Raible's Wiki: ApacheSSL

-       Raible's Wiki




    Raible Designs

Wiki Home

News

Recent Changes

AppFuse
Homepage

  -  Korean

  -  Chinese

  -  Italian

  -  Japanese

QuickStart Guide

  - Chinese
 
  - French

  - German

  - Italian

  - Korean

  - Portuguese

  - Spanish

  - Japanese


User Guide

  - Korean

  - Chinese
 

Tutorials

  -  Chinese

  -  German

  -  Italian

  -  Korean

  -  Portuguese

  -  Spanish


FAQ

  -  Korean


Latest Downloads

Other Applications
Struts Resume

Security Example

Struts Menu



    




    

    
         
        Set your name in

        UserPreferences
            
    





       
       
       
       




    

Referenced by

Articles
Articles_cn
Articles_de
Articles_pt
Articles_zh



    




   



   
   JSPWiki v2.2.33 
   



       
           

           

           
           
           


           Hide Menu
+            ApacheSSL
            



  
    Search Wiki:
    
    
  



         
         
            Your trail: 
         
      

      


      

      
         



      
          Difference between 
          version 17 
          and 
          version 3:
          

          
At line 1 added 46 lines.
<style type="text/css" media="all">
    span.highlight {background: yellow; color: black}
    div.highlight {background: #ffc; color: black; border: 1px solid black; padding: 10px}	
    p.testedBy {border-top: 1px dashed black; padding-top: 5px; color: #666; background: transparent; font-size: .9em;}
</style>
<div class="canvas">
    <!--
    
    Changelog:
    1.7.1       2006-11-16      Added default test certificate pass phrase
    1.7.0       2005-12-29      Added "unknown protocol" issue and solution
    1.6.9       2005-01-24      Added link to new Windows+Apache+SSL Tutorial
    1.6.8       2004-12-13      Links updated; OpenSSL configfile explained; other clarifications
    1.6.7       2004-05-18      Moved to Wiki so users can edit when they find mistakes/updates
    1.6.6	2003-12-30	Added user comments
    1.6.5	2002-09-27	Added instructions for Linux
    1.6.4	2002-09-26	Added information for Apache 2.0 and added a little formatting
    1.6.3	2002-05-18	info about better not overwriting the configuration files
    1.6.2	2002-05-10	more info about "couldn't load..."; apache 2 warning
    1.6.1	2002-04-10	AddModule clarification, more debugging
    1.6		2001-12-28	Windows XP information, common problems section
    1.5.3	2001-11-27	Added link to French translation
    1.5.2	2001-11-06	Added AddModule
    1.5.1	2001-10-26	Added link to Spanish translation
    1.5		2001-10-20	Lots of clarifications based on input from many people
    1.4.4	2001-05-26	Added Peter Holm to the contributors
    1.4.3	2001-05-25	"Port" directive commented out, some fixes for current versions
    1.4.2	2001-04-06	Remark about .so files
    1.4.1	2001-02-20	Success on ME
    1.4  	2001-01-28	Information about debugging connect errors
    1.3.14	2000-12-28	Small fixes; right-click to download the openssl.cnf file
    1.3.13	2000-12-19	Added feedback section
    1.2.12	2000-11-21	Information about the languages I speak
    1.2.11	2000-11-15	Removed outdated information about M$ IIS
    1.2.10	2000-11-05	OpenSSL.exe fixes
    1.2.9.2	2000-09-11	Minor tweaks, corrected HTML
    1.2.9.1	2000-07-26	IfDefine Directive added, thanks to Torsten Stanienda
    1.2.8	2000-05-09	OpenSSL -config corrected
    1.2.7	2000-04-29	Peter Barany corrected my English
    1.2.6	2000-04-28	Added info on converting the certificate to DER format for MSIE 4
    1.2.5	2000-04-21	The HOWTO is now hosted on my on server. Updated the URL
    					Added -config parameter for openssl to work with the provided config file
    1.2		2000-01-24	Christoph Zich tested the HOWTO on Windows 98
    1.1		1999-10-22	Included Horst Brauner's openssl.conf file
    1.0					Initial release
    -->
At line 48 added 500 lines.
<div style="float: right; margin-top: 20px;">
<script type="text/javascript"><!--
google_ad_client = "pub-7968247362757416";
google_ad_width = 468;
google_ad_height = 60;1
google_ad_format = "468x60_as";
google_color_border = "990000";
google_color_bg = "FFFFFF";
google_color_link = "000000";
google_color_url = "CC0000";
google_color_text = "333333";
//--></script>
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
</div>

<h1>The Apache + SSL HOWTO</h1>

<p>Version 1.6.8 (changelog: view source)</p>

<p>
<a href="http://www.geocities.com/sartigas/apachessl.html">Spanish
translation</a> maintained by <a href="mailto:[email protected]">Sergio
Artigas</a>
</p>
<p>
<a href="http://netsafe.free.fr/index.php?Chap=A1">French
translation</a> maintained by <a href="mailto:[email protected]">Jean-Francois 
Moreau</a>
</p>
<p>
Revised September 26, 2002 by <a href="mailto:[email protected]">Matt Raible</a> for Apache 2.0.42.
Original Article at <a href="http://tud.at/programm/apache-ssl-win32-howto.php3/">http://tud.at/programm/apache-ssl-win32-howto.php3</a>.
</p>

%%note __NEW!__ (January 23, 2005) Chris Thompson has written an [an updated and simplified|http://www.thompsonbd.com/tutorials/apachessl.php] Apache+SSL HowTo for Windows.%%

<h2>Overview</h2>

<p>This page describes the installation of the Win32 version of Apache with
the mod_ssl extension. The newest version should always be available from <a
href="http://tud.at/programm/apache-ssl-win32-howto.php3">http://tud.at/programm/apache-ssl-win32-howto.php3</a>.
</p>
    <p> This process worked for many people on Windows NT, 98, ME, 2000 and XP; 
        please <a href="mailto:[email protected]">mail me</a> your suggestions and 
        bug reports. You can even install Apache with SSL in addition to the Microsoft 
        Internet Information Server if you need to.</p>
<p>
	Note: sometimes, there are changes between the precompiled apache
	distributions so that this HOWTO is not correct anymore. In this case,
	if the current version does not work for you, download an older version -
	one that was published before the modification date of this HOWTO.
	Or, if you like adventures, try to make it run, and <a href="mailto:[email protected]">mail 
	me</a> if you needed to change anything.
</p>

<p>Apache with mod_ssl seems to be the only free (as in speech, not in beer)
solution for Win32. Please note that Apache on Win32 is considered beta
quality as it doesn&#39;t reach the stability and performance of Apache on
Un*x platforms.</p>

