> your
> > > browser does) and point openssl s_client to it, it can verify all
> > > the way to the top. This does not impact the connection itself.
> > >
> > >> ---
> > >> Certificate chain
> > >> 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National
> > >> Laboratory/OU=Environmental Restoration Division erdc/CN=www-
> > >> erdc.llnl.gov
> > >> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> use
> > >> at https://***www.***verisign.com/rpa (c)05/CN=VeriSign Class 3
> > Secure
> > >> Server CA
> > >> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> > >> use at https://***www.***verisign.com/rpa (c)05/CN=VeriSign
> Class 3
> > >> Secure Server CA
> > >> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> > >> Authority
> > >> ---
> > >> Server certificate
> > >> -----BEGIN CERTIFICATE-----
> > >> certificate hash...
> > >> -----END CERTIFICATE-----
> > >> subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore
> > >> National Laboratory/OU=Environmental Restoration Division erdc/
> > >> CN=www-erdc.llnl.gov
> > >> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/
> OU=Terms of
> > >> use at https://***www.***verisign.com/rpa (c)05/CN=VeriSign
> Class 3
> > >> Secure Server CA
> > >> ---
> > >> No client certificate CA names sent
> > >> ---
> > >> SSL handshake has read 2973 bytes and written 258 bytes
> > >> ---
> > >> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > >> Server public key is 1024 bit
> > >> Compression: NONE
> > >> Expansion: NONE
> > >> SSL-Session:
> > >> Protocol : TLSv1
> > >> Cipher : DHE-RSA-AES256-SHA
> > >> Session-ID:
> > >> 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E 5F6C
> > >> Session-ID-ctx:
> > >> Master-Key:
> > >>
> >
> EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A4 5712081626A57E6C0FE555052DC5FC08F257
> > >> Key-Arg : None
> > >> Start Time: 1259172800
> > >> Timeout : 300 (sec)
> > >> Verify return code: 20 (unable to get local issuer certificate)
> > >> ---
> > >>
> > >> Looks like there is a problem with one of the certificates, but
> I'm
> > >> not sure how to proceed...
> > >
> > > At this point, you have a valid handshake, and the client and
> server
> > > have exchanged data encrypted and MACed with the session keys.
> All
> > > is well. You could type on the command line 'GET / HTTP/1.0\r
> > > \r' (two returns) and you'll get the status page generated by
> > > openssl s_server -www.***
> > >
> > > This means you have a configuration problem with Apache. Make
> sure
> > > you're using the ssl and crypto libraries that you think you are
> by
> > > running ldd on the httpd binary and the mod_ssl.so binary. While
> > > the Solaris build environment usually gets this right by
> hardcoding
> > > the path to the libraries at link time, make sure this is ok at
> run
> > > time.
> > >
> > > Then, make sure your server is configured correctly, and that your
> > > SSL virtual host(s) use the correct combination of
> > > SSLCertificateFile and SSLCertificateKeyFile.
> > >
> > > S.
> > >
> > >> Again, thank you for your help, I appreciate it.
> > >>
> > >> Regards,
> > >> John
> > >>
> > >>
> > >> On Nov 25, 2009, at 10:00 AM, daniel.goulder@and.co.uk wrote:
> > >>
> > >>> This sounds like a Solaris bug.
> > >>>
> > >>> Make sure you have a recent version of Solaris or the latest
> > patches
> > >>> installed...
> > >>>
> > >>> What release/patch level are you using?
> > >>>
> > >>> Danny
> > >>>
> > >>> ________________________________
> > >>>
> > >>> From: "John J. Consolati" [mailto:"John J.
> > >>> Consolati" ]
> > >>> Sent: 25 November 2009 17:23
> > >>> To: users@httpd.apache.org
> > >>> Subject: [users@httpd] SSL on Apache 2.2.14
> > >>>
> > >>>
> > >>> Hello,
> > >>>
> > >>> Hopefully someone will be able to help, as I've been working on
> > this
> > >>> problem for quite a while and have hit a wall. I'm trying to
> > upgrade
> > >>> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything
> > seems to
> > >>> build and compile okay, but when I try to access my site running
> > on
> > >>> 2.2.14, I get a strange error from Firefox: "Secure connection
> > >>> failed. An error occurred during a connection to xxxxxx. SSL
