Posted to users@httpd.apache.org by Aaron Smith <Aa...@kzoo.edu> on 2007/09/04 22:30:16 UTC

[users@httpd] Apache and mod_ssl (extra info)

So I tried something kind of new.  I completely removed the
directory with the non-functioning apache install.  I went back to the
source, did a make clean, a new configure using the same parameters as
before:  

 

./configure --prefix=/opt/apache3 --enable-auth-dbm=shared
--enable-expires=shared --enable-headers=shared --enable-rewrite=shared
--enable-mime-magic=shared --enable-info=shared --enable-status=shared
--enable-userdir=shared --enable-http --enable-so --enable-ssl=static
--with-ssl=/opt/openssl098d --with-perl=/opt/perl58 --with-ndbm
--enable-ldap=shared --enable-auth_ldap=shared
--with-ldap=/usr/local/OpenLDAP.2.3

 

 Had SHLIB_PATH set to
"/opt/openssl098d/lib:/usr/local/OpenLDAP.2.3/lib"  as well as CPPFLAGS
and LDFLAGS set with -I and -L flags for those two non-standard
directories.  This is all the same as what I had done before.

 

After the make, make install, I went in to the installed directory and
made as minimal changes as I could.  I changed Listen port in the main
httpd.conf to 8040 and the Listen port (as well as the VirtualHost port)
in ssl.conf to 8045 so it wouldn't step on the toes of the production
apache process.  I then changed the User and Group directives in
httpd.conf to the webadmin user which the other apache process runs as.
Launched this just about plain jane apache using apachectl startssl.
Connecting via http to 8040, everything looks fine.  Connecting via
https to port 8045 shows the behavior of child processing hanging in a
waiting state.

 

Am I wrong in thinking this is a permissions issue?  Or perhaps
something is funky with the fact that the SSL libraries are in a strange
spot?  I've tried adding the library path to envvars in apache3/bin and
having PassEnv SHLIB_PATH in the httpd.conf.  However, the WORKING
installation is linked to these exact same libraries and although
there's a PassEnv command in its httpd.conf, nothing was added to
envvars.

 

If it *is* a permissions issue, what does mod_ssl need permission to get
to in order to function properly?  I notice that the ssl_scache.dir and
ssl_scache.pag files are created in the logs directory, (though the .dir
file is 0 bytes) both owned by webadmin, so that user can at least
CREATE files in that directory.

 

 


RE: [users@httpd] Apache and mod_ssl (extra info)

Posted by Aaron Smith <Aa...@kzoo.edu>.
So tried a different tack.  Started with a fresh source tree by deleting
the old one and unpacking a clean tar ball.  Gave it the following
configure command: 
./configure --prefix=/opt/apache3 --enable-auth-dbm=shared
--enable-expires=shared --enable-headers=shared --enable-rewrite=shared
--enable-mime-magic=shared --enable-info=shared --enable-status=shared
--enable-userdir=shared --enable-http --enable-so --enable-ssl=static
--with-ssl=/opt/openssl098d --with-perl=/opt/perl58 --with-ndbm
--enable-ldap=shared --enable-auth_ldap=shared
--with-ldap=/usr/local/OpenLDAP.2.3

It goes through the configure seemingly ok (more on that later) and then
the make bombs out with this:

make[2]: Entering directory `/var/tmp/httpd-2.0.55/srclib/apr-util'
make[2]: *** No rule to make target `all'.  Stop.
make[2]: Leaving directory `/var/tmp/httpd-2.0.55/srclib/apr-util'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/httpd-2.0.55/srclib'
make: *** [all-recursive] Error 1

Going back thru the configure steps, I find this:

checking for ldap support...
/var/tmp/httpd-2.0.55/srclib/apr-util/configure[5947]:
ac_cv_lib_/usr/local/OpenLDAP.2.3_ldap_init: This is not an identifier.
srclib/apr-util configured properly
./configure[3052]: ./srclib/apr-util/apu-config:  not found.
./configure[3073]: ./srclib/apr-util/apu-config:  not found.
./configure[3089]: ./srclib/apr-util/apu-config:  not found.
./configure[3090]: ./srclib/apr-util/apu-config:  not found.

Thoughts anyone?


Aaron

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



RE: [users@httpd] Apache and mod_ssl (extra info)

Posted by Aaron Smith <Aa...@kzoo.edu>.
Oh, and I forgot to mention, it doesn't log anything at all in ANY of
the logs when accessing the site via HTTPS.

--------------------------------------------------------------------
Aaron Smith                Aaron.Smith@kzoo.edu
System Administrator   (269) 337-7496
Kalamazoo College
 


RE: [users@httpd] Apache and mod_ssl (extra info)

Posted by Aaron Smith <Aa...@kzoo.edu>.
It's compiled against OpenSSL 0.9.7e, there are indeed /dev/random and
/dev/urandom, but I don't think that's the problem because I have
another copy of apache compiled from the same source code, linked to the
same OpenSSL libraries (ldd confirms this) running on the SAME system
that works just fine.

One difference I've noticed between the two of them is in the apache/lib
directory.  The broken installation has libraries for libapr whereas the
working one has those same libraries PLUS libraries for libaprutil and
libexpat.  Don't know if that triggers any bells for anyone.



Re: [users@httpd] Apache and mod_ssl (extra info)

Posted by Graeme Fowler <gr...@graemef.net>.
On Tue, 2007-09-04 at 16:30 -0400, Aaron Smith wrote:
> Connecting via https to port 8045 shows the behavior of child
> processing hanging in a waiting state.

Sounds like your system isn't generating enough entropy to me, which can
affect SSL/TLS connections on lots of protocols. I have no experience of
HP/UX though, so suggestions are limited...

Which SSL libraries are you compiling mod_ssl against? OpenSSL, or some
HP ones? Do you have /dev/random and /dev/urandom?

If you do "cat /dev/random" and "cat /dev/urandom", what comes back?
It'll be garbage, but do the rates differ significantly?

When you start up this new Apache instance, what does it log in the
error log?

Graeme
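
Added example (not part of the original thread): a POSIX shell script for the rate comparison suggested above, timing reads from each device instead of watching "cat" output scroll by. The function names, the 1 MiB cap and the 512-byte cut-off are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread: measure how many bytes each random
# device hands out in a fixed window, to spot a blocking /dev/random.

# bytes_in DEVICE SECONDS -> bytes read within SECONDS (capped at 1 MiB).
bytes_in() {
    dev=$1
    secs=$2
    [ -r "$dev" ] || { echo 0; return 0; }   # unreadable or absent device
    (
        # dd runs in the background so a blocked read cannot hang the script
        dd if="$dev" bs=512 count=2048 2>/dev/null &
        pid=$!
        sleep "$secs"
        kill "$pid" 2>/dev/null || true      # dd may already have finished
    ) | wc -c | tr -d ' '
}

# verdict RANDOM_BYTES URANDOM_BYTES -> missing | starved | ok
verdict() {
    if [ "$2" -eq 0 ]; then
        echo missing     # no usable /dev/urandom at all
    elif [ "$1" -lt 512 ]; then
        echo starved     # assumed cut-off: under 512 bytes in the window
    else
        echo ok
    fi
}

# compare_pools [SECONDS] -> prints both counts, then the verdict
compare_pools() {
    window=${1:-2}
    r=$(bytes_in /dev/random "$window")
    u=$(bytes_in /dev/urandom "$window")
    echo "/dev/random: $r bytes, /dev/urandom: $u bytes in ${window}s"
    verdict "$r" "$u"
}

# Run the comparison only when asked: sh entropy.sh --run [SECONDS]
if [ "${1:-}" = "--run" ]; then
    compare_pools "${2:-2}"
fi
```

A "starved" verdict matters only if the server is set to seed from the blocking device, for example through mod_ssl's SSLRandomSeed directive.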

