
Thread: apache2 setup for SSL-TLS

  1. #1

    apache2 setup for SSL-TLS

    I am integrating osCommerce into my existing (brochure-type) website and need help configuring SSL with apache2.
    I just loaded my CA issued ssl.csr and ssl.key files into their respective directories. I was hoping not to use the VirtualHost protocol, but would like to have my basic web content served through http/port 80 and my osCommerce pages through https/port 443 using the same Apache instance.

    Here is some output which may be useful:

    tall:/var/log/apache2 # service apache2 restart
    Syntax OK
    Shutting down httpd2 (waiting for all children to terminate) done
    Starting httpd2 (prefork) done
    tall:/var/log/apache2 # tail -n 2 error_log
    [Sat Aug 29 16:22:44 2009] [notice] caught SIGTERM, shutting down
    [Sat Aug 29 16:22:45 2009] [notice] Apache/2.2.10 (Linux/SUSE) mod_ssl/2.2.10 OpenSSL/0.9.8h PHP/5.2.9 with Suhosin-Patch configured -- resuming normal operations
    tall:/var/log/apache2 #

    I can navigate to my home page from outside my network using a web client (i.e. with Konqueror): http://menardsystems.com:80 or http://menardsystems.com:443, and get no indication of SSL being enabled. When I try https://menardsystems.com, I get the following browser client message:

    Secure Connection Failed


    An error occurred during a connection to menardsystems.com.

    SSL received a record that exceeded the maximum permissible length.

    (Error code: ssl_error_rx_record_too_long)

    The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

    * Please contact the web site owners to inform them of this problem.

    The key I generated and submitted to the CA was a 2048-bit RSA private key. Any suggestions before I call the CA?

  2. #2
    Join Date: Jun 2008 | Location: UTC+10 | Posts: 9,686 | Blog Entries: 4

    Re: apache2 setup for SSL-TLS

    First of all, you have to use https://...; http://...:443 will not work.

    Secondly, it's the crt and key files that you install, and not the csr file.

    You should check the files in /var/log/apache2/ for any log messages related to SSL startup.

    Note that virtual hosting doesn't work with HTTPS, you can only have one site per IP address with SSL. But virtual hosting will work with HTTP. HTTP and HTTPS can coexist on the same server.

  3. #3

    Re: apache2 setup for SSL-TLS

    My original post included the client attempts with http://menardsystems.com:80 and http://menardsystems.com:443 partly in order to establish that Apache is listening on those ports and that my firewall is configured accordingly. Is my understanding correct on that matter?

    My earlier reference to "ssl.csr" was a typographical error--I had intended "ssl.crt".

    Here is an error_log message related to a client https request:
    tall:/var/log/apache2 # tail -f /var/log/apache2/error_log
    ...
    [Sun Aug 30 07:54:29 2009] [error] [client 99.2.135.18] Invalid method in request \x16\x03\x01
    ...

    I have seen numerous Apache documentation references to the use of one (ip-based) https-SSL enabled site coexisting with an http site, with the option to use the virtual host directive or not for the https site. My case is simple in that I wish to serve both http and https content through "99.2.135.18".
    My understanding is that the pertinent configuration file related to this is "listen.conf", so here is my current state:

    tall:/etc/apache2 # cat listen.conf
    # Listen: Allows you to bind Apache to specific IP addresses and/or
    # ports. See also the <VirtualHost> directive.
    #
    # mpm_common - Apache HTTP Server
    #
    # Change this to Listen on specific IP addresses as shown below to
    # prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
    #
    # When we also provide SSL we have to listen to the
    # standard HTTP port (see above) and to the HTTPS port
    #
    # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
    # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
    #
    #Listen 443



    <IfDefine SSL>
    <IfDefine !NOSSL>
    <IfModule mod_ssl.c>

    Listen 443

    </IfModule>
    </IfDefine>
    </IfDefine>


    # Use name-based virtual hosting
    #
    # - on a specified address / port:
    #
    #NameVirtualHost 12.34.56.78:80
    #
    # - name-based virtual hosting:
    #
    #NameVirtualHost *:80
    #
    # - on all addresses and ports. This is your best bet when you are on
    # dynamically assigned IP addresses:
    #
    #NameVirtualHost *

    #Listen 443
    Listen 80

    tall:/etc/apache2 #

    My CA tech support responded to my service request with:

    Please do refer the following link to know more about "SSL_ERROR_RX_RECORD_TOO_LONG"
    https://support.comodo.com/index.php...articleid=1196

    That link suggests:
    "...If you are using Apache2:
    In the ports.conf file, make sure it looks like the following:
    clip
    Listen 80
    Listen 443 https
    clip

    The https after the 443 tells Apache2 to use the SSL protocol on that port."

    I am assuming that Suse "listen.conf" file is an analogue to the "ports.conf" file.

    When I adjust "listen.conf" accordingly, Apache fails to restart:
    tall:/etc/apache2 # vi listen.conf
    tall:/etc/apache2 # service apache2 restart
    Syntax OK
    Shutting down httpd2 (waiting for all children to terminate) done
    Starting httpd2 (prefork) (98)Address already in use: make_sock: could not bind to address [::]:443
    (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
    no listening sockets available, shutting down
    Unable to open logs
    startproc: exit status of parent of /usr/sbin/httpd2-prefork: 1
    failed
    tall:/etc/apache2 #

    Any guidance will be appreciated--Mark

  4. #4
    Join Date: Jun 2008 | Location: UTC+10 | Posts: 9,686 | Blog Entries: 4

    Re: apache2 setup for SSL-TLS

    Looking at a working openSUSE server that does HTTPS: The ports do not need to be edited in listen.conf, only the line for the type of VirtualHosting. That's the only change you need to listen.conf. To enable HTTPS you only have to enable SSL in /etc/sysconfig/apache.conf. Chances are you have repeated the 443 in two places. You can't have the 443 inside a VirtualHost scope. VirtualHosts don't work with HTTPS. But you can have VirtualHosts for port 80.

  5. #5

    Re: apache2 setup for SSL-TLS

    I don't have /etc/sysconfig/apache.conf:

    tall:/etc/sysconfig # ls -l
    total 348
    -rw-r--r-- 1 root root 34041 Aug 28 23:04 SuSEfirewall2
    drwxr-xr-x 3 root root 21 Dec 3 2008 SuSEfirewall2.d
    -rw-r--r-- 1 root root 571 Aug 22 13:31 amavis
    -rw-r--r-- 1 root root 10084 Aug 29 22:52 apache2
    -rw-r--r-- 1 root root 10065 Aug 29 16:03 apache2-old
    -rw-r--r-- 1 root root 450 Aug 22 13:31 atd
    ...

    Did you mean to say /etc/sysconfig/apache2?

    If so, here is an excerpt from that file:

    APACHE_SERVER_FLAGS="SSL"

    (--not commented out--)

    After restarting Apache, the output in the error_log file includes:
    [Sun Aug 30 16:27:44 2009] [notice] Apache/2.2.10 (Linux/SUSE) mod_ssl/2.2.10 OpenSSL/0.9.8h PHP/5.2.9 with Suhosin-Patch configured -- resuming normal operations

    Doesn't that suggest that SSL is enabled?

  6. #6
    Join Date: Jun 2008 | Location: UTC+10 | Posts: 9,686 | Blog Entries: 4

    Re: apache2 setup for SSL-TLS

    Yeah /etc/sysconfig/apache2.

    That log message simply says that the ssl module is loaded. Whether it is actually activated depends on that -DSSL.

    You should also be able to see that Apache is listening on 443 in the output of:

    netstat -atn | grep :443

  7. #7

    Re: apache2 setup for SSL-TLS

    As stated earlier, http://localhost:443 works, but https://localhost:443 does not.

    tall:/ # netstat -atn | grep :443
    tcp 0 0 :::443 :::* LISTEN
    tall:/ # curl https://localhost/
    curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    tall:/ #

  8. #8
    Join Date: Jun 2008 | Location: UTC+10 | Posts: 9,686 | Blog Entries: 4

    Re: apache2 setup for SSL-TLS

    This means Apache is listening for HTTP on 443. Usually it's because you don't have HTTPS activated for that port, or have activated HTTP for that port. I would put listen.conf back the way it was fresh from the install, forget about VirtualHosts for HTTP for the time being and see if you can get HTTPS working. Check that you don't have other listen 443's in any of the config files. The only listen 443 should be the one enclosed within the ifdef SSL.

    Another possibility is the cert isn't correct. You could try turning on any debug options on curl. Or try wget with -S to show server responses.

    wget -S https://localhost

    or use telnet

    telnet localhost 443
    GET / HTTP/1.1

  9. #9

    Re: apache2 setup for SSL-TLS

    tall:/ # wget -S https://localhost
    --2009-08-30 22:00:05-- https://localhost/
    Resolving localhost... ::1, 127.0.0.1
    Connecting to localhost|::1|:443... connected.
    OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    Unable to establish SSL connection.

    tall:/ # curl -v https://menardsystems.com
    * About to connect() to menardsystems.com port 443 (#0)
    * Trying 192.168.1.18... connected
    * Connected to menardsystems.com (192.168.1.18) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: none
    CApath: /etc/ssl/certs/
    * SSLv3, TLS handshake, Client hello (1):
    * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    * Closing connection #0
    curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    tall:/ #

    I would like to know precisely what is generating error:140770FC.

  10. #10
    Join Date: Jun 2008 | Location: UTC+10 | Posts: 9,686 | Blog Entries: 4

    Re: apache2 setup for SSL-TLS

    Try to connect with telnet and see if port 443 responds to a HTTP request and delivers the content as if it were port 80. If so, you are not serving HTTPS on port 443 as the client expects.

    Code:
    telnet localhost 443
    GET / HTTP/1.1
    <return>
    <return>
    However if it says something to the effect "I was expecting you (the client) to start a SSL negotiation", then that's not the problem.
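A small diagnostic that automates the check the replies above describe, written for this thread as an added example (it is not code from the thread, from Apache or from openSUSE): it sends a minimal TLS ClientHello, whose first bytes are the \x16\x03\x01 that Apache logged as an "invalid method", and classifies the reply as plain HTTP (the ssl_error_rx_record_too_long / "unknown protocol" symptom) or as a genuine TLS response. The host and port are arguments, and the sample replies are constructed, not captured from any server.

```python
import os
import socket

# Constructed sample replies (not captures from the thread's server).
# A plain-HTTP Apache answering on 443 returns an HTTP status line, which
# Firefox reports as ssl_error_rx_record_too_long and curl as "unknown protocol".
SAMPLE_PLAIN_HTTP = b"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\n\r\n"
# A TLS server answers with a handshake record: type 0x16, version 3.1, length.
SAMPLE_TLS = b"\x16\x03\x01\x00\x06\x02\x00\x00\x02\x03\x01"
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"  # fatal handshake_failure alert

def tls_client_hello():
    """Minimal TLS 1.0 ClientHello offering one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)."""
    body = (b"\x03\x01" + os.urandom(32) + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00")         # one suite, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # The record header is the \x16\x03\x01 that Apache logged as an "invalid method".
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def parse_tls_record_header(data):
    """Return (content_type, (major, minor), length) for a TLS record header, else None."""
    if len(data) < 5 or data[1] != 3 or data[2] > 4:
        return None
    if data[0] not in (0x14, 0x15, 0x16, 0x17):
        return None
    return data[0], (data[1], data[2]), int.from_bytes(data[3:5], "big")

def classify_reply(data):
    """Classify the first bytes a server sent back after a TLS ClientHello."""
    if data.startswith(b"HTTP/"):
        return "plain-http"  # HTTP, not HTTPS, is being served on this port
    hdr = parse_tls_record_header(data)
    if hdr is None:
        return "unknown" if data else "closed"
    return {0x16: "tls-handshake", 0x15: "tls-alert"}.get(hdr[0], "tls-other")

def probe(host, port=443, timeout=5.0):
    """Live check: send the ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(tls_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

A result of "plain-http" is the situation the thread is chasing: Apache answers on 443 without SSLEngine active, so the browser's TLS record is parsed as an HTTP request and the HTTP error page comes back where a ServerHello was expected.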
