[TriLUG] Apache2 SSL - misconfig followup..

Myrhillion lug at blackwizard.net
Mon Apr 17 17:32:59 EDT 2006


Okay, I'm not terribly familiar with https...  so bearing that..

If the Listen 443 is in listen.conf, but the flag isn't set in apache...

Does this mean https:// is just serving http on 443 without actual 
encrypting the session?
Visually in the browser how is this signalled,  no lock?

I'm more curious about signs of misconfiguration than anything.
I am just taking a class that sort of touches on https but doesn't give 
specifics of implementation.
I was contemplating setting one up to get some hands on..

As I understand it, https is usually 3 things to an end-user.

1. A web server running on 443 typically.
    Is this just done by the browser trying to connect to a web server 
on port 443 if https:// is used?
    I also assume the port can be changed as usual, (e.g. 
https://securedwebserver.com:<unusual port number>)

2. A guarantee that this web server will encrypt traffic with the client 
browser, usually signalled by a lock icon in the browser.
   Otherwise it is regular http protocol traffic.

3. Verification of a certificate through a trusted third party like 
Verisign.

Finally, I understand the specific encryption implementations might vary 
between web servers.

I didn't find any site that touches on common misconfigurations or their 
avoidance.
Anyway, thanks for help on correcting my perceptions/comprehension at 
this point.

Doug Taggart

Brian Blater (BBList) wrote:

>Thanks,
>
>It is in the /etc/sysconfig/apache2 file and it is called APACHE_SERVER_FLAGS= on SLES9.
>
>Brian
>
>>>>On Mon, Apr 17, 2006 at 11:56 am, in message
><20060417155631.GA12388 at mail.trilug.org>, oberry at trilug.org wrote:
>
>>I can't comment on SLES 9, but on a RHEL 4 box I have
>>/etc/sysconfig/httpd, which has a section as follows:
>>
>># To pass additional options (for instance, -D definitions) to the
>># httpd binary at startup, set OPTIONS here.
>>#
>>#OPTIONS=
>>
>>Maybe you have the same system config file, or similar?
>>
>>Owen
>>
>>On Mon, Apr 17, 2006 at 10:59:40AM -0400, Brian Blater (BBList) wrote:
>>
>>>I have a SLES 9 box running Apache 2.0.54 happily. However, I would like to
>>>set up SSL and be able to access pages on the box using https://. Easy enough I
>>>thought. I looked in the listen.conf file and saw the following:
>>>
>>>Listen 80
>>>
>>><IfDefine SSL>
>>>    <IfDefine !NOSSL>
>>>        <IfModule mod_ssl.c>
>>>            Listen 443
>>>        </IfModule>
>>>    </IfDefine>
>>></IfDefine>
>>>
>>>This should mean that the server will listen on port 443, however it isn't.
>>>If I add a Listen 443 right under the Listen 80 it works. So, that got me
>>>wondering what this <ifdefine ssl> does and why it wasn't working. I did the
>>>google search and found a couple of things, one which mentioned apache2
>>>should be started with the -DSSL option (as seen in a ps awx | grep http), but
>>>I just see the following:
>>>
>>>21671 ?        Ss     0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
>>>
>>>So, what do I need to do to get apache2 to start on SLES with SSL support? I
>>>know I can just add the Listen 443 option manually, but this has become more
>>>of a quest for learning what the <ifdefine ssl> is for and why it isn't
>>>working.
>>>
>>>Thanks for your help.
>>>Brian
>
>  
>
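
An added example (not from the thread or from the distribution's packaging) that evaluates the quoted listen.conf against a set of -D flags, showing why 443 stays closed without -DSSL and flagging the manual `Listen 443` workaround. `active_ports` and `port_443_state` are hypothetical names, and the "plaintext-risk" verdict assumes the SSL virtual host is also guarded by `<IfDefine SSL>`.

```python
import re

# Constructed sample: the listen.conf quoted in the thread.
LISTEN_CONF = """\
Listen 80
<IfDefine SSL>
    <IfDefine !NOSSL>
        <IfModule mod_ssl.c>
            Listen 443
        </IfModule>
    </IfDefine>
</IfDefine>
"""

OPEN = re.compile(r"<(IfDefine|IfModule)\s+(!?)([^>\s]+)\s*>", re.I)
CLOSE = re.compile(r"</(IfDefine|IfModule)\s*>", re.I)
LISTEN = re.compile(r"Listen\s+(?:\S*:)?(\d+)\b", re.I)

def active_ports(conf, defines=(), modules=("mod_ssl.c",)):
    """Ports whose Listen line survives the enclosing IfDefine/IfModule tests.

    defines: names passed to httpd as -D<name>; modules: loaded module files
    (assumed here to include mod_ssl.c unless the caller says otherwise).
    """
    stack, ports = [], []
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):
            known = defines if m.group(1).lower() == "ifdefine" else modules
            # "!" inverts the test, as in <IfDefine !NOSSL>.
            stack.append((m.group(3) in known) != (m.group(2) == "!"))
        elif CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := LISTEN.match(line)) and all(stack):
            ports.append(int(m.group(1)))
    return ports

def port_443_state(conf, defines=()):
    """Classify 443 as 'closed', 'tls-expected' or 'plaintext-risk'."""
    if 443 not in active_ports(conf, defines):
        return "closed"
    # Assumption: the SSL virtual host (SSLEngine on) is itself wrapped in
    # <IfDefine SSL>, so without -DSSL nothing on 443 would speak TLS.
    return "tls-expected" if "SSL" in defines else "plaintext-risk"
```

Pass the flags actually set in APACHE_SERVER_FLAGS (or OPTIONS on RHEL) as `defines` to see what the running server would open.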



