mod-ssl interview questions
Top mod-ssl frequently asked interview questions
I just purchased an SSL certificate and am considering options for its implementation on my Amazon Elastic Load Balancer, which will leverage Apache2. From what I understand I have two options for implementing an SSL certificate in Apache 2 --- either apache-ssl or mod_ssl. The purpose of this question is to collect benefits/drawbacks associated with going with one or the other.
Source: (StackOverflow)
I am installing SSL on my domain, which is hosted at DigitalOcean. I am following this tutorial. Currently I am trying to execute the commands:
SSLCACertificateFile /home/sammy/intermediate.crt
and
SSLCertificateChainFile /home/sammy/intermediate.crt
but both return:
SSLCACertificateFile: command not found
SSLCertificateChainFile: command not found
errors. I am wondering what I am missing.
Source: (StackOverflow)
I just added mod_ssl with a signed certificate, but I can't figure out why Google Chrome is marking my connection as untrusted.
screenshot:
Another website has almost the same details, but Google Chrome is not marking it as untrusted:
Can someone help me: why is Google Chrome marking my website as untrusted?
EDIT 1 (Adding certificate information)
Source: (StackOverflow)
My hosting service is telling me to change my SSL port from 443 to 8443 since the OpenSSL tests are failing, even though they are working in production.
I changed my apache ports.conf file to:
NameVirtualHost *:80
#NameVirtualHost *:443
NameVirtualHost *:8443
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
#Listen 443
Listen 8443
</IfModule>
<IfModule mod_gnutls.c>
#Listen 443
Listen 8443
</IfModule>
I also changed my virtual hosts from <VirtualHost *:443> to <VirtualHost *:8443> and restarted apache, but when I try to access the site via https, the browser says: "Firefox can't establish a connection to the server". Could it be a firewall issue?
Source: (StackOverflow)
I have a CentOS/Apache+OpenSSL server. I host two domain names with wildcard sub domains (application logic surfaces the correct site), e.g.
https://*.testing1.com
https://*.testing2.com
It works great over HTTP:
<VirtualHost *:80>
# Admin email, Server Name (domain name) and any aliases
ServerAdmin webmaster@testing1.com
ServerName testing1.com
ServerName testing2.com
ServerAlias *.testing1.com *.testing2.com
# Index file and Document Root (where the public files are located)
DirectoryIndex index.html index.php
DocumentRoot /home/app/public_html/public
</VirtualHost>
I've purchased two wildcard SSL certificates, for testing1.com and testing2.com, but I'm unsure how to set them up in this structure:
<VirtualHost *.testing1.com:443>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/*.testing1.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/*.testing1.com.key
SSLCACertificateFile /etc/httpd/ssl/geotrust.cer
ServerAdmin john@testing1.com
ServerName testing1.com
ServerAlias *.testing1.com
DirectoryIndex index.html index.php
DocumentRoot /home/app/public_html/public
</VirtualHost>
<VirtualHost *.testing2.com:443>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/*.testing2.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/*.testing2.com.key
SSLCACertificateFile /etc/httpd/ssl/geotrust.cer
ServerAdmin john@testing2.com
ServerName testing2.com
ServerAlias *.testing2.com
DirectoryIndex index.html index.php
DocumentRoot /home/app/public_html/public
</VirtualHost>
The above for the SSL doesn't work, neither with the *.testing1.com definition nor with just testing1.com.
I will also need to repeat this for testing2.com.
Source: (StackOverflow)
I'm trying to get the client's certificate and sign an xml file using it.
I have added the following to my virtual hosts:
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +stdEnvVars
This should allow mod_ssl to get the user's certificate. But I don't know how to pass it along to my django app. Any help is appreciated. Thanks.
Source: (StackOverflow)
We manage our own VM, Windows Server 2008 R2 STD 64 bits, which is used as a web server.
APACHE httpd-2.2.22-win32-x86-no_ssl has been installed on it since the beginning, because this was the only self-install file (MSI) that we found on the Apache web site.
I now need to install an SSL certificate. I ran into a couple of forums without getting the exact solution for my situation.
I used OpenSSL to create our own self-signed certificate for this installation. The issue is: where can I find the mod_ssl module that is missing? I have no experience yet (but it's never too late to get a start) with compiling binaries, so where can I get some safe binaries for this module in order to continue configuring this damn SSL certificate? :)
On the same machine I'm also running:
- php-5.3.13-Win32-VC9-x86
- mysql-5.5.24-winx64
- FileZilla_Server-0_9_41
- hMailServer
Source: (StackOverflow)
We are using Apache 2.2.25 with mod_ssl in reverse proxy mode using mod_proxy. It has a server certificate we use for testing purposes, issued by GoDaddy. There are 3 certificates in the chain: server cert -> GoDaddy intermediate CA -> GoDaddy Root CA. The intermediate CA (Go Daddy Secure Certificate Authority - G2) is not always found in clients' lists of trusted CAs.
The SSL connection to the server works well for browsers (at least for some), but not for some other clients. We noticed that our server does not send the full certificate chain by using the following command: openssl s_client -showcerts -connect SERVER_URL:443, and indeed the command reports the error Verify return code: 21 (unable to verify the first certificate).
We use the SSLCertificateFile directive in each VirtualHost:
SSLCertificateFile certificate.crt
where the certificate.crt file contains the private key and all the certificates in the chain.
We tried to split it into the following:
SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
SSLCertificateChainFile chain.crt
But this didn't change anything.
Thanks for your help!
EDIT
The plot thickens - it seems to be some combination of the certificate and the server.
(testing is done with the SSL Shopper tool)
- Go Daddy certificate (as above) on Apache 2.2 (RHEL) - does not work
- same certificate, on IIS7 - works
- customer's certificate (from Comodo) on Apache 2.2 RHEL - works
Source: (StackOverflow)
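An added helper, not from the question above and not Apache's own code, for the layout the question ends up trying: on Apache 2.2, SSLCertificateFile uses only the first certificate in the file (the private key may sit beside it) and the intermediates must be listed in SSLCertificateChainFile, leaf-first; only Apache 2.4.8 and later read the whole chain from SSLCertificateFile. The script splits a combined PEM bundle (a constructed sample with placeholder bodies) into the three files and reports how many certificates a 2.2 server would silently have dropped.

```python
import re

# Constructed sample of the combined file the question describes: private key,
# server certificate, intermediate and root in one PEM bundle. The base64
# bodies are placeholders, not real key or certificate material.
COMBINED_BUNDLE = """-----BEGIN RSA PRIVATE KEY-----
MIIEkeyPLACEHOLDER
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: server
-----BEGIN CERTIFICATE-----
MIIDleafPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDintermediatePLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrootPLACEHOLDER
-----END CERTIFICATE-----
"""

# One PEM block; the label is repeated in the END line, so use a backreference.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL)

def split_pem_bundle(text):
    """Split a combined PEM file into what the three Apache 2.2 directives expect:
    SSLCertificateFile gets the first certificate only, every later certificate
    goes to SSLCertificateChainFile and the key to SSLCertificateKeyFile. File
    order is preserved (the leaf must come first); text between blocks, such as
    the 'Bag Attributes' lines a PKCS#12 export leaves behind, is dropped and
    CRLF line endings are normalised."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = m.group("body").replace("\r\n", "\n")
        block = "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)
        if label == "CERTIFICATE":
            certs.append(block)
        elif label.endswith("PRIVATE KEY"):
            keys.append(block)
    if not certs:
        raise ValueError("no certificate found in bundle")
    return {
        "SSLCertificateFile": certs[0],
        "SSLCertificateChainFile": "".join(certs[1:]),
        "SSLCertificateKeyFile": keys[0] if keys else None,
        # certificates a 2.2 server never sends when handed the combined file
        "ignored_by_2_2": len(certs) - 1,
    }
```

Whether the change took effect is visible in the s_client output from the question: a complete chain lists the intermediate as a second certificate block.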
For example, we have our site set up on mainwebsite.com, and have for a very long time, and have SSL enabled. We also own mws.com as a shorter URL used by some places. All incoming requests to mws.com are redirected to mainwebsite.com. We do something like this in our httpd.conf:
ServerName www.mainwebsite.com
ServerAlias mainwebsite.com
ServerAlias mws.com
ServerAlias www.mws.com
RewriteCond %{HTTP_HOST} ^(www\.)?mws\.com [NC]
RewriteRule ^(.*)$ http://www.mainwebsite.com$1 [R=301,L]
This works great, until SSL is involved. In our ssl.conf, we have
ServerName www.mainwebsite.com:443
<VirtualHost *:443>
</VirtualHost>
What happens is that if someone ends up going to https://www.mws.com, they get an SSL error related to the cert being tied to mainwebsite.com.
I would like to be able to redirect them before they would get the error. I had tried to do this
RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^(www\.)?mws\.com [NC]
RewriteRule ^(.*)$ http://www.mainwebsite.com$1 [R=301,L]
But it seemed to do nothing - would just sit there (I am assuming on a loop, although couldn't catch it in the logs).
How can I redirect them if coming in over SSL without giving a warning? Or if that is not possible, how can I make it so that 443 only listens for mainwebsite.com, and not for mws.com?
Source: (StackOverflow)
I need to update my apache 2.2.21 installation to use the latest openssl version.
But somehow it just keeps using 0.9.8k. (according to server-status).
I followed this guide and compiled apache with the custom ssl path:
http://hulan.info/item/compile-apache-with-ssl-php-5-and-mysql-on-linux
It still says:
Server Version: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8k DAV/2
Server Built: Mar 8 2012 10:17:02
Can anyone help me?
How can you let mod_ssl use the latest openssl version?
Source: (StackOverflow)
Currently we have an Apache 2.2.3 server with mod_ssl 2.2.3 running Django, with users authenticating by using a x509 certificate.
So far the system is running perfectly except for a single user, who when trying to upload a file receives a 400 Bad Request error, and the contents of the ssl_error_log regarding this operation are:
[<date>] [error] [client <client ip>] request failed: error reading the headers, referer: <referrer url>
The contents of the ssl_access_log are:
<client ip> - - [<date>] "POST <target page> HTTP/1.1" 400 321
Also, the user's browser is Firefox as far as I know.
I am completely unable to reproduce this bug and so far none of the other users have experienced it. Could you point out some reasons for this to happen?
Source: (StackOverflow)
colleagues!
Well, I have a huge problem with the speed of SSL authentication. Since I moved my website to SSL, GoogleBot has reduced the indexing of my website, because the SSL negotiation takes the value below, which I got with WebPageTest.org:
URL: https://www.musiconline.com.br/jorge-e-mateus/alcapao/
Host: www.musiconline.com.br
Error/Status Code: 200
Client Port: 0
Start Offset: 0.735 s
DNS Lookup: 34 ms
Initial Connection: 170 ms
SSL Negotiation: 531 ms
Time to First Byte: 311 ms
Content Download: 178 ms
Bytes In (downloaded): 13.2 KB
Bytes Out (uploaded): 0.4 KB
Look, the "SSL Negotiation" is at 531 ms, a big value.
Does someone know how I can solve this issue?
I looked at mod_spdy; however, I can't install it because of the following message on my Linux CentOS 6, Apache 2.4:
root@server1 [/home/login/src]# rpm -U mod-spdy-*.rpm
warning: mod-spdy-beta_current_x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY
error: Failed dependencies:
httpd >= 2.2.4 is needed by mod-spdy-beta-0.9.4.3-420.x86_64
mod_ssl >= 2.2 is needed by mod-spdy-beta-0.9.4.3-420.x86_64
root@server1 [/home/login/src]# httpd -v
Server version: Apache/2.4.12 (Unix)
Server built: Mar 21 2015 10:58:04
Cpanel::Easy::Apache v3.28.4 rev9999
root@server1 [/home/molbr/src]# uname -a
Linux server1.musiconline.com.br 2.6.32-431.20.3.el6.x86_64 #1 SMP Thu Jun 19 21:14:45 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Thanks for assistance.
Source: (StackOverflow)
I have set up a number of Virtual Hosts all using SSL. Everything worked fine. Then I needed to add SSL client authentication to one of them (let's call it the SVN host). After enabling client certificates for the SVN host, the host stopped working; instead the default virtual host would be used (which means that a non-matching server certificate would be provided, so that neither access to the secure host nor client authentication would work).
Here's the virtual host configuration I'm using:
<VirtualHost *:443>
ServerName svn.anydomain.com
SSLEngine on
SSLOptions +StrictRequire
SSLProtocol -all +TLSv1
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!SSLv3:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/certs/svn.crt
SSLCertificateKeyFile /etc/certs/svn.key
SSLCertificateChainFile /etc/certs/starcom/sub.class1.server.ca.pem
SSLCACertificateFile /etc/certs/cacert.crt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLVerifyClient require
SSLVerifyDepth 2
SSLUserName SSL_CLIENT_S_DN_CN
<Location /path0>
DAV svn
SSLRequireSSL
SVNPath /var/svn/path0
#Require valid-user
</Location>
<Location /path1>
DAV svn
SSLRequireSSL
SVNPath /var/svn/path1
#Require valid-user
</Location>
</VirtualHost>
Also, I seem to have this problem on Mac OS X only. I am able to access the host from Windows 8 with no sweat. Basically, on my Mac I can get it to work only with these options in curl (sometimes, not consistently):
curl -v -v -v -1 -k --cacert Documents/Certs/CACert.pem --cert Documents/Certs/ClientCert.pem https://svn.anydomain.com/path1
This instead fails (note the -3 instead of -1, for SSLv3 instead of TLSv1):
curl -v -v -v -3 -k --cacert Documents/Certs/CACert.pem --cert Documents/Certs/ClientCert.pem https://svn.anydomain.com/path1
and returns the certificate of the default virtual host. This behaviour (wrong virtual host) is what I get for any access to that domain on my Mac (Safari, Eclipse+Subversive, Cornerstone, etc).
Any ideas?
Source: (StackOverflow)
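An added illustration, not Apache's code and not from either of the two questions it serves (the wildcard setup with two certificates, and the SVN host above), of how name-based SSL vhosts are chosen on a single <VirtualHost *:443> socket. The VirtualHost argument is an address to bind, not a host name, so `<VirtualHost *.testing1.com:443>` cannot work; the names belong in ServerName/ServerAlias and are matched against the client's SNI name. The vhost table is constructed. The same logic shows the Mac symptom: an SSLv3 ClientHello (`curl -3`) carries no SNI, so the first vhost answers with its own certificate.

```python
import fnmatch

# Constructed vhost table standing in for the <VirtualHost *:443> blocks in
# the questions; order matters because Apache answers with the first vhost of
# an address:port when the client sends no SNI name or no name matches.
VHOSTS = [
    {"id": "testing1", "names": ["testing1.com", "*.testing1.com"],
     "cert_names": ["testing1.com", "*.testing1.com"]},  # names in the wildcard cert
    {"id": "testing2", "names": ["testing2.com", "*.testing2.com"],
     "cert_names": ["testing2.com", "*.testing2.com"]},
    {"id": "svn", "names": ["svn.anydomain.com"], "cert_names": ["svn.anydomain.com"]},
]

def server_alias_matches(pattern, host):
    """ServerName/ServerAlias matching: a case-insensitive glob in which '*'
    may span dots, so a.b.testing1.com does match the alias *.testing1.com."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())

def cert_name_matches(cert_name, host):
    """X.509 wildcard rule (RFC 6125): '*' stands for exactly one leftmost label,
    so *.testing1.com covers www.testing1.com but neither testing1.com nor
    a.b.testing1.com. This is what the browser checks, not the ServerAlias."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    labels = host.split(".")
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == cert_name[2:]

def select_vhost(vhosts, sni_name):
    """Mirror name-based SSL vhost selection on one *:443 socket: the SNI name is
    tried against each vhost's names in configuration order; without SNI (SSLv3
    and other old clients) or without a match, the first vhost answers."""
    if sni_name:
        for vh in vhosts:
            if any(server_alias_matches(p, sni_name) for p in vh["names"]):
                return vh
    return vhosts[0]

def handshake_outcome(vhosts, sni_name, url_host):
    """Which vhost (hence which certificate) answers, and whether that
    certificate's names cover the host the browser actually typed."""
    vh = select_vhost(vhosts, sni_name)
    return vh["id"], any(cert_name_matches(n, url_host) for n in vh["cert_names"])
```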
I've spent a few hours trying to configure my Apache server to use SSL with no public IP, just localhost. I've created the certificate OK, I think (it has been like a crash course on black magic for me), and when I try to access https://localhost, the browser says "Connected to localhost..." on the status line but just keeps loading forever. Here's a snippet from error_log:
[Fri Mar 27 22:03:39 2009] [info] Loading certificate & private key of SSL-aware server
[Fri Mar 27 22:03:39 2009] [info] Configuring server for SSL protocol
[Fri Mar 27 22:03:39 2009] [info] Loading certificate & private key of SSL-aware server
[Fri Mar 27 22:03:40 2009] [info] Configuring server for SSL protocol
everything seems to be OK there, but meanwhile, at ssl_engine_log:
...
[Fri Mar 27 22:03:39 2009] [info] Init: Initializing OpenSSL library
[Fri Mar 27 22:03:39 2009] [info] Init: Seeding PRNG with 136 bytes of entropy
[Fri Mar 27 22:03:39 2009] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Fri Mar 27 22:03:39 2009] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Fri Mar 27 22:03:39 2009] [info] Init: Initializing (virtual) servers for SSL
[Fri Mar 27 22:03:39 2009] [info] mod_ssl/2.0.61 compiled against Server: Apache/2.0.61, Library: OpenSSL/0.9.7i
[Fri Mar 27 22:03:39 2009] [warn] module php5_module is already loaded, skipping
[Fri Mar 27 22:03:39 2009] [info] Init: Initializing OpenSSL library
[Fri Mar 27 22:03:39 2009] [info] Init: Seeding PRNG with 136 bytes of entropy
[Fri Mar 27 22:03:39 2009] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Fri Mar 27 22:03:40 2009] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Fri Mar 27 22:03:40 2009] [info] Init: Initializing (virtual) servers for SSL
[Fri Mar 27 22:03:40 2009] [info] mod_ssl/2.0.61 compiled against Server: Apache/2.0.61, Library: OpenSSL/0.9.7i
[Fri Mar 27 22:03:40 2009] [notice] Digest: generating secret for digest authentication ...
[Fri Mar 27 22:03:40 2009] [notice] Digest: done
[Fri Mar 27 22:03:40 2009] [notice] Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.7l DAV/2 PHP/5.2.5 configured -- resuming normal operations
[Fri Mar 27 22:03:40 2009] [info] Server built: Jan 17 2008 17:33:42
[Fri Mar 27 22:03:40 2009] [emerg] (13)Permission denied: apr_proc_mutex_lock failed. Attempting to shutdown process gracefully.
[Fri Mar 27 22:03:40 2009] [emerg] (13)Permission denied: apr_proc_mutex_lock failed. Attempting to shutdown process gracefully.
...many more like these last two lines, until I finally stop the server...
[Fri Mar 27 22:03:43 2009] [info] removed PID file /usr/local/apache2/logs/httpd.pid (pid=8786)
[Fri Mar 27 22:03:43 2009] [notice] caught SIGTERM, shutting down
Some googling about this permission denied and the apr_proc_mutex_lock failing hasn't yielded anything useful. Only some results relating to MPM and the perchild option, but as they were old (years 2002 and 2003) and I can't really draw any conclusions after reading them, I'm asking you if there is a way to overcome this problem. Well, first: what is actually the problem? Is there any kind of incompatibility between modules? Do I have to recompile something (please, Lord, not again, no)?
Thanks in advance.
Source: (StackOverflow)
I would like to know if there is a way to redirect a browser from a webpage, if it hasn't presented a valid client certificate.
For example:
This section on my website requires a mutual SSL authentication:
subdomain.domain.com
This is the main section of my website, and it's public:
domain.com
The client certificates for the authentication are issued by my own CA, self-signed.
Same for the server certificate.
The "known" clients also have my CA added to their trusted CA store.
If there's a 3rd party client without a valid client certificate accessing subdomain.domain.com, it shall be redirected to domain.com.
I'm thinking about some configuration in the VHOSTs area. I played around with
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
or with
SSLVerifyClient optional / required / optional_no_ca
but it didn't seem to work as I'd like to have it.
I've found this article
http://mail-archives.apache.org/mod_mbox/httpd-docs/201204.mbox/%3Ch15hm6ny7srm9zeidijezwJv4X.penango@mail.gmail.com%3E
and somehow understood what it's saying, but I am not sure if there isn't another way to go around it, or maybe it was fixed in the meanwhile (not just the documentation).
Thank you.
Source: (StackOverflow)
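An added example, not from either question it serves (passing the client certificate to a Django app, and redirecting clients that present no valid certificate) and not Django's or mod_ssl's own code. Two mod_ssl details matter here: SSL_CLIENT_CERT is only exported with `SSLOptions +ExportCertData` (`+StdEnvVars` alone gives the DN and verify-status variables), and with `SSLVerifyClient optional` the handshake completes without a certificate and the result lands in SSL_CLIENT_VERIFY, so the redirect can be made by the application instead of at the TLS layer. The WSGI middleware assumes mod_wsgi; the flattened certificate and the environ values in the test are constructed.

```python
import re
import textwrap

# Constructed SSL_CLIENT_CERT value whose newlines became spaces (this happens
# when the PEM is forwarded in a request header); the body is a placeholder.
FLATTENED_CERT = ("-----BEGIN CERTIFICATE----- MIIBclientPLACEHOLDER0123456789"
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV -----END CERTIFICATE-----")

def normalise_pem(value):
    """Rebuild a proper PEM block from a flattened value; well-formed input comes back unchanged."""
    m = re.match(r"\s*-----BEGIN CERTIFICATE-----(.*)-----END CERTIFICATE-----\s*$", value, re.DOTALL)
    if not m:
        raise ValueError("not a single PEM certificate")
    body = re.sub(r"\s+", "", m.group(1))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(textwrap.wrap(body, 64))

class ClientCertMiddleware:
    """WSGI wrapper in front of the Django app. Assumes mod_wsgi, which copies
    mod_ssl's SSL_* variables (exported by SSLOptions +StdEnvVars +ExportCertData)
    into the WSGI environ, i.e. into Django's request.META."""
    def __init__(self, app, redirect_to):
        self.app, self.redirect_to = app, redirect_to

    def __call__(self, environ, start_response):
        # SSL_CLIENT_VERIFY is NONE (no cert offered), GENEROUS (untrusted CA,
        # only with optional_no_ca), FAILED:<reason> or SUCCESS.
        if environ.get("SSL_CLIENT_VERIFY", "NONE") != "SUCCESS":
            start_response("302 Found", [("Location", self.redirect_to), ("Content-Type", "text/plain")])
            return [b"valid client certificate required\n"]
        pem = environ.get("SSL_CLIENT_CERT")          # present only with +ExportCertData
        environ["app.client_cert_pem"] = normalise_pem(pem) if pem else None
        environ["app.client_cn"] = environ.get("SSL_CLIENT_S_DN_CN")
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    """Stand-in for the Django app: the view finds the client's PEM and CN in the environ."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("client %s\n" % (environ.get("app.client_cn") or "?")).encode()]

def call(app, environ):
    """Minimal WSGI driver: run one request without Apache and return status, headers, body."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

PROTECTED = ClientCertMiddleware(demo_app, "https://domain.com/")
```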