Questions tagged [mod-ssl]
The Apache Httpd interface to OpenSSL
273
questions
58
votes
8
answers
117k
views
Apache: SSLCertificateKeyFile: file does not exist or is empty
I am configuring SSL for Apache 2. My system is Ubuntu Server 10.04 LTS. I have the following settings related to SSL in my vhost configuration:
SSLEngine On
SSLCertificateKeyFile /etc/ssl/private/...
56
votes
6
answers
106k
views
Can an SSL certificate be on a single line in a file (no line breaks)?
SSL certificates by default have line breaks after 67 characters. I'm trying to create SSL certificate files using Chef. Essentially I want to create the entire certificate file from a string variable ...
36
votes
6
answers
294k
views
How to enable TLS 1.1 and 1.2 with OpenSSL and Apache
In light of a growing number of security issues, such as the newly announced Browser Exploit Against SSL/TLS (BEAST), I was curious how we could go about enabling TLS 1.1 and 1.2 with OpenSSL and ...
36
votes
3
answers
74k
views
Using Https between Apache Loadbalancer and backends
I am using an apache (2.4) server configured as loadbalancer in front of 2 apache servers. It works fine when I use http connections between loadbalancer and backends, however using https does not ...
19
votes
3
answers
5k
views
Apache2 with SSL do I have to copy VirtualHost blocks?
In Apache2 on Ubuntu I have my site listening on 80, and now I want to add SSL. Is there a way to enable the SSLEngine for port 443 so I do not have to copy the entire VirtualHost block?
When I do ...
17
votes
1
answer
16k
views
Why is my SSL certificate untrusted on Android?
The SSL certificate is trusted on most Desktop computers, but only some Android devices. However, even on Android devices where the certificate is untrusted, the root certificate is installed.
I must ...
15
votes
1
answer
26k
views
Install & configure mod_ssl on Amazon EC2 instance
I am trying to support HTTPS traffic with the mod_ssl module on my website. I am running an Amazon EC2 instance for my server. I have installed and configured the basic LAMP packages. However, when I ...
15
votes
3
answers
23k
views
SSLCertificateChainFile Deprecation Warning on Apache 2.4.8+
We have an SSL Certificate for our website from Network Solutions. After upgrading Apache/OpenSSL to version 2.4.9, I now get the following warning when starting HTTPD:
AH02559: The ...
15
votes
7
answers
85k
views
Session Cache is not configured... why?
I'm running (trying to run, actually) Apache 2.4.2 on Windows Server 2003 R2 32 bit (plus PHP 5.4.5 and OpenSSL 1.0.1c, but I don't think that matters), and I'm getting the following line in the error ...
14
votes
1
answer
30k
views
How to disable SSLCompression on Apache httpd 2.2.15? (Defense against CRIME/BEAST)
I read about the CRIME attack against TLS Compression (CVE-2012-4929, CRIME is a successor to the BEAST attack against ssl & tls), and I want to protect my webservers against this attack by ...
13
votes
4
answers
55k
views
How to disable TLS 1.1 & 1.2 in Apache?
I have an Ubuntu 12.04.2 LTS server running Apache 2.2.22 with mod_ssl and OpenSSL v1.0.1.
In my vhosts config (everything else within which behaves as I would expect), I have the SSLProtocol line ...
12
votes
2
answers
6k
views
Why store Apache SSL certificate and private key in separate files?
The Apache mod_ssl documentation for the SSLCertificateFile and SSLCertificateKeyFile directives states that it is 'strongly discouraged' to store a private key and an SSL certificate in the same file....
10
votes
1
answer
30k
views
Disable SSL / TLS compression in Apache 2.2.x
Is there a way to disable SSL/TLS Compression in Apache 2.2.x when using mod_ssl?
If not, what are people doing to mitigate the effects of CRIME/BEAST in older browsers?
Related Links:
https://...
9
votes
2
answers
16k
views
mod_ssl SSLCACertificatePath Proper Usage or What is the Best way to Handle Multiple Acceptable Client Certificate CAs
I am attempting to use the mod_proxy SSLCACertificatePath directive, but I'm a tad bit confused on how to use it properly.
Here are two links explaining the SSLCACertificatePath directive:
http://...
8
votes
4
answers
22k
views
How to Disable SSLv2 for Apache httpd
I just tested my site on https://www.ssllabs.com/ and it said SSLv2 is insecure and I should disable that along with weak Cipher Suites.
How can I disable that? I tried the following but it isn’t ...
8
votes
1
answer
10k
views
How to tell if SSL session caching is in fact working correctly with Apache 2.2?
We have Apache 2.2.22 running on Ubuntu 12.04.
SSL is configured and enabled, with these directives in /etc/apache2/mods-enabled/ssl.conf:
SSLSessionCache shm:/var/www/apache-ssl-cache/ssl_scache(...
