[GLLUG] More mod_ssl
Edward Glowacki
glowack2@msu.edu
18 Apr 2002 09:24:56 -0300
On Wed, 2002-04-17 at 23:18, Mike Szumlinski wrote:
> Well, I got apache w/mod_ssl up and running on our FreeBSD system. Now I
> have a question about how the whole thing works. I get a "Security
> Failure/Data Decryption Error" when pointing to the index I have at my ssl
> virtual host. I set up certificates (thanks to dpk's instructions) and
> everything seems to be starting up okay, but I can't access the site (check
> out https://cstore-secure.cl.msu.edu/). Do I need a verisign account to
> set up SSL correctly, or can I make self-signed certificates or something?
> How does it all work?

If you don't get a VeriSign certificate (i.e. you make your own), then
anyone using your site will probably get a pop-up warning box saying
that the certificate is suspect. The reason is because a signed
certificate is not only usable for encryption, but also authentication
of the site.

Basically if you have a signed certificate, it says to the user, "Hey,
VeriSign trusts who I am, so if you trust the integrity of VeriSign,
then you know I am legitimate." By contrast, you can create a snake oil
certificate (self-signed) and still get the encryption, but it's like
saying, "Hi, I'm Ed. I don't have my passport, but I do have a Polaroid
of me at a birthday party, and it's got my signature on it..."

As for your technical difficulties:

It doesn't look like your SSL port is speaking SSL. Here's a sequence
against your server (only relevant text...)

    telnet cstore-secure.cl.msu.edu 443
    GET / HTTP/1.0<enter><enter>
    HTTP/1.1 200 OK
    Server: Apache/1.3.22 (Unix) PHP/4.1.1

When I try the same with my working SSL-enabled server, I get:

    telnet localhost 443
    GET / HTTP/1.0<enter><enter>
    HTTP/1.1 400 Bad Request
    Server: Apache/1.3.24 (Unix) PHP/4.1.2 mod_ssl/2.8.8 OpenSSL/0.9.6a

I don't recall what has been said in this thread so far, so if I'm
redundant, I apologize. Make sure you're starting Apache with
"apachectl startssl". Also make sure you have mod_ssl compiled in.
Finally, check your config file. If you build apache/mod_ssl/php from
the FreeBSD ports tree (in that order), you should end up with a working
apache config file in /usr/local/etc/apache/httpd.conf.

Gotta go, hope that helps!
-ED
--
Edward Glowacki glowack2@msu.edu
GLLUG Peon http://www.gllug.org
Imagination is the one weapon in the war against reality.
-- Jules de Gaultier
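
The telnet comparison in the message above, scripted as an added example (not part of the original message or of Apache/mod_ssl). The function names and verdict strings are hypothetical, and the TLS-record case goes beyond what the message shows.

```python
import socket

def classify_reply(raw: bytes) -> dict:
    """Classify what a server sent back to a cleartext GET on its SSL port."""
    out = {"verdict": "unknown", "status": None, "server": None, "mod_ssl": False}
    if not raw:
        out["verdict"] = "no-reply"
        return out
    # Beyond the message: a TLS record starts with content type 0x15 (alert)
    # or 0x16 (handshake) followed by major version 0x03.
    if len(raw) >= 2 and raw[0] in (0x15, 0x16) and raw[1] == 0x03:
        out["verdict"] = "tls-record"
        return out
    if not raw.startswith(b"HTTP/"):
        return out
    lines = raw.decode("latin-1").splitlines()
    parts = lines[0].split()
    if len(parts) >= 2 and parts[1].isdigit():
        out["status"] = int(parts[1])
    for line in lines[1:]:
        if not line:  # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            out["server"] = value.strip()
            # The working server's Server header carries a mod_ssl/x.y.z token.
            out["mod_ssl"] = any(t.lower().startswith("mod_ssl/") for t in value.split())
    if out["status"] is not None and 200 <= out["status"] < 400:
        out["verdict"] = "plaintext-http-on-ssl-port"  # page served without SSL
    elif out["status"] == 400:
        out["verdict"] = "ssl-port-rejected-plaintext"  # as on the working server
    return out

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the same cleartext request as the telnet session and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        try:
            raw = s.recv(4096)
        except OSError:  # timeout or reset: nothing usable came back
            raw = b""
    return classify_reply(raw)

# Constructed samples built from the two response excerpts in the message.
BROKEN = b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.22 (Unix) PHP/4.1.1\r\n\r\n<html>"
WORKING = (b"HTTP/1.1 400 Bad Request\r\n"
           b"Server: Apache/1.3.24 (Unix) PHP/4.1.2 mod_ssl/2.8.8 OpenSSL/0.9.6a\r\n\r\n")
```

Calling probe() on your own host and port runs the live check; a "plaintext-http-on-ssl-port" verdict with mod_ssl false matches the failing case in the message.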