Message-ID: <4B5A189B.7020005@p6m7g8.com>
Date: Fri, 22 Jan 2010 21:28:59 +0000
From: "Philip M. Gollucci" <pgollucci@p6m7g8.com>
Organization: P6M7G8 Inc.
To: David Southwell
Cc: apache@freebsd.org
References: <201001221050.01689.david@vizion2000.net>
In-Reply-To: <201001221050.01689.david@vizion2000.net>
Subject: Re: Following latest upgrade apache-2.2.14_5 ssl failure
List-Id: Support of apache-related ports

David Southwell wrote:
> Can anyone please advise

I take 1 shot in the dark at what you're asking since you didn't say --

> private key - pass phrase requested

You used SSLPassPhraseDialog, right?
> permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:
> +EXP:+eNULL]

Yeah, that's bad, you should be more strict:

    ### SSL (PCI-compliant)
    SSLEngine On
    SSLProxyEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

> [xxx.xxx.xxx.xxx]

Kind of pointless if you leave the servername in below.

> [Fri Jan 22 10:38:17 2010] [info] www.vizion2000.net:443 reusing existing RSA
> [Fri Jan 22 10:38:20 2010] [notice] Apache/2.2.14 (FreeBSD) mod_ssl/2.2.14
> OpenSSL/0.9.8l DAV/2 PHP/5.2.12 with Suhosin-Patch mod_python/3.3.1
> Python/2.6.4 mod_ruby/1.3.0 Ruby/1.8.7(2009-12-24) SVN/1.6.6 configured --

Yeah, that's a non-optimal setup, but hey.

> [Fri Jan 22 10:39:33 2010] [info] server seems busy, (you may need to increase
> StartServers, or Min/MaxSpareServers), spawning 8 children, there are 2 idle,
> and 12 total children

You'll definitely want to change your MPM settings to fix that.

> [Fri Jan 22 10:39:35 2010] [info] [client ::1] SSL library error 1 in
> handshake (server www.vizion2000.net:443)
> [Fri Jan 22 10:39:35 2010] [info] SSL Library Error: 336027900
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking
> not SSL to HTTPS port!?

You'll want to use https on https servers and http on http servers. Check your
httpd.conf for the LoadModule stuff and SSLEngine directives and be sure they
are in the right scopes.

Nothing here that's not a local httpd.conf setup issue. You might get better
help on users@httpd.apache.org with the specifics of these issues.

-- 
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer, FreeBSD Foundation
Consultant, P6M7G8 Inc.
Sr. System Admin, Ridecharge Inc.
Work like you don't need the money, love like you'll never get hurt, and dance like nobody's watching.
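The two points in the reply above turn on details that are easy to get wrong: in an OpenSSL cipher string a `+` prefix only reorders ciphers already in the list (so `+LOW`, `+SSLv2` and `+eNULL` in the poster's string neither add nor remove anything, and `ALL` still carries LOW, export and SSLv2 suites), whereas `-` removes and `!` removes permanently; and the `SSL23_GET_CLIENT_HELLO` errors are mod_ssl's way of saying a client sent cleartext to port 443. The following script is an added example, not code from the thread, mod_ssl or the FreeBSD port. It lints a cipher string against those rules and pairs each handshake-failure line in an error_log with the OpenSSL reason that follows it. Assumptions: the weak-class list is this example's own present-day choice (RC4 was still accepted in 2010, which is why the reply keeps `RC4+RSA`); each class is judged independently, ignoring overlap between aliases such as EXPORT56 inside EXP; and the sample log is constructed, with the first pair of lines taken from the thread and the rest made up.

```python
"""Lint an SSLCipherSuite string and spot plain HTTP hitting the HTTPS port.

Added example, not code from the thread, mod_ssl or the FreeBSD port.
Cipher-string rules follow OpenSSL's documented semantics: a bare token
ADDS matching ciphers, '+' only MOVES already-listed ciphers to the end,
'-' REMOVES them (a later bare token may add them back), '!' removes them
permanently. Each class is judged on its own; overlap between aliases
(EXPORT56 inside EXP, DES inside LOW) is ignored on purpose.
"""
import re

# Aliases a production SSLCipherSuite should not leave enabled.
# Present-day choice made for this example; RC4 was still accepted in 2010.
WEAK_CLASSES = ("LOW", "EXP", "eNULL", "ADH", "SSLv2", "RC4")

# Both strings are quoted from the thread: the poster's effective list and
# the reply's suggested replacement.
ORIGINAL_SPEC = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
RECOMMENDED_SPEC = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"


def lint_cipher_suite(spec):
    """Return, sorted, the weak classes that *spec* still leaves enabled."""
    enabled = set()
    killed = set()  # removed with '!': can never be added back
    for token in spec.split(":"):
        if not token or token.startswith("@"):
            continue  # '@STRENGTH' only sorts the list
        prefix = token[0] if token[0] in "+-!" else ""
        parts = set(token[len(prefix):].split("+"))  # "RC4+RSA" = RC4 AND RSA
        hits = [c for c in WEAK_CLASSES if c in parts]
        if prefix == "!":
            killed.update(hits)
            enabled.difference_update(hits)
        elif prefix == "-":
            enabled.difference_update(hits)
        elif prefix == "+":
            continue  # reorder only: "+LOW" or "+eNULL" enables nothing
        else:
            if "ALL" in parts:
                # ALL is every cipher except eNULL, which needs an explicit add
                enabled.update(c for c in WEAK_CLASSES
                               if c != "eNULL" and c not in killed)
            enabled.update(c for c in hits if c not in killed)
    return sorted(enabled)


# mod_ssl logs the handshake failure and the OpenSSL reason on two lines.
HANDSHAKE_RE = re.compile(
    r"\[client ([^\]]+)\] SSL library error \d+ in handshake \(server ([^)]+)\)")
REASON_RE = re.compile(
    r"SSL23_GET_CLIENT_HELLO:(unknown protocol|http request|https proxy request)")


def plain_http_on_https(log_lines):
    """Pair each handshake-failure line with the cleartext reason that follows.

    Returns (client, server, reason) tuples: 'http request' means the client
    sent an HTTP verb, 'unknown protocol' means bytes that were not TLS at all.
    """
    findings, pending = [], None
    for line in log_lines:
        m = HANDSHAKE_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        r = REASON_RE.search(line)
        if r and pending:
            findings.append((pending[0], pending[1], r.group(1)))
            pending = None
    return findings


# Constructed sample: the first handshake pair is the thread's own log, the
# rest is made up for this example (192.0.2.7 is a documentation address).
SAMPLE_LOG = [
    "[Fri Jan 22 10:38:20 2010] [notice] Apache/2.2.14 (FreeBSD) mod_ssl/2.2.14 "
    "OpenSSL/0.9.8l configured -- resuming normal operations",
    "[Fri Jan 22 10:39:35 2010] [info] [client ::1] SSL library error 1 in "
    "handshake (server www.vizion2000.net:443)",
    "[Fri Jan 22 10:39:35 2010] [info] SSL Library Error: 336027900 "
    "error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol "
    "speaking not SSL to HTTPS port!?",
    "[Fri Jan 22 10:39:36 2010] [info] [client 192.0.2.7] SSL library error 1 in "
    "handshake (server www.vizion2000.net:443)",
    "[Fri Jan 22 10:39:36 2010] [info] SSL Library Error: 336027804 "
    "error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request "
    "speaking http to https port!?",
]

if __name__ == "__main__":
    print("original leaves enabled:   ", lint_cipher_suite(ORIGINAL_SPEC))
    print("recommended leaves enabled:", lint_cipher_suite(RECOMMENDED_SPEC))
    for client, server, reason in plain_http_on_https(SAMPLE_LOG):
        print(f"cleartext to {server} from {client}: {reason}")
```

Run against the two strings from the thread, the lint reports LOW, EXP and SSLv2 (plus RC4) still enabled by the poster's list and only RC4 by the reply's, which is exactly the difference the `-LOW:-SSLv2:-EXP` tokens make. The lint is a class-level approximation; the authoritative check on any host is `openssl ciphers -v '<spec>'`, which expands the string to the concrete suites the library would offer. The log check is what you would wire into a log watcher: a `::1` client failing with `unknown protocol` is a local process (a health check, a proxy or a misconfigured vhost) talking plain HTTP to the SSL listener, which is the httpd.conf scoping problem the reply points at.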