Re: SSL Trouble with httpd-ssl.conf include
Re: SSL Trouble with httpd-ssl.conf include
- Subject: Re: SSL Trouble with httpd-ssl.conf include
- From: Jeff Schmitz <email@hidden>
- Date: Sun, 28 Nov 2010 08:58:10 -0700
It doesn't find the generated URL of:
https://localhost/netBrackets/-9999/wa/poolLogin
but if I just remove the 's' from https, it finds the page:
http://localhost/netBrackets/-9999/wa/poolLogin
I'm thinking it has to do with the secure port not being generated correctly. Shouldn't :443 be specified as part of the https url?
On Nov 28, 2010, at 8:08 AM, Henrique Gomes wrote:
>
> What's the URL that's not found? What code or bindings are you using to generate the hyperlink to the secure page?
>
> Henrique Gomes
>
>
> On Nov 28, 2010, at 2:51 PM, Jeff Schmitz wrote:
>
>> Thanks,
>>
>> That gets me closer. Apache is now running when I restart it, and when I click on the secure WOHyperlink it's creating a https URL, and it picks up the certificate, but then when I accept the certificate I get the "requested URL not found" error. If I simply change the url to be a http:// URL, the page comes up with no other changes to the generated URL. Looks like webobjects is not liking any https URL. Is there something I've forgotten to do?
>>
>> Thanks
>> Jeff
>> On Nov 26, 2010, at 12:11 PM, Henrique Gomes wrote:
>>
>>> The wiki is more complicated than what it's need on a recent system:
>>>
>>> After generating the certificate, just put the certificate and key as server.crt and server.key in /etc/apache2
>>>
>>> The only change needed to the conf files is to uncomment the line in httpd.conf to include the ssl conf. I just left this at it was, included below:
>>> (I believe it's just like snow leopard installed it.)
>>> <httpd-ssl.conf>
>>>
>>> Make sure the cert and key are readable to everyone or to the apache user.
>>> (on a production environment you should be more careful about the key file)
>>>
>>>
>>> Henrique Gomes
>>>
>>>
>>> On Nov 26, 2010, at 2:31 PM, Jeff Schmitz wrote:
>>>
>>>>
>>>> On Nov 26, 2010, at 6:34 AM, Henrique Gomes wrote:
>>>>
>>>>>
>>>>> On Nov 26, 2010, at 4:25 AM, Jeff Schmitz wrote:
>>>>>
>>>>>> Hello,
>>>>>> I'm following the directions at the below link to add ssl support...
>>>>>>
>>>>>> http://wiki.objectstyle.org/confluence/display/WO/Development-SSL+requests+via+https+protocol?showComments=true&showCommentArea=true#addcomment
>>>>>>
>>>>>> but after adding the following Include to the httpd.conf file...
>>>>>>
>>>>>> Include /private/etc/apache2/extra/httpd-ssl.conf
>>>>>
>>>>> Whats in that file? Did you edit it?
>>>>
>>>> Didn't edit it. It's pasted below.
>>>>
>>>>
>>>>
>>>>>
>>>>>>
>>>>>> When I restart apache and try to open http://localhost I get the cannot connect to server error page. Looking in /var/log/apache there are no error messages, and according to the Systems Preferences panel apache is running. If I comment it out again and restart apache, it starts serving pages again.
>>>>>>
>>>>>
>>>>> http? or https? if http://localhost doesn't work, either apache is not running or some thing really strange is wrong with your setup.
>>>>
>>>> Neither works. But as soon as I comment out that line and restart, it starts serving http://localhost, but still not https://localhost
>>>>
>>>> I did notice when restarting this morning with the Include line commented out, I get the following warnings/notices:
>>>>
>>>> [Fri Nov 26 08:19:00 2010] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
>>>> [Fri Nov 26 08:19:00 2010] [notice] Digest: generating secret for digest authentication ...
