Re: port 443 problem?



On Wed, Sep 26, 2001 at 12:12:08AM +0800, Eric Boo wrote:
> Hi all, 
> 
> I'm using SID. I installed apache-ssl and even though it loaded
> without any error messages, I realized that netstat -an|grep 443 gives
> nothing. ps aux shows that gcache is running.
> 
> So I purged it and installed apache + mod-ssl. Port 80 works but netstat
> -an|grep 443 still gives nothing. No error messages.
> 
> In both cases, https://127.0.0.1 gives "Connection refused".
> 
> Any idea what's wrong?
> 

Wild guess (never done this myself):

There are probably some configuration tasks to perform to tell
apache to actually listen for ssl connections.

Also, any https server needs to have a certificate issued by
someone the user's browser is configured to trust for signing
certificates for servers by that name.

The (generic) procedure goes like this:

1. Server operator chooses a DNS name which will be embedded in
  the certificate.  Browsers will show nasty security alarms if
  the user types https://secure.funny.yy and the server replies
  with a certificate issued to https://www.funny.yy because the
  browser thinks someone may be redirecting traffic or stealing
  identities.
  
2. Server operator runs some command (openssl?) to generate a
  random private key (which will be sent NOWHERE) and a matching
  public key (which will be sent everywhere) plus a request for
  it to be certified for use with the name chosen in 1.
  
3. Server operator contacts Verisign or a Verisign competitor,
  pays them $$ and goes through several days of identity checks. 
  You can use openssl to run your own Verisign-competing
  operation for test purposes and you can TRY to convince people
  to tell their browsers to trust you as being as trustworthy as
  Verisign.
  
4. Verisign sends server operator (and anyone else asking) a
  certificate where they state for the record that the public
  key from step 2. does truly identify the rightful operator of
  the DNS name certified.
  
5. On every https connection apache sends the certificate to the
  browser BEFORE seeing the url (that is why you can't have two
  https server names on the same IP address).
  
6. The browser checks that the certificate was signed by
  Verisign, matches the public key from step 2 and the DNS name
  in the url.
  
I guess apache is waiting for you to complete step 2 or 4.

  
Hope this helps


-- 
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.
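The generic procedure in the reply above (steps 2 through 6), carried out end to end with openssl as an added example; this is not code from the original thread or from the apache or mod_ssl projects. It plays the "Verisign-competitor for test purposes" role from step 3 by creating a throwaway CA, issues a server certificate for an assumed host name (www.funny.yy, taken from the reply), writes the mod_ssl fragment that makes apache actually listen on 443, and then performs the two checks a browser does in step 6: the certificate chains to a trusted signer and names the host the user typed. The directory, file names and the host name are assumptions of this example; the mod_ssl directives (Listen, SSLEngine, SSLCertificateFile, SSLCertificateKeyFile) are real.

```shell
#!/bin/sh
# Added example: build a test-only PKI and run the browser-side checks.
# Requires the openssl command line tool (1.1.0 or newer for -verify_hostname).
set -eu

# make_test_pki DIR HOSTNAME
# Step 2: private key (stays on the server) + CSR for HOSTNAME.
# Step 3: a throwaway CA standing in for a commercial issuer.
# Step 4: the CA signs the CSR, binding the public key to HOSTNAME.
make_test_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"

    # Step 3 (our own test CA): key and self-signed CA certificate.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -days 30 \
        -subj "/CN=Example Test CA (constructed)" -out "$dir/ca.crt"

    # Step 2: server private key and a request to certify it for $host.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr"

    # Step 4: the CA issues the certificate. Modern clients match the name
    # against subjectAltName, so it is added via an extension file.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 30 \
        -extfile "$dir/ext.cnf" -out "$dir/server.crt" 2>/dev/null

    # The missing piece from the original question: tell apache to listen
    # on 443 and hand out this certificate (step 5). Assumed file path.
    cat > "$dir/ssl.conf" <<EOF
Listen 443
<VirtualHost _default_:443>
    ServerName $host
    SSLEngine on
    SSLCertificateFile $dir/server.crt
    SSLCertificateKeyFile $dir/server.key
</VirtualHost>
EOF
}

# key_matches_cert DIR
# Step 6, part 1: the public key inside the certificate is the one that
# belongs to the server's private key from step 2. Exit 0 if they match.
key_matches_cert() {
    dir=$1
    openssl pkey -in "$dir/server.key" -pubout 2>/dev/null > "$dir/from_key.pub"
    openssl x509 -in "$dir/server.crt" -noout -pubkey > "$dir/from_cert.pub"
    cmp -s "$dir/from_key.pub" "$dir/from_cert.pub"
}

# browser_check DIR TYPED_HOST
# Step 6, part 2: the certificate chains to a trusted CA and names the
# host the user typed. A name mismatch (secure.funny.yy vs www.funny.yy
# in step 1) makes this fail, which is exactly the browser's alarm.
browser_check() {
    dir=$1; typed=$2
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$typed" \
        "$dir/server.crt" >/dev/null 2>&1
}

# Stand-alone demonstration when run directly.
demo() {
    d=$(mktemp -d)
    make_test_pki "$d" www.funny.yy
    key_matches_cert "$d" && echo "public key in cert matches server.key"
    browser_check "$d" www.funny.yy && echo "www.funny.yy: certificate accepted"
    browser_check "$d" secure.funny.yy || echo "secure.funny.yy: name mismatch, browser would warn"
    grep -q '^Listen 443' "$d/ssl.conf" && echo "apache fragment written to $d/ssl.conf"
    rm -rf "$d"
}
[ "${1:-}" = "demo" ] && demo
```

Run it as `sh example.sh demo`. Note that a certificate from the throwaway CA is only accepted by a client that has been told to trust ca.crt, which is the "TRY to convince people" part of step 3; for a public site the CSR goes to a CA the browsers already trust.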