7
votes
8
answers
102k
views
How do I disable MEDIUM and WEAK/LOW strength ciphers in Apache + mod_ssl?
A PCI Compliance scan has suggested that we disable Apache's MEDIUM and LOW/WEAK strength ciphers for security. Can someone tell me how to disable these ciphers?
Apache v2.2.14
mod_ssl v2.2.14
This ...
7
votes
3
answers
23k
views
"Server should be SSL-aware but has no certificate configured"
Ubuntu 14.04 Apache 2.4.7 w/mod_ssl
I'm trying to install a (single) domain certificate. For some reason, apache does not accept it and refuses to start if the related website is enabled. Despite ...
7
votes
2
answers
4k
views
How to verify that SSL cipher order is being enforced?
I'm running Apache 2.2.31 and I'm trying to get Perfect Forward Secrecy working. Using Qualys SSL Labs shows that pretty much everything except IE is using ciphers that can use forward secrecy.
I've ...
7
votes
4
answers
65k
views
SSL Library Error: 218570875 error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
I am trying to install SSL certificate from a certificate authority into my httpd server in CentOS 5.x. When I configure it and start the server I am getting the following errors,
[error]Init: Unable ...
7
votes
1
answer
2k
views
How does Apache interpret multiple SSLRandomSeed sources
In my Apache configuration I have these lines:
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/random
SSLRandomSeed connect file:/dev/urandom 1024
How, exactly, does Apache interpret ...
6
votes
2
answers
30k
views
Can I upgrade OpenSSL version used by apache without recompiling the server but just mod_ssl?
I have an Apache server on a Unix machine:
Apache/2.2.29 (Unix) OpenSSL/0.9.8zg
I would like to upgrade the OpenSSL version to 1.0.2, which is the version currently installed on my system:
machine:/...
6
votes
1
answer
5k
views
Is it possible to allow only some client certificates in Apache to login?
In my virtual host I have something like that:
SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/svn.XXXXX.me.key
SSLCertificateFile /etc/apache2/ssl/svn.XXXXX.me.crt
SSLProtocol ...
6
votes
1
answer
3k
views
Can I use both RSA and ECC certificates in apache?
If I simply use "SSLCertificateFile" and "SSLCertificateKeyFile" twice, the certificate chain is broken for the first one.
Can I use both RSA and ECC certificate which is issued from different ...
6
votes
1
answer
3k
views
Upgrade openssl/mod_ssl on Mac OS X Server?
Context: I'm trying to set up an SVN server on a Mac OS X Server 10.6.7, and I'm running into the “SSL error parse tlsext” issue. I've tried changing the SSLProtocol option as described, but then I ...
5
votes
1
answer
8k
views
CentOS6 - Apache2 working but when installing / enabling SSL, server won't start because of permissions error
I'm attempting to install Apache with SSL on CentOS6 to use as a development server.
I've been following the directions posted here to get SSL working: http://wiki.centos.org/HowTos/Https (Note: ...
5
votes
2
answers
9k
views
Authenticate with Client SSL Certificate OR basic auth
For security reasons, the authentication for a web application should be migrated to SSL client certificates. It should be possible to log in with either username/password or SSL. In addition, users ...
5
votes
4
answers
3k
views
How can I configure Apache to use HTTPS for external access but HTTP for internal access?
I have two servers, one a development server that is accessible internally on our company's local network and the other a public-facing web server. The development server hosts several tools that we ...
5
votes
2
answers
6k
views
Why did git stop working after server disabled SSLv3?
Like most others, our repository server needs to disable SSLv3 (and v2) ASAP.
However, doing so seems to break our git-clients -- at least, on RHEL5 (connections from my FreeBSD desktop work fine). ...
5
votes
2
answers
6k
views
SSL_CLIENT_CERT_CHAIN not being passed to backend server
I have client certificate configured and working in Apache. I want to pass the PEM-encoded X.509 certificates of the client to the backend server.
I tried with the SSLOptions +ExportCertData. This ...
5
votes
3
answers
6k
views
How do I create a custom header from an existing SSL environment variable?
OK I have spent all day on this--
I'm using apache with mod_ssl
I'm trying to take an existing environment header, "%{SSL_CLIENT_S_DN_CN}s" which looks like "Lastname Firstname Mi username" and set a ...
5
votes
1
answer
16k
views
ProxyPass HTTPS to other server
I have a server frontend.example.com with public IP. Its Apache (2.4) should proxy the traffic coming for service1.example.com (DNS alias to frontend.example.com).
service1.example.com is a VM on a ...
5
votes
1
answer
5k
views
List of SSL Cipher Support by Browser
Not really sure if this is the appropriate SE to post this to, but here it is: Is there some online reference for what SSL ciphers are supported by the various browsers? Basically, I'm interested in ...