>>>> [Fri Nov 26 08:19:00 2010] [notice] Digest: done
>>>> [Fri Nov 26 08:19:00 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8l DAV/2 configured -- resuming normal operations
>>>> [Fri Nov 26 08:19:03 2010] [notice] caught SIGTERM, shutting down
>>>> [Fri Nov 26 08:19:03 2010] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
>>>> [Fri Nov 26 08:19:03 2010] [notice] Digest: generating secret for digest authentication ...
>>>> [Fri Nov 26 08:19:03 2010] [notice] Digest: done
>>>> [Fri Nov 26 08:19:03 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8l DAV/2 configured -- resuming normal operations
>>>>
>>>> But I get no messages when the Include line is included.
>>>>
>>>>>
>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> Thanks,
>>>>>> Jeff
>>>>>>
>>>>>> _______________________________________________
>>>>>> Do not post admin requests to the list. They will be ignored.
>>>>>> Webobjects-dev mailing list (email@hidden)
>>>>>> Help/Unsubscribe/Update your Subscription:
>>>>>>
>>>>>> This email sent to email@hidden
>>>>>
>>>> #
>>>> # This is the Apache server configuration file providing SSL support.
>>>> # It contains the configuration directives to instruct the server how to
>>>> # serve pages over an https connection. For detailing information about these
>>>> # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
>>>> #
>>>> # Do NOT simply read the instructions in here without understanding
>>>> # what they do. They're here only as hints or reminders. If you are unsure
>>>> # consult the online docs. You have been warned.
>>>> #
>>>>
>>>> #
>>>> # Pseudo Random Number Generator (PRNG):
>>>> # Configure one or more sources to seed the PRNG of the SSL library.
>>>> # The seed data should be of good random quality.
>>>> # WARNING! On some platforms /dev/random blocks if not enough entropy
>>>> # is available. This means you then cannot use the /dev/random device
>>>> # because it would lead to very long connection times (as long as
>>>> # it requires to make more entropy available). But usually those
>>>> # platforms additionally provide a /dev/urandom device which doesn't
>>>> # block. So, if available, use this one instead. Read the mod_ssl User
>>>> # Manual for more details.
>>>> #
>>>> #SSLRandomSeed startup file:/dev/random 512
>>>> #SSLRandomSeed startup file:/dev/urandom 512
>>>> #SSLRandomSeed connect file:/dev/random 512
>>>> #SSLRandomSeed connect file:/dev/urandom 512
>>>>
>>>>
>>>> #
>>>> # When we also provide SSL we have to listen to the
>>>> # standard HTTP port (see above) and to the HTTPS port
>>>> #
>>>> # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
>>>> # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
>>>> #
>>>> Listen 443
>>>>
>>>> ##
>>>> ## SSL Global Context
>>>> ##
>>>> ## All SSL configuration in this context applies both to
>>>> ## the main server and all SSL-enabled virtual hosts.
>>>> ##
>>>>
>>>> #
>>>> # Some MIME-types for downloading Certificates and CRLs
>>>> #
>>>> AddType application/x-x509-ca-cert .crt
>>>> AddType application/x-pkcs7-crl .crl
>>>>
>>>> # Pass Phrase Dialog:
>>>> # Configure the pass phrase gathering process.
>>>> # The filtering dialog program (`builtin' is a internal
>>>> # terminal dialog) has to provide the pass phrase on stdout.
>>>> SSLPassPhraseDialog builtin
>>>>
>>>> # Inter-Process Session Cache:
>>>> # Configure the SSL Session Cache: First the mechanism
>>>> # to use and second the expiring timeout (in seconds).
>>>> #SSLSessionCache "dbm:/private/var/run/ssl_scache"
>>>> SSLSessionCache "shmcb:/private/var/run/ssl_scache(512000)"
>>>> SSLSessionCacheTimeout 300
>>>>
>>>> # Semaphore:
>>>> # Configure the path to the mutual exclusion semaphore the
>>>> # SSL engine uses internally for inter-process synchronization.