> peer
> > >>> reports incorrect Message Authentication Code. (Error code:
> > >>> ssl_error_bad_mac_alert)."
> > >>>
> > >>> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the
> same
> > >>> results. This is hosted on a Solaris sparc box. The 2.2.14
> > server is
> > >>> utilizing all the same files and SSL certificates as the 2.0.47
> > >>> server. I've called Verisign; I have valid certificates, but
> > they've
> > >>> never heard of this error before. If I self-sign a certificate
> and
> > >>> test it with the 2.2.14 server, it seems to work (except for the
> > >>> expected error message regarding self-signed certificates).
> > >>>
> > >>> Searching on Google has led me to try forcing Apache to compile
> > with
> > >>> prefork enabled (but it seems to default to that anyway on
> > Solaris).
> > >>> I've also tried statically linking Apache during compile with
> the
> > >>> same
> > >>> results.
> > >>>
> > >>> If anyone has any ideas or suggestions, I'd very much appreciate
> > >>> them...
> > >>> Thank you,
> > >>> John
> > >>>
> > >>>
> >
> ------------------------------------------------------------ ---------
> > >>> The official User-To-User support forum of the Apache HTTP
> Server
> > >>> Project.
> > >>> See < URL:http://****httpd.apache.org/userslist.html> for more
> > info.
> > >>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >>> " from the digest: users-digest-unsubscribe@httpd.apache.org
> > >>> For additional commands, e-mail: users-help@httpd.apache.org
> > >>>
> > >>>
> > >>>
> >
> ____________________________________________________________ __________
> > >>> This email has been scanned by the MessageLabs Email Security
> > >>> System.
> > >>> For more information please visit http://*
> > ***www.****messagelabs.com/
> > >>> email
> > >>>
> >
> ____________________________________________________________ __________
> > >>>
> > >>>
> > >>>
> >
> ____________________________________________________________ __________
> > >>> This e-mail and any attached files are intended for the named
> > >>> addressee only. It contains information, which may be
> confidential
> > >>> and legally privileged and also protected by copyright. Unless
> you
> > >>> are the named addressee (or authorised to receive for the
> > >>> addressee) you may not copy or use it, or disclose it to anyone
> > >>> else. If you received it in error please notify the sender
> > >>> immediately and then delete it from your system. Please be
> advised
> > >>> that the views and opinions expressed in this e-mail may not
> > >>> reflect the views and opinions of Associated Newspapers
> Limited or
> > >>> any of its subsidiary companies. We make every effort to keep
> our
> > >>> network free from viruses. However, you do need to check this e-
> > >>> mail and any attachments to it for viruses as we can take no
> > >>> responsibility for any computer virus which may be transferred
> by
> > >>> way of this e-mail. Use of this or any other e-mail facility
> > >>> signifies consent to any interception we might lawfully carry
> out
> > >>> to prevent abuse of these faciliti
> > >>> es.
> > >>> Associated Newspapers Ltd. Registered Office: Northcliffe
> House, 2
> > >>> Derry St, Kensington, London, W8 5TT. Registered No 84121
> England.
> > >>
> > >>
> > >>
> >
> ------------------------------------------------------------ ---------
> > >> The official User-To-User support forum of the Apache HTTP Server
> > >> Project.
> > >> See for more
> info.
> > >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >> " from the digest: users-digest-unsubscribe@httpd.apache.org
> > >> For additional commands, e-mail: users-help@httpd.apache.org
> > >>
> > >>
> > >
> > >
> > >
> > > --
> > > Sander Temme
> > > sctemme@apache.org
> > > PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
> > >
> > >
> > >
> >
> >
> >
> ------------------------------------------------------------ ---------
> > The official User-To-User support forum of the Apache HTTP Server
> > Project.
> > See for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
> >
>
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: SSL on Apache 2.2.14

