
Re: [apache] plain SSL support [SOLVED]



>> What is the cleanest way to get plain Apache+SSL going?
>
> Perhaps install apache-ssl (not apache) and only require ssl for some
> directories/sites? I haven't done it, this is just something you might
> consider looking into.

Sounds good in theory but unfortunately apache-ssl appears to be inextricably
SSL'd. Attempting to "turn off" SSL is unsuccessful; it causes the web browser to
call the server repeatedly and then cough up "Document contains no data" with many
SSL error messages in the log.

So, I opted to go the route I've been using on Red Hat systems, which is to use
mod_ssl. I uninstalled apache-ssl and installed regular 'apache' and then
libapache-mod-ssl. It doesn't work out of the box though. It's painful. Basically
you have to run:

# mod-ssl-makecert

select 1 for 'dummy' (which it says not to do; thanks) and then add something like
the following to your httpd.conf which fortunately for me I copied out of a
working install on a RH machine:

Listen 80
Listen 443
...
<IfModule mod_ssl.c>
        SSLPassPhraseDialog  builtin
        SSLSessionCache         dbm:/var/log/apache/ssl_scache
        SSLSessionCacheTimeout  300
        SSLMutex  file:/var/log/apache/ssl_mutex
        SSLRandomSeed startup builtin
        SSLRandomSeed connect builtin
        SSLLog      /var/log/apache/ssl_engine_log
        SSLLogLevel error
</IfModule>

<VirtualHost _default_:443>
        ErrorLog /var/log/apache/error.log
        TransferLog /var/log/apache/access.log
        SSLEngine on
        SSLCertificateFile /etc/apache/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/apache/ssl.key/server.key
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
        CustomLog /var/log/apache/ssl_request_log \
                  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Why anyone thinks someone could possibly figure this out without help from someone
who has done it before is beyond me.

-- 
A program should be written to  model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the  potential for it  to be applied  to tasks that are
conceptually similar and, more  important, to tasks that have not
yet been conceived.
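
Added example, not part of the original message: a small Python audit of the ssl_request_log written by the CustomLog format in the configuration above, reporting which clients negotiated deprecated protocols or weak ciphers. The sample log lines, the protocol and cipher policy lists, and the function names are constructed assumptions.

```python
import re

# Matches the CustomLog format from the post:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>.*)" (?P<bytes>\d+|-)$'
)

# Assumed local policy (not from the post): adjust to your own baseline.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("EXP", "NULL", "RC4", "DES", "MD5")

def parse_line(line):
    """Return the fields of one ssl_request_log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def audit(lines):
    """Return (findings, unparsed_count); findings are (line_no, host, reasons)."""
    findings, unparsed = [], 0
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count rather than silently drop bad lines
            continue
        reasons = []
        if rec["proto"] == "-":    # mod_ssl logs "-" when no SSL variable is set
            reasons.append("no TLS session recorded")
        elif rec["proto"] in DEPRECATED_PROTOCOLS:
            reasons.append("deprecated protocol " + rec["proto"])
        if any(mark in rec["cipher"] for mark in WEAK_CIPHER_MARKERS):
            reasons.append("weak cipher " + rec["cipher"])
        if reasons:
            findings.append((n, rec["host"], reasons))
    return findings, unparsed

# Constructed sample lines (documentation addresses, invented requests).
SAMPLE = [
    '[12/Mar/2024:10:01:02 -0500] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 1456',
    '[12/Mar/2024:10:01:07 -0500] 192.0.2.44 SSLv2 EXP-RC4-MD5 "GET /login.php HTTP/1.0" 812',
    '[12/Mar/2024:10:02:30 -0500] 192.0.2.10 SSLv3 DES-CBC3-SHA "POST /cgi-bin/form.cgi HTTP/1.1" -',
    'truncated or foreign line',
]

if __name__ == "__main__":
    found, bad = audit(SAMPLE)
    for line_no, host, reasons in found:
        print(f"line {line_no}: {host}: {'; '.join(reasons)}")
    print(f"{bad} unparsed line(s)")
```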