<h2>1.: <a name="install" id="install"></a>Installing Apache</h2>

<p>Get the Win32 version of the Apache web server from one of the <a 
href="http://www.apache.org/mirrors/">mirrors</a>. It is called something like


<code>apache_x_y_z_win32.exe</code>. This is a self-extracting archive that
contains the Apache base system and sample configuration files.</p>

<p>
	Don't mix Apache versions 1.3 and 2! It won't work. If you find 1.3.x on
	modssl.org, you cannot expect it to work with 2.0.x. 
</p>

    <p>Install Apache as described in <a href="http://www.apache.org/docs/windows.html">http://www.apache.org/docs/windows.html</a>.</p>
	
<a name="install-linux" id="install-linux"></a>
<div class="highlight">
For Linux, to install Apache 2.0.42 with mod_sll installed, I performed the following steps: 

I used <a href="http://httpd.apache.org/docs-2.0/install.html">http://httpd.apache.org/docs-2.0/install.html</a> as a reference.

<code>$ lynx http://www.apache.org/dist/httpd/httpd-2.0.42.tar.gz</code><br />
<code>$ gzip -d httpd-2.0.42.tar.gz</code><br />
<code>$ tar xvf httpd-2.0.42.tar</code><br />
<code>$ ./configure --enable-mods-shared=most --enable-ssl=shared</code><br />
<code>$ make</code><br />
<code>$ make install</code> 

If you're using Apache 2.0.42 with Tomcat, you can download the binary mod_jk.so from<a href="http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so"> http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so</a>. 
After downloading, put this file into your <code>modules</code> directory 
and rename it <code>mod_jk.so</code>. <a href="http://www.raibledesigns.com/tomcat">Click 
here</a> for more information on configuring Apache and Tomcat.

</div>

<p>Note: You can skip this step and get a full Apache+SSL distribution from
modssl.org, as described below. There will be no fancy installation program but
you won't need to overwrite the stock Apache files. This is the better way if
you are experienced and don't fear editing configuration files (which you will
need to do anyway).</p>

<p>Change at least the following parameters in <code>
Apache-dir/conf/httpd.conf</code>:<br />
<b>[[Replace all occurences of <code>www.my-server.dom</code> with the real
domain name!]</b></p>

<ul>
<li><code>Port 80</code> to <code><b>#</b> Port 80</code> (Comment it out;

<code>Port</code> is not necessary, <code>Listen</code> overrides it
later.)</li>

<li>(if <b>not</b> in addition to IIS) <code>Listen 80</code></li>

<li><code>ServerName</code> <b>www.my-server.dom</b></li>

<li>(if in addition to IIS) <code>DocumentRoot</code> and the corresponding
<code>&lt;Directory</code> some-dir<code>&gt;</code> to your <code>Inetpub\wwwroot</code></li>

</ul>

<p>Install the Apache service (NT only) and start the server. Verify that
everything works before proceeding to the SSL installation because this
limits the possible errors.</p>

<p>Try <u><b>http://www.my-server.dom:443/</b></u>. It won&#39;t be encrypted yet but if
this works then the port configuration (port 443) is right.</p>

<h2>2.: <a name="openssl" id="openssl"></a>Getting OpenSSL and mod_ssl</h2>

<p>
If you want to compile the mod_ssl.so module, you can use the latest 
sources, available at 
<a href="http://www.modssl.org/contrib/ftp/source/">http://www.modssl.org/contrib/ftp/source/</a> 
for Apache 1.3.x and included in Apache HTTP server sources, 
accesible as a CVS code repository (see the instructions at <a href="http://httpd.apache.org/dev/anoncvs.txt">http://httpd.apache.org/dev/anoncvs.txt</a>) 
for Apache 2.0.x.</p>
<p>For Windows, the precompiled module is available at 
<a href="http://hunter.campbus.com/">http://hunter.campbus.com/</a> 
(where you will find there Apache 1.3 and 2.0 binaries with 
the corresponding mod_ssl.so module versions included), while binaries for Linux are 
included in the major Linux distributions.
</li>
</ul>
Apache Software Foundation mades a point in not offering the compiled binaries 
for the SSL module, due to the export regulations for cryptographic software from USA. 
Don&#39;t ask for binaries if they will not be available at the currently indicated locations. 
Various ISVs provide free binaries for this module in various projects such as 
<a href="http://www.nusphere.com/products/index.htm#NuSphereTechPlatform">NuSphere 
Technology Platform</a>, <a href="http://www.apache-ssl.org/">Apache-SSL</a> etc.
</p>

<p>OpenSSL is required for getting a certificate to use with your web server. You may 
download its sources and compile it from 
<a href="http://www.openssl.org/source/">http://www.openssl.org/source/</a>. Compiled 
binaries are available at <a href="http://gnuwin32.sourceforge.net/packages/openssl.htm">http://gnuwin32.sourceforge.net/packages/openssl.htm</a> 
for Windows and are included in major Linux distributions.</p>

<p>OpenSSL for Windows might also be obtained by downloading and installing 
<strong>Cygwin </strong>from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.</p>

<p><span class="highlight">Put the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>
from the Apache/modssl distribution directory to <code>WINNT\System32</code> 
(or in another folder mentioned in the PATH environment variable).
This is important! About 70&nbsp;% of the e-mails I receive is because people
forget to do this.</span></p>

<h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>

<p>The following instructions are adapted from 
<a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.</p>    

<p>Open a shell window (Command Prompt in Windows) and change the current directory to 
the directory where you have the openssl.exe file (openssl file for Linux).</p>

<p><code>openssl req -config openssl.cnf -new -out server.csr</code><br />
This creates a certificate signing request (<code>server.csr</code>) and a 
private key (<code>privkey.pem</code>), using the configuration 
file that is provided with the binary distribution of OpenSSL or with 
Cygwin (<code>openssl.cnf</code>) that will make the OpenSSL application to 
prompt for each detail of the certificate. When asked for 
<code>&quot;Common Name (eg, your websites domain name)&quot;</code>, 
give the exact domain name of your web server (e.g. <b>www.my-server.dom</b>). 
The certificate belongs to this server name and browsers complain if the 
name doesn&#39;t match.</p>

<p style="margin-left: 20px; font-style: italic; color: green">
If you didn't provide a config file, OpenSSL will try to use the file specified 
by the OPENSSL_CONF environment variable. This variable is usually not defined 
and if you follow the instructions from the original tutorial (linked at the 
top of this page), which does not use the <code>-conf</code> switch, you will 
get an error about &quot;distinguished name&quot;. (Thanks to 
<strong>Olivier Gambier</strong> for clearing this problem, using information from 
<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.)</p>