--=_alternative 007C5B7A88257679_=
Content-Type: text/plain; charset="US-ASCII"

I would stick with openssl-0.9.8l, the other have a bunch of
vulnerabilities, but that can get taken care of once this other problem is
fixed :)

When you built OpenSSL, did you build it "shared"? My command is:

../config shared zlib-dynamic --prefix=/usr/local/ssl-0.9.8l
--openssldir=/usr/local/ssl-0.9.8l

are your openssl libraries in:

/home/consolati1/openssl/openssl-0.9.8g/installed/

or are they in:

/home/consolati1/openssl/openssl-0.9.8g/installed/lib

you should have a libssl.so.0.9.8 and libcrypto.so.0.9.8 somewhere.



Please respond to users@httpd.apache.org

To: users@httpd.apache.org
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: Re: [users@httpd] SSL on Apache 2.2.14
LSN: Not Relevant
User Filed as: Not a Record

Here are the build commands I've tried:

../configure --prefix=/home/consolati1/apache/httpd-2.2.14/installed --
enable-static-support --enable-ssl --with-ssl=/home/consolati1/openssl/
openssl-0.9.8l/installed --with-mpm=prefork

../configure --prefix=/home/consolati1/apache/httpd-2.2.14/installed/ --
enable-ssl --with-ssl=/home/consolati1/openssl/openssl-0.9.8g/
installed/ (currently using this one)

Both of them result in the same thing, and were the commands my
predecessor used.

I will try building it with the configure command you sent. I haven't
personally tried gcc, but my coworkers have left extensive notes of
errors that gcc throws. It couldn't hurt to try again.

It is odd that libssl and libcrypt aren't in there -- I tried building
statically, as you can see, but the httpd -l that I posted was from
the second one (which should be dynamic). Any ideas why they're
missing?

Thanks,
John

On Nov 25, 2009, at 2:14 PM, Dan_Mitton@YMP.GOV wrote:

