Posted to users@httpd.apache.org by "Daniel R. Blair" <jo...@realcoders.org> on 2003/05/23 19:42:59 UTC

[users@httpd] Problems with SSL All of a Sudden

Hi guys,
	I am new to the list, but have checked all of the FAQs, etc. and
cannot seem to figure out what is wrong.

	We have been running Apache2 2.0.43 for quite some time now, with
SSL and a valid certificate for doing credit card processing, et al.

	As of yesterday, a user called and said that they could not
complete a credit card transaction.  I checked everything, and we just
rebooted the server (RH 7 I believe) remotely to see if that fixed
anything because we were in a hurry to get it fixed (read: my boss was
freaking out and troubleshooting wasn't an issue, so the command to reboot
the box was given.) Now, after a reboot, when trying to access
https://domain.com/anything.html or .jsp immediately returns with a
browser error that it cannot connect to the server.

	Nothing was changed in the config file(s), and nothing abnormal is
in the log files AT ALL, no errors, no nothing.. just "received SIGTERM,
shutdown.. and Starting Up, resuming Operations normally" so.. at this
point I am pulling my hair out as to what could have happened and why this
all of a sudden just stopped working.

	Now, I asked my boss if his certificate had expired, and then he
informed me that on April 30th he received an email stating he had 90 days
to re-new the certificate, which would mean we still had over 2 months to
re-new (unless verisign messed up or something), but, to my knowledge,
even an expired certificate would just give the user, via their browser,
an error/informative message that the certificate had expired and ask
whether or not to continue.. I see no reason why it would stop responding
COMPLETELY to https requests...

	I've tried telnetting to port 443 and get no response...

	Does anyone have any clue as to what may have happened and/or
perhaps WHY?  This is just totally baffling me as to what the problem
could be, and, why a reboot wouldn't fix it.. given that nothing was
modified configuration wise (which by the way, apachectl -t reports syntax
is OK.)  Just FYI, Apache *IS* connected to Tomcat using mod_jk connector
and all is fine with it, but again, no https/SSL requests are being served
AT ALL..

Any and all help will be GREATLY appreciated guys.

Thanks a lot,

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Fri, 23 May 2003, WC -Sx- Jones wrote:

> > mean?  Anything special in this case other than the standard reason
> > for a
> > .core file?
> :)
>
> What would your standard reason be?  I ask because ALL core files
> should be considered with HIGH suspicion and saved as you would any
> backup.  Especially in a business environment.

I just figured sometimes things crash and that could have been a random
problem.. not our current problem...  I'll take your advice from now on..

> If my system at home core dumps, and everything appears to be working,
> I delete it and shake my head while saying to myself "who knows..."  If
> it happened at work I'll stick it on a tape I save just for that
> purpose.  If something else strange happens then there is a history
> which the primary vendor can use to analyze to make sure that
> particular core file wasn't important and/or related to whatever
> issue(s) we happen to be working on.
>
> Is the Apache/Tomcat server working now?

yeah, without https/SSL... just http is fine..

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                  -/-  s e g m e n t : o f f s e t -/-



Re: [users@httpd] Problems with SSL All of a Sudden

Posted by WC -Sx- Jones <li...@insecurity.org>.
On Friday, May 23, 2003, at 05:41  PM, Daniel R. Blair wrote:

> On Fri, 23 May 2003, WC -Sx- Jones wrote:
>
>> Is there a CORE file laying around?
>
> mean?  Anything special in this case other than the standard reason 
> for a
> .core file?


:)

What would your standard reason be?  I ask because ALL core files 
should be considered with HIGH suspicion and saved as you would any 
backup.  Especially in a business environment.

If my system at home core dumps, and everything appears to be working, 
I delete it and shake my head while saying to myself "who knows..."  If 
it happened at work I'll stick it on a tape I save just for that 
purpose.  If something else strange happens then there is a history 
which the primary vendor can use to analyze to make sure that 
particular core file wasn't important and/or related to whatever 
issue(s) we happen to be working on.

Is the Apache/Tomcat server working now?

-Sx-

http://insecurity.org/
_Sx____________________
  ('>    iudicium ferat
  //\   Have Computer -
  v_/_    Will Hack...

               \|/ ____ \|/
               "@'/ .. \`@"
               /_| \__/ |_\
                  \__U_/




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Fri, 23 May 2003, WC -Sx- Jones wrote:

>
> On Friday, May 23, 2003, at 01:42  PM, Daniel R. Blair wrote:
>
> > 	Nothing was changed in the config file(s), and nothing abnormal is
> > in the log files AT ALL, no errors, no nothing.. just "received
> > SIGTERM,
> > shutdown.. and Starting Up, resuming Operations normally" so.. at this
> > point I am pulling my hair out as to what could have happened and why
> > this
> > all of a sudden just stopped working.
>
> Is there a CORE file laying around?

There was a core file that I deleted, and I think it was from Apache, but
I don't remember, I think it was dated though and older.. I mean had a
date in the filename preceding .core, like 04-26 or something.. but
again, I'm not 100%.. I wish I had taken closer note now.. what would that
mean?  Anything special in this case other than the standard reason for a
.core file?

> Is this system plain Apache or is it running Tomcat, PHP, or some other
> server extension?

It is using mod_jk with tomcat..

> Anyhow, not sure, but there have been rumors of this security issue
> being adapted to hit Linux systems:
>
> http://www.securiteam.com/windowsntfocus/5KP0C1F96Y.html
>
> Not sure 100%...

Thanks for your help,

Danny


                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                  -/-  s e g m e n t : o f f s e t -/-



Re: [users@httpd] Problems with SSL All of a Sudden

Posted by WC -Sx- Jones <li...@insecurity.org>.
On Friday, May 23, 2003, at 01:42  PM, Daniel R. Blair wrote:

> 	Nothing was changed in the config file(s), and nothing abnormal is
> in the log files AT ALL, no errors, no nothing.. just "received
> SIGTERM,
> shutdown.. and Starting Up, resuming Operations normally" so.. at this
> point I am pulling my hair out as to what could have happened and why 
> this
> all of a sudden just stopped working.

Is there a CORE file laying around?

Is this system plain Apache or is it running Tomcat, PHP, or some other 
server extension?

Anyhow, not sure, but there have been rumors of this security issue 
being adapted to hit Linux systems:

http://www.securiteam.com/windowsntfocus/5KP0C1F96Y.html

Not sure 100%...
-Sx-

http://insecurity.org/
_Sx____________________
  ('>    iudicium ferat
  //\   Have Computer -
  v_/_    Will Hack...

               \|/ ____ \|/
               "@'/ .. \`@"
               /_| \__/ |_\
                  \__U_/




RE: [users@httpd] Problems with SSL All of a Sudden

Posted by Nigel Peck - MIS Web Design <ni...@miswebdesign.com>.
Still on 1.3.27 here :) Thanks for putting me straight.

Nigel

MIS Web Design
http://www.miswebdesign.com/

> -----Original Message-----
> From: Daniel R. Blair [mailto:joecamel@realcoders.org]
> Sent: 23 May 2003 19:47
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Problems with SSL All of a Sudden
> 
> 
> On Fri, 23 May 2003, Nigel Peck - MIS Web Design wrote:
> 
> > I'm sure there will be a lot better suggestions from others on
> > the list but have you done a configtest?
> >
> > apachectl configtest
> > or
> > httpsdctl configtest
> 
> Nigel,
> 	That's what httpd -t does, checks the configuration.. I think
> configtest was deprecated after 1.3.x and is now replaced with httpd -t in
> 2.0.x... not 100%, but, I have done the equivalent..
> 
> Danny
> 
> 
>                            = Daniel Blair =
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - dblair@realcoders.org -                   [http://www.realcoders.org]
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>                                   -/-  s e g m e n t : o f f s e t -/-
> 




RE: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Fri, 23 May 2003, Nigel Peck - MIS Web Design wrote:

> I'm sure there will be a lot better suggestions from others on the list but have you done a configtest?
>
> apachectl configtest
> or
> httpsdctl configtest

Nigel,
	That's what httpd -t does, checks the configuration.. I think
configtest was deprecated after 1.3.x and is now replaced with httpd -t in
2.0.x... not 100%, but, I have done the equivalent..

Danny


                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                  -/-  s e g m e n t : o f f s e t -/-



Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Sun, 25 May 2003, Zac Stevens wrote:

> > That's what I was thinking, but, my Boss doesn't want to "touch anything
> > that's not necessary right now" so, I don't think it would be well
> > received, although may inevitably be done soon.
>
> Yeah, I've been in that situation before.  To be honest, I haven't used SSL
> with Apache 2 so I'm not sure whether the security holes affect it or only
> Apache 1.3.  Assuming that the vulnerability is common to both, you run the
> risk of infection by the 'Slapper' worm, or a root compromise via one of
> the other SSL-based exploits.  Perhaps you may have more luck if you
> explain to your boss that leaving things as-is may result in "secure" data
> being stolen or destroyed?

I might just take that approach, given his obsessive way of thinking about
things like security, etc.

> There's no right or wrong way to define it, as long as it works :)  Just a
> few different approaches.  I'm not sure whether you're aware of this, but
> the "0.0.0.0" address can be read as "all addresses".  That is, when you
> see 0.0.0.0:443 in the netstat output, it means that something is bound to
> port 443 on *every* address you have configured on your system.

That's what I thought... that's ok because the system only has one public
(internet) address.. so, that's fine.. and that's what I usually interpret
0.0.0.0(*) to indicate is that it's on all/any address(es).. thanks for
the clarification/warning though.

> The other way you might have configured Apache involves listing the actual
> IP address in the Listen statement - ie "Listen 216.24.170.247:443".
>
> There are arguments for and against both approaches - the reason I asked
> was to make sure that the Apache configuration you're using does match what
> is happening on your system.

Gotcha.  Well, it is set to "Listen 80\nListen 443" so, I am pretty sure
that it does match what is happening on my system..

> > user list?  As in allowed users?  Not that I know of, but I will check..
>
> Sorry, I meant a user support list - ie, email :)  There is a modssl-users
> email list mentioned on www.modssl.org, however I'm not sure whether this
> is also appropriate for Apache 2.

Yeah, I am aware of it.. I even subscribed to it when I subscribed to the
Apache HTTPD list and for some reason it didn't subscribe me properly...
so, I'll try again and see if anything happens..  thanks though.

> > Zac, how would I go about doing this, if you don't mind me asking?
>
> Unfortunately, now that I've looked at this further I seem to have led you
> astray.  In Apache 1.3's mod_ssl, there were two logging directives -
> SSLLog, and SSLLogLevel.  Documentation for them can be found here:
> 	http://www.modssl.org/docs/2.8/ssl_reference.html#ToC19
>
> Unfortunately, I can't find any reference to either of those in the Apache
> 2.0 documentation.  In fact, nothing related to debugging SSL problems at
> all.  I believe that the 2.0 module started life as, more or less, a port
> from the 1.3 module, so this omission is surprising.

Meaning that there should be documentation and it's not there yet, which
is surprising to you?

> > Thanks a lot, your help is GREATLY appreciated,
>
> No problem - although it seems to be less useful than I first thought!

Well, it has been a help in establishing that at least it's not something in
the configuration that's the problem.. and your time is appreciated more
than anything.. I really do want to thank you for taking your time in
helping me deal with this..

Take care,

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by Zac Stevens <zt...@cryptocracy.com>.
Hi Daniel,

On Sat, May 24, 2003 at 08:24:58PM -0400, Daniel R. Blair wrote:
> On Sun, 25 May 2003, Zac Stevens wrote:
> > On Sat, May 24, 2003 at 12:21:11PM -0400, Daniel R. Blair wrote:
> > several security fixes to httpd since 2.0.43, and a large number of serious
> > security problems fixed since OpenSSL 0.9.6b.  It would be worth upgrading
> > at this point - and who knows, it might magically fix the problem :)
> 
> That's what I was thinking, but, my Boss doesn't want to "touch anything
> that's not necessary right now" so, I don't think it would be well
> received, although may inevitably be done soon.

Yeah, I've been in that situation before.  To be honest, I haven't used SSL
with Apache 2 so I'm not sure whether the security holes affect it or only
Apache 1.3.  Assuming that the vulnerability is common to both, you run the
risk of infection by the 'Slapper' worm, or a root compromise via one of
the other SSL-based exploits.  Perhaps you may have more luck if you
explain to your boss that leaving things as-is may result in "secure" data 
being stolen or destroyed?

> Yes, Listen 443 is at the top, the pasted selection is included (as well
> as a number of other VirtualHost definitions..  I don't understand though
> what you mean by "I thought it was odd that your SSL VirtualHost is
> defined on a specific IP address, while netstat showed the binding on
> 0.0.0.0:443"  ?  What do you mean by that?  Am I supposed to define it
> differently?  Would that make a difference?

There's no right or wrong way to define it, as long as it works :)  Just a
few different approaches.  I'm not sure whether you're aware of this, but
the "0.0.0.0" address can be read as "all addresses".  That is, when you
see 0.0.0.0:443 in the netstat output, it means that something is bound to
port 443 on *every* address you have configured on your system.  

The other way you might have configured Apache involves listing the actual
IP address in the Listen statement - ie "Listen 216.24.170.247:443".  

There are arguments for and against both approaches - the reason I asked
was to make sure that the Apache configuration you're using does match what
is happening on your system.

> > In any event, the error generated by using non-SSL on the SSL port seems
> > appropriate and comes from Apache.  That being the case, you may be
> > experiencing a more esoteric mod_ssl-specific error.  Is there another user
> > list for the mod_ssl which ships with Apache 2?  I'm not too sure...
> 
> user list?  As in allowed users?  Not that I know of, but I will check..

Sorry, I meant a user support list - ie, email :)  There is a modssl-users
email list mentioned on www.modssl.org, however I'm not sure whether this
is also appropriate for Apache 2.

> > You should probably also try bumping up your SSLLogLevel to 'info' or
> > perhaps 'trace' to see what is happening during an attempted SSL
> > connection.  Make sure when testing in this manner that you try at least a
> > couple of different browsers.
> 
> Zac, how would I go about doing this, if you don't mind me asking?

Unfortunately, now that I've looked at this further I seem to have led you
astray.  In Apache 1.3's mod_ssl, there were two logging directives -
SSLLog, and SSLLogLevel.  Documentation for them can be found here:
	http://www.modssl.org/docs/2.8/ssl_reference.html#ToC19

Unfortunately, I can't find any reference to either of those in the Apache
2.0 documentation.  In fact, nothing related to debugging SSL problems at
all.  I believe that the 2.0 module started life as, more or less, a port
from the 1.3 module, so this omission is surprising.   

> Thanks a lot, your help is GREATLY appreciated,

No problem - although it seems to be less useful than I first thought!


Zac
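
Added example (not part of the original thread): one way to run the check described above, that the Listen and VirtualHost lines in the Apache configuration match the sockets netstat reports. The sample config and netstat text are constructed from values quoted in this thread (the port 80 netstat line is invented), and all function names are hypothetical.

```python
import re

WILDCARDS = {"*", "0.0.0.0", "::", "_default_"}

# Constructed sample, built from the directives and netstat line quoted in the thread.
SAMPLE_CONF = """\
Listen 80
Listen 443
<VirtualHost *>
    ServerName www.juke.biz
</VirtualHost>
<VirtualHost 216.24.170.247:443>
    ServerName www.juke.biz:443
    SSLEngine on
</VirtualHost>
"""
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
"""


def split_hostport(token):
    """Split 'addr:port', '[v6]:port', 'port' or 'addr' into (addr, port)."""
    token = token.strip()
    m = re.fullmatch(r"\[([0-9a-fA-F:.]+)\](?::(\d+|\*))?", token)
    if m:
        addr, port = m.group(1), m.group(2)
    elif token.isdigit():
        addr, port = "*", token          # "Listen 443": every address
    elif ":" in token:
        addr, port = token.rsplit(":", 1)  # also handles netstat's ":::443"
    else:
        addr, port = token, None
    port_num = None if port in (None, "*") else int(port)
    return ("*" if addr in WILDCARDS else addr), port_num


def listen_directives(conf):
    """(addr, port) for every uncommented Listen line."""
    out = []
    for line in conf.splitlines():
        m = re.match(r"\s*Listen\s+(\S+)", line, re.I)
        if m:
            out.append(split_hostport(m.group(1)))
    return out


def vhost_addresses(conf):
    """(addr, port) for every address named in a <VirtualHost ...> line."""
    out = []
    for m in re.finditer(r"^\s*<VirtualHost\s+([^>]+)>", conf, re.I | re.M):
        out.extend(split_hostport(t) for t in m.group(1).split())
    return out


def listening_sockets(netstat_out):
    """Local (addr, port) of every TCP socket in LISTEN state (netstat -ltn)."""
    socks = set()
    for line in netstat_out.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            socks.add(split_hostport(f[3]))
    return socks


def covers(bound, wanted):
    """True if a socket/Listen 'bound' serves the address and port 'wanted'."""
    return bound[1] == wanted[1] and (bound[0] == "*" or bound[0] == wanted[0])


def audit(conf, netstat_out):
    """Compare what the config asks for with what the kernel reports."""
    listens = listen_directives(conf)
    socks = listening_sockets(netstat_out)
    findings = []
    for want in listens:
        if not any(covers(s, want) for s in socks):
            findings.append(("NOT_BOUND", want))            # configured, not listening
    for vh in vhost_addresses(conf):
        if vh[1] is None:
            continue  # no explicit port: nothing to compare against a Listen port
        if not any(covers(l, vh) for l in listens):
            findings.append(("VHOST_WITHOUT_LISTEN", vh))   # vhost can never be reached
        elif vh[0] != "*" and vh not in listens:
            # The case noticed in the thread: vhost names one IP, bind is 0.0.0.0.
            findings.append(("VHOST_VIA_WILDCARD_LISTEN", vh))
    return findings


if __name__ == "__main__":
    for kind, (addr, port) in audit(SAMPLE_CONF, SAMPLE_NETSTAT):
        print(f"{kind}: {addr}:{port}")
```

VHOST_VIA_WILDCARD_LISTEN is informational; NOT_BOUND and VHOST_WITHOUT_LISTEN are the results that would explain an unreachable port.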



Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Sun, 25 May 2003, Zac Stevens wrote:

> On Sat, May 24, 2003 at 12:21:11PM -0400, Daniel R. Blair wrote:
> > HTTP/1.1 400 Bad Request
> > Date: Sat, 24 May 2003 18:25:43 GMT
> > Server: Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b mod_jk/1.2.0
> > PHP/4.2.
>
> While it isn't directly the cause of the error, the fact that you're
> running old versions of Apache and OpenSSL is a concern.  There have been
> several security fixes to httpd since 2.0.43, and a large number of serious
> security problems fixed since OpenSSL 0.9.6b.  It would be worth upgrading
> at this point - and who knows, it might magically fix the problem :)

That's what I was thinking, but, my Boss doesn't want to "touch anything
that's not necessary right now" so, I don't think it would be well
received, although may inevitably be done soon.

> One thing I thought was odd is that your SSL virtualhost is defined on a
> specific IP address, while netstat showed the binding on 0.0.0.0:443.  I
> suspect that you have "Listen 443" elsewhere in your config?

Yes, Listen 443 is at the top, the pasted selection is included (as well
as a number of other VirtualHost definitions..  I don't understand though
what you mean by "I thought it was odd that your SSL VirtualHost is
defined on a specific IP address, while netstat showed the binding on
0.0.0.0:443"  ?  What do you mean by that?  Am I supposed to define it
differently?  Would that make a difference?

> In any event, the error generated by using non-SSL on the SSL port seems
> appropriate and comes from Apache.  That being the case, you may be
> experiencing a more esoteric mod_ssl-specific error.  Is there another user
> list for the mod_ssl which ships with Apache 2?  I'm not too sure...

user list?  As in allowed users?  Not that I know of, but I will check..

> You should probably also try bumping up your SSLLogLevel to 'info' or
> perhaps 'trace' to see what is happening during an attempted SSL
> connection.  Make sure when testing in this manner that you try at least a
> couple of different browsers.

Zac, how would I go about doing this, if you don't mind me asking?

Thanks a lot, your help is GREATLY appreciated,

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by Zac Stevens <zt...@cryptocracy.com>.
On Sat, May 24, 2003 at 12:21:11PM -0400, Daniel R. Blair wrote:
> HTTP/1.1 400 Bad Request
> Date: Sat, 24 May 2003 18:25:43 GMT
> Server: Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b mod_jk/1.2.0
> PHP/4.2.

While it isn't directly the cause of the error, the fact that you're
running old versions of Apache and OpenSSL is a concern.  There have been
several security fixes to httpd since 2.0.43, and a large number of serious
security problems fixed since OpenSSL 0.9.6b.  It would be worth upgrading
at this point - and who knows, it might magically fix the problem :)

One thing I thought was odd is that your SSL virtualhost is defined on a
specific IP address, while netstat showed the binding on 0.0.0.0:443.  I
suspect that you have "Listen 443" elsewhere in your config?  

In any event, the error generated by using non-SSL on the SSL port seems
appropriate and comes from Apache.  That being the case, you may be
experiencing a more esoteric mod_ssl-specific error.  Is there another user
list for the mod_ssl which ships with Apache 2?  I'm not too sure...

You should probably also try bumping up your SSLLogLevel to 'info' or
perhaps 'trace' to see what is happening during an attempted SSL
connection.  Make sure when testing in this manner that you try at least a
couple of different browsers.

Cheers,


Zac




RE: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Fri, 23 May 2003, Daniel R. Blair wrote:

> On Fri, 23 May 2003, Paul Simon wrote:
>
> > > Paste of Output:
> > >
> > > tcp        0      0 0.0.0.0:443
> > > 0.0.0.0:*               LISTEN
> > >
> > > ---------------------  END PASTE OF OUTPUT OF
> > > RELEVANT LINES -----------
> > >
> > >
> > > I would assume this would indicate that yes, it is
> > > listening.. but.. I'm
> > > not 100% sure if it's not responding online..
> >
> > It says it's listening. And you can telnet to the
> > server on port 443?
> >
> > I wish I could help more...
>
> I can telnet, but it just sits there, apache doesn't say hello and expect
> a GET request or anything...

Ok, today I tried telnetting to port 443 and typing "GET index.html" to
see what would happen and this is what I got.. does this help anyone
figure out why it will not respond to https://www.juke.biz urls?

Response from: telnet 216.24.170.247 443 (as well as with the IP)

telnet 216.24.170.247 443

Trying 216.24.170.247...
Connected to 216.24.170.247.
Escape character is '^]'.
Connected to 216.24.170.247.
Escape character is '^]'.
GET index.html

HTTP/1.1 400 Bad Request
Date: Sat, 24 May 2003 18:25:43 GMT
Server: Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b mod_jk/1.2.0 PHP/4.2.3
Content-Length: 528
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a href="https://www.juke.biz/"><b>https://www.juke.biz/</b></a></blockquote></p>
<hr />
<address>Apache/2.0.43 Server at www.juke.biz Port 443</address>
</body></html>
Connection closed by foreign host.

-----------------   END RESPONSE PASTE  ---------------------

The server Config is below.. would this be a problem at all?  It has
worked in the past, and was working, as previously stated.. it apparently
"just stopped working" which is REALLY weird to me as a Unix
administrator.. things just don't "stop working"  and I am executing
"apachectl startssl" not "apachectl start" so, I know it is starting in SSL
mode.. no errors are spit out on startup either.. and the httpd -t passes
the configuration syntax check with flying colors...

--------------  CONFIGURATION OF VIRTUAL HOST BEGIN PASTE ---------------


<VirtualHost *>
        ServerName www.juke.biz
        ServerAlias juke.biz
        ServerAdmin binz@juke.biz
        DocumentRoot /var/webapps/jukebiz
        ErrorLog logs/jukebiz-error_log
        CustomLog logs/jukebiz-access_log common
        JkMount /*.jsp ajp13
        JkMount /servlet/* ajp13
        <Directory /var/webapps/jukebiz/>
                Allow from all
                AllowOverride All
                Order allow,deny
        </Directory>
        # SetEnv SITE_ROOT /usr/java/jakarta-tomcat-4.1.12/webapps/jukebiz
        # SetEnv SITE_HTMLROOT /usr/java/jakarta-tomcat-4.1.12/webapps/jukebiz
</VirtualHost>

<VirtualHost 216.24.170.247:443>
        ServerName www.juke.biz:443
        DocumentRoot /var/webapps/jukebiz
        ErrorLog logs/jukebiz-error_log
        CustomLog logs/jukebiz-access_log common
        JkMount /*.jsp ajp13
        JkMount /servlet/* ajp13
        <Directory /var/webapps/jukebiz/>
                Allow from all
                AllowOverride All
                Order allow,deny
        </Directory>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EX$
        SSLCertificateFile    /usr/local/apache2/conf/ssl.crt/jukebiz.cert
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/jukebiz.key
        CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \$
</VirtualHost>

--------------  CONFIGURATION OF VIRTUAL HOST END PASTE ---------------


Can anyone find anything wrong?  This is becoming a real problem as users
are starting to call and complain, and I cannot figure this out for the
life of me.. so I can't even give an estimated ETA for fixing it.. or a
reason...

-------------------------------------------------------------------------
Just For reference, uname -a reports:

Linux rocola.com 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386
GNU/Linux

I don't know if that helps at all...
--------------------------------------------------------------------------


Thanks guys, your help is MORE than GREATLY appreciated.

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                  -/-  s e g m e n t : o f f s e t -/-
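
Added example (not part of the original post): a small probe that repeats the telnet test above, recognises mod_ssl's "plain HTTP to an SSL-enabled server port" reply, lists the component versions from the Server header, and then attempts a real TLS handshake. SAMPLE_REPLY is constructed from the reply pasted above (trimmed); the function names are hypothetical.

```python
import re
import socket
import sys

import ssl

# Constructed sample: headers and reason line from the reply pasted in this post, trimmed.
SAMPLE_REPLY = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Date: Sat, 24 May 2003 18:25:43 GMT\r\n"
    b"Server: Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b mod_jk/1.2.0\r\n"
    b"Connection: close\r\n\r\n"
    b"Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />\n"
)


def classify_plaintext_reply(raw):
    """Interpret what came back after sending cleartext HTTP to the HTTPS port."""
    if not raw:
        return "no_reply"        # peer is silent, e.g. still waiting for a TLS ClientHello
    if b"plain HTTP to an SSL-enabled server port" in raw:
        return "tls_listener"    # Apache mod_ssl is active on this port
    if raw.startswith(b"HTTP/"):
        return "plain_http"      # an HTTP reply without mod_ssl's marker text
    if raw[:1] == b"\x15":
        return "tls_alert"       # TLS alert record: a TLS stack rejected the cleartext
    return "unknown"


def server_components(raw):
    """Return {product: version} from the Server header, for patch-level review."""
    m = re.search(rb"^Server:[ \t]*(.+?)\r?$", raw, re.M | re.I)
    if not m:
        return {}
    banner = m.group(1).decode("latin-1")
    return dict(re.findall(r"([A-Za-z_][\w-]*)/([\w.]+)", banner))


def diagnose(host, port=443, timeout=5.0):
    """Live check: TCP connect, cleartext probe, then a TLS handshake."""
    result = {"tcp": None, "plaintext": None, "components": {}, "tls": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["tcp"] = "open"
            try:
                s.sendall(b"GET / HTTP/1.0\r\n\r\n")
                raw = s.recv(4096)
            except OSError:      # includes timeouts and resets
                raw = b""
            result["plaintext"] = classify_plaintext_reply(raw)
            result["components"] = server_components(raw)
    except OSError as exc:
        result["tcp"] = f"failed: {exc}"
        return result
    # Diagnostic handshake only: certificate checks are off so that an expired or
    # mismatched certificate does not mask whether the handshake itself completes.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                result["tls"] = f"ok: {tls.version()} {tls.cipher()[0]}"
    except OSError as exc:       # ssl.SSLError is a subclass of OSError
        result["tls"] = f"failed: {exc}"
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(diagnose(sys.argv[1]))
    else:
        print(classify_plaintext_reply(SAMPLE_REPLY), server_components(SAMPLE_REPLY))
```

A "tls_listener" result together with a failed handshake points at the SSL layer rather than the listener or the network path, which is the situation this thread describes.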



Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Fri, 23 May 2003, Benjamin Krueger wrote:

> Which is exactly the way it should behave. Try the following.
>
> stunnel -r server:443 -f
>
> When you connect, then you can test your HTTP request.

I compiled and installed stunnel on my FreeBSD machine, however, it
doesn't accept those command line options.. maybe it's a different version
due to the OS difference.. what is the -r and -f implicating?

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                  -/-  s e g m e n t : o f f s e t -/-



Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Fri, 23 May 2003, Benjamin Krueger wrote:

> Which is exactly the way it should behave. Try the following.
>
> stunnel -r server:443 -f
>
> When you connect, then you can test your HTTP request.

from localhost or another host?

Danny


                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                  -/-  s e g m e n t : o f f s e t -/-



Re: [users@httpd] Problems with SSL All of a Sudden

Posted by Paul Simon <wr...@yahoo.com>.
--- Benjamin Krueger <be...@seattlefenix.net> wrote:
> * Daniel R. Blair (joecamel@realcoders.org) [030523 14:45]:
> > On Fri, 23 May 2003, Paul Simon wrote:
> >
> > > > Paste of Output:
> > > >
> > > > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
> > > >
> > > > ---------------------  END PASTE OF OUTPUT OF RELEVANT LINES -----------
> > > >
> > > >
> > > > I would assume this would indicate that yes, it is listening.. but.. I'm
> > > > not 100% sure if it's not responding online..
> > >
> > > It says it's listening. And you can telnet to the
> > > server on port 443?
> > >
> > > I wish I could help more...
> >
> > I can telnet, but it just sits there, apache doesn't say hello and expect
> > a GET request or anything...
> >
> > Danny
>
> Which is exactly the way it should behave. Try the following.
>
> stunnel -r server:443 -f
>
> When you connect, then you can test your HTTP request.
>
I just did a simple http request from the command line
on my SSL enabled server (no stunnel):

venus# telnet localhost 443
Trying 127.0.0.1...
Connected to localhost
Escape character is '^]'.
GET /index.html
...
<title>400 Bad Request</title>
<p>Your browser sent a request that this server could
not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled
server port.<br />
Instead use the HTTPS scheme to access this URL,
please.<br /> 
...
Connection closed by foreign host.

On the linux box, which the server resides, can you
access any of the SSL site using lynx or netscape
(KDE/Gnome) as well as the telnet like above?
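
The checks this thread performs by hand (a TCP connect as with telnet, then an SSL handshake, then an HTTP request, compared between localhost and an outside host) can be scripted. The following Python code is an added example, not part of the original posts; the function names and the sample inputs are constructed for illustration, and certificate verification is disabled only so the probe shows where the connection stops.

```python
import socket
import ssl


def probe_https(host, port=443, timeout=5.0, path="/"):
    """Return how far a connection to host:port gets: 'tcp', 'tls' or 'http'."""
    # Stage 1: TCP connect, which is all that `telnet host 443` verifies.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"stage": "tcp", "ok": False, "detail": "refused"}
    except (socket.timeout, TimeoutError):
        return {"stage": "tcp", "ok": False, "detail": "timeout"}
    except OSError as exc:
        return {"stage": "tcp", "ok": False, "detail": str(exc)}

    # Stage 2: SSL/TLS handshake. An SSL port stays silent until the client
    # sends its hello, so a quiet telnet session proves nothing either way.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # diagnostic only: an expired or
    ctx.verify_mode = ssl.CERT_NONE   # mismatched cert must not stop the probe
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except (socket.timeout, TimeoutError):
        sock.close()
        return {"stage": "tls", "ok": False, "detail": "timeout"}
    except OSError as exc:            # ssl.SSLError, connection reset, ...
        sock.close()
        return {"stage": "tls", "ok": False, "detail": str(exc)}

    # Stage 3: one HTTP request inside the encrypted channel.
    try:
        with tls:
            request = "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)
            tls.sendall(request.encode("ascii"))
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
    except (socket.timeout, TimeoutError):
        return {"stage": "http", "ok": False, "detail": "timeout"}
    except OSError as exc:
        return {"stage": "http", "ok": False, "detail": str(exc)}
    return {"stage": "http", "ok": bool(status), "detail": status}


def plain_http_on_ssl_port(reply):
    """True if a cleartext reply is Apache's 'plain HTTP to an SSL port' error,
    i.e. the SSL engine is active on that port and answering."""
    return b"speaking plain HTTP to an SSL-enabled" in reply


def locate_fault(local, remote):
    """Compare a probe run on the server itself with one run from outside."""
    if not local["ok"]:
        return "server: fails at the %s stage even on localhost" % local["stage"]
    if remote["ok"]:
        return "none: HTTPS answers from both vantage points"
    if remote["stage"] == "tcp":
        return "network: port is not reachable from outside"
    return "network: TCP connects from outside but the %s stage fails" % remote["stage"]


if __name__ == "__main__":
    # Constructed results matching the situation described in the thread:
    # HTTPS works on localhost, an outside client connects but gets no answer.
    local = {"stage": "http", "ok": True, "detail": "HTTP/1.1 200 OK"}
    remote = {"stage": "tls", "ok": False, "detail": "timeout"}
    print(locate_fault(local, remote))
    # Live probe of this machine; reports 'refused' if nothing listens on 443.
    print(probe_https("127.0.0.1", 443, timeout=2.0))
```

Run `probe_https` once on the server against 127.0.0.1 and once from a host outside the provider's network, then pass both results to `locate_fault`.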




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by Benjamin Krueger <be...@seattlefenix.net>.
* Daniel R. Blair (joecamel@realcoders.org) [030523 14:45]:
> On Fri, 23 May 2003, Paul Simon wrote:
> 
> > > Paste of Output:
> > >
> > > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
> > >
> > > ---------------------  END PASTE OF OUTPUT OF RELEVANT LINES -----------
> > >
> > >
> > > I would assume this would indicate that yes, it is listening.. but.. I'm
> > > not 100% sure if it's not responding online..
> >
> > It says it's listening. And you can telnet to the
> > server on port 443?
> >
> > I wish I could help more...
> 
> I can telnet, but it just sits there, apache doesn't say hello and expect
> a GET request or anything...
> 
> Danny

Which is exactly the way it should behave. Try the following.

stunnel -r server:443 -f

When you connect, then you can test your HTTP request.

-- 
Benjamin Krueger



RE: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Fri, 23 May 2003, Paul Simon wrote:

> > Paste of Output:
> >
> > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
> >
> > ---------------------  END PASTE OF OUTPUT OF RELEVANT LINES -----------
> >
> >
> > I would assume this would indicate that yes, it is listening.. but.. I'm
> > not 100% sure if it's not responding online..
>
> It says it's listening. And you can telnet to the
> server on port 443?
>
> I wish I could help more...

I can telnet, but it just sits there, apache doesn't say hello and expect
a GET request or anything...

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                  -/-  s e g m e n t : o f f s e t -/-



RE: [users@httpd] Problems with SSL All of a Sudden

Posted by Paul Simon <wr...@yahoo.com>.
> Paste of Output:
>
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
>
> ---------------------  END PASTE OF OUTPUT OF RELEVANT LINES -----------
>
>
> I would assume this would indicate that yes, it is listening.. but.. I'm
> not 100% sure if it's not responding online..

It says it's listening. And you can telnet to the
server on port 443?

I wish I could help more...



RE: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Fri, 23 May 2003, Paul Simon wrote:

>
> > The log files say absolutely nothing about the current problem.  There is
> > NOTHING that says anything is wrong.. but, what log file in particular are
> > you referring to so I can perhaps inspect it and let you know what EXACTLY
> > it says..
>
> I'm talking about your error logs for both http and
> https (if they are separate). it's hard to
> troubleshoot without any errors being logged.

my point exactly.  There are NO ERRORS in either the virtual host's
access/error logs nor the ssl logs for that virtual host.  That's why I
had to resort to the knowledge of the list to see if anyone knew what
could be causing this..

> > https://www.juke.biz address and given the https
> > prefix it comes right
> > back with a cannot connect to server...
>
> When I go there, I get a 504 (gateway timeout)

hmm... what would that mean?

> If you do a netstat -na do you see your server
> listening on 443?

I believe the answer is yes... here is a paste of the relevant lines of
output:

Paste of Output:

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN

---------------------  END PASTE OF OUTPUT OF RELEVANT LINES -----------


I would assume this would indicate that yes, it is listening.. but.. I'm
not 100% sure if it's not responding online..


Thank you so much for your time and help on this matter.. btw, I'm not a
Unix newbie at all, so, if you need to know some more in-depth info, feel
free to ask.. I am however more used to Apache 1.3.27 (as we ran on my
last job's server) and now am taking on a pre-setup (by someone else)
Apache2 running on Red Hat installation using non-standard directory
structures, et al. and it's a nightmare to troubleshoot when I'm still
learning the environment.. Not to mention the fact that I'm a FreeBSD
guru, and a Linux/RedHat non-newbie, but non-expert.. so.. again, thank
you so much for your time in this matter, it means a GREAT DEAL to me.

Sincerely,

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                  -/-  s e g m e n t : o f f s e t -/-



Re: [users@httpd] Problems with SSL All of a Sudden

Posted by Paul Simon <wr...@yahoo.com>.
> I'm
> about to resort to re-compiling a newer version of
> apache (like 2.0.44/45)
> and see if that solves anything, 

I wouldn't do that yet :-) This problem sounds like a
network issue, especially since you connected
successfully via localhost using lynx SSL!!!

> he thinks it was something
> that I did to cause
> this, 

He's drunk.

> but, I have to take his word on it.. so.. I honestly
> am in the dark here,

I think you're in the light now. You are about to get
this resolved...

> non-standard layout of the
> environment.. plus, I am a FreeBSD veteran, not a
> Linux user, 

I just recently dumped my red hat stuff and am now
using FreeBSD. I love it.

> 
> Thank you Paul for all of your help.. I really
> appreciate it and your
> valuable time.. 

No problem. I've been helped by lists more times than
I can count. Good Luck.

Paul



Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Sun, 25 May 2003, Paul Simon wrote:

> > > I believe the list has exhausted all avenues for resolution, therefore
> > > (if I were in your shoes) I suggest you contact a third party SSL
> > > consultant who can troubleshoot and rebuild the SSL portion as
> > > appropriate.
> > >
> > > I mean, if this is a business issue, then it would dictate that a
> > > proper business resolution be followed at this late date.
> >
> > I agree, it's got to be fixed.. and I have no clue given what everyone has
> > tried to do to help what in the hell to do to fix it...
>
> I would have rebuilt this server by now. Or tried
> moving a mirror into the production space.
>
> That said, I would DEFINITELY jump through every hoop
> to get a localhost SSL request served. Danny, I don't
> think you have determined whether or not you can do
> that. Have you? It seems you should be able to do that
> since there is a socket listening on 443. If you can
> do that, then the server is working properly.

Well, we don't have lynx or links installed on the box, but I am about to
compile and install lynx and see if that works at all at establishing a
localhost/SSL connection.. is there anything else that you could recommend
that would allow me to establish an SSL connection?

I did telnet to port 443 of localhost, type in "GET index.jsp" and have
Apache spit out an HTML formatted response claiming that the client was
not communicating in SSL mode and that operations couldn't continue, then
the telnet session was dropped... , just FYI..

> Also, you say that this suddenly happened. In my
> experience this has always (almost always :-) been
> some kind of network issue, despite what your ISP
> says, a changed router/switch config etc... The
> apache/SSL server is a very stable piece of software.
> For it suddenly to stop working wouldn't immediately
> make me think that the software is at fault.

My thoughts exactly.. if something just randomly started happening, I
would imagine that it would not be our software.. I even recovered an
older backup of the config files (which I had just added a new virtual
host to the current config files before this started happening (without
SSL)) and brought the server down, and back up with apachectl startssl
(using backup conf files) and the problem did not go away. so, it was not
the configuration file minor change..  We checked with the Co-Lo facility
and they assured us that port 443 was open, etc.  But, I don't know what
else to make them tell us to assure that it's not their problem.. As far
as I know (my boss spoke with them) they haven't changed anything...

> I hope you get it working soon and share your
> solution!

Paul,
	Oh I will definitely post my solution if I can find one.. I'm
about to resort to re-compiling a newer version of apache (like 2.0.44/45)
and see if that solves anything, but, My boss hates to mess with anything
that "was working fine", he thinks it was something that I did to cause
this, and to tell you the truth, even if I was malicious enough to want to
inflict this kind of trouble, I wouldn't know how.. so.. I can honestly
say it wasn't something I did.. the only thing I did from time of known
working to time of not working was a re-make of sendmail's
/etc/mail/access.db file and a mysqldump --all-databases of the mysql
server for a backup.. and the addition of VirtualHost definition in the
apache configuration file for a new project we were working on for
reporting database statistics.. then I took the server down (apachectl
stop) and brought it back up (apachectl startssl) and that was it..
virtual host responded and worked fine.. and then the next day I get a
call telling me that the SSL wasn't working..

	According to my Boss, it was the Verisign credit card transactions
that were not working when he called me.. then, when I rebooted the
machine on his request to see if it would fix it, all https:// urls
stopped working (he claims that the https://www.juke.biz/content/index.jsp
was accessible before the reboot)... now.. I didn't verify this myself,
but, I have to take his word on it.. so.. I honestly am in the dark here,
and I recently (less than a month ago) took over administration of this
box and am just getting familiar with the non-standard layout of the
environment.. plus, I am a FreeBSD veteran, not a Linux user, and this is
a non-standard laid-out Redhat install.. so.. That makes everything even
more difficult for me..

Thank you Paul for all of your help.. I really appreciate it and your
valuable time.. I will post the fix if I can fix it AS SOON AS I DO FIX
IT, I promise =]  I wouldn't put this on my worst enemy...


Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by Paul Simon <wr...@yahoo.com>.
> > I believe the list has exhausted all avenues for resolution, therefore
> > (if I were in your shoes) I suggest you contact a third party SSL
> > consultant who can troubleshoot and rebuild the SSL portion as
> > appropriate.
> >
> > I mean, if this is a business issue, then it would dictate that a
> > proper business resolution be followed at this late date.
>
> I agree, it's got to be fixed.. and I have no clue given what everyone has
> tried to do to help what in the hell to do to fix it...

I would have rebuilt this server by now. Or tried
moving a mirror into the production space. 

That said, I would DEFINITELY jump through every hoop
to get a localhost SSL request served. Danny, I don't
think you have determined whether or not you can do
that. Have you? It seems you should be able to do that
since there is a socket listening on 443. If you can
do that, then the server is working properly. 

Also, you say that this suddenly happened. In my
experience this has always (almost always :-) been
some kind of network issue, despite what your ISP
says, a changed router/switch config etc... The
apache/SSL server is a very stable piece of software.
For it suddenly to stop working wouldn't immediately
make me think that the software is at fault.

I hope you get it working soon and share your
solution! 

-Paul    



RE: [users@httpd] Problems with SSL All of a Sudden

Posted by Jeff Cohen <su...@gej-it.com>.
I would also suggest to you to try telneting your server to port 443 from
*your* router, the one that grants that server the access to the internet to
try this scenario.

Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!

> -----Original Message-----
> From: Paul Simon [mailto:wreckmybike@yahoo.com]
> Sent: Monday, May 26, 2003 7:47 PM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Problems with SSL All of a Sudden
> 
> If you could create another SSL connection from a host
> within your own private network space, besides
> localhost, it would definitely mean that your provider
> is blocking 443.
> 
> I think you have enough evidence to tell the provider
> that 443 is closed to the public, but is serving
> localhost perfectly.
> 
> --- Jeff Cohen <su...@gej-it.com> wrote:
> > What I mean is, make yourself a small network right behind your hosting
> > company's gateways and check your server's connectivity within that small
> > network you created. And then go to your provider and complain.
> >
> > All the best,
> > Jeff Cohen
> > Support@GEJ-IT.com
> > Tel. (416) 917-2324
> > www.GEJ-IT.com
> > GEJ-IT Networks!
> >
> > > -----Original Message-----
> > > From: Daniel R. Blair [mailto:joecamel@realcoders.org]
> > > Sent: Monday, May 26, 2003 4:57 PM
> > > To: users@httpd.apache.org
> > > Subject: RE: [users@httpd] Problems with SSL All of a Sudden
> > >
> > > On Mon, 26 May 2003, Jeff Cohen wrote:
> > >
> > > > I would suggest to add a private IP address to the machine, and add another
> > > > host/router a private IP address and try connecting to any of the ports to
> > > > it, including SSL port, and then make sure that you can connect to the
> > > > server.
> > >
> > > Jeff,
> > > 	Excuse my apparent ignorance, but I don't quite understand what
> > > you're saying... add a private IP to the machine (i.e. 192.168.1.1 or
> > > something) and then have the Co-Lo facility map the requests to our IP to
> > > that local IP?  Or what?  Given the fact that I just connected locally
> > > using lynx to the https stuff, does that not negate the need for this kind
> > > of "hack"?  And when you say add another host/router a private IP, what
> > > exactly do you mean?  literally add another router between us and their
> > > router?
> > >
> > > Danny
> > >
> > >                            = Daniel Blair =
> > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > > - dblair@realcoders.org -                   [http://www.realcoders.org]
> > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> 
> =====
> =====
> 'Ideals are like stars. We may never reach them, but we use them to chart our
> course.' -- Unknown
> =====
> "Do not go where the path may lead, go instead where there is no path and leave
> a trail" -- Ralph Waldo Emerson.
> =====
>


RE: [users@httpd] Problems with SSL All of a Sudden

Posted by Paul Simon <wr...@yahoo.com>.
If you could create another SSL connection from a host
within your own private network space, besides
localhost, it would definitely mean that your provider
is blocking 443. 

I think you have enough evidence to tell the provider
that 443 is closed to the public, but is serving
localhost perfectly. 

--- Jeff Cohen <su...@gej-it.com> wrote:
> What I mean is, make yourself a small network right behind your hosting
> company's gateways and check your server's connectivity within that small
> network you created. And then go to your provider and complain.
> 
> All the best,
> Jeff Cohen
> Support@GEJ-IT.com
> Tel. (416) 917-2324
> www.GEJ-IT.com
> GEJ-IT Networks!
> 
> > -----Original Message-----
> > From: Daniel R. Blair [mailto:joecamel@realcoders.org]
> > Sent: Monday, May 26, 2003 4:57 PM
> > To: users@httpd.apache.org
> > Subject: RE: [users@httpd] Problems with SSL All of a Sudden
> >
> > On Mon, 26 May 2003, Jeff Cohen wrote:
> >
> > > I would suggest to add a private IP address to the machine, and add another
> > > host/router a private IP address and try connecting to any of the ports to
> > > it, including SSL port, and then make sure that you can connect to the
> > > server.
> >
> > Jeff,
> > 	Excuse my apparent ignorance, but I don't quite understand what
> > you're saying... add a private IP to the machine (i.e. 192.168.1.1 or
> > something) and then have the Co-Lo facility map the requests to our IP to
> > that local IP?  Or what?  Given the fact that I just connected locally
> > using lynx to the https stuff, does that not negate the need for this kind
> > of "hack"?  And when you say add another host/router a private IP, what
> > exactly do you mean?  literally add another router between us and their
> > router?
> >
> > Danny
> >
> >                            = Daniel Blair =
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > - dblair@realcoders.org -                   [http://www.realcoders.org]
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


=====
=====
'Ideals are like stars. We may never reach them, but we use them to chart our course.' -- Unknown
=====
"Do not go where the path may lead, go instead where there is no path and leave a trail" -- Ralph Waldo Emerson.
=====



RE: [users@httpd] Problems with SSL All of a Sudden

Posted by Jeff Cohen <su...@gej-it.com>.
What I mean is, make yourself a small network right behind your hosting
company's gateways and check your server's connectivity within that small
network you created. And then go to your provider and complain.

All the best,
Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!

> -----Original Message-----
> From: Daniel R. Blair [mailto:joecamel@realcoders.org]
> Sent: Monday, May 26, 2003 4:57 PM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Problems with SSL All of a Sudden
> 
> On Mon, 26 May 2003, Jeff Cohen wrote:
> 
> > I would suggest to add a private IP address to the machine, and add another
> > host/router a private IP address and try connecting to any of the ports to
> > it, including SSL port, and then make sure that you can connect to the
> > server.
>
> Jeff,
> 	Excuse my apparent ignorance, but I don't quite understand what
> you're saying... add a private IP to the machine (i.e. 192.168.1.1 or
> something) and then have the Co-Lo facility map the requests to our IP to
> that local IP?  Or what?  Given the fact that I just connected locally
> using lynx to the https stuff, does that not negate the need for this kind
> of "hack"?  And when you say add another host/router a private IP, what
> exactly do you mean?  literally add another router between us and their
> router?
> 
> Danny
> 
>                            = Daniel Blair =
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - dblair@realcoders.org -                   [http://www.realcoders.org]
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> 


RE: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Mon, 26 May 2003, Jeff Cohen wrote:

> I would suggest to add a private IP address to the machine, and add another
> host/router a private IP address and try connecting to any of the ports to
> it, including SSL port, and then make sure that you can connect to the
> server.

Jeff,
	Excuse my apparent ignorance, but I don't quite understand what
you're saying... add a private IP to the machine (i.e. 192.168.1.1 or
something) and then have the Co-Lo facility map the requests to our IP to
that local IP?  Or what?  Given the fact that I just connected locally
using lynx to the https stuff, does that not negate the need for this kind
of "hack"?  And when you say add another host/router a private IP, what
exactly do you mean?  literally add another router between us and their
router?

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by Chad Morland <ch...@inquent.com>.
>I would suggest to add a private IP address to the machine, and add another
>host/router a private IP address and try connecting to any of the ports to
>it, including SSL port, and then make sure that you can connect to the
>server.

This is obviously not needed as his ISP is blocking access to his SSL
port. If he can SSH into his box and access his page using regular HTTP
then why add confusion to the issue and screw around with NAT? All he
needs to do is have his ISP open up port 443 to his box which is
obviously being restricted at the router. This has not been done even
though Daniel stated that his boss had made sure it was done.

Rule #3456 If you want something done right... do it yourself! ;-)

-CM




RE: [users@httpd] Problems with SSL All of a Sudden

Posted by Jeff Cohen <su...@gej-it.com>.
I would suggest to add a private IP address to the machine, and add another
host/router a private IP address and try connecting to any of the ports to
it, including SSL port, and then make sure that you can connect to the
server.

All the best,
Jeff Cohen
support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!

> -----Original Message-----
> From: Daniel R. Blair [mailto:joecamel@realcoders.org]
> Sent: Monday, May 26, 2003 4:14 PM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Problems with SSL All of a Sudden
> 
> 
> Ok guys,
> 	I installed lynx on the machine... from lynx, I pressed "g" for
> goto URL, and typed in "https://www.juke.biz/content/index.jsp" and
> pressed enter.. from there it prompted me to accept a cookie, and then
> displayed the page!  Now, from my box at home, I did the same thing,
> through lynx, tried to access the page, and got service unavailable.  What
> does this tell anyone about the problem?  Is the box fine and it's the
> Service Provider (Co-Lo facility?) or is it something that the box is
> doing like denying outside connections of type https or something?
> 
> This makes me feel a lot better given that I can make localhost https
> connections... I think this means that it's working ok.. and like Jeff had
> said, that it's a network error.. but... I'd like some more feedback on
> the situation to make sure, before I call the Co-Lo facility and bitch
> them out or whatever...
> 
> Thanks a lot guys for all of your help,
> 
> Danny
> 
> 
>                            = Daniel Blair =
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - dblair@realcoders.org -                   [http://www.realcoders.org]
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> 


RE: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
Ok guys,
	I installed lynx on the machine... from lynx, I pressed "g" for
goto URL, and typed in "https://www.juke.biz/content/index.jsp" and
pressed enter.. from there it prompted me to accept a cookie, and then
displayed the page!  Now, from my box at home, I did the same thing,
through lynx, tried to access the page, and got service unavailable.  What
does this tell anyone about the problem?  Is the box fine and it's the
Service Provider (Co-Lo facility?) or is it something that the box is
doing like denying outside connections of type https or something?

This makes me feel a lot better given that I can make localhost https
connections... I think this means that it's working ok.. and like Jeff had
said, that it's a network error.. but... I'd like some more feedback on
the situation to make sure, before I call the Co-Lo facility and bitch
them out or whatever...

Thanks a lot guys for all of your help,

Danny


                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




RE: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Mon, 26 May 2003, Jeff Cohen wrote:

> Hi Daniel,
>
> It seems like you have a connectivity problem to port 443 into your server,
> but the problem is not locally cause you can telnet localhost 443,
> therefore, I would suggest trying and changing the IP on your server and try
> and forward the port from the router into your new IP address, check if that
> would do, I think it's more likely a network issue rather than an Apache
> issue.

Jeff,
	Ok, so you are suggesting that I request a change of IP address
from the Co-Lo provider?  And having them leave it as is (IP wise) but
forward all requests to our new IP?  I don't quite understand changing IPs
and then forwarding from the router.. it seems to me that that would just
achieve the same results as we are getting now?

	I am compiling lynx now to see if I can connect to the server
through localhost using lynx (however the box doesn't have ncurses, g++ or
anything, so, gcc is compiling now, next is ncurses, then I can compile
lynx ;) ) so.. I'll report what I get in that area soon..

Thanks for all of your help,

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




RE: [users@httpd] Problems with SSL All of a Sudden

Posted by Jeff Cohen <su...@gej-it.com>.
Hi Daniel,

It seems like you have a connectivity problem to port 443 into your server,
but the problem is not locally cause you can telnet localhost 443,
therefore, I would suggest trying and changing the IP on your server and try
and forward the port from the router into your new IP address, check if that
would do, I think it's more likely a network issue rather than an Apache
issue.

All the best,
Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!

> -----Original Message-----
> From: Daniel R. Blair [mailto:joecamel@realcoders.org]
> Sent: Monday, May 26, 2003 1:54 PM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Problems with SSL All of a Sudden
> 
> On Sun, 25 May 2003, Jeff Cohen wrote:
> 
> > I know these questions are not really in time, but nobody asked that and
> > they might lead you somewhere I guess.
> > 1. Are you running this server behind a firewall? Which firewall??
> 
> Not local on the box...
> 
> > 2. Did you check with the ISP if they changed any network configuration in
> > their networks?
> 
> We did make sure that port 443 was open (because when we moved to the new
> facility, we had problems with a lot of stuff and they had to open up a
> lot of ports for us upon request for each service we needed (22 for ssh,
> 443 for SSL, 25 for SMTP, etc..)  Now, my Boss called them and made sure
> that 443 was open, but that's it.. I don't think he asked if they changed
> anything, but, I'm sure he explained the problem we are having and I would
> hope they would come back with something like "We replaced the router and
> everything should have been restored properly, but, let us make sure" or
> something if they had  done something non-standard...   I know this is an
> assumption, but, they are a fairly competent Co-Lo facility....
> 
> > 3. If you do have a firewall, who's responsible for it, maybe it was all
> > started due to a reboot of the firewall, when some configuration weren't
> > active.
> 
> The only thing I can think of that would constitute anything related to
> your question would be that we do have the router that we're behind only
> allowing certain ports through.. so.. it's possible that it was rebooted
> and it's causing problems.. but, I don't think so.. not 100% though
> because we don't run it/have access to it..
> 
> Thanks Jeff... all of your help is greatly appreciated.. as well as your
> time in this matter...
> 
> 
> Sincerely,
> 
> Danny
> 
> 
>                            = Daniel Blair =
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - dblair@realcoders.org -                   [http://www.realcoders.org]
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> 


RE: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Sun, 25 May 2003, Jeff Cohen wrote:

> I know these questions are not really in time, but nobody asked that and
> they might lead you somewhere I guess.
> 1. Are you running this server behind a firewall? Which firewall??

Not local on the box...

> 2. Did you check with the ISP if they changed any network configuration in
> their networks?

We did make sure that port 443 was open (because when we moved to the new
facility, we had problems with a lot of stuff and they had to open up a
lot of ports for us upon request for each service we needed (22 for ssh,
443 for SSL, 25 for SMTP, etc..)  Now, my Boss called them and made sure
that 443 was open, but that's it.. I don't think he asked if they changed
anything, but, I'm sure he explained the problem we are having and I would
hope they would come back with something like "We replaced the router and
everything should have been restored properly, but, let us make sure" or
something if they had  done something non-standard...   I know this is an
assumption, but, they are a fairly competent Co-Lo facility....

> 3. If you do have a firewall, who's responsible for it, maybe it was all
> started due to a reboot of the firewall, when some configuration weren't
> active.

The only thing I can think of that would constitute anything related to
your question would be that we do have the router that we're behind only
allowing certain ports through.. so.. it's possible that it was rebooted
and it's causing problems.. but, I don't think so.. not 100% though
because we don't run it/have access to it..

Thanks Jeff... all of your help is greatly appreciated.. as well as your
time in this matter...


Sincerely,

Danny


                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




RE: [users@httpd] Problems with SSL All of a Sudden

Posted by Jeff Cohen <su...@gej-it.com>.
I know these questions are not really in time, but nobody asked that and
they might lead you somewhere I guess.
1. Are you running this server behind a firewall? Which firewall??
2. Did you check with the ISP if they changed any network configuration in
their networks? 
3. If you do have a firewall, who's responsible for it, maybe it was all
started due to a reboot of the firewall, when some configuration weren't
active.

All the best,
Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!

> -----Original Message-----
> From: Daniel R. Blair [mailto:joecamel@realcoders.org]
> Sent: Sunday, May 25, 2003 1:17 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Problems with SSL All of a Sudden
> 
> On Sat, 24 May 2003, WC -Sx- Jones wrote:
> 
> >
> > On Saturday, May 24, 2003, at 07:05  PM, Daniel R. Blair wrote:
> >
> > > https://www.juke.biz/content/index.jsp...
> >
> >
> > I ran a few checks (nmap, Tyrantula, a few Perl SSL scans) and I will
> > say that as of Sat 20:10 Eastern, that https server is NOT online --
> > all connect attempts failed (if you are using tripwire or portsentry
> > then your logs will show connect attempts from bellsouth and/or
> > insecurity.org...)  What version of Unix are you using?  If you are
> > using SUN/Solaris - did you check to make sure SunScreen lite is not
> > installed and active?
> 
> Well, regular http://www.juke.biz/content/index.jsp works fine, and, the
> netstat -na reports that there is a LISTEN setup on port 443 for all IP
> addresses (0.0.0.0:443    LISTEN)  so, that's the problem, it SHOULD be
> online, but it's not.. and nothing was changed so, it shouldn't have even
> changed its operation, even a reboot didn't help...  We're running Redhat
> 7, the output of uname -a follows:
> 
> uname -a Output:  Linux rocola.com 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT
> 2002 i686 i686 i386 GNU/Linux
> 
> 
> > At any rate, it can only be one or more of the following -
> >
> > 1)  A Juke.biz firewall is blocking access to 443.
> 
> There is no firewall on the box, and we've verified with the Co-Lo
> provider that port 443 was and still is open on their router..
> 
> > 2)  There is a 443 config error - whether logged or not -- from one or
> > more Apache server extension modules:
> >
> > My scan shows (http checked, could not connect to https) -
> >
> > HTTP Status:  200 null
> > Date:  Sun, 25 May 2003 02:26:16 GMT
> > Server:  Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b
> > mod_jk/1.2.0 PHP/4.2.3
> > Set-Cookie:  JSESSIONID=733BDB1F81BB4D3DF0F49801EE3550BB; Path=/
> > Keep-Alive:  timeout=15, max=100
> > Connection:  Keep-Alive
> > Transfer-Encoding:  chunked
> > Content-Type:  text/html;charset=ISO-8859-1
> > content-length:  20977
> 
> a 443 config error?  Where would this be configured and where could I
> check/change this?  This is the first time I've heard of this..
> 
> > 3.  The apachectl startssl command (or -D SSL option) was not used to
> > start the server.
> 
> /usr/local/apache2/bin/apachectl startssl is the command used to start the
> server on startup and manually when trying to fix the problem.. numerous
> times, so that is NOT the problem..
> 
> > 4.  The ssl.conf file is not being included, and therefore ignored,
> > upon start-up.
> 
> Hmm... it needs to be included in the Apache config?  I'll check and make
> sure that it's being included...
> 
> > I believe the list has exhausted all avenues for resolution, therefore
> > (if I were in your shoes) I suggest you contact a third party SSL
> > consultant who can troubleshoot and rebuild the SSL portion as
> > appropriate.
> >
> > I mean, if this is a business issue, then it would dictate that a
> > proper business resolution be followed at this late date.
> 
> I agree, it's got to be fixed.. and I have no clue given what everyone has
> tried to do to help what in the hell to do to fix it...
> 
> 
> Thank you immensely for your detailed troubleshooting help and
> information, it means a great deal.
> 
> Danny
> 
> 
>                            = Daniel Blair =
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - dblair@realcoders.org -                   [http://www.realcoders.org]
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> 


Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Tue, 27 May 2003, Ryan Tracey wrote:

> Hi
>
> For what it's worth I tried a tcptraceroute on port 443 to www.juke.biz
> and got 'port unreachable' on the last hop.
>
> ---cut---
> 13  sl-gw29-atl-9-0.sprintlink.net (144.232.8.230)  283.151 ms  284.057 ms  284.908 ms
> 14  208.30.202.6 (208.30.202.6)  282.099 ms  281.914 ms  280.972 ms
> 15  s95332-2.savvis-internet.usatln2-bsn.savvis.net (216.90.158.2)  287.740 ms  289.404 ms  293.214 ms
> 16  rocola.com (216.24.170.247)  287.361 ms !p  286.400 ms !p  287.292 ms !p
> --
>
> Danny also might want to try using openssl (on a box that has it -- like
> the web server itself should) to test out connectivity on port 443.
> Might be faster than lynx and later on can be used to run more detailed
> tests, if necessary.
>
> tsunami: ~$ openssl s_client -connect www.juke.biz:443
> connect: Connection refused
> connect:errno=29
>
> Also, nmap indicates that FIN packets get through but SYN packets are
> filtered -- most probably by the router in front of the web server. But
> see if 'ipchains -nL' or 'iptables -nL' returns anything on the
> webserver -- it wouldn't be the first time that someone inadvertently
> started up firewalling on booting.
>
> I hope that helps in some way.

Ryan,
	Thanks.. will try that if the other things don't work, but, lynx
did connect without a problem.. so, it's most likely the ISP.. we'll see
soon, and I'll post my fix, etc. for everyone to know...

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Re: [users@httpd] Problems with SSL All of a Sudden - FIXED!!!

Posted by Ryan Tracey <ry...@thawte.com>.
Great! Quite a load off then.  Been there too, though. Except it was 
with ipchains. Various cgi scripts connected to localhost:25 to send 
confirmation emails. However, our MTA, in its then configuration, had a 
30 second timeout for ident -- and I didn't have a localhost:ident 
ipchains rule, with the result that it took at least 30 seconds to 
execute the cgi script... Looked at database connectivity, contacted the 
ISP, sent shrapnel in all directions and then finally a colleague went 
through the cgi code step by step and noticed that it took a long time 
to send emails... forehead, hand, slap! Anyway, now there's an ident 
rule *and* the MTA no longer requires ident...

Cheers,
Ryan

Daniel R. Blair wrote:
> Ok guys, fixed it.  Finally.  Thank you all for your help, you don't know
> what it's meant to me over the past week, and how much of a help it was in
> troubleshooting the problem and where it was.
> 
> The fix:  /sbin/iptables -F (flush) INPUT
> 
> apparently *SOMETHING* in the iptables was causing it to reject something
> that was allowing localhost, but *NOT* allowing anything else.. but, in
> any case, flushing the rules fixed it... so.. that was the problem all
> along.. damnit.. well.. at least we/you guys will know if/when a next time
> occurs.. I just wish I had more experience with linux to have known to
> check the IP Tables configuration (even though we've rebooted multiple
> times before and never had a problem.. and didn't change ANY of the rules,
> and *DIDN'T* reboot to cause the problem to start happening) anyways, it's
> over.. I'm happy, I'm sure you guys are too so you can stop seeing these
> posts... but.. thank you ALL again, you guys were excellent!
> 
> Too thankful to state in words,
> 
> Danny
> 
>                            = Daniel Blair =
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - dblair@realcoders.org -                   [http://www.realcoders.org]
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> 


-- 
Ryan Tracey          | +27 21 917 8909
Thawte Certification | https://www.thawte.com
Mollison's Bureaucracy Hypothesis:
	If an idea can survive a bureaucratic review and be implemented
	it wasn't worth doing.




[users@httpd] Problems with SSL All of a Sudden - FIXED!!!

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
Ok guys, fixed it.  Finally.  Thank you all for your help, you don't know
what it's meant to me over the past week, and how much of a help it was in
troubleshooting the problem and where it was.

The fix:  /sbin/iptables -F (flush) INPUT

apparently *SOMETHING* in the iptables was causing it to reject something
that was allowing localhost, but *NOT* allowing anything else.. but, in
any case, flushing the rules fixed it... so.. that was the problem all
along.. damnit.. well.. at least we/you guys will know if/when a next time
occurs.. I just wish I had more experience with linux to have known to
check the IP Tables configuration (even though we've rebooted multiple
times before and never had a problem.. and didn't change ANY of the rules,
and *DIDN'T* reboot to cause the problem to start happening) anyways, it's
over.. I'm happy, I'm sure you guys are too so you can stop seeing these
posts... but.. thank you ALL again, you guys were excellent!

Too thankful to state in words,

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Wed, 28 May 2003, Benjamin Krueger wrote:

> If iptables is configured to deny by default, and it is not in your ruleset,
> 443 will be blocked. Before you go any further accusing your ISP of blocking
> HTTPS I would verify that you aren't doing the firewalling with iptables. ;)

Benjamin,
	you got it =] lol.. I figured it out before reading this, but,
that was the prob... thanks for the response though, much appreciated.

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by Benjamin Krueger <be...@seattlefenix.net>.
* Daniel R. Blair (joecamel@realcoders.org) [030528 11:48]:
> On Tue, 27 May 2003, Ryan Tracey wrote:
> 
> > Danny also might want to try using openssl (on a box that has it -- like
> > the web server itself should) to test out connectivity on port 443.
> > Might be faster than lynx and later on can be used to run more detailed
> > tests, if necessary.
> >
> > tsunami: ~$ openssl s_client -connect www.juke.biz:443
> > connect: Connection refused
> > connect:errno=29
> 
> Ryan,
> 	This does connect from within the box.. and shows the certificate,
> etc.
> 
> 
> >
> > Also, nmap indicates that FIN packets get through but SYN packets are
> > filtered -- most probably by the router in front of the web server. But
> > see if 'ipchains -nL' or 'iptables -nL' returns anything on the
> > webserver -- it wouldn't be the first time that someone inadvertently
> > started up firewalling on booting.
> 
> iptables -nL shows nothing about 443, but it does show ACCEPT 80, etc.
> does it need to have an ACCEPT 443?  Could that be the problem?  ipchains
> doesn't exist on the box, I searched for the binary and couldn't find it..
> so.. was unable to run that command...
> 
> Danny

If iptables is configured to deny by default, and it is not in your ruleset,
443 will be blocked. Before you go any further accusing your ISP of blocking
HTTPS I would verify that you aren't doing the firewalling with iptables. ;)

-- 
Benjamin Krueger
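
Added example, not part of any post in this thread: a simplified first-match walk over an INPUT chain, showing why a ruleset that accepts loopback and port 80 but has no rule for 443 lets the local lynx test succeed while outside clients fail, and how one ACCEPT rule for 443 compares with the `/sbin/iptables -F INPUT` flush reported as the fix. Both rulesets are constructed samples in `iptables -S INPUT` format, and the function names are made up for this sketch; it models only `-i`, `-p`, `-m tcp`, `-m state --state`, `--dport`, `-j` and `--reject-with`, and treats a rule with any other option as not matching.

```shell
#!/bin/sh
# Added example: simplified first-match evaluation of an INPUT chain for a
# NEW inbound TCP connection. Rulesets are constructed, not from the thread.

# Sample 1: default-deny policy; loopback, SSH and HTTP allowed; nothing for 443.
DEFAULT_DROP='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Sample 2: permissive policy, but the chain ends in a catch-all REJECT.
TRAILING_REJECT='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# The narrow change: one rule for HTTPS instead of flushing the whole chain.
# Live equivalent: iptables -I INPUT -p tcp --dport 443 -j ACCEPT
# (-I inserts at the head of the chain, -A appends at the end).
HTTPS_RULE='-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# input_verdict IFACE PORT   (rules on stdin)
# Prints the target of the first matching rule, or the chain policy if none match.
input_verdict() {
    awk -v iface="$1" -v port="$2" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            match_ok = 1; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") { if ($(i+1) != iface) match_ok = 0; i++ }
                else if ($i == "-p") { if ($(i+1) != "tcp" && $(i+1) != "all") match_ok = 0; i++ }
                else if ($i == "-m") { if ($(i+1) != "tcp" && $(i+1) != "state") match_ok = 0; i++ }
                else if ($i == "--state") {
                    # a brand-new connection only matches rules that list NEW
                    if (index("," $(i+1) ",", ",NEW,") == 0) match_ok = 0
                    i++
                }
                else if ($i == "--dport") {
                    n = split($(i+1), range, ":")
                    first = range[1] + 0
                    last = (n == 2 ? range[2] : range[1]) + 0
                    if (port + 0 < first || port + 0 > last) match_ok = 0
                    i++
                }
                else if ($i == "-j") { target = $(i+1); i++ }
                else if ($i == "--reject-with") { i++ }   # option of the REJECT target
                else { match_ok = 0 }                     # option this sketch does not model
            }
            if (match_ok && (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
                print target; decided = 1; exit
            }
        }
        END { if (!decided) print (policy == "" ? "ACCEPT" : policy) }
    '
}

# append_rule RULES RULE: what `iptables -A` does (rule goes last).
append_rule() { printf '%s\n%s\n' "$1" "$2"; }

# insert_first RULES RULE: what `iptables -I` does (rule goes first).
insert_first() {
    printf '%s\n' "$1" | awk -v rule="$2" '
        !placed && $1 == "-A" { print rule; placed = 1 }
        { print }
        END { if (!placed) print rule }'
}

# verdict RULES IFACE PORT: convenience wrapper around input_verdict.
verdict() { printf '%s\n' "$1" | input_verdict "$2" "$3"; }

echo "default-drop, lo   -> 443: $(verdict "$DEFAULT_DROP" lo 443)"
echo "default-drop, eth0 -> 443: $(verdict "$DEFAULT_DROP" eth0 443)"
echo "  after appending 443 rule: $(verdict "$(append_rule "$DEFAULT_DROP" "$HTTPS_RULE")" eth0 443)"
echo "trailing-reject, eth0 -> 443: $(verdict "$TRAILING_REJECT" eth0 443)"
echo "  after appending 443 rule: $(verdict "$(append_rule "$TRAILING_REJECT" "$HTTPS_RULE")" eth0 443)"
echo "  after inserting 443 rule: $(verdict "$(insert_first "$TRAILING_REJECT" "$HTTPS_RULE")" eth0 443)"
```

The second sample shows the ordering trap: appending the 443 rule after a catch-all REJECT changes nothing, because the REJECT still matches first.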



Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Tue, 27 May 2003, Ryan Tracey wrote:

> Danny also might want to try using openssl (on a box that has it -- like
> the web server itself should) to test out connectivity on port 443.
> Might be faster than lynx and later on can be used to run more detailed
> tests, if necessary.
>
> tsunami: ~$ openssl s_client -connect www.juke.biz:443
> connect: Connection refused
> connect:errno=29

Ryan,
	This does connect from within the box.. and shows the certificate,
etc.


>
> Also, nmap indicates that FIN packets get through but SYN packets are
> filtered -- most probably by the router in front of the web server. But
> see if 'ipchains -nL' or 'iptables -nL' returns anything on the
> webserver -- it wouldn't be the first time that someone inadvertently
> started up firewalling on booting.

iptables -nL shows nothing about 443, but it does show ACCEPT 80, etc.
does it need to have an ACCEPT 443?  Could that be the problem?  ipchains
doesn't exist on the box, I searched for the binary and couldn't find it..
so.. was unable to run that command...

Danny


                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by Ryan Tracey <ry...@thawte.com>.
Hi

For what it's worth I tried a tcptraceroute on port 443 to www.juke.biz 
and got 'port unreachable' on the last hop.

---cut---
13  sl-gw29-atl-9-0.sprintlink.net (144.232.8.230)  283.151 ms  284.057 ms  284.908 ms
14  208.30.202.6 (208.30.202.6)  282.099 ms  281.914 ms  280.972 ms
15  s95332-2.savvis-internet.usatln2-bsn.savvis.net (216.90.158.2)  287.740 ms  289.404 ms  293.214 ms
16  rocola.com (216.24.170.247)  287.361 ms !p  286.400 ms !p  287.292 ms !p
--

Danny also might want to try using openssl (on a box that has it -- like 
the web server itself should) to test out connectivity on port 443. 
Might be faster than lynx and later on can be used to run more detailed 
tests, if necessary.

tsunami: ~$ openssl s_client -connect www.juke.biz:443
connect: Connection refused
connect:errno=29

Also, nmap indicates that FIN packets get through but SYN packets are 
filtered -- most probably by the router in front of the web server. But 
see if 'ipchains -nL' or 'iptables -nL' returns anything on the 
webserver -- it wouldn't be the first time that someone inadvertently
started up firewalling on booting.

I hope that helps in some way.

Regards,
Ryan




WC -Sx- Jones wrote:
> 
> On Monday, May 26, 2003, at 02:05  PM, Daniel R. Blair wrote:
> 
>> Ifconfig output:
>>
>> eth0      Link encap:Ethernet  HWaddr 00:E0:18:84:8A:1A
>>           inet addr:216.24.170.247  Bcast:216.24.170.255
>> Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:303339 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:173926 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:100
>>           RX bytes:30012947 (28.6 Mb)  TX bytes:148454005 (141.5 Mb)
>>           Interrupt:9 Base address:0xb000
>>
> 
> 
> What does netstat -r say ?
> 
> 
> Also, did you tell someone else earlier that you were also accepting 
> SMTP (port 25) mail on this server?
> 
> If so, in your mail.log (or syslog) do you see a lot of TIME OUT AFTER
> DATA in it?
> 
> If you do, then that very strongly suggests that your MTU is invalid...
> 
> 
> I am totally out of ideas...
> 
> http://insecurity.org/
> _Sx____________________
>  ('>    iudicium ferat
>  //\   Have Computer -
>  v_/_    Will Hack...
> 
>               \|/ ____ \|/
>               "@'/ .. \`@"
>               /_| \__/ |_\
>                  \__U_/
> 
> 
> 


-- 
Ryan Tracey          | +27 21 917 8909
Thawte Certification | https://www.thawte.com
Mollison's Bureaucracy Hypothesis:
	If an idea can survive a bureaucratic review and be implemented
	it wasn't worth doing.




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Tue, 27 May 2003, WC -Sx- Jones wrote:

>
> On Monday, May 26, 2003, at 02:05  PM, Daniel R. Blair wrote:
>
> > Ifconfig output:
> >
> > eth0      Link encap:Ethernet  HWaddr 00:E0:18:84:8A:1A
> >           inet addr:216.24.170.247  Bcast:216.24.170.255
> > Mask:255.255.255.0
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:303339 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:173926 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:100
> >           RX bytes:30012947 (28.6 Mb)  TX bytes:148454005 (141.5 Mb)
> >           Interrupt:9 Base address:0xb000
> >
>
>
> What does netstat -r say ?
>
>
> Also, did you tell someone else earlier that you were also accepting
> SMTP (port 25) mail on this server?
>
> If so, in your mail.log (or syslog) do you see a lot of TIME OUT AFTER
> DATA in it?
>
> If you do, then that very strongly suggests that your MTU is invalid...
>
>
> I am totally out of ideas...

We think we figured it out, and it was the ISP blocking port 443 at the
router and falsely telling us that it was open, not sure if it's fixed
yet, but, that is believed to be the cause the whole damn time.. given
that I can connect from localhost with lynx just fine..

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by WC -Sx- Jones <li...@insecurity.org>.
On Monday, May 26, 2003, at 02:05  PM, Daniel R. Blair wrote:

> Ifconfig output:
>
> eth0      Link encap:Ethernet  HWaddr 00:E0:18:84:8A:1A
>           inet addr:216.24.170.247  Bcast:216.24.170.255
> Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:303339 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:173926 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:30012947 (28.6 Mb)  TX bytes:148454005 (141.5 Mb)
>           Interrupt:9 Base address:0xb000
>


What does netstat -r say ?


Also, did you tell someone else earlier that you were also accepting 
SMTP (port 25) mail on this server?

If so, in your mail.log (or syslog) do you see a lot of TIME OUT AFTER
DATA in it?

If you do, then that very strongly suggests that your MTU is invalid...


I am totally out of ideas...

http://insecurity.org/
_Sx____________________
  ('>    iudicium ferat
  //\   Have Computer -
  v_/_    Will Hack...

               \|/ ____ \|/
               "@'/ .. \`@"
               /_| \__/ |_\
                  \__U_/




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Sun, 25 May 2003, WC -Sx- Jones wrote:

>
> On Sunday, May 25, 2003, at 01:17  PM, Daniel R. Blair wrote:
> > changed its operation, even a reboot didn't help...  We're running
> > Redhat
> > 7, the output of uname -a follows:
> >
> > uname -a Output:  Linux rocola.com 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT
> > 2002 i686 i686 i386 GNU/Linux
>
>
> Hmmm....  Last question then and I will stop pestering you:

Please, ask away.. I *NEED* this fixed and am willing to answer any
question you pose right now buddy... your help is so greatly appreciated
that you cannot even comprehend how much..

> What does
>
> ifconfig -a
>
> state about the network interfaces?  Are you *sure* the MTU matches
> what the Co-Lo (ISP backbone) *router* states it should be?  If their
> router is 1500 - then your MTU should be 1500  -- however IF their
> router is something weird like 1492 - then YOUR mtu should be 1492.
> See?

MTU is 1500, not sure what theirs is, but, is there a way to find out
without asking them?  Note that this was all working fine for quite some
time, this issue just "happened" without any big change (with the
exception of adding a VirtualHost definition in the httpd.conf file and
restarting with apachectl startssl) however, the change that was made has
been removed, and the httpd.conf file was actually replaced by one in
place 2 weeks ago just in case a line break or something was causing a
problem.. so, I think if our MTU being different than theirs was a problem,
it would have surfaced upon placing the box at the Co-Lo, not now.. unless
they just replaced a router or something which introduced the problem...

-----------------------------------------------------------------------
Ifconfig output:

eth0      Link encap:Ethernet  HWaddr 00:E0:18:84:8A:1A
          inet addr:216.24.170.247  Bcast:216.24.170.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:303339 errors:0 dropped:0 overruns:0 frame:0
          TX packets:173926 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:30012947 (28.6 Mb)  TX bytes:148454005 (141.5 Mb)
          Interrupt:9 Base address:0xb000
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:39929 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39929 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10181486 (9.7 Mb)  TX bytes:10181486 (9.7 Mb)

---------------------  END ifconfig -a OUTPUT --------------------------

> > Thank you immensely for your detailed troubleshooting help and
> > information, it means a great deal.
>
>
> You're welcome, I know how aggravating these things can become.

I already had an ulcer, but, I think I have gotten at least another one
over this.. any other help you could provide would be GREATLY
appreciated.. any other commands I could run to help you determine the
state of things and why they are/are not working, I would be happy to do..

Thank you again, so much, I can't express it enough right now,

Danny
                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by WC -Sx- Jones <li...@insecurity.org>.
On Sunday, May 25, 2003, at 01:17  PM, Daniel R. Blair wrote:
> changed its operation, even a reboot didn't help...  We're running
> Redhat
> 7, the output of uname -a follows:
>
> uname -a Output:  Linux rocola.com 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT
> 2002 i686 i686 i386 GNU/Linux


Hmmm....  Last question then and I will stop pestering you:

What does

ifconfig -a

state about the network interfaces?  Are you *sure* the MTU matches 
what the Co-Lo (ISP backbone) *router* states it should be?  If their 
router is 1500 - then your MTU should be 1500  -- however IF their 
router is something weird like 1492 - then YOUR mtu should be 1492.  
See?


> Thank you immensely for your detailed troubleshooting help and
> information, it means a great deal.


You're welcome, I know how aggravating these things can become.

-Sx-

http://insecurity.org/
_Sx____________________
  ('>    iudicium ferat
  //\   Have Computer -
  v_/_    Will Hack...

               \|/ ____ \|/
               "@'/ .. \`@"
               /_| \__/ |_\
                  \__U_/




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Sat, 24 May 2003, WC -Sx- Jones wrote:

>
> On Saturday, May 24, 2003, at 07:05  PM, Daniel R. Blair wrote:
>
> > https://www.juke.biz/content/index.jsp...
>
>
> I ran a few checks (nmap, Tyrantula, a few Perl SSL scans) and I will
> say that as of Sat 20:10 Eastern, that https server is NOT online --
> all connect attempts failed (if you are using tripwire or portsentry
> then your logs will show connect attempts from bellsouth and/or
> insecurity.org...)  What version of Unix are you using?  If you are
> using SUN/Solaris - did you check to make sure SunScreen lite is not
> installed and active?

Well, regular http://www.juke.biz/content/index.jsp works fine, and, the
netstat -na reports that there is a LISTEN setup on port 443 for all IP
addresses (0.0.0.0:443    LISTEN)  so, that's the problem, it SHOULD be
online, but it's not.. and nothing was changed so, it shouldn't have even
changed its operation, even a reboot didn't help...  We're running Redhat
7, the output of uname -a follows:

uname -a Output:  Linux rocola.com 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT
2002 i686 i686 i386 GNU/Linux


> At any rate, it can only be one or more of the following -
>
> 1)  A Juke.biz firewall is blocking access to 443.

There is no firewall on the box, and we've verified with the Co-Lo
provider that port 443 was and still is open on their router..

> 2)  There is a 443 config error - whether logged or not -- from one or
> more Apache server extension modules:
>
> My scan shows (http checked, could not connect to https) -
>
> HTTP Status:  200 null
> Date:  Sun, 25 May 2003 02:26:16 GMT
> Server:  Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b
> mod_jk/1.2.0 PHP/4.2.3
> Set-Cookie:  JSESSIONID=733BDB1F81BB4D3DF0F49801EE3550BB; Path=/
> Keep-Alive:  timeout=15, max=100
> Connection:  Keep-Alive
> Transfer-Encoding:  chunked
> Content-Type:  text/html;charset=ISO-8859-1
> content-length:  20977

a 443 config error?  Where would this be configured and where could I
check/change this?  This is the first time I've heard of this..

> 3.  The apachectl startssl command (or -D SSL option) was not used to
> start the server.

/usr/local/apache2/bin/apachectl startssl is the command used to start the
server on startup and manually when trying to fix the problem.. numerous
times, so that is NOT the problem..

> 4.  The ssl.conf file is not being included, and therefore ignored,
> upon start-up.

Hmm... it needs to be included in the Apache config?  I'll check and make
sure that it's being included...

> I believe the list has exhausted all avenues for resolution, therefore
> (if I were in your shoes) I suggest you contact a third party SSL
> consultant who can troubleshoot and rebuild the SSL portion as
> appropriate.
>
> I mean, if this is a business issue, then it would dictate that a
> proper business resolution be followed at this late date.

I agree, it's got to be fixed.. and I have no clue given what everyone has
tried to do to help what in the hell to do to fix it...


Thank you immensely for your detailed troubleshooting help and
information, it means a great deal.

Danny


                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Re: [users@httpd] Problems with SSL All of a Sudden

Posted by WC -Sx- Jones <li...@insecurity.org>.
On Saturday, May 24, 2003, at 07:05  PM, Daniel R. Blair wrote:

> https://www.juke.biz/content/index.jsp...


I ran a few checks (nmap, Tyrantula, a few Perl SSL scans) and I will 
say that as of Sat 20:10 Eastern, that https server is NOT online -- 
all connect attempts failed (if you are using tripwire or portsentry 
then your logs will show connect attempts from bellsouth and/or 
insecurity.org...)  What version of Unix are you using?  If you are 
using SUN/Solaris - did you check to make sure SunScreen lite is not 
installed and active?

At any rate, it can only be one or more of the following -

1)  A Juke.biz firewall is blocking access to 443.

2)  There is a 443 config error - whether logged or not -- from one or 
more Apache server extension modules:

My scan shows (http checked, could not connect to https) -

HTTP Status:  200 null
Date:  Sun, 25 May 2003 02:26:16 GMT
Server:  Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b mod_jk/1.2.0 PHP/4.2.3
Set-Cookie:  JSESSIONID=733BDB1F81BB4D3DF0F49801EE3550BB; Path=/
Keep-Alive:  timeout=15, max=100
Connection:  Keep-Alive
Transfer-Encoding:  chunked
Content-Type:  text/html;charset=ISO-8859-1
content-length:  20977

3.  The apachectl startssl command (or -D SSL option) was not used to 
start the server.

4.  The ssl.conf file is not being included, and therefore ignored, 
upon start-up.

I believe the list has exhausted all avenues for resolution, therefore 
(if I were in your shoes) I suggest you contact a third party SSL 
consultant who can troubleshoot and rebuild the SSL portion as 
appropriate.

I mean, if this is a business issue, then it would dictate that a 
proper business resolution be followed at this late date.


HTH/Sx

http://insecurity.org/
_Sx____________________
  ('>    iudicium ferat
  //\   Have Computer -
  v_/_    Will Hack...

               \|/ ____ \|/
               "@'/ .. \`@"
               /_| \__/ |_\
                  \__U_/




RE: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Sat, 24 May 2003, Paul Simon wrote:

> > well, in the VirtualHost for the :443, there is a
> > CustomLog directive,
> > which logs stuff to ssl_request_log, and, when I
> > telnet to port 443, and
> > execute a get request, it does log an error stating
> > that the client isn't
> > communicating in SSL mode.. would there be anything
> > I could do that would
> > help you troubleshoot anymore by telnetting to port
> > 443 and executing
> > anything and sending you the log entries?
> >
> > I believe the errors it's reporting are simply
> > because I'm not
> > communicating in SSL, so, I'm not taking them as true
> > errors.. but.. they
> > could be..
>
> Ok. This to me is a good thing. It's saying that the
> SSL server would handle the request if the client was
> communicating using SSL. Is there anything on the
> *localhost* you could try which CAN communicate using
> SSL, successfully?

Unfortunately, neither lynx nor links is installed, and I'm not aware of anything
else that would establish an SSL connection.. I can ssh to the box, but
that's port 22, not 443.. and I am pretty sure is unrelated to SSL.. is
there anything you know of that I could do to test it using SSL?


> > What is a 504 (gateway timeout) error?  I don't get
> > this using mozilla
> > through a FreeBSD gateway aliasing my DSL IP.. I've
> > tried through lynx and
> > links as well.. does 504 gateway timeout give any
> > indication as to what is
> > the problem?
>
> Do you have a proxy server between the SSL box and the
> web user?

That error was submitted by someone else on the list when attempting to
connect to the server, so, it's possible that they had a proxy in between
and that's why they were getting the error.. the server is "www.juke.biz"
which, once loaded, will allow you to enter a username/pw in the upper
left hand corner, once you click login, it will try to post it to an https
URL and return an error (to me right away) stating that it cannot connect.
I am running a local DNS server, so, it's possible that the DNS is cached,
hence the immediate return.. but, if you'd like to try and see for
yourself, you can see what you get when trying to access
https://www.juke.biz/content/index.jsp...

> > Since we have established that it is listening on
> > 443 by the 0.0.0.0:443
> > LISTEN in the netstat -na output, what does that
> > mean/not mean?  That
> > apache is establishing an SSL listener socket, but
> > it's not being
> > forwarded to Apache?  Or Apache is not responding
> > properly?
> >
>
> Yes, there's a SSL socket listening for requests.
> Whenever I've seen a listening socket, it's been a
> good thing for me during the troubleshooting process.

Ok, that's what I figured, but, wasn't sure due to the 0.0.0.0 part of the
netstat report... wasn't sure if it was confused as to which address to
connect on, or something else that I wasn't aware of.. but.. this confirms
my thoughts on the particular piece of information..

> To me, it seems like your server is listening on the
> correct port. If you could just establish an actual
> SSL connection from the localhost then that would be a
> step in the right direction.

Is there any reason that Apache would just stop responding to SSL requests
for no reason?  Today I even replaced the conf files and included virtual
host files with a backup from a week or two ago, restarted, and am still
getting the same error...  it's totally weird, and it's getting to the
point where it must be fixed.. and I have no clue what to do about it...


Danny


                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




RE: [users@httpd] Problems with SSL All of a Sudden

Posted by Paul Simon <wr...@yahoo.com>.
> well, in the VirtualHost for the :443, there is a
> CustomLog directive,
> which logs stuff to ssl_request_log, and, when I
> telnet to port 443, and
> execute a get request, it does log an error stating
> that the client isn't
> communicating in SSL mode.. would there be anything
> I could do that would
> help you troubleshoot anymore by telnetting to port
> 443 and executing
> anything and sending you the log entries?
> 
> I believe the errors it's reporting are simply
> because I'm not
> communicating in SSL, so, I'm not taking them as true
> errors.. but.. they
> could be.. 

Ok. This to me is a good thing. It's saying that the
SSL server would handle the request if the client was
communicating using SSL. Is there anything on the
*localhost* you could try which CAN communicate using
SSL, successfully?

 
> What is a 504 (gateway timeout) error?  I don't get
> this using mozilla
> through a FreeBSD gateway aliasing my DSL IP.. I've
> tried through lynx and
> links as well.. does 504 gateway timeout give any
> indication as to what is
> the problem?

Do you have a proxy server between the SSL box and the
web user?
 
> Since we have established that it is listening on
> 443 by the 0.0.0.0:443
> LISTEN in the netstat -na output, what does that
> mean/not mean?  That
> apache is establishing an SSL listener socket, but
> it's not being
> forwarded to Apache?  Or Apache is not responding
> properly?
> 

Yes, there's a SSL socket listening for requests.
Whenever I've seen a listening socket, it's been a
good thing for me during the troubleshooting process.

To me, it seems like your server is listening on the
correct port. If you could just establish an actual
SSL connection from the localhost then that would be a
step in the right direction.

=====
=====
'Ideals are like stars. We may never reach them, but we use them to chart our course.' -- Unknown
=====
"Do not go where the path may lead, go instead where there is no path and leave a trail" -- Ralph Waldo Emerson.
=====



RE: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Fri, 23 May 2003, Paul Simon wrote:

>
> > The log files say absolutely nothing about the
> > current problem.  There is
> > NOTHING that says anything is wrong.. but, what log
> > file in particular are
> > you referring to so I can perhaps inspect it and let
> > you know what EXACTLY
> > it says..
>
> I'm talking about your error logs for both http and
> https (if they are separate). it's hard to
> troubleshoot without any errors being logged.

well, in the VirtualHost for the :443, there is a CustomLog directive,
which logs stuff to ssl_request_log, and, when I telnet to port 443, and
execute a get request, it does log an error stating that the client isn't
communicating in SSL mode.. would there be anything I could do that would
help you troubleshoot anymore by telnetting to port 443 and executing
anything and sending you the log entries?

I believe the errors it's reporting are simply because I'm not
communicating in SSL, so, I'm not taking them as true errors.. but.. they
could be.. if so, I can send the log entries to you... if it would help..

> > https://www.juke.biz address and given the https
> > prefix it comes right
> > back with a cannot connect to server...
>
> When I go there, I get a 504 (gateway timeout)

What is a 504 (gateway timeout) error?  I don't get this using mozilla
through a FreeBSD gateway aliasing my DSL IP.. I've tried through lynx and
links as well.. does 504 gateway timeout give any indication as to what is
the problem?

> If you do a netstat -na do you see your server
> listening on 443?

Since we have established that it is listening on 443 by the 0.0.0.0:443
LISTEN in the netstat -na output, what does that mean/not mean?  That
apache is establishing an SSL listener socket, but it's not being
forwarded to Apache?  Or Apache is not responding properly?

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



RE: [users@httpd] Problems with SSL All of a Sudden

Posted by Paul Simon <wr...@yahoo.com>.
 
> The log files say absolutely nothing about the
> current problem.  There is
> NOTHING that says anything is wrong.. but, what log
> file in particular are
> you referring to so I can perhaps inspect it and let
> you know what EXACTLY
> it says.. 

I'm talking about your error logs for both http and
https (if they are separate). it's hard to
troubleshoot without any errors being logged.

> https://www.juke.biz address and given the https
> prefix it comes right
> back with a cannot connect to server...

When I go there, I get a 504 (gateway timeout)

If you do a netstat -na do you see your server
listening on 443? 



RE: [users@httpd] Problems with SSL All of a Sudden

Posted by "Daniel R. Blair" <jo...@realcoders.org>.
On Fri, 23 May 2003, Paul Simon wrote:

>
> One user caused you to reboot the server? Had you ever
> rebooted the server without problems before this
> incident?

We have rebooted with no problems previously... and it wasn't "one user"
the boss said "Just reboot it and see if it fixes it rather than analyzing
log files, etc. we need it back up.."


> An expired certificate wouldn't cause your server to
> stop listening on 443. What do your server logs say?

The log files say absolutely nothing about the current problem.  There is
NOTHING that says anything is wrong.. but, what log file in particular are
you referring to so I can perhaps inspect it and let you know what EXACTLY
it says.. or is there something I can do that would help you troubleshoot
it any further?  The site is:  www.juke.biz and when you try to login,
just type anything as user/pw, you can see it trying to post to an
https://www.juke.biz address and given the https prefix it comes right
back with a cannot connect to server...

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                  -/-  s e g m e n t : o f f s e t -/-



RE: [users@httpd] Problems with SSL All of a Sudden

Posted by Paul Simon <wr...@yahoo.com>.
One user caused you to reboot the server? Had you ever
rebooted the server without problems before this
incident? 

An expired certificate wouldn't cause your server to
stop listening on 443. What do your server logs say?



=====
=====
'Ideals are like stars. We may never reach them, but we use them to chart our course.' -- Unknown
=====
"Do not go where the path may lead, go instead where there is no path and leave a trail" -- Ralph Waldo Emerson.
=====



RE: [users@httpd] Problems with SSL All of a Sudden

Posted by Nigel Peck - MIS Web Design <ni...@miswebdesign.com>.
I'm sure there will be a lot better suggestions from others on the list but have you done a configtest?

apachectl configtest
or
httpsdctl configtest

I was getting a SIGTERM about an hour ago and it was because the Listen and Port directives were done incorrectly in httpsd.conf.

HTH
Nigel

> -----Original Message-----
> From: Daniel R. Blair [mailto:joecamel@realcoders.org]
> Sent: 23 May 2003 18:43
> To: Apache's HTTPD Mailing List
> Subject: [users@httpd] Problems with SSL All of a Sudden
> 
> 
> Hi guys,
> 	I am new to the list, but have checked all of the FAQs, etc. and
> cannot seem to figure out what is wrong.
> 
> 	We have been running Apache2 2.0.43 for quite some time now, with
> SSL and a valid certificate for doing credit card processing, et al.
> 
> 	As of yesterday, a user called and said that they could not
> complete a credit card transaction.  I checked everything, and we just
> rebooted the server (RH 7 I believe) remotely to see if that fixed
> anything because we were in a hurry to get it fixed (read: my boss was
> freaking out and troubleshooting wasn't an issue, so the command to reboot
> the box was given.) Now, after a reboot, when trying to access
> https://domain.com/anything.html or .jsp immediately returns with a
> browser error that it cannot connect to the server.
> 
> 	Nothing was changed in the config file(s), and nothing abnormal is
> in the log files AT ALL, no errors, no nothing.. just "received SIGTERM,
> shutdown.. and Starting Up, resuming Operations normally" so.. at this
> point I am pulling my hair out as to what could have happened and why this
> all of a sudden just stopped working.
> 
> 	Now, I asked my boss if his certificate had expired, and then he
> informed me that on April 30th he received an email stating he had 90 days
> to re-new the certificate, which would mean we still had over 2 months to
> re-new (unless VeriSign messed up or something), but, to my knowledge,
> even an expired certificate would just give the user, via their browser,
> an error/informative message that the certificate had expired and ask
> whether or not to continue.. I see no reason why it would stop responding
> COMPLETELY to https requests...
> 
> 	I've tried telnetting to port 443 and get no response...
> 
> 	Does anyone have any clue as to what may have happened and/or
> perhaps WHY?  This is just totally baffling me as to what the problem
> could be, and, why a reboot wouldn't fix it.. given that nothing was
> modified configuration wise (which by the way, apachectl -t reports syntax
> is OK.)  Just FYI, Apache *IS* connected to Tomcat using mod_jk connector
> and all is fine with it, but again, no https/SSL requests are being served
> AT ALL..
> 
> Any and all help will be GREATLY appreciated guys.
> 
> Thanks a lot,
> 
> Danny
> 
>                            = Daniel Blair =
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - dblair@realcoders.org -                   [http://www.realcoders.org]
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 


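An added example, not part of any poster's message: a syntax check such as `apachectl configtest` can report OK while no Listen directive for 443 is actually in effect, which fits the point above that an expired certificate would not stop the server listening. The sketch below prints the ports whose Listen directives are active for a given set of -D defines; the function names and the sample config (including its `<IfDefine SSL>` layout) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample config, not taken from the thread: the SSL listener
# sits inside <IfDefine SSL>, so it is only active when httpd runs with -DSSL.
sample_conf() {
cat <<'EOF'
Listen 80
<IfDefine SSL>
  # SSL listener and vhost
  Listen 443
  <VirtualHost _default_:443>
    SSLEngine on
  </VirtualHost>
</IfDefine>
<IfDefine !SSL>
  Listen 8080
</IfDefine>
EOF
}

# effective_listen "DEFINES" < config
# Prints the port of every Listen directive that is active for the given
# space-separated -D names. Include directives are not followed.
effective_listen() {
  awk -v defs="$1" '
    BEGIN { n = split(defs, d, " "); for (i = 1; i <= n; i++) on[d[i]] = 1 }
    $1 ~ /^#/ { next }                       # skip comment lines
    tolower($1) == "<ifdefine" {
      depth++
      name = $2; sub(/>$/, "", name)         # "SSL>" -> "SSL"
      neg = (name ~ /^!/); sub(/^!/, "", name)
      active = (name in on) ? !neg : neg
      if (!skip && !active) skip = depth     # remember where skipping began
      next
    }
    tolower($1) == "</ifdefine>" { if (skip == depth) skip = 0; depth--; next }
    !skip && tolower($1) == "listen" {
      port = $2; sub(/.*:/, "", port)        # "10.0.0.1:443" -> "443"
      print port
    }
  '
}

# listens_on PORT "DEFINES" < config : succeeds if PORT has an active Listen.
listens_on() {
  effective_listen "$2" | grep -qx "$1"
}
```

Feed it the real configuration on stdin and pass the defines the server was actually started with; if 443 is missing from the output, the cause is in the configuration or startup flags rather than the certificate.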