<p style="margin-left: 20px; font-style: italic; color: green">
On a Windows system, files with <code>cnf</code> extensions are treated as special files 
(of type SpeedDial) and Windows Explorer will refuse to display its extension, regardless 
of display settings, and the file will have a strongly modified context menu that 
might prevent you from editing it and might mislead you to believe you don't have this file. 
Just look for a SpeedDial-type file displayed simply as <code>openssl</code>.</p>

<p><code>openssl rsa -in privkey.pem -out server.key</code><br />
This removes the passphrase from the private key. You MUST understand 
what this means; <code>server.key</code> should be only readable by the 
Apache server and the administrator.<br />
You should delete the <code>.rnd</code> file because it contains the entropy 
information for creating the key and could be used for cryptographic attacks 
against your private key.</p>

<p><code>openssl x509 -in server.csr -out server.crt -req -signkey server.key 
        -days 365</code><br />
This creates a self-signed certificate that you can use until you get a
&quot;real&quot; one from a certificate authority. (Which is optional; if you
know your users, you can tell them to install the certificate into their
browsers.) Note that this certificate expires after one year, you can
increase <code>-days 365</code> if you don't want this.</p>

<p>If you have users with MS Internet Explorer 4.0+ and want them to be able
to install the certificate into their certificate storage (by downloading and
opening it), you need to create a DER-encoded version of the certificate:<br />
<code>openssl x509 -in server.crt -out server.der.crt -outform DER</code></p>

<p>Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code> 
and <code>server.crt</code> into it. <strong>For Linux</strong> create 
two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code> 
into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.</p>

<p><span class="highlight">__Note:__ The default pass phrase shipped with openssl.cnf is ''aaaa''.</span></p>

<h2>4.: <a name="configuring" id="configuring"></a>Configuring Apache and mod_ssl</h2>

<p>Copy the executable files (*.exe, *.dll, *.so) from the downloaded
apache-mod_ssl distribution over your original Apache installation directory
(remember to stop Apache first and DO NOT overwrite your edited config files
etc.!).</p>

<p>Find the LoadModule directives in your <code>httpd.conf</code> file and
add this after the existing ones, according to the file you have found in the
distribution:</p>

<p><code>LoadModule ssl_module modules/ApacheModuleSSL.dll</code> <br /> or<br />
<code>LoadModule ssl_module modules/ApacheModuleSSL.so</code>  <br /> or<br />
<code>LoadModule ssl_module modules/mod_ssl.so</code> 
<br />
in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will 
be done for you when you compile with <code>--enable-ssh=shared</code>)</p>

<p>In newer versions of the distribution for Apache 1.x, it could also be necessary to add<br />
<code>AddModule mod_ssl.c</code><br />
after the AddModule lines that are already in the config file. </p>

<p>Copy <code>ssl.conf</code> from the OpenSSL distribution to Apache/conf/. 
For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a> 
(Right click -> Save Target As...). <span class="highlight">Make sure 
and change the <code>DocumentRoot</code> and <code>ServerName</code> values 
on lines 93 and 94.</span></p>

<p>Add the following to the end of <code>httpd.conf</code>: <span class="highlight">Make sure and change <b>www.my-server.dom</b> in the example below.</span></p>
    <pre>
<code><i># see <a 
href="http://www.modssl.org/docs/2.4/ssl_reference.html">http://www.modssl.org/docs/2.4/ssl_reference.html</a> for more info</i>
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none

ErrorLog logs/ssl.log
LogLevel info
<i># You can later change &quot;info&quot; to &quot;warn&quot; if everything is OK</i>

&lt;VirtualHost <b>www.my-server.dom</b>:443&gt;
SSLEngine On
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
&lt;/VirtualHost&gt;</code></pre>

<p>Don't forget to call apache with <code>-D SSL</code> if the <code>IfDefine</code> 
    directive is active in the config file! <span class="highlight">In other words, 
    either start Apache from the command line with <code>-D SSL</code> or comment 
    out the <code>IfDefine</code> start/end tags in <code>ssl.conf</code>.</span></p>

<div class="highlight">
                        
        <p><span class="c1"><strong>NOTE</strong>:</span> When using SSL with 
            multiple Virtual Hosts, you must use an ip-based configuration. This 
            is because SSL requires you to configure a specific port (443), whereas 
            name-based specifies all ports (*). You might the following error 
            if you try to mix name-based virtual hosts with SSL.</p>
        <p><code>[[error] VirtualHost _default_:443 -- mixing * ports and non-* 
            ports with a NameVirtualHost address is not supported, proceeding 
            with undefined results</code></p>
    </div>

<p>You might need to use <code>regedit</code> to change the key <code>

HKEY_LOCAL_MACHINE\SOFTWARE\Apache&nbsp;Group\Apache\X.Y.Z</code> to the
correct number if the <code>apache.exe</code> from 
<code>modssl.org/contrib</code> is not the same version as the previously installed
one. (This seems not to be necessary with recent versions.)</p>

<p>Start the server, this time from the command prompt (not as a service) in order 
    to see the error messages that prevent Apache from starting. If everything 
    is OK, (optionally) press CTRL+C to stop the server and start it as a service 
    if you prefer.</p>
<p>
    If it doesn&#39;t work, Apache should write meaningful messages to the screen 
    and/or into the error.log and SSL.log files in the Apache/logs directory.<br />

    If something doesn&#39;t work, set all <code>LogLevel</code>s to the maximum 
    and <em>look into the logfiles</em>. They are very helpful.</p>

<p>DON'T e-mail me or the other contributors without having plain Apache
installed (Step 1). We will ignore your request; we are not the Free Apache
Helpdesk and there is enough good documentation on configuring Apache; if that
is not enough for you, you shouldn't run a secure server anyway. Also, DON'T
e-mail without having looked into the error.log and SSL.log with
<code>LogLevel</code> set to Debug.</p>

<h2><a name="debugging" id="debugging"></a>Debugging connect problems</h2>

<p>
	Problems connecting to the server with a browser can have many reasons, 
	many of them on the client (proxy, DNS, general IE dumbness).
</p>
<p>
	So, if you encounter problems connecting with SSL, try another browser
	and/or look into the settings. If even this doesn't work, you can use
	OpenSSL to debug the problem.
</p>
<pre><code>bb@www$ <b>openssl s_client -connect no-such-machine:443</b>
gethostbyname failure 	<i># Error resolving this DNS name. Connect with the IP address.</i>
connect:errno=2

bb@www$ <b>openssl s_client -connect www1.tud.at:443</b>

connect: Connection refused		
connect:errno=111
<i># No SSL server on this port. Double-check the <b>Listen</b> and <b>Port</b> directives.</i>

bb@www$ <b>openssl s_client -connect </b>apcenter.apcinteractive.net<b>:443</b>
<i># everything OK. OpenSSL shows the information it obtained from the server.</i>

