LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-27-2004, 10:38 PM   #1
kevinm2
Member
 
Registered: Aug 2004
Distribution: Redhat 7.2
Posts: 73

Rep: Reputation: 15
httpd.conf & ssl.conf


Trying to set up SSL for a virtual host.
On the server, with the URL https://localhost, the lock comes on. But when I locally or remotely type https://www.DomainName.com it hangs and crashes. What am I doing wrong?

Should I have anything in ssl.conf?

httpd.conf contains:
------------------------------

<IfModule mod_ssl.c>
Include etc/ssl.conf
</IfModule>

Listen 80

NameVirtualHost 192.168.1.120

<VirtualHost www.DomainName.com:443>
DocumentRoot /opt/lampp/htdocs/DomainName
ServerName www.DomainName.com
ServerAdmin Info@DomainName.com
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/lampp/etc/ssl.crt/server.crt
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/opt/lampp/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Last edited by kevinm2; 08-27-2004 at 10:44 PM.
 
Old 08-28-2004, 05:59 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Rather crude, but can you confirm that with (from the outside!) "openssl s_client -connect www.DomainName.com:443" you get shown a cert? If not by FQDN, then by IP address?
 
Old 08-28-2004, 10:00 AM   #3
kevinm2
Member
 
Registered: Aug 2004
Distribution: Redhat 7.2
Posts: 73

Original Poster
Rep: Reputation: 15
Would you explain what "openssl s_client -connect www.DomainName.com:443" is?
And also, what is FQDN?

I tried from within the LAN the IP "https://192.168.1.120", "https://192.168.1.120:443": no connection.

I tried from outside the IP "https://MyStaticIP", "https://MyStaticIP:443": it hangs but it gives me the browser lock.


Please explain what FQDN is.
Where and what should I do with "openssl s_client -connect www.DomainName.com:443"?

In addition, as I was reading last night, you could only have one SSL serving one virtual host on a server with one IP address. Is that true? And if that is the case, should I be placing the following block in ssl.conf?

<VirtualHost www.DomainName.com:443>
DocumentRoot /opt/lampp/htdocs/DomainName
ServerName www.DomainName.com
ServerAdmin Info@DomainName.com
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/lampp/etc/ssl.crt/server.crt
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/server.key
.
.
.
</VirtualHost>
 
Old 08-28-2004, 06:16 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally posted by kevinm2
Would you explain what "openssl s_client -connect www.DomainName.com:443" is?
It's using the openssl binary to detect if that server's certificate is viewable (should show plaintext). Just a hunch. Run from the command line or a terminal window.


Quote:
Originally posted by kevinm2
and also What is FQDN?
A fully qualified domain name. Essentially meaning it's (got the correct format and thus should be) resolvable.


Quote:
Originally posted by kevinm2
You could only have one ssl serving one virtual host on a server with one IP address. Is that true?
As far as I know that's still true. Said in a different way, one certificate resolves to exactly one IP+port designation.
 
Old 08-30-2004, 09:20 AM   #5
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Did you include port 443 in a Listen directive anywhere?

Also, the "one virtual host per IP/port combination" is a valid restriction. If done correctly, there will be one SSL certificate for each site. Apache selects the correct certificate to send based on IP/port combination. Multiple non-SSL sites on one IP/port combination is not a problem because the request is not encrypted.
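The checks stickman describes, as an added example written for this thread (it is neither the poster's configuration nor Apache code): a small linter that parses a flat httpd.conf and reports a VirtualHost port with no matching Listen, more than one SSLEngine-on host on the same IP:port, a NameVirtualHost address that matches no VirtualHost, a hostname used as the VirtualHost address, and weak classes enabled in SSLCipherSuite. The two configs inside it are constructed to resemble the thread's first posting and a corrected version; Include directives, backslash continuation lines and nested blocks are not handled.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the first httpd.conf in this thread: Listen 80
# only, a name-based SSL host on :443, and a permissive cipher string.
SAMPLE_CONF = """\
Listen 80
NameVirtualHost 192.168.1.120
<VirtualHost www.DomainName.com:443>
DocumentRoot /opt/lampp/htdocs/DomainName
ServerName www.DomainName.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/lampp/etc/ssl.crt/server.crt
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/server.key
</VirtualHost>
"""

# Constructed corrected version: both ports listened on, IP-based addresses
# that match NameVirtualHost, and the weak cipher classes disabled.
GOOD_CONF = """\
Listen 80
Listen 192.168.1.120:443
NameVirtualHost 192.168.1.120:80
<VirtualHost 192.168.1.120:80>
ServerName www.DomainName.com
</VirtualHost>
<VirtualHost 192.168.1.120:443>
ServerName www.DomainName.com
SSLEngine on
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2
SSLCertificateFile /opt/lampp/etc/ssl.crt/server.crt
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/server.key
</VirtualHost>
"""

# Cipher-list classes that must never be enabled on a production SSL host:
# null encryption, export-grade, low-strength and SSLv2-era suites.
WEAK_CIPHER_TOKENS = {"eNULL", "EXP", "LOW", "SSLv2"}


def split_addr(addr):
    """Split 'host[:port]'; Apache assumes port 80 when none is given."""
    host, sep, port = addr.rpartition(":")
    return (host, port) if sep else (addr, "80")


def parse_conf(text):
    """Return (listen_ports, namevirtualhost_addrs, vhosts); each vhost is a dict
    with its <VirtualHost> address and a directive -> [values] map."""
    listen, name_vhosts, vhosts, current = set(), [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        open_tag = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if open_tag:
            current = {"addr": open_tag.group(1).strip(), "dirs": defaultdict(list)}
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(current)
            current = None
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if current is not None:
            current["dirs"][key].append(value)
        elif key.lower() == "listen":
            listen.add(split_addr(value)[1])
        elif key.lower() == "namevirtualhost":
            name_vhosts.append(value)
    return listen, name_vhosts, vhosts


def lint(text):
    """Return (code, address, message) findings for the problems raised in the thread."""
    listen, name_vhosts, vhosts = parse_conf(text)
    findings, ssl_by_endpoint = [], defaultdict(list)
    for vh in vhosts:
        addr, dirs = vh["addr"], vh["dirs"]
        host, port = split_addr(addr)
        if port not in listen:
            findings.append(("no-listen", addr, f"no 'Listen {port}' directive, so nothing accepts connections for this host"))
        if not re.fullmatch(r"[\d.]+|\*|_default_", host):
            findings.append(("hostname-addr", addr, "address is a hostname resolved once at startup; use the IP the server binds"))
        if any(v.lower() == "on" for v in dirs.get("SSLEngine", [])):
            ssl_by_endpoint[(host, port)].append(addr)
            for cipher_list in dirs.get("SSLCipherSuite", []):
                enabled = [t for t in cipher_list.split(":")
                           if not t.startswith("!") and t.lstrip("+") in WEAK_CIPHER_TOKENS]
                if enabled:
                    findings.append(("weak-ciphers", addr, f"SSLCipherSuite enables {enabled}"))
        elif port == "443":
            findings.append(("ssl-off", addr, "port 443 host without 'SSLEngine on' answers TLS handshakes with plaintext HTTP"))
    for (host, port), addrs in ssl_by_endpoint.items():
        if len(addrs) > 1:
            findings.append(("ssl-collision", f"{host}:{port}", f"{len(addrs)} SSL hosts on one IP:port, but without SNI only one certificate can be served there: {addrs}"))
    vhost_hosts = {split_addr(vh["addr"])[0] for vh in vhosts}
    for nvh in name_vhosts:
        if split_addr(nvh)[0] not in vhost_hosts:
            findings.append(("namevhost-unused", nvh, "NameVirtualHost matches no <VirtualHost> address; name-based hosts must use the same address"))
    return findings


if __name__ == "__main__":
    for code, where, msg in lint(SAMPLE_CONF):
        print(f"{code:18} {where:28} {msg}")
```

Running it prints four findings for SAMPLE_CONF and none for GOOD_CONF. The one-certificate-per-IP:port rule it enforces is the pre-SNI restriction the thread discusses; Apache and OpenSSL releases with SNI relax it, but the mod_ssl/2.0.50 and OpenSSL/0.9.7d shown in the posted error_log predate that.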
 
Old 08-30-2004, 10:06 AM   #6
kevinm2
Member
 
Registered: Aug 2004
Distribution: Redhat 7.2
Posts: 73

Original Poster
Rep: Reputation: 15
Here is the content of the new version of my httpd.conf.

Listen 80
Listen 443

# <IfModule mod_ssl.c>
# Include etc/ssl.conf
# </IfModule>

NameVirtualHost 192.168.1.120

<VirtualHost *:80>
DocumentRoot /opt/lampp/htdocs/MyDomain
ServerName www.MyDomain.com
ServerAdmin info@MyDomain.com
UseCanonicalName off
DirectoryIndex index.htm index.html index.php
ServerAlias MyDomain.com
</VirtualHost>

<VirtualHost *:443>
DocumentRoot /opt/lampp/htdocs/MyDomain
ServerName www.MyDomain.com
ServerAdmin info@MyDomain.com
UseCanonicalName off
DirectoryIndex index.htm index.html index.php
ServerAlias MyDomain.com
SSLEngine on
SSLCertificateFile /opt/lampp/etc/ssl.crt/server1.crt
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/server1.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/opt/lampp/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

ServerName localhost
 
Old 08-30-2004, 02:50 PM   #7
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Try specifying IPADDR:443 instead of *:443.
 
Old 08-30-2004, 03:01 PM   #8
kevinm2
Member
 
Registered: Aug 2004
Distribution: Redhat 7.2
Posts: 73

Original Poster
Rep: Reputation: 15

No luck. I am running out of choices. Something so simple, yet ....
 
Old 08-30-2004, 03:50 PM   #9
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
How about some log entries? What are your Apache request/error logs saying when you try to connect?
 
Old 08-30-2004, 04:42 PM   #10
kevinm2
Member
 
Registered: Aug 2004
Distribution: Redhat 7.2
Posts: 73

Original Poster
Rep: Reputation: 15
In my attempt to solve the problem, I have also attached the most recent httpd.conf contents for your viewing.

I notice something about the cache:
>> -------------------------
error logs

When restarting Apache
[Mon Aug 30 14:26:42 2004] [notice] caught SIGTERM, shutting down
[Mon Aug 30 14:26:48 2004] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Aug 30 14:26:49 2004] [notice] suEXEC mechanism enabled (wrapper: /opt/lampp/bin/suexec)
[Mon Aug 30 14:26:50 2004] [notice] Digest: generating secret for digest authentication ...
[Mon Aug 30 14:26:50 2004] [notice] Digest: done
[Mon Aug 30 14:26:51 2004] [notice] Apache/2.0.50 (Unix) mod_perl/1.99_13 Perl/v5.8.4 mod_ssl/2.0.50 OpenSSL/0.9.7d PHP/4.3.8 DAV/2 configured -- resuming normal operations


>> -------------------------
Recent httpd.conf

Listen 80
Listen 443

# <IfModule mod_ssl.c>
# Include etc/ssl.conf
# </IfModule>

NameVirtualHost 192.168.1.120

<VirtualHost 192.168.1.120>
DocumentRoot /opt/lampp/htdocs/Domain1
ServerName www.Domain1.com
ServerAdmin info@Domain1.com
UseCanonicalName off
DirectoryIndex index.htm index.html index.php
ServerAlias Domain1.com
</VirtualHost>

<VirtualHost 192.168.1.120>
DocumentRoot /opt/lampp/htdocs/Domain2
ServerName www.Domain2.com
ServerAdmin info@Domain2.com
UseCanonicalName off
DirectoryIndex index.htm index.html index.php
ServerAlias Domain2.com
</VirtualHost>

<VirtualHost Domain2.com:443>
DocumentRoot /opt/lampp/htdocs/Domain2
ServerName www.Domain2.com:443
ServerAdmin info@Domain2.com
UseCanonicalName off
DirectoryIndex index.htm index.html index.php
ServerAlias Domain2.com
SSLEngine on
SSLCertificateFile /opt/lampp/etc/ssl.crt/servertest.crt
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/servertest.key
</VirtualHost>

ServerName localhost

Last edited by kevinm2; 08-30-2004 at 04:45 PM.
 
Old 08-30-2004, 04:51 PM   #11
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Your logs when restarting apache aren't very helpful since that isn't where your problem is. Look at your log files, try to connect with a web browser, then post the entries generated by that request. Be sure to check logs/access_log, logs/error_log AND logs/ssl_request_log.

Also, KISS. Remove as much as possible from your httpd.conf file. You need to make sure that the SSL is working correctly before attempting to muddle things up with virtual servers. One thing at a time.
 
Old 08-30-2004, 06:00 PM   #12
kevinm2
Member
 
Registered: Aug 2004
Distribution: Redhat 7.2
Posts: 73

Original Poster
Rep: Reputation: 15
No mention of https in ssl_request_log
No mention of https in access_log

Error logs - a small recent portion of them. Would you need more?

[Mon Aug 30 14:13:30 2004] [notice] caught SIGTERM, shutting down
[Mon Aug 30 14:13:36 2004] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Aug 30 14:13:37 2004] [notice] suEXEC mechanism enabled (wrapper: /opt/lampp/bin/suexec)
[Mon Aug 30 14:13:38 2004] [notice] Digest: generating secret for digest authentication ...
[Mon Aug 30 14:13:38 2004] [notice] Digest: done
[Mon Aug 30 14:13:39 2004] [notice] Apache/2.0.50 (Unix) mod_perl/1.99_13 Perl/v5.8.4 mod_ssl/2.0.50 OpenSSL/0.9.7d PHP/4.3.8 DAV/2 configured -- resuming normal operations
[Mon Aug 30 14:14:17 2004] [notice] caught SIGTERM, shutting down
[Mon Aug 30 14:14:24 2004] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Aug 30 14:14:25 2004] [notice] suEXEC mechanism enabled (wrapper: /opt/lampp/bin/suexec)
[Mon Aug 30 14:14:26 2004] [notice] Digest: generating secret for digest authentication ...
[Mon Aug 30 14:14:26 2004] [notice] Digest: done
[Mon Aug 30 14:14:27 2004] [notice] Apache/2.0.50 (Unix) mod_perl/1.99_13 Perl/v5.8.4 mod_ssl/2.0.50 OpenSSL/0.9.7d PHP/4.3.8 DAV/2 configured -- resuming normal operations
[Mon Aug 30 14:14:33 2004] [notice] caught SIGTERM, shutting down
[Mon Aug 30 14:14:39 2004] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Aug 30 14:14:40 2004] [notice] suEXEC mechanism enabled (wrapper: /opt/lampp/bin/suexec)
[Mon Aug 30 14:14:41 2004] [notice] Digest: generating secret for digest authentication ...
[Mon Aug 30 14:14:42 2004] [notice] Digest: done
[Mon Aug 30 14:14:43 2004] [notice] Apache/2.0.50 (Unix) mod_perl/1.99_13 Perl/v5.8.4 mod_ssl/2.0.50 OpenSSL/0.9.7d PHP/4.3.8 DAV/2 configured -- resuming normal operations
[Mon Aug 30 14:26:42 2004] [notice] caught SIGTERM, shutting down
[Mon Aug 30 14:26:48 2004] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Aug 30 14:26:49 2004] [notice] suEXEC mechanism enabled (wrapper: /opt/lampp/bin/suexec)
[Mon Aug 30 14:26:50 2004] [notice] Digest: generating secret for digest authentication ...
[Mon Aug 30 14:26:50 2004] [notice] Digest: done
[Mon Aug 30 14:26:51 2004] [notice] Apache/2.0.50 (Unix) mod_perl/1.99_13 Perl/v5.8.4 mod_ssl/2.0.50 OpenSSL/0.9.7d PHP/4.3.8 DAV/2 configured -- resuming normal operations
[Mon Aug 30 14:56:13 2004] [error] [client 63.204.45.52] script not found or unable to stat: /opt/lampp/htdocs/MyDomain1/session_login.cgi, referer: http://MyDomain1.com/webmin/?cat=servers
[Mon Aug 30 15:12:26 2004] [notice] caught SIGTERM, shutting down
[Mon Aug 30 15:12:32 2004] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Aug 30 15:12:33 2004] [notice] suEXEC mechanism enabled (wrapper: /opt/lampp/bin/suexec)
[Mon Aug 30 15:12:34 2004] [notice] Digest: generating secret for digest authentication ...
[Mon Aug 30 15:12:34 2004] [notice] Digest: done
[Mon Aug 30 15:12:35 2004] [notice] Apache/2.0.50 (Unix) mod_perl/1.99_13 Perl/v5.8.4 mod_ssl/2.0.50 OpenSSL/0.9.7d PHP/4.3.8 DAV/2 configured -- resuming normal operations
[Mon Aug 30 15:17:35 2004] [error] [client 63.204.45.52] script not found or unable to stat: /opt/lampp/htdocs/MyDomain2/config.cgi, referer: http://www.MyDomain2.com/webmin/apache/
[Mon Aug 30 15:18:31 2004] [error] [client 63.204.45.52] script not found or unable to stat: /opt/lampp/htdocs/MyDomain2/config.cgi, referer: http://www.MyDomain2.com/webmin/apache/
[Mon Aug 30 15:23:03 2004] [notice] caught SIGTERM, shutting down
[Mon Aug 30 15:23:10 2004] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Aug 30 15:23:11 2004] [notice] suEXEC mechanism enabled (wrapper: /opt/lampp/bin/suexec)
[Mon Aug 30 15:23:12 2004] [notice] Digest: generating secret for digest authentication ...
[Mon Aug 30 15:23:13 2004] [notice] Digest: done
[Mon Aug 30 15:23:14 2004] [notice] Apache/2.0.50 (Unix) mod_perl/1.99_13 Perl/v5.8.4 mod_ssl/2.0.50 OpenSSL/0.9.7d PHP/4.3.8 DAV/2 configured -- resuming normal operations
 
Old 08-31-2004, 01:25 PM   #13
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Quote:
Originally posted by kevinm2
No mention of https in ssl_request_log
No mention of https in access_log
What does this mean? Are you looking for a protocol handler in the logs? That won't be there in the standard log configurations.

First, make sure that apache is even listening on port 443: netstat -lnp

Next, remove all of the virtual host references from your httpd.conf file. Un-comment the reference to etc/ssl.conf. Why reinvent the wheel? Restart apache and see if you can connect via SSL. If not, check the logs. If there is no reference to the file you are trying to open in any of the logs, then either your logging is broken or you aren't really trying to connect to this server.

We're trying to help you out here, but you're making it a little difficult by only providing half of the information available to you at any given point in time.
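The two things TruckStuff asks for, as an added example written for this thread (not the poster's data and not Apache's code): a parser for `netstat -lnp` output that answers whether anything is listening on TCP 443, and a parser for logs/ssl_request_log lines in the CustomLog format from the first post, which shows what an HTTPS request actually looks like there (the negotiated protocol and cipher, never the string "https"). Both inputs are constructed samples, not captures from the poster's machine.

```python
import re

# Constructed `netstat -lnp` excerpt: httpd bound to port 80 only, which is
# what a missing "Listen 443" looks like from the outside.
NETSTAT_NO_443 = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2345/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1999/mysqld
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1234/dhclient
"""
NETSTAT_WITH_443 = NETSTAT_NO_443 + (
    "tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2345/httpd\n")

# Constructed ssl_request_log lines in the thread's CustomLog format:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSL_REQUEST_LOG = """\
[30/Aug/2004:16:01:12 -0500] 192.168.1.50 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1456
[30/Aug/2004:16:02:40 -0500] 192.168.1.50 SSLv2 EXP-RC4-MD5 "GET /login.php HTTP/1.0" 732
[30/Aug/2004:16:05:03 -0500] 203.0.113.7 TLSv1 DES-CBC3-SHA "POST /login.php HTTP/1.1" -
"""

LOG_LINE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+)$')


def tcp_listeners(netstat_output):
    """Map TCP port -> (local address, program) for every socket in LISTEN state."""
    listeners = {}
    for line in netstat_output.splitlines():
        f = line.split()
        # netstat columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")   # handles 0.0.0.0:443 and :::443
            listeners[int(port)] = (addr, f[6] if len(f) > 6 else "-")
    return listeners


def listening_on(netstat_output, port=443):
    """True when something is accepting TCP connections on `port`."""
    return port in tcp_listeners(netstat_output)


def parse_ssl_request_log(text):
    """Parse ssl_request_log lines into dicts; %b is logged as '-' for zero bytes."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue   # a line in another format is skipped, not fatal
        rec = m.groupdict()
        rec["bytes"] = None if rec["bytes"] == "-" else int(rec["bytes"])
        records.append(rec)
    return records


def weak_sessions(records):
    """(client, protocol, cipher) for requests negotiated with SSLv2, export-grade
    or null-encryption suites, which the +SSLv2:+EXP:+eNULL classes in the
    thread's first SSLCipherSuite would permit."""
    return [(r["client"], r["proto"], r["cipher"]) for r in records
            if r["proto"] == "SSLv2" or "EXP" in r["cipher"] or "NULL" in r["cipher"]]


if __name__ == "__main__":
    print("port 443 listening:", listening_on(NETSTAT_WITH_443))
    recs = parse_ssl_request_log(SSL_REQUEST_LOG)
    print(len(recs), "HTTPS requests; weak sessions:", weak_sessions(recs))
```

If `listening_on()` is false, no browser or `openssl s_client` test can succeed and the logs will stay empty, which is why the port check comes before the log check. Once requests do arrive, each ssl_request_log line records the protocol and cipher the client negotiated, so `weak_sessions()` is the quickest way to see whether a permissive cipher string is actually being exercised.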
 
  


All times are GMT -5.