>>>> SSLMutex "file:/private/var/run/ssl_mutex"
>>>>
>>>> ##
>>>> ## SSL Virtual Host Context
>>>> ##
>>>>
>>>> <VirtualHost localhost:443>
>>>>
>>>> # General setup for the virtual host
>>>> DocumentRoot "/Library/WebServer/Documents"
>>>> ServerName localhost
>>>> ServerAdmin email@hidden
>>>> ErrorLog "/private/var/log/apache2/error_log"
>>>> TransferLog "/private/var/log/apache2/access_log"
>>>>
>>>> # SSL Engine Switch:
>>>> # Enable/Disable SSL for this virtual host.
>>>> SSLEngine on
>>>>
>>>> # SSL Cipher Suite:
>>>> # List the ciphers that the client is permitted to negotiate.
>>>> # See the mod_ssl documentation for a complete list.
>>>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>>>
>>>> # Server Certificate:
>>>> # Point SSLCertificateFile at a PEM encoded certificate. If
>>>> # the certificate is encrypted, then you will be prompted for a
>>>> # pass phrase. Note that a kill -HUP will prompt again. Keep
>>>> # in mind that if you have both an RSA and a DSA certificate you
>>>> # can configure both in parallel (to also allow the use of DSA
>>>> # ciphers, etc.)
>>>> SSLCertificateFile "/private/etc/apache2/devsslcerts/localhost_server.crt"
>>>> #SSLCertificateFile "/private/etc/apache2/server-dsa.crt"
>>>>
>>>> # Server Private Key:
>>>> # If the key is not combined with the certificate, use this
>>>> # directive to point at the key file. Keep in mind that if
>>>> # you've both a RSA and a DSA private key you can configure
>>>> # both in parallel (to also allow the use of DSA ciphers, etc.)
>>>> SSLCertificateKeyFile "/private/etc/apache2/dvsslcerts/localhost_server.key"
>>>> #SSLCertificateKeyFile "/private/etc/apache2/server-dsa.key"
>>>>
>>>> # Server Certificate Chain:
>>>> # Point SSLCertificateChainFile at a file containing the
>>>> # concatenation of PEM encoded CA certificates which form the
>>>> # certificate chain for the server certificate. Alternatively
>>>> # the referenced file can be the same as SSLCertificateFile
>>>> # when the CA certificates are directly appended to the server
>>>> # certificate for convinience.
>>>> #SSLCertificateChainFile "/private/etc/apache2/server-ca.crt"
>>>>
>>>> # Certificate Authority (CA):
>>>> # Set the CA certificate verification path where to find CA
>>>> # certificates for client authentication or alternatively one
>>>> # huge file containing all of them (file must be PEM encoded)
>>>> # Note: Inside SSLCACertificatePath you need hash symlinks
>>>> # to point to the certificate files. Use the provided
>>>> # Makefile to update the hash symlinks after changes.
>>>> #SSLCACertificatePath "/private/etc/apache2/ssl.crt"
>>>> #SSLCACertificateFile "/private/etc/apache2/ssl.crt/ca-bundle.crt"
>>>>
>>>> # Certificate Revocation Lists (CRL):
>>>> # Set the CA revocation path where to find CA CRLs for client
>>>> # authentication or alternatively one huge file containing all
>>>> # of them (file must be PEM encoded)
>>>> # Note: Inside SSLCARevocationPath you need hash symlinks
>>>> # to point to the certificate files. Use the provided
>>>> # Makefile to update the hash symlinks after changes.
>>>> #SSLCARevocationPath "/private/etc/apache2/ssl.crl"
>>>> #SSLCARevocationFile "/private/etc/apache2/ssl.crl/ca-bundle.crl"
>>>>
>>>> # Client Authentication (Type):
>>>> # Client certificate verification type and depth. Types are
>>>> # none, optional, require and optional_no_ca. Depth is a
>>>> # number which specifies how deeply to verify the certificate
>>>> # issuer chain before deciding the certificate is not valid.
>>>> #SSLVerifyClient require
>>>> #SSLVerifyDepth 10
>>>>
>>>> # Access Control:
>>>> # With SSLRequire you can do per-directory access control based
>>>> # on arbitrary complex boolean expressions containing server
>>>> # variable checks and other lookup directives. The syntax is a
>>>> # mixture between C and Perl. See the mod_ssl documentation
>>>> # for more details.