CONNECTED(00000003)
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
verify return:1
---
Certificate chain
 0 s:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
   i:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
---
Server certificate
---BEGIN CERTIFICATE---
MIIC0TCCAjoCAQAwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAmF0MQ0wCwYDV
[[...]
9ucXUnk=
---END CERTIFICATE---
subject=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
issuer=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 1281 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 49ACE1CF484A67D2C476B923D52110A6FCA1A7CE53D76DF7F233DEBF2333D4FB
    Session-ID-ctx:
    Master-Key: 00E9FA964253752294ECD69C18ADBA527B7170C112E2B3BCB25EA8F4FD847EC46E1FF0194EF8E16985B5E38BF6F12131
    Key-Arg   : None
    Start Time: 980696025
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
<b>[Enter: 
GET / HTTP/1.0
and press RETURN twice]</b>
HTTP/1.1 200 OK
Date: Sun, 28 Jan 2001 15:34:58 GMT
Server: Apache/1.3.9 (Win32) mod_ssl/2.4.9 OpenSSL/0.9.4
Cache-Control: no-cache, no-store, must-revalidate, private
Expires: 0
Pragma: no-cache
X-Powered-By: PHP/4.0.4
Last-Modified: Sun, 28 Jan 2001 15:35:00 GMT
Connection: close
Content-Type: text/html

&lt;!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"&gt;
&lt;html&gt;
<i># the server shows its main document</i>
</code></pre>

<h2>Common problems</h2>

<p>Q: I see the following when starting Apache:
</p><pre>Syntax error on line [[some number] of ...httpd.conf
Cannot load apache/modules/mod_ssl.so into server 
(126) The module could not be found:
</pre>
<br />
A: Did you copy the openssl DLLs to WINNT/SYSTEM32 (or WINDOWS/SYSTEM on
Win9x/ME)? <br />
You can verify this by copying <code>openssl.exe</code> into a directory of its
own and executing it. If it complains about not being able to find some DLLs,
then you haven't copied them into the correct directory.
<br />
One user told me that he had this problem even when he did everything right. He
then found the problem: corrupt openssl DLLs. So if you get this error despite
having done everything correctly, try the openssl DLLs from another version from
modssl.org/contrib.
<p></p>

<p>Q: I see the following when starting Apache:
</p><pre>Syntax error on line [[some number] of apache/conf/httpd.conf:
Cannot load apache/modules/apachemodulessl.dll into server:
(127) The specified procedure could not be found:</pre>
or: 

<pre>Syntax error on line [[some number] of apache/conf/httpd.conf:
Invalid command 'SSLMutex', perhaps mis-spelled or defined by a module not
included in the server configuration</pre>
<br />
A: You didn't add the AddModule line (or not where it belongs, it belongs below
the other AddModule lines).
<p></p>

<p>Q: SSL doesn't work in the browser and I see the following in some logfile:
</p><pre>
[Fri Nov 16 15:46:30 2001] [[error] OpenSSL: error:1407609C:SSL
routines:SSL23_GET_CLIENT_HELLO:http request [[Hint: speaking HTTP to
HTTPS port!?]
</pre>
A: How much clearer can an error message get? Your VirtualHost or Listen
configuration is wrong.
<p></p>

<p>Q: When trying to connect to https://www.myhost.com I kept getting an error about an unknown protocol. I could however connect to https://10.10.0.14 which is the local ip of the server.
<br /><br />
A: Under the VirtualHost section you add to the httpd.conf, I had to change __&lt;VirtualHost www.myhost.com:443>__ to __&lt;VirtualHost _default_:443>__.Not sure why this had to be done in my case, but it works.

<h3>Questions about Java servlets, OpenSSL compilation etc.</h3>

<p>
	Don't ask us about installing servlet extensions, recompiling mod_ssl or
	Apache with EAPI, recompiled versions etc. We have no idea and won't be able
	help you. We are just users and not programmers.<br />
	If your needs are so special, you are better off with a 
	<a href="http://www.debian.org/">Debian GNU/Linux</a> or 
	<a href="http://www.openbsd.org/">OpenBSD</a> server. It will save you lots
	of trouble. Really. </p>

<h2>Links</h2>

<p>
Apache Web Server: <a href="http://www.apache.org">http://www.apache.org</a><br />
mod_ssl: <a href="http://www.modssl.org">http://www.modssl.org</a><br />
mod_ssl configuration: <a 
href="http://www.modssl.org/docs/2.4/ssl_reference.html">http://www.modssl.org/docs/2.4/ssl_reference.html</a><br />
OpenSSL: <a href="http://www.openssl.org">http://www.openssl.org</a><br />
PHP Hypertext preprocessor: <a href="http://www.php.net">http://www.php.net</a> 
</p>

<p>Author of this document: <a href="mailto:[email protected]">Bal&aacute;zs
B&aacute;r&aacute;ny</a> (<a href="http://tud.at">http://tud.at</a>) <br />
(mail me your questions, but only after having looked into the error logs with 
<code>LogLevel debug</code>. You can mail me in English, German and Hungarian.
<br />
If I am constantly ignoring your e-mail, read all the hints in the HOWTO about
how to e-mail me.)</p>

<p>
Contributor: <a href="mailto:[email protected]">Horst
Br&auml;uner</a> (OpenSSL configuration on NT)<br />
Contributor: <a href="mailto:[email protected]">Christoph Zich</a>
(Windows 98)<br />
Contributor: <a href="mailto:[email protected]">Torsten Stanienda</a>
(Test with 1.3.12, IfDefine directive)<br />

Contributor: <a href="mailto:[email protected]">Peter Holm</a> (Listen and Port directives)
</p>

<p>Last change: 2002-05-18</p>
<p>This document can be redistributed under the 
<a href="http://www.gnu.org/copyleft/fdl.html">GNU Free
Documentation License</a>. &copy; Bal&aacute;zs B&aacute;r&aacute;ny 1999-2002</p>

<p class="testedBy">
  These instructions were tested by <a href="mailto:[email protected]">Matt Raible</a> 
  on Windows XP (SP1) and Red Hat Linux 7.3 with Apache 2.0.42.   
</p>

</div>


          

      

      

      
      Back to ApacheSSL,
       or to the Page History.
       

