Posted to users@httpd.apache.org by "Law, Bob" <Ro...@wolterskluwer.com> on 2012/09/11 17:09:15 UTC
[users@httpd] RE: httpd 2.2.22, mod_jk, open_ssl, does not appear to be running secure
I was able to figure out the problem. Httpd 2.2.22 does not support the <IfDefined SSL> command in the ssl.conf file. Once I removed that, then it started loading my ssl configuration.
Robert Law
Software Engineer
Wolters Kluwer Health Medical Research
801.304.3012 tel
Robert.Law@wolterskluwer.com
www.ovid.com
-----Original Message-----
From: Law, Bob [mailto:Robert.Law@wolterskluwer.com]
Sent: Monday, September 10, 2012 1:40 PM
To: users@httpd.apache.org
Subject: [users@httpd] httpd 2.2.22, mod_jk, open_ssl, does not appear to be running secure
I am trying to run httpd 2.2.22 with open_ssl built in and mod_jk. It does not appear that my SSL is working. Using Firefox and the following httpd.conf and ssl.conf files, I can access my site https://shibboleth-dev.XXXX.com:8397/osp and my request is routed through mod_jk and the application runs. The application is known as a discovery page and allows me to redirect a browser to an institution where they can log in using the institution's credentials (basic SAML authentication). Once they log in they send a redirect to my browser that is supposed to go to my web application and continue. However, I am always getting an SSL error at that point. If I try to use Internet Explorer or Chrome, I never even get to my discovery page. I get an SSL error right at the beginning.
The error_log gives me the following error:
Invalid method in request \x16\x03
The access_log gives me the following:
"\x16\x03" 501 214
(The XXXX in this document replace the actual site name)
Can anybody tell me how to get ssl working on 2.2.22?
If I move the JKWorkersFile, JKLogFile, JKLogLevel, JKLogStampFormat, and JKMount commands into the VirtualHost, then I am told that /osp/ cannot be found on the server.
Running httpd -l gives me the following output:
Compiled in modules:
core.c
mod_authn_file.c
mod_authn_default.c
mod_authz_host.c
mod_authz_groupfile.c
mod_authz_user.c
mod_authz_default.c
mod_auth_basic.c
mod_include.c
mod_filter.c
mod_log_config.c
mod_env.c
mod_setenvif.c
mod_version.c
mod_ssl.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_negotiation.c
mod_dir.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_so.c
My error_log gives me the following startup messages:
[Mon Sep 10 14:24:42 2012] [warn] No JkShmFile defined in httpd.conf. Using default /o/r/rlaw/openathens/http/logs/jk-runtime-status
[Mon Sep 10 14:24:42 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Sep 10 14:24:42 2012] [warn] No JkShmFile defined in httpd.conf. Using default /o/r/rlaw/openathens/http/logs/jk-runtime-status
[Mon Sep 10 14:24:43 2012] [notice] Apache/2.2.22 (Unix) mod_jk/1.2.37 mod_ssl/2.2.22 OpenSSL/1.0.0g configured -- resuming normal operations
The log files for ssl are never created.
Here are my httpd.conf and ssl.conf files.
httpd.conf
ServerRoot "/o/r/rlaw/openathens/http"
Listen 10.200.209.145:8397
Listen 10.200.209.145:8398
LoadModule jk_module libexec/mod_jk.so
JkWorkersFile /o/r/rlaw/openathens/tomcat/conf/workers.properties
JkLogFile /o/r/rlaw/openathens/tomcat/logs/mod_jk.log
JKLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkMount /osp/* ajp13
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
User nobody
Group #-1
</IfModule>
</IfModule>
ServerAdmin you@example.com
ServerName shibbooleth-dev.XXXX.com
DocumentRoot "/o/r/rlaw/openathens/http/htdocs"
<Directory />
Options FollowSymLinks
AllowOverride None
#Order deny,allow
#Deny from all
</Directory>
<Directory "/o/r/rlaw/openathens/http/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<FilesMatch "^\.ht">
#Order allow,deny
#Deny from all
#Satisfy All
</FilesMatch>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" common
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/o/r/rlaw/openathens/http/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/o/r/rlaw/openathens/http/cgi-bin">
AllowOverride None
Options None
#Order allow,deny
#Allow from all
</Directory>
DefaultType text/plain
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>
Include conf/ssl.conf
ssl.conf
--------
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/o/r/rlaw/openathens/http/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/o/r/rlaw/openathens/http/logs/ssl_mutex
NameVirtualHost 10.200.209.145:8398
NameVirtualHost 10.200.209.145:8397
<VirtualHost 10.200.209.145:8398>
ServerName shibboleth-dev.XXXX.com
DocumentRoot /o/r/rlaw/openathens/http/htdocs
ErrorLog /o/r/rlaw/openathens/http/logs/error_log
CustomLog /o/r/rlaw/openathens/http/logs/access_log combined
</VirtualHost>
<VirtualHost 10.200.209.145:8397>
DocumentRoot "/o/r/rlaw/openathens/http/htdocs"
ServerName shibboleth-dev.XXXX.com
ServerAdmin info@somesite.com
ErrorLog /o/r/rlaw/openathens/http/logs/ssl_shibboleth.XXXX.com.error_log
CustomLog /o/r/rlaw/openathens/http/logs/ssl-shibboleth.XXXX.com-access_log combined
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /online/shibboleth/ssl/certs/shibboleth.XXXX.com.crt
SSLCertificateKeyFile /online/shibboleth/ssl/private/shibboleth.XXXX.com.key
SSLCertificateChainFile /online/shibboleth/ssl/certs/verisign.crt
SSLVerifyClient optional_no_ca
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/o/r/rlaw/openathens/http/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /o/r/rlaw/openathens/http/logs/ssl_request_shibboleth_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
Thanks for your help.
Robert Law
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] RE: httpd 2.2.22, mod_jk, open_ssl, does not appear to be running secure
Posted by Tom Evans <te...@googlemail.com>.
On Tue, Sep 11, 2012 at 4:55 PM, Law, Bob <Ro...@wolterskluwer.com> wrote:
> That must have been a change since 2.0.63. We are running apache with shibboleth and httpd-2.0.63. Our ssl.conf file has the <IfDefine> for SSL, but we don't start up httpd with -DSSL.
>
> I'm just glad I got it working.
>
Perhaps your OS/init scripts were starting the older version of httpd
in a manner you did not understand; this functionality hasn't changed
since httpd 1.3 at the latest. 2.0 documents it explicitly:
http://httpd.apache.org/docs/2.0/mod/core.html#ifdefine
http://httpd.apache.org/docs/2.0/programs/httpd.html
Some/most Linux distributions will have init scripts that
automatically insert "-DFEATURE" that cause parts of their generic
httpd.conf to activate, based upon whatever way of expressing
preferences that distribution has blessed.
E.g., in Gentoo, you edit "/etc/conf.d/apache2" and add APACHE2_OPTS="-D SSL",
whereas in Debian you would run the command "a2enmod ssl",
which presumably does something similar behind the scenes.
Cheers
Tom
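
An added example, not part of the original posts and not httpd's own code: a simplified Python model of the behaviour discussed in this thread. It shows which Listen ports end up without an active "SSLEngine on" virtual host for a given set of -D names, and recognises the "\x16\x03" request line that a TLS handshake leaves in the log of a plain-HTTP listener. The function names and the sample config (abbreviated from the posted files) are constructed for illustration; only Listen, <IfDefine>, <VirtualHost> and SSLEngine are modelled.

```python
import re

# Constructed sample, abbreviated from the Listen lines and ssl.conf in this thread.
SAMPLE_CONF = """\
Listen 10.200.209.145:8397
Listen 10.200.209.145:8398
<IfDefine SSL>
<VirtualHost 10.200.209.145:8397>
SSLEngine on
</VirtualHost>
</IfDefine>
"""

def active_lines(conf_text, defines):
    """Yield the config lines that remain once <IfDefine> is evaluated for -D names."""
    stack = []  # one bool per open <IfDefine>: is that block enabled?
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = re.match(r"<IfDefine\s+(!?)\s*([^>\s]+)\s*>$", line, re.I)
        if m:
            stack.append((m.group(2) in defines) != (m.group(1) == "!"))
        elif line.lower() == "</ifdefine>":
            stack.pop()
        elif line and not line.startswith("#") and all(stack):
            yield line

def plaintext_ports(conf_text, defines):
    """Return Listen ports with no active <VirtualHost> that sets SSLEngine on."""
    listen, tls, vhost_port = set(), set(), None
    for line in active_lines(conf_text, defines):
        low = line.lower()
        if low.startswith("listen "):
            listen.add(line.split()[1].rsplit(":", 1)[-1])
        elif low.startswith("<virtualhost"):
            vhost_port = line.rstrip(">").split()[1].rsplit(":", 1)[-1]
        elif low.startswith("</virtualhost"):
            vhost_port = None
        elif low.split() == ["sslengine", "on"] and vhost_port:
            tls.add(vhost_port)
    return sorted(listen - tls)

def is_tls_on_plain_port(request_field):
    """True if the escaped request field starts with 0x16 0x03 (TLS handshake record)."""
    return request_field.startswith("\\x16\\x03")

if __name__ == "__main__":
    print("started without -D:", plaintext_ports(SAMPLE_CONF, set()))
    print("started with -DSSL:", plaintext_ports(SAMPLE_CONF, {"SSL"}))
```

Port 8397 is reported as plaintext only when SSL is not defined, which matches the "Invalid method in request \x16\x03" symptom in the original post.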
RE: [users@httpd] RE: httpd 2.2.22, mod_jk, open_ssl, does not appear to be running secure
Posted by "Law, Bob" <Ro...@wolterskluwer.com>.
That must have been a change since 2.0.63. We are running apache with shibboleth and httpd-2.0.63. Our ssl.conf file has the <IfDefine> for SSL, but we don't start up httpd with -DSSL.
I'm just glad I got it working.
Robert Law
Software Engineer
Wolters Kluwer Health Medical Research
801.304.3012 tel
Robert.Law@wolterskluwer.com
www.ovid.com
-----Original Message-----
From: Tom Evans [mailto:tevans.uk@googlemail.com]
Sent: Tuesday, September 11, 2012 9:16 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] RE: httpd 2.2.22, mod_jk, open_ssl, does not appear to be running secure
On Tue, Sep 11, 2012 at 4:09 PM, Law, Bob <Ro...@wolterskluwer.com> wrote:
> I was able to figure out the problem. Httpd 2.2.22 does not support the <IfDefined SSL> command in the ssl.conf file. Once I removed that, then it started loading my ssl configuration.
>
httpd supports <IfDefine> just fine. For 'SSL' to be defined, httpd
must be started with the command line flag '-DSSL'.
Cheers
Tom
Re: [users@httpd] RE: httpd 2.2.22, mod_jk, open_ssl, does not appear to be running secure
Posted by Tom Evans <te...@googlemail.com>.
On Tue, Sep 11, 2012 at 4:09 PM, Law, Bob <Ro...@wolterskluwer.com> wrote:
> I was able to figure out the problem. Httpd 2.2.22 does not support the <IfDefined SSL> command in the ssl.conf file. Once I removed that, then it started loading my ssl configuration.
>
httpd supports <IfDefine> just fine. For 'SSL' to be defined, httpd
must be started with the command line flag '-DSSL'.
Cheers
Tom