[Klug-general] https in Apache

Nathan Friend nathan.friend at gmail.com
Thu May 28 14:06:14 UTC 2009


I'm having another go at getting https working.  I've followed this short
guide http://en.opensuse.org/Apache_Howto_SSL
It looks like I've run into the problem described at the end of the
document, unfortunately it doesn't explain how to resolve it.

*Cause: client speaks HTTPS, server speaks HTTP. If that happens to be port
443, it means that the server is listening on the port but not with SSL.*
This is a fresh install of opensuse 11.1, so please disregard
my previous e-mail thread on this subject.

Cheers,

Nathan.

On Fri, Apr 24, 2009 at 10:27 AM, Nathan Friend <nathan.friend at gmail.com> wrote:

> Here's my cert.  Didn't have any success with the Apache snake oil example
> one either.
>
> testserver:/etc/apache2/ssl.csr # openssl req -noout -text -in testserver.domain.csr
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: C=UK, ST=Kent, L=Canterbury, O=Canterbury College, OU=Computing Support, CN=testserver.domain/emailAddress=n.friend at cant-col.ac.uk
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                 Exponent: 65537 (0x10001)
>         Attributes:
>             challengePassword        :unable to print attribute
>     Signature Algorithm: sha1WithRSAEncryption
>
> Cheers,
>
> Nathan.
>
>
> On Thu, Apr 23, 2009 at 10:43 PM, MacGyveR <macgyver at thedumbterminal.co.uk> wrote:
>
>> On Thursday 23 Apr 2009, Nathan Friend wrote:
>> > Hi all,
>> > I'm trying to use SSL in Apache.  I've created a self signed cert for
>> > testing and set up an SSL vhost using the template provided.
>> >
>> > When I go to https:\\testserver.domain.com in Firefox I get
>> >
>> > Secure Connection Failed
>> > An error occurred during a connection to testserver.domain.com
>> > SSL received a record that exceeded the maximum permissible length.
>> > (Error code: ssl_error_rx_record_too_long)
>> > The page you are trying to view can not be shown because the authenticity
>> > of the received data could not be verified.
>> >     *  Please contact the web site owners to inform them of this problem.
>> >
>> > After a bit of searching round the net I tried
>> >
>> > testserver:~ # openssl s_client -connect localhost:443 -state -debug
>> > CONNECTED(00000003)
>> > SSL_connect:before/connect initialization
>> > write to 0x80c61c0 [0x80c6208] (136 bytes => 136 (0x88))
>> > 0000 - 80 86 01 03 01 00 5d 00-00 00 20 00 00 39 00 00   ......]... ..9..
>> > 0010 - 38 00 00 35 00 00 88 00-00 87 00 00 84 00 00 16   8..5............
>> > 0020 - 00 00 13 00 00 0a 07 00-c0 00 00 33 00 00 32 00   ...........3..2.
>> > 0030 - 00 2f 00 00 45 00 00 44-00 00 41 03 00 80 00 00   ./..E..D..A.....
>> > 0040 - 05 00 00 04 01 00 80 00-00 15 00 00 12 00 00 09   ................
>> > 0050 - 06 00 40 00 00 14 00 00-11 00 00 08 00 00 06 04   ..@.............
>> > 0060 - 00 80 00 00 03 02 00 80-33 fa 66 1e 41 05 b8 e3   ........3.f.A...
>> > 0070 - 00 59 e5 ed 08 77 c1 45-ac 4b 05 1d 51 d3 28 65   .Y...w.E.K..Q.(e
>> > 0080 - 79 ad 7a ac 1b 37 65 8f-                          y.z..7e.
>> > SSL_connect:SSLv2/v3 write client hello A
>> > read from 0x80c61c0 [0x80cb768] (7 bytes => 7 (0x7))
>> > 0000 - 3c 3f 78 6d 6c 20 76                              <?xml v
>> > SSL_connect:error in SSLv2/v3 read server hello A
>> > 6384:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:585:
>> >
>> > Any ideas?
>> >
>> > Cheers,
>> >
>> > Nathan.
>>
>> Most distros' apache ssl package comes with some self signed certs already,
>> did they work ok for you?
>>
>> Could you give a text dump of your cert using openssl:
>>
>> openssl req -noout -text -in cert.csr
>>
>> This looks a bit strange in the packet dump you posted above:
>>
>> 0000 - 3c 3f 78 6d 6c 20 76                              <?xml v
>>
>> --
>> --------------------------------
>> http://www.thedumbterminal.co.uk
>>
>> _______________________________________________
>> Kent mailing list
>> Kent at mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/kent
>>
>
>
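Why the 7 bytes read back in the s_client trace produce "record too long", as an added example that is not part of the original thread: a TLS client parses the first 5 bytes of any reply as a record header (type, version, length), so the plaintext `<?xml` decodes to a length far above the protocol maximum. The function name and the sample ServerHello header are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Largest length a TLS 1.0-1.2 ciphertext record may declare: 2^14 + 2048.
MAX_RECORD_LEN = 2**14 + 2048
# Typical openings of a plaintext HTTP/HTML/XML reply.
PLAINTEXT_PREFIXES = (b"HTTP/", b"<?xml", b"<!DOC", b"<html", b"<HTML")


def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first bytes a server sends after a ClientHello.

    Returns the fields a TLS client would decode from the 5-byte record
    header, plus a verdict on what the server is actually speaking.
    """
    if len(data) < 5:
        return {"verdict": "too_short"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    result = {
        "type": ctype,
        "version": (major, minor),
        "length": length,
        "length_ok": length <= MAX_RECORD_LEN,
    }
    if data.startswith(PLAINTEXT_PREFIXES):
        # Server answered in cleartext: the port is open but SSL is not enabled
        # on the listener or vhost that handled the connection.
        result["verdict"] = "plaintext_http"
    elif ctype in CONTENT_TYPES and major == 3 and result["length_ok"]:
        result["verdict"] = "tls_record"
        result["type_name"] = CONTENT_TYPES[ctype]
    else:
        result["verdict"] = "unknown"
    return result


# Bytes read from the server in the trace quoted in this thread.
FROM_THREAD = bytes.fromhex("3c3f786d6c2076")
# Constructed sample: header of a TLS 1.0 handshake record, 74 bytes long.
CONSTRUCTED_TLS = bytes.fromhex("160301004a")

if __name__ == "__main__":
    for label, raw in (("thread", FROM_THREAD), ("tls", CONSTRUCTED_TLS)):
        print(label, classify_first_bytes(raw))
```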