>
> We are only at Apache 2.2.9, but don't have any problems. The
> command I use to build apache with is:
>
> ./configure --prefix=/usr/local/apache-2.2.9 --with-ssl=/usr/local/
> ssl --with-z=/usr/local/lib --enable-ssl --enable-cache --enable-
> disk-cache --enable-mem-cache --enable-autoindex --enable-mods-
> shared="rewrite ssl dav dav-fs proxy"
>
> of course, this is building a shared mod_ssl.so, and a few other
> things. We use gcc instead of Sun's. Can you try it with gcc? I
> can't image that is the problem, but it might be worth a test.
>
> We have changed both Apache and OpenSSL versions, several times, and
> never had any certificate problems.
>
> Here is one thing to look into... Looking back at your 'ldd httpd'
> output, there is no mention of libssl or libcrypt, so I assume that
> you are statically linking them in. Are you sure that you are
> picking up the OpenSSL version and not Sun's default installed
> version in /lib ? Can you post your build command? Personally, I
> like dynamic linking, so that you can upgrade to a new OpenSSL,
> without having to redo everything that uses it.
>
> Dan
>
>
> Please respond to users@httpd.apache.org
>
>
> To: users@httpd.apache.org
> cc: (bcc: Dan Mitton/YD/RWDOE)
> Subject: Re: [users@httpd] SSL on Apache 2.2.14
>
>
> LSN: Not Relevant
> User Filed as: Not a Record
>
> Dan,
>
> The error occurs on both Safari and Firefox on Apache 2.2.14. We
> don't have IE in our environment. Both Safari and Firefox work as
> they should with 2.0.47.
>
> It looks like mod_ssl.c is compiled in -- it shows up with httpd -l.
>
> I've checked the links you sent me. The description doesn't provide a
> whole lot of detail, and, according to the other one, I checked to
> make sure I am using prefork instead of MPM -- it seems to default to
> prefork anyway, but I specified it in the /config before compilation.
>
> I've Googled to my wit's end for several days without finding anything
> conclusive. Some pages hint at compilation options, others at
> compilers (I'm using Sun's cc, not gcc), but nothing conclusive.
>
> Here is one question I couldn't find the answer to, though: if I
> requested a server certificate using a specific version of OpenSSL,
> can I use that same certificate in a different version of Apache with
> a different version of OpenSSL? Or do I have to re-request if I
> upgrade OpenSSL? A long shot I know, but I'm running out of
> options...
>
> Thank you for the help,
> John
>
> On Nov 25, 2009, at 12:07 PM, Dan_Mitton@YMP.GOV wrote:
>
> >
> > John,
> >
> > You should not need to upgrade Solaris. I've got apache running on
> > a solaris 9 box just fine.
> >
> > Your "wrong path" shouldn't be a problem either. Those are just
> > "the last place to look" for an .so. Solaris will use what is in
> > the 'crle' command and the LD_LIBRARY_PATH environment variable
> > first (I'm not sure of the order).
> >
> > You may or may not have a mod_ssl.so, depending on how you compiled
> > apache. If you run:
> >
> > httpd -l (that's an el)
> >
> > It will list out which modules are compiled in. If you see
> > mod_ssl.c, you will not have a mod_ssl.so. Otherwise, mod_ssl.so
> > should normally be in your apache's modules subdirectory.
> >
> > Do you only get the error on Firefox and not IE?
> >
> > Dan
> >
> >
> > Please respond to users@httpd.apache.org
> >
> >
> > To: users@httpd.apache.org
> > cc: (bcc: Dan Mitton/YD/RWDOE)
> > Subject: Re: [users@httpd] SSL on Apache 2.2.14
> >
> >
> > LSN: Not Relevant
> > User Filed as: Not a Record
> >
> > Here is the complete command:
> >
> > openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/
> > installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/apache/
> > httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.k ey -
> > CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/
> ssl.crt/
> > intermediate.crt -www
> >
> > Your suggested 'GET / HTTP/1.0\r\r' was successful.
> >
> > However, I found something interesting doing an ldd -- a few of them
> > have wrong paths:
> >
> > bash-2.05# ldd httpd
> > libm.so.1 => /usr/lib/libm.so.1
> > libaprutil-1.so.0 => /wrong/path
> > libexpat.so.0 => /wrong/path
> > libapr-1.so.0 => /wrong/path
> > libuuid.so.1 => /usr/lib/libuuid.so.1
> > libsendfile.so.1 => /usr/lib/libsendfile.so.1
> > librt.so.1 => /usr/lib/librt.so.1
> > libsocket.so.1 => /usr/lib/libsocket.so.1
> > libnsl.so.1 => /usr/lib/libnsl.so.1
> > libpthread.so.1 => /usr/lib/libpthread.so.1
> > libdl.so.1 => /usr/lib/libdl.so.1
> > libthread.so.1 => /usr/lib/libthread.so.1
> > libc.so.1 => /usr/lib/libc.so.1
> > libucb.so.1 => (file not found)
> > libresolv.so.2 => /usr/lib/libresolv.so.2
> > libelf.so.1 => /usr/lib/libelf.so.1
> > libucb.so.1 => /usr/ucblib/libucb.so.1
> > libaio.so.1 => /usr/lib/libaio.so.1
> > libmd5.so.1 => /usr/lib/libmd5.so.1
> > libmp.so.2 => /usr/lib/libmp.so.2
> > /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
> > /usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1
> >
> > I wasn't sure where to find mod_ssl.so -- I could only find
> mod_ssl.h.
> >
> > Is there a way to change the links without rebuilding?
> >
> > Thank you,
> > John
> >
> > On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:
> >
> > >
> > > On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:
> > >
> > >> Thank you for the reply.
> > >>
> > >> Unfortunately, upgrading Solaris isn't an option. Here is the
> > >> version I have to work with (quite old..):
> > >>
> > >> bash-2.05# cat /etc/release
> > >> Solaris 9 4/04 s9s_u6wos_08a SPARC
