From: "Artem K. Jouravsky" <ujo@ifirst.ru>
To: "Spring 2001" <mandrake-russian@altlinux.ru>
Subject: [mdk-re] Apache+SSL
Date: Tue Oct 30 18:44:02 2001
Message-ID: <20011030184909.38f14f27.ujo@ifirst.ru>

Good day to all!

Gentlemen, give me at least some hint! I am worn out.

The task: bring up a web server with support for SSL connections. There are many virtual hosts, but SSL is needed on at least one of them; beggars can't be choosers.

Steps: apt-get install mod_ssl; it installs fine. It appends to the end of /etc/httpd/conf/httpd.conf a line that includes two additional config files, mod_ssl.conf and ssl.default-vhost.conf. I don't touch anything in the first one (I've had my fill of experimenting already), nor in the second. But at the very least the certificates have to be replaced so that it is recognized not as localhost but can be reached from outside. I run /usr/lib/ssl/mod_ssl/gid-mkcert.sh and get a pile of files. I copy server.key and server.crt (and all the other server.* files for good measure) into the /etc/httpd/conf/ssl directory, create a CA directory there and copy all the ca.* files into it. I set the permissions. I start the server and dig into the logs.

Here is what we have:

error_log:
^^^^^^^^^^
[Tue Oct 30 18:34:41 2001] [notice] Apache/1.3.22 (ALT Linux/alt1) mod_ssl/2.8.5 OpenSSL/0.9.6b rus/PL30.9 configured -- resuming normal operations
[Tue Oct 30 18:34:41 2001] [notice] Accept mutex: sysvsem (Default: sysvsem)

ssl_engine_log:
^^^^^^^^^^^^^^^
[30/Oct/2001 18:34:38 08254] [info] Server: Apache/1.3.22, Interface: mod_ssl/2.8.5, Library: OpenSSL/0.9.6b
[30/Oct/2001 18:34:38 08254] [info] Init: 1st startup round (still not detached)
[30/Oct/2001 18:34:38 08254] [info] Init: Initializing OpenSSL library
[30/Oct/2001 18:34:38 08254] [info] Init: Loading certificate & private key of SSL-aware server ujo.int.ifirst.ru:443
[30/Oct/2001 18:34:38 08254] [info] Init: Requesting pass phrase via builtin terminal dialog
[30/Oct/2001 18:34:40 08254] [trace] Init: (ujo.int.ifirst.ru:443) encrypted RSA private key - pass phrase requested
[30/Oct/2001 18:34:40 08254] [info] Init: Wiped out the queried pass phrases from memory
[30/Oct/2001 18:34:40 08254] [info] Init: Seeding PRNG with 136 bytes of entropy
[30/Oct/2001 18:34:40 08254] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[30/Oct/2001 18:34:41 08254] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[30/Oct/2001 18:34:41 08255] [info] Init: 2nd startup round (already detached)
[30/Oct/2001 18:34:41 08255] [info] Init: Reinitializing OpenSSL library
[30/Oct/2001 18:34:41 08255] [info] Init: Created hash-table (250 buckets) in shared memory (512000 bytes) for SSL session cache
[30/Oct/2001 18:34:41 08255] [info] Init: Seeding PRNG with 136 bytes of entropy
[30/Oct/2001 18:34:41 08255] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
[30/Oct/2001 18:34:41 08255] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[30/Oct/2001 18:34:41 08255] [info] Init: Initializing (virtual) servers for SSL
[30/Oct/2001 18:34:41 08255] [info] Init: Configuring server ujo.int.ifirst.ru:443 for SSL protocol
[30/Oct/2001 18:34:41 08255] [trace] Init: (ujo.int.ifirst.ru:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[30/Oct/2001 18:34:41 08255] [trace] Init: (ujo.int.ifirst.ru:443) Configuring RSA server certificate
[30/Oct/2001 18:34:41 08255] [info] Init: (ujo.int.ifirst.ru:443) RSA server certificate enables Server Gated Cryptography (SGC)
[30/Oct/2001 18:34:41 08255] [trace] Init: (ujo.int.ifirst.ru:443) Configuring RSA server private key

So I'm thinking everything is fine. No such luck!

[ujo@ujo doc]$ curl https://ujo.int.ifirst.ru/
curl: (35) SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

error_log:
^^^^^^^^^^
[Tue Oct 30 18:46:24 2001] [error] [client 192.168.100.148] Invalid method in request ──...

[ujo@ujo doc]$ openssl s_client -connect ujo.int.ifirst.ru:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0809C7A0 [0809C7E8] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 16 00 00   ......W... .....
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 07 00 00 05   .........f......
0020 - 00 00 04 05 00 80 03 00-80 01 00 80 08 00 80 00   ................
0030 - 00 65 00 00 64 00 00 63-00 00 62 00 00 61 00 00   .e..d..c..b..a..
0040 - 60 00 00 15 00 00 12 00-00 09 06 00 40 00 00 14   `...........@...
0050 - 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02   ................
0060 - 00 80 4e 54 5c 9c 2c 81-8a 5b e5 e6 51 23 d4 88   ..NT\.,..[..Q#..
0070 - c5 29 18 72 3b 38 86 25-d5 86 b3 de 2e ad c9 73   .).r;8.%.......s
0080 - 6e 06                                             n.
SSL_connect:SSLv2/v3 write client hello A
read from 0809C7A0 [080A1D48] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
8291:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:

Nothing gets written to the logs at that point.

What am I doing wrong??? This is the third day I've been struggling with it; I've reread a pile of docs... Everything seems right, yet no enlightenment comes to me.

------
Best wishes,
+----------------------+--------------------------+
| ."-.                 | Work: +7-(095)-229-4278  |
| /X | _o.----. _      | ICQ: 103399444           |
|/\_ \/ / __ \_// )    | Artem K. Jouravsky       |
|\__)-/_/\_____)____/  | http://www.ifirst.ru/    |
+----------------------+--------------------------+
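What the two captures in the post show, as an added diagnostic example (this is editorial code, not part of the original message and not code from mod_ssl or OpenSSL): openssl s_client wrote a 130-byte SSLv2-compatible ClientHello (the record beginning 80 80 01 03 01) and got back the seven bytes `<!DOCTY`, the start of an HTML document rather than a ServerHello, which is exactly what the client's "unknown protocol" error means. The server-side counterpart is the `Invalid method in request` line: Apache tried to parse the binary ClientHello as an HTTP request line, so whatever is answering on port 443 is speaking plain HTTP, not SSL. The usual cause for that pattern is a listener or virtual host on the SSL port that does not have the SSL engine enabled. The script below parses the hex-dump lines that `openssl s_client -debug` prints, classifies the first bytes of the server's reply as a TLS record, an SSLv2 record or plaintext HTTP, and adds a small live probe that sends a plaintext request to a port that is supposed to speak TLS. The sample dumps are constructed for the example: the seven-byte reply is the one quoted above, the TLS dump is made up, and the behaviour of a correctly configured server in the probe is stated as an assumption.

```python
"""Classify what a server on a TLS port actually sent back.

Added example, not code from the original post or from mod_ssl/OpenSSL.
It parses the hex-dump lines printed by `openssl s_client -debug`,
names the protocol the first bytes of the reply belong to, and offers a
small live probe. All sample dumps below are constructed for the
example; the 7-byte reply is the one quoted in the post.
"""
import re
import socket

# Reply quoted in the post: the server answered the ClientHello with the
# start of an HTML document instead of a ServerHello.
DUMP_FROM_POST = """\
SSL_connect:SSLv2/v3 write client hello A
read from 0809C7A0 [080A1D48] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
"""

# Constructed dump of what a working TLS 1.0 listener answers: a handshake
# record (0x16) carrying a ServerHello (0x02). Not captured from any server.
DUMP_TLS_OK = """\
read from 0809C7A0 [080A1D48] (16 bytes => 16 (0x10))
0000 - 16 03 01 00 4a 02 00 00-46 03 01 5b 8c 2e 71 09   ....J...F..[..q.
"""

OFFSET_LINE = re.compile(r"^[0-9a-fA-F]{4} - (.*)$")
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_dump_lines(text: str) -> bytes:
    """Return the bytes of the first 'read from' block in s_client -debug output.

    Each dump line is '<offset> - <up to 16 hex bytes> <ascii column>'; the
    hex bytes are separated by spaces (and one '-' after the 8th byte), so we
    split on both and stop at the first token that is not a hex byte."""
    out = bytearray()
    in_read = False
    for line in text.splitlines():
        if line.startswith("read from "):
            in_read = True
            continue
        if not in_read:
            continue
        m = OFFSET_LINE.match(line)
        if not m:
            if out:            # a non-dump line ends the block
                break
            continue
        count = 0
        for tok in re.split(r"[ -]", m.group(1)):
            if count == 16 or not HEX_TOKEN.match(tok):
                break
            out.append(int(tok, 16))
            count += 1
    return bytes(out)


def classify_reply(data: bytes) -> str:
    """Name the protocol the first bytes of a server reply belong to."""
    if len(data) < 3:
        return "too-short"
    # TLS record header: content type (0x16 handshake, 0x15 alert), version 3.x
    if data[0] in (0x15, 0x16) and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake" if data[0] == 0x16 else "tls-alert"
    # SSLv2 record: high bit of the first length byte set, msg type 4 = SERVER-HELLO
    if data[0] & 0x80 and data[2] == 0x04:
        return "sslv2-server-hello"
    # Plain HTTP on the TLS port: a status line, or a bare HTML body as Apache
    # sends for an HTTP/0.9-style request it could not parse
    if data.lstrip()[:8].upper().startswith((b"HTTP/", b"<!DOC", b"<HTML")):
        return "plaintext-http"
    return "unknown"


def probe_tls_port(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a plaintext request to a port that should speak TLS and classify
    the reply. A listener that answers 'plaintext-http' is serving unencrypted
    HTTP on that port; a real TLS listener (assumption: typical OpenSSL-based
    servers) closes the connection or sends a TLS alert. Needs network access
    and is not exercised by the sample data above."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            data = s.recv(64)
        except socket.timeout:
            return "no-reply"
    return "closed" if not data else classify_reply(data)


if __name__ == "__main__":
    for name, dump in (("post", DUMP_FROM_POST), ("tls", DUMP_TLS_OK)):
        reply = parse_dump_lines(dump)
        print(name, reply[:8], "->", classify_reply(reply))
```

Run it as is to see the post's capture classified as plaintext-http next to the constructed TLS capture; `probe_tls_port("ujo.int.ifirst.ru")` would perform the same check live against a host of your own. The classification deliberately keys on the record header only, because that is all a client ever sees before the "unknown protocol" error: the fix lives in the server's port 443 configuration, and the probe just tells you whether the fix took effect.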