Re: HTTPS Problem

From: Geoff Beaumont <geoffbeaumont_at_stormhammer.com>
Date: 2003-06-22 02:28:39 CEST

On Saturday 21 June 2003 7:55 pm, Martin v. Löwis wrote:
> Geoff Beaumont <geoffbeaumont@stormhammer.com> writes:
> > > Yes. In my case, I found that the installation of the CA certificates
> > > was incorrect. Apache would first not read them, and then fail to
> > > verify them as I had to set the verify depth to 2.
> >
> > What depth should be set then? I don't appear to have it set explicitly.
>
> It depends on how many steps there are to your root CA.

There's my certificate and the Snake Oil Ltd. signing one. That's it.

> > printenv doesn't appear to tell me anything about the certificates -
> > output from Mozilla with HTTPS/Basic Auth at end of mail.
>
> You don't have an encrypted connection. If you had one, there would be
>
> SSL_SERVER_I_DN
> SSL_SERVER_S_DN
> SSL_CIPHER
> SSL_SESSION_ID
>
> Did you generate a server certificate? How exactly did you install
> that?

I generated the certificate myself using the certificate.sh script provided by
SuSE (not sure if this is a SuSE addition or standard Apache script).

I hacked the provided SuSE config files to set SSL up - I've got
SSLCertificateFile pointed at my certificate
SSLCertificateKeyFile pointed at the private key for it
SSLCertificateChainFile pointed at the signing cert (snakeoil-ca-rsa.crt)

> If you '/etc/init.d/httpd stop', then 'httpd -DSSL', does this
> show any error messages? Do you see any errors about the certificates
> in the log files?
>
> Do the browsers ask you to accept the certificate, just as they ask
> you when you connect to https://www.dcl.hpi.uni-potsdam.de?

Yes, the browsers both ask me to accept the certificate, due to it having an
unrecognised root. Both browsers display the certificate details correctly
and indicate a 128-bit encrypted connection - if I don't have an encrypted
connection then there are some very serious bugs in both Mozilla and
Konqueror...

I've discovered that when HTTPS and Basic Auth are both on, while the initial
request from Konqueror fails to request authorisation, if I hit refresh it
gives me a login dialogue. When this is submitted it appears to be
continuously downloading the page - putting tail on the Apache access log
shows a continuous stream of requests. If I then hit stop and refresh again,
I have a correctly working, authenticated session. Very odd - but this is
consistently repeatable.

-- 
Geoff Beaumont
Geoff@stormhammer.com
Received on Sun Jun 22 02:29:48 2003
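
The three files named in the message (SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile) can be checked against each other with the openssl CLI before looking at Apache itself. This is an added example, not part of the original mail; the helper names `check_ssl_files` and `make_constructed_pki` and all file names are hypothetical, and the test PKI is constructed.

```bash
#!/usr/bin/env bash
# Added example: cross-check the files behind mod_ssl's SSLCertificateFile,
# SSLCertificateKeyFile and SSLCertificateChainFile. Helper names are hypothetical.

# Build a throwaway, constructed CA and server certificate in directory $1.
make_constructed_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -days 1 -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/server.crt" 2>/dev/null
}

# Return 0 only if the key belongs to the cert and the chain file verifies the cert.
check_ssl_files() {
  local cert=$1 key=$2 chain=$3 rc=0 cert_pub key_pub n
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "unreadable certificate: $cert"; return 2; }
  # -passin pass: makes an encrypted key fail instead of prompting.
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
    { echo "unreadable or passphrase-protected key: $key"; return 2; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "MISMATCH: private key does not belong to the certificate"; rc=1
  fi
  if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "CHAIN: certificate does not verify against $chain"; rc=1
  fi
  # Number of CA certificates in the chain file = steps from server cert to root.
  n=$(grep -c 'BEGIN CERTIFICATE' "$chain") || true
  echo "chain file holds $n CA certificate(s)"
  openssl x509 -in "$cert" -noout -subject -issuer
  return $rc
}

# Usage: script.sh server.crt server.key chain.crt
if [ "$#" -eq 3 ]; then check_ssl_files "$@"; fi
```

A mismatch or chain failure here points at the certificate installation rather than at the browser or at authentication.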

This is an archived mail posted to the Subversion Dev mailing list.