>>>> #<Location />
>>>> #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>>>> # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
>>>> # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
>>>> # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
>>>> # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
>>>> # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
>>>> #</Location>
>>>>
>>>> # SSL Engine Options:
>>>> # Set various options for the SSL engine.
>>>> # o FakeBasicAuth:
>>>> # Translate the client X.509 into a Basic Authorisation. This means that
>>>> # the standard Auth/DBMAuth methods can be used for access control. The
>>>> # user name is the `one line' version of the client's X.509 certificate.
>>>> # Note that no password is obtained from the user. Every entry in the user
>>>> # file needs this password: `xxj31ZMTZzkVA'.
>>>> # o ExportCertData:
>>>> # This exports two additional environment variables: SSL_CLIENT_CERT and
>>>> # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
>>>> # server (always existing) and the client (only existing when client
>>>> # authentication is used). This can be used to import the certificates
>>>> # into CGI scripts.
>>>> # o StdEnvVars:
>>>> # This exports the standard SSL/TLS related `SSL_*' environment variables.
>>>> # Per default this exportation is switched off for performance reasons,
>>>> # because the extraction step is an expensive operation and is usually
>>>> # useless for serving static content. So one usually enables the
>>>> # exportation for CGI and SSI requests only.
>>>> # o StrictRequire:
>>>> # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
>>>> # under a "Satisfy any" situation, i.e. when it applies access is denied
>>>> # and no other module can change it.
>>>> # o OptRenegotiate:
>>>> # This enables optimized SSL connection renegotiation handling when SSL
>>>> # directives are used in per-directory context.
>>>> #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
>>>> <FilesMatch "\.(cgi|shtml|phtml|php)$">
>>>> SSLOptions +StdEnvVars
>>>> </FilesMatch>
>>>> <Directory "/Library/WebServer/CGI-Executables">
>>>> SSLOptions +StdEnvVars
>>>> </Directory>
>>>>
>>>> # SSL Protocol Adjustments:
>>>> # The safe and default but still SSL/TLS standard compliant shutdown
>>>> # approach is that mod_ssl sends the close notify alert but doesn't wait for
>>>> # the close notify alert from client. When you need a different shutdown
>>>> # approach you can use one of the following variables:
>>>> # o ssl-unclean-shutdown:
>>>> # This forces an unclean shutdown when the connection is closed, i.e. no
>>>> # SSL close notify alert is send or allowed to received. This violates
>>>> # the SSL/TLS standard but is needed for some brain-dead browsers. Use
>>>> # this when you receive I/O errors because of the standard approach where
>>>> # mod_ssl sends the close notify alert.
>>>> # o ssl-accurate-shutdown:
>>>> # This forces an accurate shutdown when the connection is closed, i.e. a
>>>> # SSL close notify alert is send and mod_ssl waits for the close notify
>>>> # alert of the client. This is 100% SSL/TLS standard compliant, but in
>>>> # practice often causes hanging connections with brain-dead browsers. Use
>>>> # this only for browsers where you know that their SSL implementation
>>>> # works correctly.
>>>> # Notice: Most problems of broken clients are also related to the HTTP
>>>> # keep-alive facility, so you usually additionally want to disable
>>>> # keep-alive for those clients, too. Use variable "nokeepalive" for this.
>>>> # Similarly, one has to force some clients to use HTTP/1.0 to workaround
>>>> # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
>>>> # "force-response-1.0" for this.
>>>> BrowserMatch ".*MSIE.*" \
>>>> nokeepalive ssl-unclean-shutdown \
>>>> downgrade-1.0 force-response-1.0
>>>>
>>>> # Per-Server Logging:
>>>> # The home of a custom SSL log file. Use this when you want a
>>>> # compact non-error SSL logfile on a virtual host basis.
>>>> CustomLog "/private/var/log/apache2/ssl_request_log" \
>>>> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>>>
>>>> </VirtualHost>
>>>>
>>>
>>
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden