You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by LuKreme <kr...@kreme.com> on 2009/08/04 02:16:24 UTC

[users@httpd] Secure and unsecure apache

I have a FreeBSD-6.2 server with apache-2.2.4 which unly runs an  
instance of the webmail client Squirrelmail

so, I have the server name set to

ServerName webmail.example.com

and I have

DocumentRoot "/usr/local/www/squirrelmail"

and then I have:

Listen 80
Listen 443
NameVirtualHost *:443
NameVirtualHost *:80

then I have:

<VirtualHost *:443>
    ServerName securemail.example.com
    SSLCertificateFile /usr/local/etc/apache22/server.pem
    SSLCertificateKeyFile /usr/local/etc/apache22/server.key
    ServerAdmin admin@example.com
    DocumentRoot /usr/local/www/squirrelmail/
     ErrorLog /var/log/httpd-error.log
     CustomLog /var/log/httpd-access.log combined
     DirectoryIndex secure.html
</VirtualHost>

If I go to webmail.example.com, it all works perfectly, but over http.  
If I go to https://securemail.example.com I get:

An error occurred during a connection to securemail.example.com.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

However, nothing is logged to /var/log/httpd-error.log

I can ping securemail.example.com and it gets to the right IP address.

I can list the .key and .pem files:

-- 
So here's us, on the raggedy edge. Don't push me. And
	I won't push you.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] Re: Secure and unsecure apache

Posted by LuKreme <kr...@kreme.com>.

On 3-Aug-2009, at 18:39, Eric Covener wrote:
> On Mon, Aug 3, 2009 at 8:16 PM, LuKreme<kr...@kreme.com> wrote:
>> <VirtualHost *:443>
>>   ServerName securemail.example.com
>>   SSLCertificateFile /usr/local/etc/apache22/server.pem
>>   SSLCertificateKeyFile /usr/local/etc/apache22/server.key
>>   ServerAdmin admin@example.com
>>   DocumentRoot /usr/local/www/squirrelmail/
>>    ErrorLog /var/log/httpd-error.log
>>    CustomLog /var/log/httpd-access.log combined
>>    DirectoryIndex secure.html
>> </VirtualHost>
>
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslengine

OK, now at least I get something in the error log (added SSLEngine on):

[Thu Aug 06 02:08:38 2009] [notice] caught SIGTERM, shutting down
[Thu Aug 06 02:08:45 2009] [error] Init: Unable to read server  
certificate from file /usr/local/etc/apache22/server.pem
[Thu Aug 06 02:08:45 2009] [error] SSL Library Error: 218529960 error: 
0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Aug 06 02:08:45 2009] [error] SSL Library Error: 218595386 error: 
0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Remember, server.pem is there.

$ ls -ls /usr/local/etc/apache22/server.pem
2 -rw-r--r--  1 root  wheel  891 May  3  2007 /usr/local/etc/apache22/ 
server.pem

I can recreate the pem and key files I suppose, I was just using self- 
signed ones anyway. Is that what I need to do?

-- 
You think you can catch Keyser Soze? You think a guy like that
	comes this close to getting caught, and sticks his head out? If
	he comes up for anything it'll be to get rid of me. After that
	my guess is you'll never hear from him again.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Secure and unsecure apache

Posted by Eric Covener <co...@gmail.com>.

On Mon, Aug 3, 2009 at 8:16 PM, LuKreme<kr...@kreme.com> wrote:
> <VirtualHost *:443>
>   ServerName securemail.example.com
>   SSLCertificateFile /usr/local/etc/apache22/server.pem
>   SSLCertificateKeyFile /usr/local/etc/apache22/server.key
>   ServerAdmin admin@example.com
>   DocumentRoot /usr/local/www/squirrelmail/
>    ErrorLog /var/log/httpd-error.log
>    CustomLog /var/log/httpd-access.log combined
>    DirectoryIndex secure.html
> </VirtualHost>

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslengine
-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] Re: Secure and unsecure apache

Posted by LuKreme <kr...@kreme.com>.

[Sorry, premature send]

On 3-Aug-2009, at 18:16, LuKreme wrote:
> I can list the .key and .pem files:


  $ ls -ls /usr/local/etc/apache22/server.key
0 lrwxr-xr-x  1 root  wheel  17 May  3  2007 /usr/local/etc/apache22/ 
server.key -> server.key.nopass
$ ls -ls /usr/local/etc/apache22/server.key.nopass
2 -rw-r--r--  1 root  wheel  887 May  3  2007 /usr/local/etc/apache22/ 
server.key.nopass
  $ ls -ls /usr/local/etc/apache22/server.pem
2 -rw-r--r--  1 root  wheel  891 May  3  2007 /usr/local/etc/apache22/ 
server.pem

-- 
If a pig loses its voice, is it disgruntled?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org