> > >> Copyright 2004 Sun Microsystems, Inc. All Rights
> > Reserved.
> > >> Use is subject to license terms.
> > >> Assembled 22 March 2004
> > >> bash-2.05# uname -a
> > >> SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250
> > >>
> > >> I've been using the Sun cc, not gcc, to compile everything.
> > >>
> > >>
> > >> Here is the output from the openSSL commands:
> > >>
> > >> openssl -certs....etc etc
> > >
> > > What is your complete command line here?
> > >
> > >> Using default temp DH parameters
> > >> Using default temp ECDH parameters
> > >> ACCEPT
> > >> -----BEGIN SSL SESSION PARAMETERS-----
> > >> MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIe X2wE
> > >> MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F /Ajy
> > >> V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
> > >> -----END SSL SESSION PARAMETERS-----
> > >> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-
> > SHA:EDH-
> > >> RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-
> AES128-
> > >> SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-
> MD5:EDH-
> > >> RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA- DES-
> > CBC-
> > >> SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5: EXP-
> > RC4-
> > >> MD5
> > >> CIPHER is DHE-RSA-AES256-SHA
> > >>
> > >>
> > >>
> > >> And on the other terminal:
> > >>
> > >> bash-2.05$ openssl s_client -connect localhost:4433
> > >> CONNECTED(00000003)
> > >> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms
> > >> of use at https://***www.***verisign.com/rpa (c)05/CN=VeriSign
> > Class 3
> > >> Secure Server CA
> > >> verify error:num=20:unable to get local issuer certificate
> > >> verify return:0
> > >
> > > That's not a problem, just OpenSSL complaining it can't find the
> > > Verisign root cert. If you happen to have a copy of that (like
> your
> > > browser does) and point openssl s_client to it, it can verify all
> > > the way to the top. This does not impact the connection itself.
> > >
> > >> ---
> > >> Certificate chain
> > >> 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National
> > >> Laboratory/OU=Environmental Restoration Division erdc/CN=www-
> > >> erdc.llnl.gov
> > >> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> use
> > >> at https://***www.***verisign.com/rpa (c)05/CN=VeriSign Class 3
> > Secure
> > >> Server CA
> > >> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> > >> use at https://***www.***verisign.com/rpa (c)05/CN=VeriSign
> Class 3
> > >> Secure Server CA
> > >> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> > >> Authority
> > >> ---
> > >> Server certificate
> > >> -----BEGIN CERTIFICATE-----
> > >> certificate hash...
> > >> -----END CERTIFICATE-----
> > >> subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore
> > >> National Laboratory/OU=Environmental Restoration Division erdc/
> > >> CN=www-erdc.llnl.gov
> > >> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/
> OU=Terms of
> > >> use at https://***www.***verisign.com/rpa (c)05/CN=VeriSign
> Class 3
> > >> Secure Server CA
> > >> ---
> > >> No client certificate CA names sent
> > >> ---
> > >> SSL handshake has read 2973 bytes and written 258 bytes
> > >> ---
> > >> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > >> Server public key is 1024 bit
> > >> Compression: NONE
> > >> Expansion: NONE
> > >> SSL-Session:
> > >> Protocol : TLSv1
> > >> Cipher : DHE-RSA-AES256-SHA
> > >> Session-ID:
> > >> 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E 5F6C
> > >> Session-ID-ctx:
> > >> Master-Key:
> > >>
> >
>
EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A4 5712081626A57E6C0FE555052DC5FC08F257
> > >> Key-Arg : None
> > >> Start Time: 1259172800
> > >> Timeout : 300 (sec)
> > >> Verify return code: 20 (unable to get local issuer certificate)
> > >> ---
> > >>
> > >> Looks like there is a problem with one of the certificates, but
> I'm
> > >> not sure how to proceed...
> > >
> > > At this point, you have a valid handshake, and the client and
> server
> > > have exchanged data encrypted and MACed with the session keys.
> All
> > > is well. You could type on the command line 'GET / HTTP/1.0\r
> > > \r' (two returns) and you'll get the status page generated by
> > > openssl s_server -www.***
> > >
> > > This means you have a configuration problem with Apache. Make
> sure
> > > you're using the ssl and crypto libraries that you think you are
> by
> > > running ldd on the httpd binary and the mod_ssl.so binary. While
> > > the Solaris build environment usually gets this right by
> hardcoding
> > > the path to the libraries at link time, make sure this is ok at
> run
> > > time.
> > >
> > > Then, make sure your server is configured correctly, and that your
> > > SSL virtual host(s) use the correct combination of
> > > SSLCertificateFile and SSLCertificateKeyFile.
> > >
> > > S.
> > >
> > >> Again, thank you for your help, I appreciate it.
> > >>
> > >> Regards,
> > >> John
> > >>
> > >>
> > >> On Nov 25, 2009, at 10:00 AM, daniel.goulder@and.co.uk wrote:
> > >>
> > >>> This sounds like a Solaris bug.
> > >>>
> > >>> Make sure you have a recent version of Solaris or the latest
> > patches
> > >>> installed...
> > >>>
> > >>> What release/patch level are you using?
> > >>>
> > >>> Danny
> > >>>
> > >>> ________________________________
> > >>>
> > >>> From: "John J. Consolati" [mailto:"John J.
> > >>> Consolati" ]
> > >>> Sent: 25 November 2009 17:23
> > >>> To: users@httpd.apache.org
> > >>> Subject: [users@httpd] SSL on Apache 2.2.14
> > >>>
> > >>>
> > >>> Hello,
> > >>>