5
votes
1
answer
5k
views
Apache SSL reverse proxy to an Embedded Tomcat
I'm trying to put in place a reverse proxy for an application that is running a tomcat embed server over SSL. The application needs to run over SSL on the port 9002 so I have no way of "disabling SSL" ...
5
votes
1
answer
5k
views
Apache sends plain-text response when accessing SSL-enabled site without HTTPS
I've never encountered something such as this before. I was attempting to simply redirect the page to the HTTPS version if it determined that HTTPS was off, but instead it's displaying an HTML page ...
5
votes
0
answers
2k
views
Apache 2.2 fails with "unable to write 'random state'" with 2048-bit RSA key (1024-bit works fine)
I'm usually pretty good with Apache and OpenSSL, but this one has me completely baffled. I'm running Apache 2.2.22 and OpenSSL 1.0.1 on a Ubuntu 12.04 LTS Server. I have an IP-based virtual host ...
4
votes
3
answers
3k
views
Problems with multiple SSL on same IP, but only in select clients
I know there are tons of posts about multiple SSL on same IP, but I promise I'm not beating a dead horse. My question is very clear. First, a little background...
Our organization has several ...
4
votes
1
answer
11k
views
How to check Apache for SNI (Server Name Indication) availability?
I have a CentOS 7 server. I switched from Apache 2.4.6 to Apache 2.4.25 using IUS repository (https://ius.io/). My goal is to support multiple SSL certificates with a single IP.
I have installed:
...
4
votes
4
answers
19k
views
How to run a virtualhost 443 without an SSL cert?
I have a virtualhost directive that serves up a custom 404 error if invalid subdomain is entered:
<VirtualHost *:80> # the first virtual host
ServerName site_not_found
RedirectMatch 404 ^/(?...
4
votes
1
answer
9k
views
Forcing SSL in Apache without hard-coding the hostname
I think that I have this sorted (thanks mainly to the question How to redirect non-www to www without hardcoding using .htaccess?), but I still don't entirely understand a couple of things.
I would ...
4
votes
3
answers
22k
views
apache Client Certificate Authentication errors: Certificate Verification: Error (18): self signed certificate
So I have been following instructions on setting up Client Certificate Authentication in Apache2 w/ mod_ssl. This is solely for the purpose of testing an application against CAA, not for any sort of ...
4
votes
1
answer
489
views
Apache ServerName uses AlternativeName instead of CommonName
I have recently purchased an SSL Certificate. The CommonName (CN) of the certificate is www.mydomain.com and has several AlternativeNames such as subdomain1.mydomain.com, subdomain2.mydomain.com etc.
...
4
votes
1
answer
6k
views
missing mod_ssl.so for lighttpd
I am trying to set up ssl (i.e. https) for my lighttpd web server running Debian 8 (Jessie).
The relevant lines in lighttpd.conf are:
server.modules = (
"mod_access",
"mod_alias",
"...
4
votes
2
answers
14k
views
Installing mod_ssl on CentOS
I am trying to install mod_ssl on my server with:
yum install mod_ssl
All I get in response is:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centosv4-msync-dvd....
4
votes
1
answer
11k
views
How to solve Apache-2.4 AH02026: Failed to acquire SSL session cache lock
I've just stood up a new AWS Ubuntu 16.04 server running Apache2.4 with PHP-FPM 5.6 and 7.1 available via different sockets. Everything is working great, but I'm getting the following errors in the ...
4
votes
2
answers
3k
views
Requiring client certificate issued by a specific intermediate CA in Apache
I have a CA hierarchy like this:
Root-CA
________|_____________
| |
TEST-CA PRODUCTION-CA
_____|_____ ____|...
4
votes
2
answers
1k
views
YouTrack on Tomcat 7 using SSL
I have a running YouTrack instance deployed using Tomcat 7 and it works fine on http://example.com:8080/youtrack
Apache is already configured to support SSL for the main domain (I have .pem file). ...
4
votes
1
answer
1k
views
mod_spdy problems and speculations
I'm trying out mod_spdy and I've run into a problem - it seems to be incompatible with AJAX requests and mod_php as in this: https://www.modspdy.com/blog/2012/04/15/using-mod_spdy-with-php/
The ...
4
votes
1
answer
2k
views
Can apache use a key agent to store private keys for SSL?
For mod_ssl in apache to work, you need your RSA private key on the server. If the key is passphrase protected, you have to enter the passphrase whenever you restart apache. There is ...
4
votes
1
answer
2k
views
How apache reverse proxy can be configured without breaking the https tunnel between client & server?
I have configured apache reverse proxy. In that configuration https connection is possible between client to reverse proxy and again reverse proxy to server. But I want https connection between client ...