Date:      Fri, 22 Jan 2010 21:28:59 +0000
From:      "Philip M. Gollucci" <pgollucci@p6m7g8.com>
To:        David Southwell <david@vizion2000.net>
Cc:        apache@freebsd.org
Subject:   Re: Following latest upgrade apache-2.2.14_5 ssl failure
Message-ID:  <4B5A189B.7020005@p6m7g8.com>
In-Reply-To: <201001221050.01689.david@vizion2000.net>
References:  <201001221050.01689.david@vizion2000.net>

David Southwell wrote:
> Can anyone please advise
I take 1 shot in the dark at what you're asking since you didn't say --

> private key - pass phrase requested
You used SSLPassPhraseDialog, right?

> permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:
> +EXP:+eNULL]
Yeah that's bad, you should be more strict
### SSL (PCI-compliant)
SSLEngine  On
SSLProxyEngine on

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP


> [xxx.xxx.xxx.xxx]
kind of pointless if you leave the servername in below
> [Fri Jan 22 10:38:17 2010] [info] www.vizion2000.net:443 reusing existing RSA 

> [Fri Jan 22 10:38:20 2010] [notice] Apache/2.2.14 (FreeBSD) mod_ssl/2.2.14 
> OpenSSL/0.9.8l DAV/2 PHP/5.2.12 with Suhosin-Patch mod_python/3.3.1 
> Python/2.6.4 mod_ruby/1.3.0 Ruby/1.8.7(2009-12-24) SVN/1.6.6 configured -- 
Yeah, that's a non-optimal setup but hey.

> [Fri Jan 22 10:39:33 2010] [info] server seems busy, (you may need to increase 
> StartServers, or Min/MaxSpareServers), spawning 8 children, there are 2 idle, 
> and 12 total children
You'll definitely want to change your mpm settings to fix that

> [Fri Jan 22 10:39:35 2010] [info] [client ::1] SSL library error 1 in 
> handshake (server www.vizion2000.net:443)
> [Fri Jan 22 10:39:35 2010] [info] SSL Library Error: 336027900 
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking 
> not SSL to HTTPS port!?
You'll want to use https on https servers and http on http servers.
Check your httpd.conf for the LoadModule stuff and SSLEngine directives 
and be sure they are in the right scopes.


Nothing here that's not a local httpd.conf setup issue. You might get 
better help on users@httpd.apache.org with help with the specifics of 
these issues.


-- 
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer,                        FreeBSD Foundation
Consultant,                       P6M7G8 Inc.
Sr. System Admin,                 Ridecharge Inc.

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.
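
Added example (not part of the original message, and not Apache or OpenSSL code): a simplified Python model of the cipher-string operators described in ciphers(1), run over the two SSLCipherSuite strings quoted in this message to show which weak suites each one leaves enabled. The suite catalogue and its tags are a constructed sample, not the full OpenSSL list.

```python
# Simplified model of OpenSSL cipher-string operators (see ciphers(1)).
# CATALOGUE is a constructed sample: real suite names, hand-assigned tags.
CATALOGUE = {
    "AES256-SHA":     {"RSA", "HIGH", "SSLv3"},
    "DES-CBC3-MD5":   {"RSA", "HIGH", "SSLv2"},
    "RC4-SHA":        {"RSA", "RC4", "MEDIUM", "SSLv3"},
    "DES-CBC-SHA":    {"RSA", "LOW", "SSLv3"},
    "DES-CBC-MD5":    {"RSA", "LOW", "SSLv2"},
    "EXP-RC4-MD5":    {"RSA", "RC4", "EXP", "SSLv3"},
    "ADH-AES256-SHA": {"ADH", "HIGH", "SSLv3"},
    "NULL-SHA":       {"RSA", "eNULL", "SSLv3"},
}
WEAK = {"LOW", "EXP", "SSLv2", "eNULL", "ADH"}

def matches(suite, selector):
    """Selector is a suite name or tags joined by '+' (AND); ALL excludes eNULL."""
    tags = CATALOGUE[suite]
    if selector == "ALL":
        return "eNULL" not in tags
    return suite == selector or set(selector.split("+")) <= tags

def evaluate(cipher_string):
    """Return the enabled suites, in preference order, for a cipher string."""
    enabled, killed = [], set()
    for token in cipher_string.split(":"):
        op = token[0] if token[0] in "!-+" else ""
        hits = [s for s in CATALOGUE if matches(s, token[len(op):])]
        if op == "!":            # permanent removal, cannot be re-added
            killed.update(hits)
        if op in ("!", "-"):     # '-' removes, but a later token may re-add
            enabled = [s for s in enabled if s not in hits]
        elif op == "+":          # only reorders suites that are already enabled
            moved = [s for s in enabled if s in hits]
            enabled = [s for s in enabled if s not in hits] + moved
        else:                    # bare token appends matching suites
            enabled += [s for s in hits if s not in killed and s not in enabled]
    return enabled

def weak_enabled(cipher_string):
    """Map each enabled weak suite to the weak tags it carries."""
    return {s: sorted(CATALOGUE[s] & WEAK) for s in evaluate(cipher_string)
            if CATALOGUE[s] & WEAK}

ORIGINAL = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
SUGGESTED = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"

if __name__ == "__main__":
    print("original :", weak_enabled(ORIGINAL))
    print("suggested:", weak_enabled(SUGGESTED))
```

In this model the `+LOW:+SSLv2:+EXP` tokens only push those suites to the end of the preference list, so they stay negotiable, while `-LOW:-SSLv2:-EXP` drops them.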


