[GLLUG] More mod_ssl

Edward Glowacki glowack2@msu.edu
18 Apr 2002 09:24:56 -0300


On Wed, 2002-04-17 at 23:18, Mike Szumlinski wrote:
> Well, I got apache w/mod_ssl up and running on our FreeBSD system.  Now I
> have a question about how the whole thing works.  I get a "Security
> Failure/Data Decryption Error" when pointing to the index I have at my ssl
> virtual host. I set up certificates (thanks to dpk's instructions) and
> everything seems to be starting up okay, but I can't access the site (check
> out https://cstore-secure.cl.msu.edu/).  Do I need a verisign account to
> setup SSL correctly, or can I make self-signed certificates or something?
> How does it all work?

If you don't get a VeriSign certificate (i.e. you make your own), then
anyone using your site will probably get a pop-up warning box saying
that the certificate is suspect.  The reason is that a signed
certificate is not only usable for encryption, but also for authentication
of the site.

Basically if you have a signed certificate, it says to the user, "Hey,
VeriSign trusts who I am, so if you trust the integrity of VeriSign,
then you know I am legitimate."  By contrast, you can create a snake oil
certificate (self-signed) and still get the encryption, but it's like
saying, "Hi, I'm Ed.  I don't have my passport, but I do have a Polaroid
of me at a birthday party, and it's got my signature on it..."

As for your technical difficulties:

It doesn't look like your SSL port is speaking SSL.  Here's a sequence
against your server (only relevant text...)


telnet cstore-secure.cl.msu.edu 443
GET / HTTP/1.0<enter><enter>
HTTP/1.1 200 OK
Server: Apache/1.3.22 (Unix) PHP/4.1.1

When I try the same with my working SSL-enabled server, I get:

telnet localhost 443
GET / HTTP/1.0<enter><enter>
HTTP/1.1 400 Bad Request
Server: Apache/1.3.24 (Unix) PHP/4.1.2 mod_ssl/2.8.8 OpenSSL/0.9.6a

I don't recall what has been said in this thread so far, so if I'm
redundant, I apologize.  Make sure you're starting Apache with
"apachectl startssl".  Also make sure you have mod_ssl compiled in. 
Finally, check your config file.  If you build apache/mod_ssl/php from
the FreeBSD ports tree (in that order), you should end up with a working
apache config file in /usr/local/etc/apache/httpd.conf.  

Gotta go, hope that helps!

-ED


-- 
Edward Glowacki				glowack2@msu.edu
GLLUG Peon  				http://www.gllug.org
Imagination is the one weapon in the war against reality.
                -- Jules de Gaultier
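Added example, not code from the original post or from the GLLUG thread: a Python script that automates Ed's telnet check above and adds the certificate-trust question from the first half of his reply. Function names, the local stand-in server and the verdict strings are this example's own. It reads the thread's two transcripts this way: a plaintext "GET / HTTP/1.0" answered with "200 OK" on port 443 means the site is being served in the clear (mod_ssl not engaged), while mod_ssl's "400 Bad Request" is its rejection of plain HTTP on an SSL port; a modern TLS server usually answers such a probe with a TLS alert record or simply closes. The TLS check is done twice, once with normal verification and once without, so a self-signed ("snake oil") certificate is reported as TLS that works but is not trusted, which is exactly what the browser warning box is about.

```python
"""Automated form of the telnet-to-port-443 check (added example, not the
original post's code).  Verdicts for host:port, in order of preference:
tls-trusted, tls-untrusted, http-<code>, tls-alert, no-reply, unknown."""
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# The same request the post typed into telnet, with CRLF line endings.
PLAINTEXT_PROBE = b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n"


def tls_check(host, port, timeout=3.0):
    """Return "tls-trusted", "tls-untrusted", or None when no TLS is spoken."""
    for verify in (True, False):
        ctx = ssl.create_default_context()
        if not verify:
            # Second pass: skip verification to learn whether TLS is spoken
            # at all, e.g. behind a self-signed certificate.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return "tls-trusted" if verify else "tls-untrusted"
        except ssl.SSLCertVerificationError:
            continue  # handshake reached a certificate we do not trust
        except (ssl.SSLError, OSError):
            return None  # garbage reply, reset or timeout: not a TLS port
    return None


def probe_plaintext(host, port, timeout=3.0):
    """Send the plaintext request and return whatever the port sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PLAINTEXT_PROBE)
        chunks = []
        try:
            while len(chunks) < 16:
                chunk = s.recv(4096)
                if not chunk:
                    break  # server closed the connection
                chunks.append(chunk)
        except socket.timeout:
            pass  # keep what we have
    return b"".join(chunks)


def classify_plaintext_reply(data):
    """Label the bytes a port returned after a plaintext HTTP request."""
    if not data:
        return "no-reply"  # closed without a word: many TLS servers do this
    if data[0] == 0x15 and data[1:2] == b"\x03":
        return "tls-alert"  # TLS alert record (0x15 0x03 ..): wants a handshake
    if data.startswith(b"HTTP/"):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = status_line.split()
        code = parts[1] if len(parts) > 1 else "?"
        # http-400 is mod_ssl refusing plain HTTP on its SSL port;
        # http-200 means the site is served in the clear (no SSL at all).
        return "http-" + code
    return "unknown"


def diagnose(host, port, timeout=3.0):
    """One verdict for host:port; TLS is tried first, then the plaintext probe."""
    verdict = tls_check(host, port, timeout)
    if verdict:
        return verdict
    return classify_plaintext_reply(probe_plaintext(host, port, timeout))


# Constructed stand-in for a misconfigured "SSL" port: plain HTTP, no TLS.
class _PlainHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"<html><body>served in the clear</body></html>\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_plaintext_test_server():
    """Start the stand-in on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _PlainHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_plaintext_test_server()
    print("local stand-in:", diagnose("127.0.0.1", port, timeout=1.0))  # http-200
    server.shutdown()
```

Run it against a real host with `diagnose("cstore-secure.cl.msu.edu", 443)`: a port that behaves like the first transcript in the post returns "http-200", one that behaves like the second returns "http-400", and a correctly configured server with a self-signed certificate returns "tls-untrusted". The verification pass uses the system trust store that Python's `ssl` module loads by default, so the result matches what a browser on the same machine would complain about.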