Difference between revisions of "Apache httpd/SSL"

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
Changes to the Links section in this revision (wikitext from line 63; this edit added the passphrase-removal link):

** [http://httpd.apache.org/docs/2.2/mod/mod_ssl.html mod_ssl]: the Apache module which provides SSL/TLS support
* [http://www.thegeekstuff.com/2009/07/linux-apache-mod-ssl-generate-key-csr-crt-file/ How To Generate SSL Key, CSR and Self Signed Certificate For Apache]
** [http://www.webhosting.uk.com/kb/how-to-remove-the-passphrase-from-an-apache-ssl-key/ How to remove the passphrase from an Apache SSL Key]: necessary if you want Apache to restart unattended after following the instructions from The Geek Stuff

Revision as of 22:52, 17 March 2015

About

This page is about getting the Apache web server to work with SSL.

How To

To get SSL working with virtual hosting (or at all, really), I had to do the following:

# added above the "Include /etc/apache2/sites-enabled/" line:
NameVirtualHost *:443
# added below it:
SSLProtocol -all +TLSv1 +SSLv3
SSLCertificateFile /etc/apache2/certs/server.crt
SSLCertificateKeyFile /etc/apache2/certs/server.key
<IfModule mod_ssl.c>
   # SSL name based virtual hosts are not yet supported, therefore no
   # NameVirtualHost statement here
   Listen 443 https
</IfModule>
  • Pick which domain to serve for https requests, and add to that site's config file:
<VirtualHost *:443>
       SSLEngine on
       (copy of essential stuff from <VirtualHost:*>)
</VirtualHost>
  • (and finally...) Remember to forward port 443 on the router.

The exact filenames will be different depending on your Apache setup; these were on Ubuntu. "Listen 443" apparently also works (without the "https").

Notes

If the "Listen 443 https" statement is missing, the server may appear to be responding but to have some kind of redirect issue. A sample openssl session:

openssl s_client -host domain.name -port 443

CONNECTED(00000003)
3074250904:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1334194927
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Since someone else fixed the problem, I'm not sure exactly what was required, but it appears that ssh may have been set to respond on port 443 as well as the standard port 22, making it appear that Apache was listening on 443 when it wasn't. Apache was also missing the "Listen 443" directive.

One way to test for this problem might have been to attempt to ssh to port 443.
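As an added example (not from this page), a small Python probe for the situation described in these Notes: it reports whether whatever answers on port 443 is TLS, an sshd banner, or a plain HTTP listener, by looking at the same first five bytes that openssl's "wrong version number" complains about. The host is whatever you pass to probe(); the sample byte strings are constructed.

```python
import os
import socket

# Classify the first bytes a server sends. openssl's "wrong version number"
# right after "read 5 bytes" means the 5-byte record header it received had
# no TLS version field (0x03 xx): whatever answered on 443 was not TLS.
def classify(first_bytes: bytes) -> str:
    if not first_bytes:
        return "no-data"            # connection closed or server stayed silent
    if first_bytes.startswith(b"SSH-"):
        return "ssh"                # sshd sends its banner unprompted
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"     # a plain HTTP listener answered our garbage
    if len(first_bytes) >= 3 and first_bytes[1] == 0x03:
        if first_bytes[0] == 0x16:
            return "tls-handshake"  # ServerHello: TLS is being spoken
        if first_bytes[0] == 0x15:
            return "tls-alert"      # still TLS, the server just rejected our offer
    return "unknown"

# Minimal TLS 1.2 ClientHello (a few cipher suites, no extensions): enough to
# draw a ServerHello or an alert, either of which proves TLS is in use.
def build_client_hello() -> bytes:
    suites = bytes.fromhex("c02fc030009c009d002f0035")
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"   # version, random, empty session id
            + len(suites).to_bytes(2, "big") + suites
            + b"\x01\x00"                             # compression methods: null only
            + b"\x00\x00")                            # extensions length: none
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def probe(host: str, port: int = 443, timeout: float = 3.0) -> str:
    """Connect and say nothing first (sshd talks immediately, a TLS server waits);
    if nothing arrives, send a ClientHello and classify the first 5 reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(1.0)
        try:
            banner = sock.recv(64)
        except socket.timeout:
            banner = b""
        if banner:
            return classify(banner)
        sock.settimeout(timeout)
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(5)
        except socket.timeout:
            reply = b""
        return classify(reply)
```

Against the misconfiguration in these Notes, probe("domain.name") returns "ssh" instead of "tls-handshake"; once Apache actually has the Listen directive and owns the port, it returns "tls-handshake" or "tls-alert".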

Links