configure a test SSL
Alex Dean
alex at crackpot.org
Mon Aug 31 19:06:35 MST 2009
On Aug 31, 2009, at 8:50 PM, keith smith wrote:
> Here it is. Thanks!
>
> Also log shows this about 10 times
>
> [Mon Aug 31 18:30:09 2009] [warn] RSA server certificate CommonName
> (CN) `newcart.dev' does NOT match server name!?
>
>
>
> <VirtualHost 192.168.20.20:443>
> DocumentRoot "/work/dev/newcart.dev"
> ServerName newcart.dev:443
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
> ##LogLevel warn
>
> LogLevel debug
>
> ##SSLEngine on
> ##SSLProtocol all -SSLv2
> ##SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> ##SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> ##SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
> #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
>
> ##<Files ~ "\.(cgi|shtml|phtml|php3?)$">
> ## SSLOptions +StdEnvVars
> ##</Files>
> ##<Directory "/var/www/cgi-bin">
> ## SSLOptions +StdEnvVars
> ##</Directory>
>
> ##SetEnvIf User-Agent ".*MSIE.*" \
> ## nokeepalive ssl-unclean-shutdown \
> ## downgrade-1.0 force-response-1.0
>
> ##CustomLog logs/ssl_request_log \
> ## "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>
OK, with all that stuff commented out, the browser sends you an SSL
request, and you answer in plaintext. Chaos ensues. (The server
doesn't 'know' that it's supposed to speak SSL on port 443. That's a
common convention, but not a technical requirement.)
The only must-have directives are SSLEngine on, SSLCertificateFile,
and SSLCertificateKeyFile (that file should only be readable by root,
btw). Everything else seems fine at a glance, but you can leave the
rest commented out while you're debugging.
alex
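
An added example, not part of the original message: a small Python check that finds port-443 virtual hosts whose three must-have directives are missing or commented out, and tests the key file's ownership and mode. The function names and the abbreviated sample config are assumptions made for illustration.

```python
import os
import re
import stat

# Directives the reply above calls must-have for an SSL virtual host.
REQUIRED = ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile")

# Constructed sample: the quoted vhost, abbreviated, SSL lines still commented out.
SAMPLE = """\
<VirtualHost 192.168.20.20:443>
ServerName newcart.dev:443
##SSLEngine on
##SSLCertificateFile /etc/pki/tls/certs/localhost.crt
##SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""

def audit_vhosts(conf_text):
    """Map each port-443 <VirtualHost> address to a list of problems."""
    findings, addr, seen = {}, None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive is not in effect
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            addr, seen = opened.group(1).strip(), {}
        elif line.lower().startswith("</virtualhost"):
            if addr and any(a.endswith(":443") for a in addr.split()):
                probs = [f"{d} missing" for d in REQUIRED if d.lower() not in seen]
                if seen.get("sslengine", "on").lower() != "on":
                    probs.append("SSLEngine is not 'on'")
                findings[addr] = probs
            addr = None
        elif addr:
            parts = line.split(None, 1)
            seen[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return findings

def key_file_problems(path):
    """Check that the private key is owned by root and closed to group/other."""
    st = os.stat(path)
    probs = ["not owned by root"] if st.st_uid != 0 else []
    if stat.S_IMODE(st.st_mode) & 0o077:
        probs.append("accessible by group or other")
    return probs

if __name__ == "__main__":
    print(audit_vhosts(SAMPLE))
```

An empty problem list for a vhost means all three directives are active; run `key_file_problems` on the path given to SSLCertificateKeyFile.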