      

      

      

      

      

      

      

      Show Menu
-ApacheSSL
+    Search Wiki:
 At line 1 added 46 lines.
+<style type="text/css" media="all">
+    span.highlight {background: yellow; color: black}
+    div.highlight {background: #ffc; color: black; border: 1px solid black; padding: 10px}
+    p.testedBy {border-top: 1px dashed black; padding-top: 5px; color: #666; background: transparent; font-size: .9em;}
+</style>
+<div class="canvas">
+    <!--
+    Changelog:
+.7.1       2006-11-16      Added default test certificate pass phrase
+.7.0       2005-12-29      Added "unknown protocol" issue and solution
+.6.9       2005-01-24      Added link to new Windows+Apache+SSL Tutorial
+.6.8       2004-12-13      Links updated; OpenSSL configfile explained; other clarifications
+.6.7       2004-05-18      Moved to Wiki so users can edit when they find mistakes/updates
+.6.6	2003-12-30	Added user comments
+.6.5	2002-09-27	Added instructions for Linux
+.6.4	2002-09-26	Added information for Apache 2.0 and added a little formatting
+.6.3	2002-05-18	info about better not overwriting the configuration files
+.6.2	2002-05-10	more info about "couldn't load..."; apache 2 warning
+.6.1	2002-04-10	AddModule clarification, more debugging
+.6		2001-12-28	Windows XP information, common problems section
+.5.3	2001-11-27	Added link to French translation
+.5.2	2001-11-06	Added AddModule
+.5.1	2001-10-26	Added link to Spanish translation
+.5		2001-10-20	Lots of clarifications based on input from many people
+.4.4	2001-05-26	Added Peter Holm to the contributors
+.4.3	2001-05-25	"Port" directive commented out, some fixes for current versions
+.4.2	2001-04-06	Remark about .so files
+.4.1	2001-02-20	Success on ME
+.4  	2001-01-28	Information about debugging connect errors
+.3.14	2000-12-28	Small fixes; right-click to download the openssl.cnf file
+.3.13	2000-12-19	Added feedback section
+.2.12	2000-11-21	Information about the languages I speak
+.2.11	2000-11-15	Removed outdated information about M$ IIS
+.2.10	2000-11-05	OpenSSL.exe fixes
+.2.9.2	2000-09-11	Minor tweaks, corrected HTML
+.2.9.1	2000-07-26	IfDefine Directive added, thanks to Torsten Stanienda
+.2.8	2000-05-09	OpenSSL -config corrected
+.2.7	2000-04-29	Peter Barany corrected my English
+.2.6	2000-04-28	Added info on converting the certificate to DER format for MSIE 4
+.2.5	2000-04-21	The HOWTO is now hosted on my on server. Updated the URL
+    					Added -config parameter for openssl to work with the provided config file
+.2		2000-01-24	Christoph Zich tested the HOWTO on Windows 98
+.1		1999-10-22	Included Horst Brauner's openssl.conf file
+.0					Initial release
+    -->
 At line 48 added 500 lines.
+<div style="float: right; margin-top: 20px;">
+<script type="text/javascript"><!--
+google_ad_client = "pub-7968247362757416";
+google_ad_width = 468;
+google_ad_height = 60;1
+google_ad_format = "468x60_as";
+google_color_border = "990000";
+google_color_bg = "FFFFFF";
+google_color_link = "000000";
+google_color_url = "CC0000";
+google_color_text = "333333";
+//--></script>
+<script type="text/javascript"
+  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
+</div>
+<h1>The Apache + SSL HOWTO</h1>
+<p>Version 1.6.8 (changelog: view source)</p>
+<p>
+<a href="http://www.geocities.com/sartigas/apachessl.html">Spanish
+translation</a> maintained by <a href="mailto:[email protected]">Sergio
+Artigas</a>
+</p>
+<p>
+<a href="http://netsafe.free.fr/index.php?Chap=A1">French
+translation</a> maintained by <a href="mailto:[email protected]">Jean-Francois
+Moreau</a>
+</p>
+<p>
+Revised September 26, 2002 by <a href="mailto:[email protected]">Matt Raible</a> for Apache 2.0.42.
+Original Article at <a href="http://tud.at/programm/apache-ssl-win32-howto.php3/">http://tud.at/programm/apache-ssl-win32-howto.php3</a>.
+</p>
+%%note __NEW!__ (January 23, 2005) Chris Thompson has written an [an updated and simplified|http://www.thompsonbd.com/tutorials/apachessl.php] Apache+SSL HowTo for Windows.%%
+<h2>Overview</h2>
+<p>This page describes the installation of the Win32 version of Apache with
+the mod_ssl extension. The newest version should always be available from <a
+href="http://tud.at/programm/apache-ssl-win32-howto.php3">http://tud.at/programm/apache-ssl-win32-howto.php3</a>.
+</p>
+    <p> This process worked for many people on Windows NT, 98, ME, 2000 and XP;
+        please <a href="mailto:[email protected]">mail me</a> your suggestions and
+        bug reports. You can even install Apache with SSL in addition to the Microsoft
+        Internet Information Server if you need to.</p>
+<p>
+	Note: sometimes, there are changes between the precompiled apache
+	distributions so that this HOWTO is not correct anymore. In this case,
+	if the current version does not work for you, download an older version -
+	one that was published before the modification date of this HOWTO.
+	Or, if you like adventures, try to make it run, and <a href="mailto:[email protected]">mail
+	me</a> if you needed to change anything.
+</p>
+<p>Apache with mod_ssl seems to be the only free (as in speech, not in beer)
+solution for Win32. Please note that Apache on Win32 is considered beta
+quality as it doesn&#39;t reach the stability and performance of Apache on
+Un*x platforms.</p>
+<h2>1.: <a name="install" id="install"></a>Installing Apache</h2>
+<p>Get the Win32 version of the Apache web server from one of the <a
+href="http://www.apache.org/mirrors/">mirrors</a>. It is called something like
+<code>apache_x_y_z_win32.exe</code>. This is a self-extracting archive that
+contains the Apache base system and sample configuration files.</p>
+<p>
+	Don't mix Apache versions 1.3 and 2! It won't work. If you find 1.3.x on
+	modssl.org, you cannot expect it to work with 2.0.x.
+</p>
+    <p>Install Apache as described in <a href="http://www.apache.org/docs/windows.html">http://www.apache.org/docs/windows.html</a>.</p>
+<a name="install-linux" id="install-linux"></a>
+<div class="highlight">
+For Linux, to install Apache 2.0.42 with mod_sll installed, I performed the following steps:
+I used <a href="http://httpd.apache.org/docs-2.0/install.html">http://httpd.apache.org/docs-2.0/install.html</a> as a reference.
+<code>$ lynx http://www.apache.org/dist/httpd/httpd-2.0.42.tar.gz</code><br />
+<code>$ gzip -d httpd-2.0.42.tar.gz</code><br />
+<code>$ tar xvf httpd-2.0.42.tar</code><br />
+<code>$ ./configure --enable-mods-shared=most --enable-ssl=shared</code><br />