> > >>> Hopefully someone will be able to help, as I've been working on
> > this
> > >>> problem for quite a while and have hit a wall. I'm trying to
> > upgrade
> > >>> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything
> > seems to
> > >>> build and compile okay, but when I try to access my site running
> > on
> > >>> 2.2.14, I get a strange error from Firefox: "Secure connection
> > >>> failed. An error occurred during a connection to xxxxxx. SSL
> peer
> > >>> reports incorrect Message Authentication Code. (Error code:
> > >>> ssl_error_bad_mac_alert)."
> > >>>
> > >>> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the
> same
> > >>> results. This is hosted on a Solaris sparc box. The 2.2.14
> > server is
> > >>> utilizing all the same files and SSL certificates as the 2.0.47
> > >>> server. I've called Verisign; I have valid certificates, but
> > they've
> > >>> never heard of this error before. If I self-sign a certificate
> and
> > >>> test it with the 2.2.14 server, it seems to work (except for the
> > >>> expected error message regarding self-signed certificates).
> > >>>
> > >>> Searching on Google has led me to try forcing Apache to compile
> > with
> > >>> prefork enabled (but it seems to default to that anyway on
> > Solaris).
> > >>> I've also tried statically linking Apache during compile with
> the
> > >>> same
> > >>> results.
> > >>>
> > >>> If anyone has any ideas or suggestions, I'd very much appreciate
> > >>> them...
> > >>> Thank you,
> > >>> John
> > >>>
> > >>>
> >
> ------------------------------------------------------------ ---------
> > >>> The official User-To-User support forum of the Apache HTTP
> Server
> > >>> Project.
> > >>> See < URL:http://****httpd.apache.org/userslist.html> for more
> > info.
> > >>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >>> " from the digest: users-digest-unsubscribe@httpd.apache.org
> > >>> For additional commands, e-mail: users-help@httpd.apache.org
> > >>>
> > >>>
> > >>>
> >
> ____________________________________________________________ __________
> > >>> This email has been scanned by the MessageLabs Email Security
> > >>> System.
> > >>> For more information please visit http://*
> > ***www.****messagelabs.com/
> > >>> email
> > >>>
> >
> ____________________________________________________________ __________
> > >>>
> > >>>
> > >>>
> >
> ____________________________________________________________ __________
> > >>> This e-mail and any attached files are intended for the named
> > >>> addressee only. It contains information, which may be
> confidential
> > >>> and legally privileged and also protected by copyright. Unless
> you
> > >>> are the named addressee (or authorised to receive for the
> > >>> addressee) you may not copy or use it, or disclose it to anyone
> > >>> else. If you received it in error please notify the sender
> > >>> immediately and then delete it from your system. Please be
> advised
> > >>> that the views and opinions expressed in this e-mail may not
> > >>> reflect the views and opinions of Associated Newspapers
> Limited or
> > >>> any of its subsidiary companies. We make every effort to keep
> our
> > >>> network free from viruses. However, you do need to check this e-
> > >>> mail and any attachments to it for viruses as we can take no
> > >>> responsibility for any computer virus which may be transferred
> by
> > >>> way of this e-mail. Use of this or any other e-mail facility
> > >>> signifies consent to any interception we might lawfully carry
> out
> > >>> to prevent abuse of these faciliti
> > >>> es.
> > >>> Associated Newspapers Ltd. Registered Office: Northcliffe
> House, 2
> > >>> Derry St, Kensington, London, W8 5TT. Registered No 84121
> England.
> > >>
> > >>
> > >>
> >
> ------------------------------------------------------------ ---------
> > >> The official User-To-User support forum of the Apache HTTP Server
> > >> Project.
> > >> See for more
> info.
> > >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >> " from the digest: users-digest-unsubscribe@httpd.apache.org
> > >> For additional commands, e-mail: users-help@httpd.apache.org
> > >>
> > >>
> > >
> > >
> > >
> > > --
> > > Sander Temme
> > > sctemme@apache.org
> > > PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
> > >
> > >
> > >
> >
> >
> >
> ------------------------------------------------------------ ---------
> > The official User-To-User support forum of the Apache HTTP Server
> > Project.
> > See for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
> >
>
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




--=_alternative 007C5B7A88257679_=
Content-Type: text/html; charset="US-ASCII"



I would stick with openssl-0.9.8l, the
other have a bunch of vulnerabilities, but that can get taken care of once
this other problem is fixed :)



When you built OpenSSL, did you build
it "shared"?  My command is:



./config shared zlib-dynamic --prefix=/usr/local/ssl-0.9.8l
--openssldir=/usr/local/ssl-0.9.8l



are your openssl libraries in:



/home/consolati1/openssl/openssl-0.9.8g/installed/



or are they in:



/home/consolati1/openssl/openssl-0.9.8g/installed/lib



you should have a libssl.so.0.9.8 and
libcrypto.so.0.9.8 somewhere.

Please respond to users@httpd.apache.org

To:      
 users@httpd.apache.org

cc:      
  (bcc: Dan Mitton/YD/RWDOE)

Subject:    
   Re: [users@httpd]
SSL on Apache 2.2.14

RE: SSL on Apache 2.2.14

--=_alternative 004358628025767A_=
Content-Type: text/html; charset="US-ASCII;"



7bit Content-Transfer-Encoding:>