I have a problem installing SSL. I installed Apache (apache_2.0.61-win32-x86-openssl-0.9.7m.msi). I configured everything. I generated the certificates... I open https://localhost/ or https://127.0.0.1/ or http://localhost:443/ and nothing... I think I have tried every option by now.
I did everything based on this: http://tud.at/programm/apache-ssl-win32-howto.php3
That is, generating the certificates
Quote
openssl req -config openssl.cnf -new -out my-server.csr
This creates a certificate signing request and a private key. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.
openssl rsa -in privkey.pem -out my-server.key
This removes the passphrase from the private key. You MUST understand what this means; my-server.key should be only readable by the apache server and the administrator.
You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.
openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365
This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year, you can increase -days 365 if you don't want this.
If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:
openssl x509 -in my-server.cert -out my-server.der.crt -outform DER
Create an Apache/conf/ssl directory and move my-server.key and my-server.cert into it.
error.log file
Code
[Tue Dec 25 14:44:28 2007] [notice] Parent: Received restart signal -- Restarting the server.
[Tue Dec 25 14:44:28 2007] [notice] Child 424: Exit event signaled. Child process is ending.
[Tue Dec 25 14:44:29 2007] [notice] Child 424: Released the start mutex
[Tue Dec 25 14:44:29 2007] [notice] Apache/2.0.61 (Win32) mod_ssl/2.0.61 OpenSSL/0.9.8g configured -- resuming normal operations
[Tue Dec 25 14:44:29 2007] [notice] Server built: Sep 5 2007 09:55:35
[Tue Dec 25 14:44:29 2007] [notice] Parent: Created child process 2904
[Tue Dec 25 14:44:30 2007] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Dec 25 14:44:30 2007] [notice] Child 2904: Child process is running
[Tue Dec 25 14:44:30 2007] [notice] Child 2904: Acquired the start mutex.
[Tue Dec 25 14:44:30 2007] [notice] Child 2904: Starting 250 worker threads.
[Tue Dec 25 14:44:31 2007] [notice] Child 424: Waiting for 250 worker threads to exit.
[Tue Dec 25 14:44:31 2007] [notice] Child 424: All worker threads have exited.
[Tue Dec 25 14:44:31 2007] [notice] Child 424: Child process is exiting
I searched for information about Session Cache, but found nothing useful; I tried setting the value in the configuration to None and it is still the same...
ssl.conf file
Code
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex default
<VirtualHost 127.0.0.1:443>
DocumentRoot "D:/Apache2/htdocs/ssl"
ServerName 127.0.0.1:443
ServerAdmin root@localhost
ErrorLog logs/ssl-error.log
TransferLog logs/ssl-access.log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl/server.cert
SSLCertificateKeyFile conf/ssl/server.key
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "D:/Apache2/cgi">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
Does anyone know what is wrong?
Regards
Problem solved: it is enough to move the VirtualHost and the SSLSessionCache directive outside <IfDefine SSL>; otherwise Apache does not see these settings.
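Added example, not part of the original post: a small Python check for the failure mode described above, where everything inside `<IfDefine SSL>` is skipped when httpd is started without `-D SSL`. The sample config is constructed (abridged from the ssl.conf layout in the post), and the function name `inactive_directives` is hypothetical.

```python
import re

# Constructed sample, abridged from the ssl.conf layout shown in the post.
SAMPLE_CONF = """\
SSLRandomSeed startup builtin
<IfDefine SSL>
Listen 443
SSLSessionCache dbm:logs/ssl_scache
<VirtualHost 127.0.0.1:443>
SSLEngine on
CustomLog logs/ssl_request_log \\
"%t %h %{SSL_PROTOCOL}x"
</VirtualHost>
</IfDefine>
"""

OPEN = re.compile(r"<IfDefine\s+(!?)\s*([^>\s]+)\s*>", re.I)
CLOSE = re.compile(r"</IfDefine\s*>", re.I)

def inactive_directives(conf_text, defined=()):
    """Return (line_no, directive, gate) for every line httpd would skip.

    `defined` holds the parameter names passed with -D at startup.
    """
    defined, stack, skipped = set(defined), [], []
    pending, start = "", 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        if not pending:
            start = no
        pending += raw.strip()
        if pending.endswith("\\"):          # join backslash-continued lines
            pending = pending[:-1] + " "
            continue
        line, pending = pending, ""
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:                                # push (label, is_active)
            negated, name = m.group(1) == "!", m.group(2)
            stack.append((m.group(1) + name, (name in defined) != negated))
        elif CLOSE.match(line):
            if stack:
                stack.pop()
        else:
            gates = [label for label, active in stack if not active]
            if gates:                        # an enclosing block is inactive
                skipped.append((start, line.split()[0], gates[0]))
    return skipped

if __name__ == "__main__":
    for no, directive, gate in inactive_directives(SAMPLE_CONF):
        print(f"line {no}: {directive} skipped (gated by <IfDefine {gate}>)")
```

With no parameters defined, `Listen 443` and the whole VirtualHost are reported as skipped, which matches the symptom of nothing answering on port 443; passing `{"SSL"}` as `defined` returns an empty list.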