+<code>$ make</code><br />
+<code>$ make install</code>
+If you're using Apache 2.0.42 with Tomcat, you can download the binary mod_jk.so from<a href="http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so"> http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so</a>.
+After downloading, put this file into your <code>modules</code> directory
+and rename it <code>mod_jk.so</code>. <a href="http://www.raibledesigns.com/tomcat">Click
+here</a> for more information on configuring Apache and Tomcat.
+</div>
+<p>Note: You can skip this step and get a full Apache+SSL distribution from
+modssl.org, as described below. There will be no fancy installation program but
+you won't need to overwrite the stock Apache files. This is the better way if
+you are experienced and don't fear editing configuration files (which you will
+need to do anyway).</p>
+<p>Change at least the following parameters in <code>
+Apache-dir/conf/httpd.conf</code>:<br />
+<b>[[Replace all occurences of <code>www.my-server.dom</code> with the real
+domain name!]</b></p>
+<ul>
+<li><code>Port 80</code> to <code><b>#</b> Port 80</code> (Comment it out;
+<code>Port</code> is not necessary, <code>Listen</code> overrides it
+later.)</li>
+<li>(if <b>not</b> in addition to IIS) <code>Listen 80</code></li>
+<li><code>ServerName</code> <b>www.my-server.dom</b></li>
+<li>(if in addition to IIS) <code>DocumentRoot</code> and the corresponding
+<code>&lt;Directory</code> some-dir<code>&gt;</code> to your <code>Inetpub\wwwroot</code></li>
+</ul>
+<p>Install the Apache service (NT only) and start the server. Verify that
+everything works before proceeding to the SSL installation because this
+limits the possible errors.</p>
+<p>Try <u><b>http://www.my-server.dom:443/</b></u>. It won&#39;t be encrypted yet but if
+this works then the port configuration (port 443) is right.</p>
+<h2>2.: <a name="openssl" id="openssl"></a>Getting OpenSSL and mod_ssl</h2>
+<p>
+If you want to compile the mod_ssl.so module, you can use the latest
+sources, available at
+<a href="http://www.modssl.org/contrib/ftp/source/">http://www.modssl.org/contrib/ftp/source/</a>
+for Apache 1.3.x and included in Apache HTTP server sources,
+accesible as a CVS code repository (see the instructions at <a href="http://httpd.apache.org/dev/anoncvs.txt">http://httpd.apache.org/dev/anoncvs.txt</a>)
+for Apache 2.0.x.</p>
+<p>For Windows, the precompiled module is available at
+<a href="http://hunter.campbus.com/">http://hunter.campbus.com/</a>
+(where you will find there Apache 1.3 and 2.0 binaries with
+the corresponding mod_ssl.so module versions included), while binaries for Linux are
+included in the major Linux distributions.
+</li>
+</ul>
+Apache Software Foundation mades a point in not offering the compiled binaries
+for the SSL module, due to the export regulations for cryptographic software from USA.
+Don&#39;t ask for binaries if they will not be available at the currently indicated locations.
+Various ISVs provide free binaries for this module in various projects such as
+<a href="http://www.nusphere.com/products/index.htm#NuSphereTechPlatform">NuSphere
+Technology Platform</a>, <a href="http://www.apache-ssl.org/">Apache-SSL</a> etc.
+</p>
+<p>OpenSSL is required for getting a certificate to use with your web server. You may
+download its sources and compile it from
+<a href="http://www.openssl.org/source/">http://www.openssl.org/source/</a>. Compiled
+binaries are available at <a href="http://gnuwin32.sourceforge.net/packages/openssl.htm">http://gnuwin32.sourceforge.net/packages/openssl.htm</a>
+for Windows and are included in major Linux distributions.</p>
+<p>OpenSSL for Windows might also be obtained by downloading and installing
+<strong>Cygwin </strong>from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.</p>
+<p><span class="highlight">Put the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>
+from the Apache/modssl distribution directory to <code>WINNT\System32</code>
+(or in another folder mentioned in the PATH environment variable).
+This is important! About 70&nbsp;% of the e-mails I receive is because people
+forget to do this.</span></p>
+<h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>
+<p>The following instructions are adapted from
+<a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.</p>
+<p>Open a shell window (Command Prompt in Windows) and change the current directory to
+the directory where you have the openssl.exe file (openssl file for Linux).</p>
+<p><code>openssl req -config openssl.cnf -new -out server.csr</code><br />
+This creates a certificate signing request (<code>server.csr</code>) and a
+private key (<code>privkey.pem</code>), using the configuration
+file that is provided with the binary distribution of OpenSSL or with
+Cygwin (<code>openssl.cnf</code>) that will make the OpenSSL application to
+prompt for each detail of the certificate. When asked for
+<code>&quot;Common Name (eg, your websites domain name)&quot;</code>,
+give the exact domain name of your web server (e.g. <b>www.my-server.dom</b>).
+The certificate belongs to this server name and browsers complain if the
+name doesn&#39;t match.</p>
+<p style="margin-left: 20px; font-style: italic; color: green">
+If you didn't provide a config file, OpenSSL will try to use the file specified
+by the OPENSSL_CONF environment variable. This variable is usually not defined
+and if you follow the instructions from the original tutorial (linked at the
+top of this page), which does not use the <code>-conf</code> switch, you will
+get an error about &quot;distinguished name&quot;. (Thanks to
+<strong>Olivier Gambier</strong> for clearing this problem, using information from
+<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.)</p>
+<p style="margin-left: 20px; font-style: italic; color: green">
+On a Windows system, files with <code>cnf</code> extensions are treated as special files
+(of type SpeedDial) and Windows Explorer will refuse to display its extension, regardless
+of display settings, and the file will have a strongly modified context menu that
+might prevent you from editing it and might mislead you to believe you don't have this file.
+Just look for a SpeedDial-type file displayed simply as <code>openssl</code>.</p>
+<p><code>openssl rsa -in privkey.pem -out server.key</code><br />
+This removes the passphrase from the private key. You MUST understand
+what this means; <code>server.key</code> should be only readable by the
