<style type="text/css" media="all"> |
span.highlight {background: yellow; color: black} |
div.highlight {background: #ffc; color: black; border: 1px solid black; padding: 10px} |
p.testedBy {border-top: 1px dashed black; padding-top: 5px; color: #666; background: transparent; font-size: .9em;} |
</style> |
<div class="canvas"> |
<!-- |
|
Changelog: |
1.7.1 2006-11-16 Added default test certificate pass phrase |
1.7.0 2005-12-29 Added "unknown protocol" issue and solution |
1.6.9 2005-01-24 Added link to new Windows+Apache+SSL Tutorial |
1.6.8 2004-12-13 Links updated; OpenSSL configfile explained; other clarifications |
1.6.7 2004-05-18 Moved to Wiki so users can edit when they find mistakes/updates |
1.6.6 2003-12-30 Added user comments |
1.6.5 2002-09-27 Added instructions for Linux |
1.6.4 2002-09-26 Added information for Apache 2.0 and added a little formatting |
1.6.3 2002-05-18 info about better not overwriting the configuration files |
1.6.2 2002-05-10 more info about "couldn't load..."; apache 2 warning |
1.6.1 2002-04-10 AddModule clarification, more debugging |
1.6 2001-12-28 Windows XP information, common problems section |
1.5.3 2001-11-27 Added link to French translation |
1.5.2 2001-11-06 Added AddModule |
1.5.1 2001-10-26 Added link to Spanish translation |
1.5 2001-10-20 Lots of clarifications based on input from many people |
1.4.4 2001-05-26 Added Peter Holm to the contributors |
1.4.3 2001-05-25 "Port" directive commented out, some fixes for current versions |
1.4.2 2001-04-06 Remark about .so files |
1.4.1 2001-02-20 Success on ME |
1.4 2001-01-28 Information about debugging connect errors |
1.3.14 2000-12-28 Small fixes; right-click to download the openssl.cnf file |
1.3.13 2000-12-19 Added feedback section |
1.2.12 2000-11-21 Information about the languages I speak |
1.2.11 2000-11-15 Removed outdated information about M$ IIS |
1.2.10 2000-11-05 OpenSSL.exe fixes |
1.2.9.2 2000-09-11 Minor tweaks, corrected HTML |
1.2.9.1 2000-07-26 IfDefine Directive added, thanks to Torsten Stanienda |
1.2.8 2000-05-09 OpenSSL -config corrected |
1.2.7 2000-04-29 Peter Barany corrected my English |
1.2.6 2000-04-28 Added info on converting the certificate to DER format for MSIE 4 |
1.2.5 2000-04-21 The HOWTO is now hosted on my own server. Updated the URL
Added -config parameter for openssl to work with the provided config file |
1.2 2000-01-24 Christoph Zich tested the HOWTO on Windows 98 |
1.1 1999-10-22 Included Horst Brauner's openssl.conf file |
1.0 Initial release |
--> |
|
<h1>The Apache + SSL HOWTO</h1> |
|
<p>Version 1.6.8 (changelog: view source)</p> |
|
<p> |
<a href="http://www.geocities.com/sartigas/apachessl.html">Spanish |
translation</a> maintained by <a href="mailto:[email protected]">Sergio |
Artigas</a> |
</p> |
<p> |
<a href="http://netsafe.free.fr/index.php?Chap=A1">French |
translation</a> maintained by <a href="mailto:[email protected]">Jean-Francois |
Moreau</a> |
</p> |
<p> |
Revised September 26, 2002 by <a href="mailto:[email protected]">Matt Raible</a> for Apache 2.0.42. |
Original Article at <a href="http://tud.at/programm/apache-ssl-win32-howto.php3/">http://tud.at/programm/apache-ssl-win32-howto.php3</a>. |
</p> |
|
%%note __NEW!__ (January 23, 2005) Chris Thompson has written [an updated and simplified|http://www.thompsonbd.com/tutorials/apachessl.php] Apache+SSL HowTo for Windows.%%
|
<h2>Overview</h2> |
|
<p>This page describes the installation of the Win32 version of Apache with |
the mod_ssl extension. The newest version should always be available from <a |
href="http://tud.at/programm/apache-ssl-win32-howto.php3">http://tud.at/programm/apache-ssl-win32-howto.php3</a>. |
</p> |
<p> This process worked for many people on Windows NT, 98, ME, 2000 and XP; |
please <a href="mailto:[email protected]">mail me</a> your suggestions and |
bug reports. You can even install Apache with SSL in addition to the Microsoft |
Internet Information Server if you need to.</p> |
<p> |
Note: sometimes, there are changes between the precompiled apache |
distributions so that this HOWTO is not correct anymore. In this case, |
if the current version does not work for you, download an older version - |
one that was published before the modification date of this HOWTO. |
Or, if you like adventures, try to make it run, and <a href="mailto:[email protected]">mail |
me</a> if you needed to change anything. |
</p> |
|
<p>Apache with mod_ssl seems to be the only free (as in speech, not in beer) |
solution for Win32. Please note that Apache on Win32 is considered beta |
quality as it doesn't reach the stability and performance of Apache on |
Un*x platforms.</p> |
|
<h2>1.: <a name="install" id="install"></a>Installing Apache</h2> |
|
<p>Get the Win32 version of the Apache web server from one of the <a
href="http://www.apache.org/mirrors/">mirrors</a>. It is called something like
<code>apache_x_y_z_win32.exe</code>. This is a self-extracting archive that
contains the Apache base system and sample configuration files.</p>
|
<p> |
Don't mix Apache versions 1.3 and 2! It won't work. If you find 1.3.x on |
modssl.org, you cannot expect it to work with 2.0.x. |
</p> |
|
<p>Install Apache as described in <a href="http://www.apache.org/docs/windows.html">http://www.apache.org/docs/windows.html</a>.</p> |
|
<a name="install-linux" id="install-linux"></a> |
<div class="highlight"> |
For Linux, to install Apache 2.0.42 with mod_ssl installed, I performed the following steps:
|
I used <a href="http://httpd.apache.org/docs-2.0/install.html">http://httpd.apache.org/docs-2.0/install.html</a> as a reference. |
|
<code>$ lynx http://www.apache.org/dist/httpd/httpd-2.0.42.tar.gz</code><br /> |
<code>$ gzip -d httpd-2.0.42.tar.gz</code><br /> |
<code>$ tar xvf httpd-2.0.42.tar</code><br />
<code>$ cd httpd-2.0.42</code><br />
<code>$ ./configure --enable-mods-shared=most --enable-ssl=shared</code><br />
<code>$ make</code><br /> |
<code>$ make install</code> |
|
If you're using Apache 2.0.42 with Tomcat, you can download the binary mod_jk.so from <a href="http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so">http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so</a>.
After downloading, put this file into your <code>modules</code> directory |
and rename it <code>mod_jk.so</code>. <a href="http://www.raibledesigns.com/tomcat">Click |
here</a> for more information on configuring Apache and Tomcat. |
|
</div> |
|
<p>Note: You can skip this step and get a full Apache+SSL distribution from |
modssl.org, as described below. There will be no fancy installation program but |
you won't need to overwrite the stock Apache files. This is the better way if |
you are experienced and don't fear editing configuration files (which you will |
need to do anyway).</p> |
|
<p>Change at least the following parameters in <code>Apache-dir/conf/httpd.conf</code>:<br />
<b>[[Replace all occurrences of <code>www.my-server.dom</code> with the real
domain name!]</b></p>
|
<ul> |
<li><code>Port 80</code> to <code><b>#</b> Port 80</code> (Comment it out; |
|
<code>Port</code> is not necessary, <code>Listen</code> overrides it |
later.)</li> |
|
<li>(if <b>not</b> in addition to IIS) <code>Listen 80</code></li> |
|
<li><code>ServerName</code> <b>www.my-server.dom</b></li> |
|
<li>(if in addition to IIS) <code>DocumentRoot</code> and the corresponding |
<code><Directory</code> some-dir<code>></code> to your <code>Inetpub\wwwroot</code></li> |
|
</ul> |
|
<p>Install the Apache service (NT only) and start the server. Verify that |
everything works before proceeding to the SSL installation because this |
limits the possible errors.</p> |
|
<p>Try <u><b>http://www.my-server.dom:443/</b></u>. It won't be encrypted yet but if |
this works then the port configuration (port 443) is right.</p> |
|
<h2>2.: <a name="openssl" id="openssl"></a>Getting OpenSSL and mod_ssl</h2> |
|
<p> |
If you want to compile the mod_ssl.so module, you can use the latest |
sources, available at |
<a href="http://www.modssl.org/contrib/ftp/source/">http://www.modssl.org/contrib/ftp/source/</a> |
for Apache 1.3.x and included in the Apache HTTP server sources,
accessible as a CVS code repository (see the instructions at <a href="http://httpd.apache.org/dev/anoncvs.txt">http://httpd.apache.org/dev/anoncvs.txt</a>)
for Apache 2.0.x.</p> |
<p>For Windows, the precompiled module is available at
<a href="http://hunter.campbus.com/">http://hunter.campbus.com/</a>
(where you will find Apache 1.3 and 2.0 binaries with
the corresponding mod_ssl.so module versions included), while binaries for Linux are
included in the major Linux distributions.
The Apache Software Foundation makes a point of not offering compiled binaries
for the SSL module, due to the export regulations for cryptographic software from the USA.
Don't ask for binaries if they are not available at the locations currently indicated.
Various ISVs provide free binaries for this module in various projects such as
<a href="http://www.nusphere.com/products/index.htm#NuSphereTechPlatform">NuSphere
Technology Platform</a>, <a href="http://www.apache-ssl.org/">Apache-SSL</a> etc.
</p>
|
<p>OpenSSL is required for getting a certificate to use with your web server. You may |
download its sources and compile it from |
<a href="http://www.openssl.org/source/">http://www.openssl.org/source/</a>. Compiled |
binaries are available at <a href="http://gnuwin32.sourceforge.net/packages/openssl.htm">http://gnuwin32.sourceforge.net/packages/openssl.htm</a> |
for Windows and are included in major Linux distributions.</p> |
|
<p>OpenSSL for Windows might also be obtained by downloading and installing |
<strong>Cygwin </strong>from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.</p> |
|
<p><span class="highlight">Copy the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>
from the Apache/modssl distribution directory to <code>WINNT\System32</code>
(or to another folder listed in the PATH environment variable).
This is important! About 70 % of the e-mails I receive are because people
forget to do this.</span></p>
|
<h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2> |
|
<p>The following instructions are adapted from |
<a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.</p> |
|
<p>Open a shell window (Command Prompt in Windows) and change the current directory to |
the directory where you have the openssl.exe file (openssl file for Linux).</p> |
|
<p><code>openssl req -config openssl.cnf -new -out server.csr</code><br />
This creates a certificate signing request (<code>server.csr</code>) and a
private key (<code>privkey.pem</code>). It uses the configuration
file that is provided with the binary distribution of OpenSSL or with
Cygwin (<code>openssl.cnf</code>), which makes OpenSSL
prompt for each detail of the certificate. When asked for
<code>"Common Name (eg, your websites domain name)"</code>,
give the exact domain name of your web server (e.g. <b>www.my-server.dom</b>).
The certificate belongs to this server name and browsers complain if the
name doesn't match.</p>
|
<p style="margin-left: 20px; font-style: italic; color: green">
If you don't provide a config file, OpenSSL will try to use the file specified
by the OPENSSL_CONF environment variable. This variable is usually not defined,
and if you follow the instructions from the original tutorial (linked at the
top of this page), which does not use the <code>-config</code> switch, you will
get an error about "distinguished name". (Thanks to
<strong>Olivier Gambier</strong> for clearing up this problem, using information from
<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.)</p>
|
<p style="margin-left: 20px; font-style: italic; color: green">
On a Windows system, files with the <code>cnf</code> extension are treated as special files
(of type SpeedDial). Windows Explorer will refuse to display the extension, regardless
of display settings, and the file will have a strongly modified context menu that
might prevent you from editing it and might mislead you into believing you don't have this file.
Just look for a SpeedDial-type file displayed simply as <code>openssl</code>.</p>
|
<p><code>openssl rsa -in privkey.pem -out server.key</code><br /> |
This removes the passphrase from the private key. You MUST understand |
what this means; <code>server.key</code> should be only readable by the |
Apache server and the administrator.<br /> |
You should delete the <code>.rnd</code> file because it contains the entropy |
information for creating the key and could be used for cryptographic attacks |
against your private key.</p> |
|
<p><code>openssl x509 -in server.csr -out server.crt -req -signkey server.key |
-days 365</code><br /> |
This creates a self-signed certificate that you can use until you get a |
"real" one from a certificate authority. (Which is optional; if you |
know your users, you can tell them to install the certificate into their |
browsers.) Note that this certificate expires after one year; you can
increase <code>-days 365</code> if you don't want this.</p>
|
<p>If you have users with MS Internet Explorer 4.0+ and want them to be able |
to install the certificate into their certificate storage (by downloading and |
opening it), you need to create a DER-encoded version of the certificate:<br /> |
<code>openssl x509 -in server.crt -out server.der.crt -outform DER</code></p> |
|
<p>Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code> |
and <code>server.crt</code> into it. <strong>For Linux</strong> create |
two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code> |
into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.</p> |
|
<p><span class="highlight">__Note:__ The default pass phrase shipped with openssl.cnf is ''aaaa''.</span></p> |
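<p>The steps of this section as a non-interactive script, followed by the checks worth running before Apache is pointed at the files. This is an added example, not part of the original HOWTO: the function names, the minimal config it writes (instead of the distributed <code>openssl.cnf</code>), the 2048-bit key size and the use of <code>-nodes</code> in place of the separate pass-phrase removal step are choices made for this example.</p>

```shell
#!/bin/sh
# Added example (not from the original HOWTO).

make_test_cert() {   # usage: make_test_cert HOSTNAME OUTPUT_DIR
    host=$1; dir=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077    # everything written here, server.key included, is owner-only

        # Constructed minimal config. Without a distinguished_name section
        # "openssl req" stops with the "distinguished name" error.
        cat > openssl.cnf <<EOF
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = $host
EOF
        # -nodes leaves the key unencrypted, which is what the HOWTO's
        # "openssl rsa -in privkey.pem -out server.key" step produces.
        openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes \
            -keyout server.key -out server.csr 2>/dev/null || exit 1
        openssl x509 -in server.csr -out server.crt -req \
            -signkey server.key -days 365 2>/dev/null || exit 1
        rm -f .rnd   # seed file, if this OpenSSL build wrote one here
    )
}

check_test_cert() {  # usage: check_test_cert HOSTNAME DIR ; prints the first problem
    host=$1; dir=$2
    crt=$dir/server.crt; key=$dir/server.key

    # 1. The certificate must belong to this private key (same RSA modulus).
    m_crt=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null) ||
        { echo "unreadable certificate"; return 1; }
    m_key=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) ||
        { echo "unreadable key"; return 1; }
    [ "$m_crt" = "$m_key" ] || { echo "certificate and key do not match"; return 1; }

    # 2. Common Name must be the exact server name. Output spacing differs
    #    between OpenSSL versions, so blanks are removed before comparing.
    subj=$(openssl x509 -in "$crt" -noout -subject | tr -d ' ')
    case $subj in
        *"CN=$host"|*"CN=$host"[,/]*) ;;
        *) echo "CN does not match $host"; return 1 ;;
    esac

    # 3. Not expiring within 30 days (-checkend takes seconds).
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null ||
        { echo "certificate expires within 30 days"; return 1; }

    # 4. The unencrypted key must not be accessible to group or others.
    case $(ls -l "$key" | cut -c1-10) in
        -r[w-]-------) ;;
        *) echo "server.key is accessible to group or others"; return 1 ;;
    esac
    echo "ok"
}

# Demo in a scratch directory; www.my-server.dom is the HOWTO's placeholder.
demo_dir=$(mktemp -d)
make_test_cert www.my-server.dom "$demo_dir" &&
    check_test_cert www.my-server.dom "$demo_dir"
rm -rf "$demo_dir"
```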
|
<h2>4.: <a name="configuring" id="configuring"></a>Configuring Apache and mod_ssl</h2> |
|
<p>Copy the executable files (*.exe, *.dll, *.so) from the downloaded |
apache-mod_ssl distribution over your original Apache installation directory |
(remember to stop Apache first and DO NOT overwrite your edited config files |
etc.!).</p> |
|
<p>Find the LoadModule directives in your <code>httpd.conf</code> file and |
add this after the existing ones, according to the file you have found in the |
distribution:</p> |
|
<p><code>LoadModule ssl_module modules/ApacheModuleSSL.dll</code> <br /> or<br /> |
<code>LoadModule ssl_module modules/ApacheModuleSSL.so</code> <br /> or<br /> |
<code>LoadModule ssl_module modules/mod_ssl.so</code> |
<br /> |
in newer versions. (Use this for 2.0.42 on Windows; on Linux, this will
be done for you when you compile with <code>--enable-ssl=shared</code>.)</p>
|
<p>In newer versions of the distribution for Apache 1.x, it could also be necessary to add<br /> |
<code>AddModule mod_ssl.c</code><br /> |
after the AddModule lines that are already in the config file. </p> |
|
<p>Copy <code>ssl.conf</code> from the OpenSSL distribution to Apache/conf/. |
For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a> |
(Right click -> Save Target As...). <span class="highlight">Make sure
to change the <code>DocumentRoot</code> and <code>ServerName</code> values
on lines 93 and 94.</span></p>
|
<p>Add the following to the end of <code>httpd.conf</code>: <span class="highlight">Make sure to change <b>www.my-server.dom</b> in the example below.</span></p>
<pre> |
<code><i># see <a |
href="http://www.modssl.org/docs/2.4/ssl_reference.html">http://www.modssl.org/docs/2.4/ssl_reference.html</a> for more info</i> |
SSLMutex sem |
SSLRandomSeed startup builtin |
SSLSessionCache none |
|
ErrorLog logs/ssl.log |
LogLevel info |
<i># You can later change "info" to "warn" if everything is OK</i> |
|
<VirtualHost <b>www.my-server.dom</b>:443> |
SSLEngine On |
SSLCertificateFile conf/ssl/server.crt |
SSLCertificateKeyFile conf/ssl/server.key |
</VirtualHost></code></pre> |
|
<p>Don't forget to call apache with <code>-D SSL</code> if the <code>IfDefine</code> |
directive is active in the config file! <span class="highlight">In other words, |
either start Apache from the command line with <code>-D SSL</code> or comment |
out the <code>IfDefine</code> start/end tags in <code>ssl.conf</code>.</span></p> |
|
<div class="highlight"> |
|
<p><span class="c1"><strong>NOTE</strong>:</span> When using SSL with
multiple Virtual Hosts, you must use an IP-based configuration. This
is because SSL requires you to configure a specific port (443), whereas
name-based specifies all ports (*). You might see the following error
if you try to mix name-based virtual hosts with SSL.</p>
<p><code>[[error] VirtualHost _default_:443 -- mixing * ports and non-* |
ports with a NameVirtualHost address is not supported, proceeding |
with undefined results</code></p> |
</div> |
|
<p>You might need to use <code>regedit</code> to change the key
<code>HKEY_LOCAL_MACHINE\SOFTWARE\Apache Group\Apache\X.Y.Z</code> to the
correct number if the <code>apache.exe</code> from |
<code>modssl.org/contrib</code> is not the same version as the previously installed |
one. (This seems not to be necessary with recent versions.)</p> |
|
<p>Start the server, this time from the command prompt (not as a service) in order |
to see the error messages that prevent Apache from starting. If everything |
is OK, (optionally) press CTRL+C to stop the server and start it as a service |
if you prefer.</p> |
<p> |
If it doesn't work, Apache should write meaningful messages to the screen |
and/or into the error.log and SSL.log files in the Apache/logs directory.<br /> |
|
If something doesn't work, set all <code>LogLevel</code>s to the maximum |
and <em>look into the logfiles</em>. They are very helpful.</p> |
|
<p>DON'T e-mail me or the other contributors without having plain Apache |
installed (Step 1). We will ignore your request; we are not the Free Apache |
Helpdesk and there is enough good documentation on configuring Apache; if that |
is not enough for you, you shouldn't run a secure server anyway. Also, DON'T |
e-mail without having looked into the error.log and SSL.log with |
<code>LogLevel</code> set to Debug.</p> |
|
<h2><a name="debugging" id="debugging"></a>Debugging connect problems</h2> |
|
<p> |
Problems connecting to the server with a browser can have many reasons, |
many of them on the client (proxy, DNS, general IE dumbness). |
</p> |
<p> |
So, if you encounter problems connecting with SSL, try another browser |
and/or look into the settings. If even this doesn't work, you can use |
OpenSSL to debug the problem. |
</p> |
<pre><code>bb@www$ <b>openssl s_client -connect no-such-machine:443</b> |
gethostbyname failure <i># Error resolving this DNS name. Connect with the IP address.</i> |
connect:errno=2 |
|
bb@www$ <b>openssl s_client -connect www1.tud.at:443</b> |
|
connect: Connection refused |
connect:errno=111 |
<i># No SSL server on this port. Double-check the <b>Listen</b> and <b>Port</b> directives.</i> |
|
bb@www$ <b>openssl s_client -connect </b>apcenter.apcinteractive.net<b>:443</b> |
<i># everything OK. OpenSSL shows the information it obtained from the server.</i> |
|
CONNECTED(00000003) |
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected] |
verify error:num=18:self signed certificate |
verify return:1 |
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected] |
verify return:1 |
--- |
Certificate chain |
0 s:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected] |
i:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected] |
--- |
Server certificate |
---BEGIN CERTIFICATE--- |
MIIC0TCCAjoCAQAwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAmF0MQ0wCwYDV |
[[...] |
9ucXUnk= |
---END CERTIFICATE--- |
subject=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected] |
issuer=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected] |
--- |
No client certificate CA names sent |
--- |
SSL handshake has read 1281 bytes and written 320 bytes |
--- |
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA |
Server public key is 1024 bit |
SSL-Session: |
Protocol : TLSv1 |
Cipher : EDH-RSA-DES-CBC3-SHA |
Session-ID: 49ACE1CF484A67D2C476B923D52110A6FCA1A7CE53D76DF7F233DEBF2333D4FB |
Session-ID-ctx: |
Master-Key: 00E9FA964253752294ECD69C18ADBA527B7170C112E2B3BCB25EA8F4FD847EC46E1FF0194EF8E16985B5E38BF6F12131 |
Key-Arg : None |
Start Time: 980696025 |
Timeout : 300 (sec) |
Verify return code: 0 (ok) |
--- |
<b>[Enter: |
GET / HTTP/1.0 |
and press RETURN twice]</b> |
HTTP/1.1 200 OK |
Date: Sun, 28 Jan 2001 15:34:58 GMT |
Server: Apache/1.3.9 (Win32) mod_ssl/2.4.9 OpenSSL/0.9.4 |
Cache-Control: no-cache, no-store, must-revalidate, private |
Expires: 0 |
Pragma: no-cache |
X-Powered-By: PHP/4.0.4 |
Last-Modified: Sun, 28 Jan 2001 15:35:00 GMT |
Connection: close |
Content-Type: text/html |
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> |
<html> |
<i># the server shows its main document</i> |
</code></pre> |
|
<h2>Common problems</h2> |
|
<p>Q: I see the following when starting Apache: |
</p><pre>Syntax error on line [[some number] of ...httpd.conf |
Cannot load apache/modules/mod_ssl.so into server |
(126) The module could not be found: |
</pre> |
<br /> |
A: Did you copy the openssl DLLs to WINNT/SYSTEM32 (or WINDOWS/SYSTEM on |
Win9x/ME)? <br /> |
You can verify this by copying <code>openssl.exe</code> into a directory of its |
own and executing it. If it complains about not being able to find some DLLs, |
then you haven't copied them into the correct directory. |
<br /> |
One user told me that he had this problem even when he did everything right. He |
then found the problem: corrupt openssl DLLs. So if you get this error despite |
having done everything correctly, try the openssl DLLs from another version from |
modssl.org/contrib. |
<p></p> |
|
<p>Q: I see the following when starting Apache: |
</p><pre>Syntax error on line [[some number] of apache/conf/httpd.conf: |
Cannot load apache/modules/apachemodulessl.dll into server: |
(127) The specified procedure could not be found:</pre> |
or: |
|
<pre>Syntax error on line [[some number] of apache/conf/httpd.conf: |
Invalid command 'SSLMutex', perhaps mis-spelled or defined by a module not |
included in the server configuration</pre> |
<br /> |
A: You didn't add the AddModule line (or not where it belongs, it belongs below |
the other AddModule lines). |
<p></p> |
|
<p>Q: SSL doesn't work in the browser and I see the following in some logfile: |
</p><pre> |
[Fri Nov 16 15:46:30 2001] [[error] OpenSSL: error:1407609C:SSL |
routines:SSL23_GET_CLIENT_HELLO:http request [[Hint: speaking HTTP to |
HTTPS port!?] |
</pre> |
A: How much clearer can an error message get? Your VirtualHost or Listen |
configuration is wrong. |
<p></p> |
|
<p>Q: When trying to connect to https://www.myhost.com I kept getting an error about an unknown protocol. I could however connect to https://10.10.0.14 which is the local ip of the server. |
<br /><br /> |
A: Under the VirtualHost section you add to the httpd.conf, I had to change __<VirtualHost www.myhost.com:443>__ to __<VirtualHost _default_:443>__. Not sure why this had to be done in my case, but it works.
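<p>The symptoms from "Debugging connect problems" and "Common problems" collected into one triage function, as an added example that is not part of the original HOWTO. The function and tag names are made up for this example, the sample inputs are excerpts of the outputs shown on this page, and the two thresholds (keys below 2048 bits, protocols older than TLSv1.2) are assumptions of the example rather than statements of the HOWTO.</p>

```shell
#!/bin/sh
# Added example (not from the original HOWTO): triage for "openssl s_client"
# output or an ssl.log excerpt. Reads stdin and prints one "tag: advice"
# line per recognised symptom.

say() { printf '%s\n' "$1"; hits=$((hits + 1)); }

triage_ssl() {
    out=$(cat); hits=0

    case $out in *"gethostbyname failure"*)
        say "dns: host name does not resolve; fix DNS or connect to the IP address" ;;
    esac
    case $out in *"Connection refused"*)
        say "refused: no SSL server on this port; check the Listen and Port directives" ;;
    esac
    case $out in *"SSL23_GET_CLIENT_HELLO:http request"*)
        say "http-on-ssl-port: plain HTTP reached the SSL port; check VirtualHost and Listen" ;;
    esac
    case $out in *"unknown protocol"*)
        say "unknown-protocol: the fix reported in the HOWTO was <VirtualHost _default_:443>" ;;
    esac
    case $out in *"verify error:num=18"*)
        say "self-signed: expected with the test certificate; install it in the client or get a CA-signed one" ;;
    esac

    # Assumption of this example: RSA keys below 2048 bits are flagged.
    bits=$(printf '%s\n' "$out" |
        sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        say "weak-key: ${bits}-bit server key; create a new key of at least 2048 bits"
    fi

    # Assumption of this example: anything older than TLSv1.2 is flagged.
    proto=$(printf '%s\n' "$out" |
        sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1)
    case $proto in SSLv2|SSLv3|TLSv1|TLSv1.1)
        say "old-protocol: session uses $proto; restrict the server to newer TLS versions" ;;
    esac

    [ "$hits" -gt 0 ] ||
        say "none: no known symptom; set LogLevel to debug and read error.log and ssl.log"
}

# Sample input: excerpt of the successful s_client session shown above.
sample_handshake() { cat <<'EOF'
CONNECTED(00000003)
verify error:num=18:self signed certificate
verify return:1
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Verify return code: 0 (ok)
EOF
}

# Sample input: the log line from "Common problems", joined onto one line.
sample_log() { cat <<'EOF'
[Fri Nov 16 15:46:30 2001] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
EOF
}

sample_handshake | triage_ssl
sample_log | triage_ssl
```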
|
<h3>Questions about Java servlets, OpenSSL compilation etc.</h3> |
|
<p> |
Don't ask us about installing servlet extensions, recompiling mod_ssl or |
Apache with EAPI, recompiled versions etc. We have no idea and won't be able
to help you. We are just users and not programmers.<br />
If your needs are so special, you are better off with a |
<a href="http://www.debian.org/">Debian GNU/Linux</a> or |
<a href="http://www.openbsd.org/">OpenBSD</a> server. It will save you lots |
of trouble. Really. </p> |
|
<h2>Links</h2> |
|
<p> |
Apache Web Server: <a href="http://www.apache.org">http://www.apache.org</a><br /> |
mod_ssl: <a href="http://www.modssl.org">http://www.modssl.org</a><br /> |
mod_ssl configuration: <a |
href="http://www.modssl.org/docs/2.4/ssl_reference.html">http://www.modssl.org/docs/2.4/ssl_reference.html</a><br /> |
OpenSSL: <a href="http://www.openssl.org">http://www.openssl.org</a><br /> |
PHP Hypertext preprocessor: <a href="http://www.php.net">http://www.php.net</a> |
</p> |
|
<p>Author of this document: <a href="mailto:[email protected]">Balázs |
Bárány</a> (<a href="http://tud.at">http://tud.at</a>) <br /> |
(mail me your questions, but only after having looked into the error logs with |
<code>LogLevel debug</code>. You can mail me in English, German and Hungarian. |
<br /> |
If I am constantly ignoring your e-mail, read all the hints in the HOWTO about |
how to e-mail me.)</p> |
|
<p> |
Contributor: <a href="mailto:[email protected]">Horst |
Bräuner</a> (OpenSSL configuration on NT)<br /> |
Contributor: <a href="mailto:[email protected]">Christoph Zich</a> |
(Windows 98)<br /> |
Contributor: <a href="mailto:[email protected]">Torsten Stanienda</a> |
(Test with 1.3.12, IfDefine directive)<br /> |
|
Contributor: <a href="mailto:[email protected]">Peter Holm</a> (Listen and Port directives) |
</p> |
|
<p>Last change: 2002-05-18</p> |
<p>This document can be redistributed under the |
<a href="http://www.gnu.org/copyleft/fdl.html">GNU Free |
Documentation License</a>. © Balázs Bárány 1999-2002</p> |
|
<p class="testedBy"> |
These instructions were tested by <a href="mailto:[email protected]">Matt Raible</a> |
on Windows XP (SP1) and Red Hat Linux 7.3 with Apache 2.0.42. |
</p> |
|
</div> |