Posted to users@httpd.apache.org by Boyle Owen <Ow...@swx.com> on 2008/02/01 09:14:44 UTC

RE: [users@httpd] Customers getting "Page Cannot be Displayed" over SSL

> -----Original Message-----
> From: Douglas Hobaugh [mailto:doug@essex3.com] 
> Sent: Thursday, January 31, 2008 5:33 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Customers getting "Page Cannot be 
> Displayed" over SSL
> 
> Hi all, I hope this is the correct list. First time posting.
> 
> I am getting a lot of customers complaining that they get "Page Cannot be
> Displayed" errors when they connect to our SSL server.

Browser messages are practically worthless - what's in the error log?

Otherwise, guessing... hostname/common-name mismatch, cipher mismatch,
keep-alive problems... you name it.

Is your site top-secret? Because a quick test would tell a lot...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 


> I cannot for the life of me figure out if it's my problem or theirs. Below is my
> SSL configuration for my server. Can someone take a look and let me know if it's
> OK? I have also included results from an openssl s_client test.
> 
> Thanks,
> Doug
> 
> 
> 
> ##  SSL Global Context
> <IfDefine SSL>
> <IfDefine !NOSSL>
> <IfModule mod_ssl.c>
> 	AddType application/x-x509-ca-cert .crt
> 	AddType application/x-pkcs7-crl    .crl
> 	SSLPassPhraseDialog  builtin
> 	SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache
> 	SSLSessionCacheTimeout  600
> 	SSLMutex  sem
> 	SSLRandomSeed startup builtin
> 	SSLRandomSeed connect builtin
> </IfModule>
> </IfDefine>
> </IfDefine>
> 
> <VirtualHost 192.168.0.9:443>
>  ServerAdmin me@server.com
>  ServerName my.server.com:443
>  SuexecUserGroup dspam dspam
>  DocumentRoot /srv/www/vhosts/my.server.com/htdocs
>  SetEnvIf Remote_Addr "192\.168\.0" dontlog
>  SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
>  SetEnvIf Request_URI "^.*getsessiontime\.php.*$" dontlog
>  ErrorLog  "|/usr/local/sbin/cronolog /srv/www/vhosts/my.server.com/logs/%m-%Y/error.log"
>  CustomLog "|/usr/local/sbin/cronolog /srv/www/vhosts/my.server.com/logs/%m-%Y/access.log" combined env=!dontlog
> 
>  SSLEngine on
>  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>  SSLOptions +StrictRequire
> 
>  SSLCertificateFile /etc/apache2/ssl.crt/secure_essex3_com-new2.crt
>  SSLCertificateKeyFile /etc/apache2/ssl.key/secure-essex3-com-new2.key
>  SSLCACertificatePath /etc/apache2/ssl.crt
>  SSLCACertificateFile /etc/apache2/ssl.crt/secure_essex3_com.ca-bundle
> 
>  <Directory "/srv/www/vhosts/my.server.com/htdocs">
>   Options -Indexes FollowSymLinks
>   AllowOverride none
>   Order allow,deny
>   Allow from all
>   SSLRequireSSL
>  </Directory>
> 
>  <Directory "/srv/www/vhosts/my.server.com/htdocs/xxx/xxx/admin">
>   Order allow,deny
>   Allow from 192.168.0
>  </Directory>
> 
>  <Directory "/srv/www/vhosts/my.server.com/htdocs/zzz/vvv">
>   php_value register_globals 1
>  </Directory>
> 
>  Alias /product/base.css /srv/www/htdocs/product/base.css
>  Alias /product/product-logo-small.gif /srv/www/htdocs/product/product-logo-small.gif
>  ScriptAlias /product/ /srv/www/htdocs/product/
>  <directory "/srv/www/htdocs/product">
>   Options +ExecCGI
>   AuthName "PRODUCT Quarantine Area"
>   AuthType Basic
>   AuthShadow on
>   Require valid-user
>   Order Deny,allow
>   Allow from all
>  </directory>
> 
>  <directory "/srv/www/vhosts/my.server.com/htdocs/yyy/admin">
>   Options +ExecCGI
>   AuthName "Restricted Site"
>   AuthType Basic
>   AuthShadow on
>   Require valid-user
>   Order Deny,allow
>   Allow from all
>  </directory>
> 
>  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> </VirtualHost>
> 
> 
> 
> 
> openssl s_client -connect my.server.com:443 -state -reconnect
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> ...
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server key exchange A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read finished A
> ...
> SSL handshake has read 3080 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
> ...
> drop connection and then reconnect
> SSL3 alert write:warning:close notify
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read finished A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> SSL-Session:
> ---
> drop connection and then reconnect
> SSL3 alert write:warning:close notify
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read finished A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> SSL-Session:
> ---
> drop connection and then reconnect
> SSL3 alert write:warning:close notify
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read finished A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> SSL-Session:
> ---
> drop connection and then reconnect
> SSL3 alert write:warning:close notify
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read finished A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> SSL-Session:
> ---
> drop connection and then reconnect
> SSL3 alert write:warning:close notify
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read finished A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> ---
> Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> SSL-Session:
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
 
 
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks.



RE: [users@httpd] Customers getting "Page Cannot be Displayed" over SSL

Posted by Boyle Owen <Ow...@swx.com>.
> -----Original Message-----
> From: Axel-Stephane SMORGRAV 
> [mailto:Axel-Stephane.SMORGRAV@europe.adp.com] 
> Sent: Friday, February 01, 2008 9:39 AM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Customers getting "Page Cannot be 
> Displayed" over SSL
> 
> Can't possibly be a keep-alive problem with the following line in the config:
> 
>      SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

I hope you didn't expect me to actually *read* the guy's config before responding :-)

...especially since he didn't bother to put in error logs, or version/OS or even a site.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 




RE: [users@httpd] Customers getting "Page Cannot be Displayed" over SSL

Posted by Douglas Hobaugh <do...@essex3.com>.
Thanks for your response

I do have mod_deflate but I have the setting below for IE which I believe
will only compress html documents.

BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

If I view the headers I still get Content-Encoding: gzip for CSS and
JavaScript. Below are the headers for a style sheet, bummer!

Date:             Fri, 01 Feb 2008 14:45:11 GMT
Server:           Apache/2.0.50 (Linux/SUSE)
Last-Modified:    Wed, 12 Dec 2007 20:32:18 GMT
ETag:             "247d6f-b12-4411cb9be7880"
Accept-Ranges:    bytes
Vary:             Accept-Encoding
Content-Encoding: gzip
Cache-Control:    max-age=172801
Expires:          Sun, 03 Feb 2008 14:45:12 GMT
Content-Length:   980
Connection:       close
Content-Type:     text/css


I just looked and I have not had any mod_deflate logs since Dec. 2007 but
apache is gzipping, weird.

Doug
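
How the BrowserMatch line quoted above interacts with mod_deflate, as an added example that is not part of the original thread: a small Python model, assuming mod_deflate skips compression only when no-gzip is set or when gzip-only-text/html is set for a non-HTML response. The STOCK rules are the sample from the mod_deflate documentation (not shown on this page), and the user-agent strings are constructed.

```python
import re

# Assumed model of mod_setenvif + mod_deflate: BrowserMatch sets a variable, or
# unsets it when the name starts with "!"; DEFLATE is skipped when no-gzip is
# set, or when gzip-only-text/html is "1" and the response is not text/html.

# The single directive quoted in the post.
POSTED = [(r"\bMSI[E]", ["!no-gzip", "!gzip-only-text/html"])]

# Sample rules from the mod_deflate documentation (not shown on this page)
# that the posted line is normally the last of.
STOCK = [
    (r"^Mozilla/4", ["gzip-only-text/html"]),
    (r"^Mozilla/4\.0[678]", ["no-gzip"]),
] + POSTED

# Constructed user-agent strings.
MSIE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
NETSCAPE4 = "Mozilla/4.75 [en] (X11; U; Linux 2.2.16 i686)"


def apply_browsermatch(rules, user_agent):
    """Apply (regex, variables) rules in order; return the request env."""
    env = {}
    for pattern, variables in rules:
        if not re.search(pattern, user_agent):
            continue
        for var in variables:
            if var.startswith("!"):
                env.pop(var[1:], None)  # "!name" removes the variable
            else:
                env[var] = "1"
    return env


def will_compress(env, content_type, accept_encoding="gzip, deflate"):
    """True if the response would be gzipped under the model above."""
    if "gzip" not in accept_encoding.lower() or "no-gzip" in env:
        return False
    html_only = env.get("gzip-only-text/html") == "1"
    return not (html_only and not content_type.startswith("text/html"))


def compression_matrix(rules, user_agent):
    """Map each content type to whether it would be compressed."""
    env = apply_browsermatch(rules, user_agent)
    types = ("text/html", "text/css", "application/x-javascript")
    return {t: will_compress(env, t) for t in types}


if __name__ == "__main__":
    for name, ua in (("MSIE 6", MSIE6), ("Netscape 4", NETSCAPE4)):
        print(name, compression_matrix(STOCK, ua))
```

Under this model the quoted line only removes restrictions for an MSIE user agent, so text/css is gzipped, consistent with the Content-Encoding: gzip header listed above.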








RE: [users@httpd] Customers getting "Page Cannot be Displayed" over SSL

Posted by Axel-Stephane SMORGRAV <Ax...@europe.adp.com>.
Can't possibly be a keep-alive problem with the following line in the config:

     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0  

I can however think of another issue with MSIE which may cause such behaviour.
Do you happen to apply compression? (mod_deflate)
In that case make sure that JS and CSS are NOT compressed when served to MSIE.

And as says Bowl, "a quick test would tell a lot..."

-ascs
 