+Apache server and the administrator.<br />
+You should delete the <code>.rnd</code> file because it contains the entropy
+information for creating the key and could be used for cryptographic attacks
+against your private key.</p>
+<p><code>openssl x509 -in server.csr -out server.crt -req -signkey server.key
+        -days 365</code><br />
+This creates a self-signed certificate that you can use until you get a
+&quot;real&quot; one from a certificate authority. (Which is optional; if you
+know your users, you can tell them to install the certificate into their
+browsers.) Note that this certificate expires after one year, you can
+increase <code>-days 365</code> if you don't want this.</p>
+<p>If you have users with MS Internet Explorer 4.0+ and want them to be able
+to install the certificate into their certificate storage (by downloading and
+opening it), you need to create a DER-encoded version of the certificate:<br />
+<code>openssl x509 -in server.crt -out server.der.crt -outform DER</code></p>
+<p>Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code>
+and <code>server.crt</code> into it. <strong>For Linux</strong> create
+two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code>
+into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.</p>
+<p><span class="highlight">__Note:__ The default pass phrase shipped with openssl.cnf is ''aaaa''.</span></p>
+<h2>4.: <a name="configuring" id="configuring"></a>Configuring Apache and mod_ssl</h2>
+<p>Copy the executable files (*.exe, *.dll, *.so) from the downloaded
+apache-mod_ssl distribution over your original Apache installation directory
+(remember to stop Apache first and DO NOT overwrite your edited config files
+etc.!).</p>
+<p>Find the LoadModule directives in your <code>httpd.conf</code> file and
+add this after the existing ones, according to the file you have found in the
+distribution:</p>
+<p><code>LoadModule ssl_module modules/ApacheModuleSSL.dll</code> <br /> or<br />
+<code>LoadModule ssl_module modules/ApacheModuleSSL.so</code>  <br /> or<br />
+<code>LoadModule ssl_module modules/mod_ssl.so</code>
+<br />
+in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will
+be done for you when you compile with <code>--enable-ssh=shared</code>)</p>
+<p>In newer versions of the distribution for Apache 1.x, it could also be necessary to add<br />
+<code>AddModule mod_ssl.c</code><br />
+after the AddModule lines that are already in the config file. </p>
+<p>Copy <code>ssl.conf</code> from the OpenSSL distribution to Apache/conf/.
+For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a>
+(Right click -> Save Target As...). <span class="highlight">Make sure
+and change the <code>DocumentRoot</code> and <code>ServerName</code> values
+on lines 93 and 94.</span></p>
+<p>Add the following to the end of <code>httpd.conf</code>: <span class="highlight">Make sure and change <b>www.my-server.dom</b> in the example below.</span></p>
+    <pre>
+<code><i># see <a
+href="http://www.modssl.org/docs/2.4/ssl_reference.html">http://www.modssl.org/docs/2.4/ssl_reference.html</a> for more info</i>
+SSLMutex sem
+SSLRandomSeed startup builtin
+SSLSessionCache none
+ErrorLog logs/ssl.log
+LogLevel info
+<i># You can later change &quot;info&quot; to &quot;warn&quot; if everything is OK</i>
+&lt;VirtualHost <b>www.my-server.dom</b>:443&gt;
+SSLEngine On
+SSLCertificateFile conf/ssl/server.crt
+SSLCertificateKeyFile conf/ssl/server.key
+&lt;/VirtualHost&gt;</code></pre>
+<p>Don't forget to call apache with <code>-D SSL</code> if the <code>IfDefine</code>
+    directive is active in the config file! <span class="highlight">In other words,
+    either start Apache from the command line with <code>-D SSL</code> or comment
+    out the <code>IfDefine</code> start/end tags in <code>ssl.conf</code>.</span></p>
+<div class="highlight">
+        <p><span class="c1"><strong>NOTE</strong>:</span> When using SSL with
+            multiple Virtual Hosts, you must use an ip-based configuration. This
+            is because SSL requires you to configure a specific port (443), whereas
+            name-based specifies all ports (*). You might the following error
+            if you try to mix name-based virtual hosts with SSL.</p>
+        <p><code>[[error] VirtualHost _default_:443 -- mixing * ports and non-*
+            ports with a NameVirtualHost address is not supported, proceeding
+            with undefined results</code></p>
+    </div>
+<p>You might need to use <code>regedit</code> to change the key <code>
+HKEY_LOCAL_MACHINE\SOFTWARE\Apache&nbsp;Group\Apache\X.Y.Z</code> to the
+correct number if the <code>apache.exe</code> from
+<code>modssl.org/contrib</code> is not the same version as the previously installed
+one. (This seems not to be necessary with recent versions.)</p>
+<p>Start the server, this time from the command prompt (not as a service) in order
+    to see the error messages that prevent Apache from starting. If everything
+    is OK, (optionally) press CTRL+C to stop the server and start it as a service
+    if you prefer.</p>
+<p>
+    If it doesn&#39;t work, Apache should write meaningful messages to the screen
+    and/or into the error.log and SSL.log files in the Apache/logs directory.<br />
+    If something doesn&#39;t work, set all <code>LogLevel</code>s to the maximum
+    and <em>look into the logfiles</em>. They are very helpful.</p>
+<p>DON'T e-mail me or the other contributors without having plain Apache
+installed (Step 1). We will ignore your request; we are not the Free Apache
+Helpdesk and there is enough good documentation on configuring Apache; if that
+is not enough for you, you shouldn't run a secure server anyway. Also, DON'T
+e-mail without having looked into the error.log and SSL.log with
+<code>LogLevel</code> set to Debug.</p>
+<h2><a name="debugging" id="debugging"></a>Debugging connect problems</h2>
+<p>
+	Problems connecting to the server with a browser can have many reasons,
+	many of them on the client (proxy, DNS, general IE dumbness).
+</p>
+<p>
+	So, if you encounter problems connecting with SSL, try another browser
+	and/or look into the settings. If even this doesn't work, you can use
+	OpenSSL to debug the problem.
+</p>
+<pre><code>bb@www$ <b>openssl s_client -connect no-such-machine:443</b>
+gethostbyname failure 	<i># Error resolving this DNS name. Connect with the IP address.</i>
+connect:errno=2
+bb@www$ <b>openssl s_client -connect www1.tud.at:443</b>
+connect: Connection refused
+connect:errno=111
+<i># No SSL server on this port. Double-check the <b>Listen</b> and <b>Port</b> directives.</i>
+bb@www$ <b>openssl s_client -connect </b>apcenter.apcinteractive.net<b>:443</b>
+<i># everything OK. OpenSSL shows the information it obtained from the server.</i>
+CONNECTED(00000003)
+depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
+verify error:num=18:self signed certificate
+verify return:1
+depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
+verify return:1
+---
+Certificate chain
+s:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
+   i:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
+---
+Server certificate
+---BEGIN CERTIFICATE---
+MIIC0TCCAjoCAQAwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAmF0MQ0wCwYDV
+[[...]
+ucXUnk=
+---END CERTIFICATE---
+subject=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
+issuer=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
+---
+No client certificate CA names sent
+---
+SSL handshake has read 1281 bytes and written 320 bytes
+---
+New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
+Server public key is 1024 bit
+SSL-Session:
+    Protocol  : TLSv1
+    Cipher    : EDH-RSA-DES-CBC3-SHA
+    Session-ID: 49ACE1CF484A67D2C476B923D52110A6FCA1A7CE53D76DF7F233DEBF2333D4FB
+    Session-ID-ctx:
+    Master-Key: 00E9FA964253752294ECD69C18ADBA527B7170C112E2B3BCB25EA8F4FD847EC46E1FF0194EF8E16985B5E38BF6F12131
+    Key-Arg   : None
+    Start Time: 980696025
+    Timeout   : 300 (sec)
+    Verify return code: 0 (ok)
+---
+<b>[Enter:
+GET / HTTP/1.0
+and press RETURN twice]</b>
+HTTP/1.1 200 OK
+Date: Sun, 28 Jan 2001 15:34:58 GMT
+Server: Apache/1.3.9 (Win32) mod_ssl/2.4.9 OpenSSL/0.9.4
+Cache-Control: no-cache, no-store, must-revalidate, private
+Expires: 0
+Pragma: no-cache
+X-Powered-By: PHP/4.0.4
+Last-Modified: Sun, 28 Jan 2001 15:35:00 GMT
+Connection: close
+Content-Type: text/html
+&lt;!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"&gt;
+&lt;html&gt;
+<i># the server shows its main document</i>
+</code></pre>
+<h2>Common problems</h2>
+<p>Q: I see the following when starting Apache:
+</p><pre>Syntax error on line [[some number] of ...httpd.conf
+Cannot load apache/modules/mod_ssl.so into server
+(126) The module could not be found:
+</pre>
+<br />
+A: Did you copy the openssl DLLs to WINNT/SYSTEM32 (or WINDOWS/SYSTEM on
+Win9x/ME)? <br />
+You can verify this by copying <code>openssl.exe</code> into a directory of its
+own and executing it. If it complains about not being able to find some DLLs,
+then you haven't copied them into the correct directory.
+<br />
+One user told me that he had this problem even when he did everything right. He
+then found the problem: corrupt openssl DLLs. So if you get this error despite
+having done everything correctly, try the openssl DLLs from another version from
+modssl.org/contrib.
+<p></p>
+<p>Q: I see the following when starting Apache:
+</p><pre>Syntax error on line [[some number] of apache/conf/httpd.conf:
+Cannot load apache/modules/apachemodulessl.dll into server:
+(127) The specified procedure could not be found:</pre>
+or:
+<pre>Syntax error on line [[some number] of apache/conf/httpd.conf:
+Invalid command 'SSLMutex', perhaps mis-spelled or defined by a module not
+included in the server configuration</pre>
+<br />
+A: You didn't add the AddModule line (or not where it belongs, it belongs below
+the other AddModule lines).
+<p></p>
+<p>Q: SSL doesn't work in the browser and I see the following in some logfile:
+</p><pre>
+[Fri Nov 16 15:46:30 2001] [[error] OpenSSL: error:1407609C:SSL
+routines:SSL23_GET_CLIENT_HELLO:http request [[Hint: speaking HTTP to
+HTTPS port!?]
+</pre>
+A: How much clearer can an error message get? Your VirtualHost or Listen
+configuration is wrong.
+<p></p>
+<p>Q: When trying to connect to https://www.myhost.com I kept getting an error about an unknown protocol. I could however connect to https://10.10.0.14 which is the local ip of the server.
+<br /><br />
+A: Under the VirtualHost section you add to the httpd.conf, I had to change __&lt;VirtualHost www.myhost.com:443>__ to __&lt;VirtualHost _default_:443>__.Not sure why this had to be done in my case, but it works.
+<h3>Questions about Java servlets, OpenSSL compilation etc.</h3>
+<p>
+	Don't ask us about installing servlet extensions, recompiling mod_ssl or
+	Apache with EAPI, recompiled versions etc. We have no idea and won't be able
+	help you. We are just users and not programmers.<br />
+	If your needs are so special, you are better off with a
+	<a href="http://www.debian.org/">Debian GNU/Linux</a> or
+	<a href="http://www.openbsd.org/">OpenBSD</a> server. It will save you lots
+	of trouble. Really. </p>
+<h2>Links</h2>
+<p>
+Apache Web Server: <a href="http://www.apache.org">http://www.apache.org</a><br />
+mod_ssl: <a href="http://www.modssl.org">http://www.modssl.org</a><br />
+mod_ssl configuration: <a
+href="http://www.modssl.org/docs/2.4/ssl_reference.html">http://www.modssl.org/docs/2.4/ssl_reference.html</a><br />
+OpenSSL: <a href="http://www.openssl.org">http://www.openssl.org</a><br />
+PHP Hypertext preprocessor: <a href="http://www.php.net">http://www.php.net</a>
+</p>
+<p>Author of this document: <a href="mailto:[email protected]">Bal&aacute;zs
+B&aacute;r&aacute;ny</a> (<a href="http://tud.at">http://tud.at</a>) <br />
+(mail me your questions, but only after having looked into the error logs with
+<code>LogLevel debug</code>. You can mail me in English, German and Hungarian.
+<br />
+If I am constantly ignoring your e-mail, read all the hints in the HOWTO about
+how to e-mail me.)</p>
+<p>
+Contributor: <a href="mailto:[email protected]">Horst
+Br&auml;uner</a> (OpenSSL configuration on NT)<br />
+Contributor: <a href="mailto:[email protected]">Christoph Zich</a>
+(Windows 98)<br />
+Contributor: <a href="mailto:[email protected]">Torsten Stanienda</a>
+(Test with 1.3.12, IfDefine directive)<br />
+Contributor: <a href="mailto:[email protected]">Peter Holm</a> (Listen and Port directives)
+</p>
+<p>Last change: 2002-05-18</p>
+<p>This document can be redistributed under the
+<a href="http://www.gnu.org/copyleft/fdl.html">GNU Free
+Documentation License</a>. &copy; Bal&aacute;zs B&aacute;r&aacute;ny 1999-2002</p>
+<p class="testedBy">
+  These instructions were tested by <a href="mailto:[email protected]">Matt Raible</a>
+  on Windows XP (SP1) and Red Hat Linux 7.3 with Apache 2.0.42.
+</p>
+</div>