Question about SSL configuration in Apache
Author: 지수아비 / Posted: Thu, 2009/04/16 - 10:50 AM
This is Apache 2.0.59, and I installed mod_ssl as an add-on.
When I check the modules through server-info, it shows the output below.
But the "Content handlers: none" part bothers me a bit. (Is that why it isn't working...?)
Module Name: mod_ssl.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs, Create Server Config, Merge Server Configs
Request Phase Participation: Post-Read Request, Check Access, Verify User ID, Verify User Access, Fixups
Module Directives:
  SSLMutex - Valid SSLMutex mechanisms are: `none', `default', `flock:/path/to/file', `fcntl:/path/to/file', `sysvsem', `posixsem', `pthread', `file:/path/to/file', `sem'
  SSLPassPhraseDialog - SSL dialog mechanism for the pass phrase query (`builtin', `|/path/to/pipe_program`, or `exec:/path/to/cgi_program')
  SSLSessionCache - SSL Session Cache storage (`none', `dbm:/path/to/file')
  SSLRandomSeed - SSL Pseudo Random Number Generator (PRNG) seeding source (`startup|connect builtin|file:/path|exec:/path [bytes]')
  SSLEngine - SSL switch for the protocol engine (`on', `off')
  SSLCipherSuite - Colon-delimited list of permitted SSL Ciphers (`XXX:...:XXX' - see manual)
  SSLCertificateFile - SSL Server Certificate file (`/path/to/file' - PEM or DER encoded)
  SSLCertificateKeyFile - SSL Server Private Key file (`/path/to/file' - PEM or DER encoded)
  SSLCertificateChainFile - SSL Server CA Certificate Chain file (`/path/to/file' - PEM encoded)
  SSLCACertificatePath - SSL CA Certificate path (`/path/to/dir' - contains PEM encoded files)
  SSLCACertificateFile - SSL CA Certificate file (`/path/to/file' - PEM encoded)
  SSLCARevocationPath - SSL CA Certificate Revocation List (CRL) path (`/path/to/dir' - contains PEM encoded files)
  SSLCARevocationFile - SSL CA Certificate Revocation List (CRL) file (`/path/to/file' - PEM encoded)
  SSLVerifyClient - SSL Client verify type (`none', `optional', `require', `optional_no_ca')
  SSLVerifyDepth - SSL Client verify depth (`N' - number of intermediate certificates)
  SSLSessionCacheTimeout - SSL Session Cache object lifetime (`N' - number of seconds)
  SSLProtocol - Enable or disable various SSL protocols (`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)
  SSLUserName - Set user name to SSL variable value
  SSLProxyEngine - SSL switch for the proxy protocol engine (`on', `off')
  SSLProxyProtocol - SSL Proxy: enable or disable SSL protocol flavors (`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)
  SSLProxyCipherSuite - SSL Proxy: colon-delimited list of permitted SSL ciphers (`XXX:...:XXX' - see manual)
  SSLProxyVerify - SSL Proxy: whether to verify the remote certificate (`on' or `off')
  SSLProxyVerifyDepth - SSL Proxy: maximum certificate verification depth (`N' - number of intermediate certificates)
  SSLProxyCACertificateFile - SSL Proxy: file containing server certificates (`/path/to/file' - PEM encoded certificates)
  SSLProxyCACertificatePath - SSL Proxy: directory containing server certificates (`/path/to/dir' - contains PEM encoded certificates)
  SSLProxyCARevocationPath - SSL Proxy: CA Certificate Revocation List (CRL) path (`/path/to/dir' - contains PEM encoded files)
  SSLProxyCARevocationFile - SSL Proxy: CA Certificate Revocation List (CRL) file (`/path/to/file' - PEM encoded)
  SSLProxyMachineCertificateFile - SSL Proxy: file containing client certificates (`/path/to/file' - PEM encoded certificates)
  SSLProxyMachineCertificatePath - SSL Proxy: directory containing client certificates (`/path/to/dir' - contains PEM encoded certificates)
  SSLOptions - Set one or more options to configure the SSL engine (`[+-]option[=value] ...' - see manual)
  SSLRequireSSL - Require the SSL protocol for the per-directory context (no arguments)
  SSLRequire - Require a boolean expression to evaluate to true for granting access (arbitrary complex boolean expression - see manual)
  SSLLog - SSLLog directive is no longer supported - use ErrorLog.
  SSLLogLevel - SSLLogLevel directive is no longer supported - use LogLevel.
Current Configuration:
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  SSLRandomSeed startup file:/dev/random 512
  SSLRandomSeed startup file:/dev/urandom 512
  SSLRandomSeed connect file:/dev/random 512
  SSLRandomSeed connect file:/dev/urandom 512
httpd.conf contains the following:
LoadModule ssl_module modules/mod_ssl.so
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>
ssl.conf looks like this:
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/random 512
SSLRandomSeed connect file:/dev/urandom 512
<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "/home/hodocs"
ServerName www.domainname:443
ServerAdmin root@domainname
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/certs/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/private/server.key
SSLCertificateChainFile /usr/local/apache/conf/certs/server.crt
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
Even after restarting Apache, connections to port 443 do not work.
It seems the inner part of the ssl.conf file is not being processed.
If I comment out the ... and ... parts and restart Apache, the daemon does not come up.
The error log is as below. What could be wrong?
[Wed Apr 01 14:46:15 2009] [notice] SIGHUP received. Attempting to restart
[Wed Apr 01 14:46:15 2009] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[Wed Apr 01 14:46:15 2009] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Wed Apr 01 14:46:15 2009] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Apr 01 14:46:15 2009] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Wed Apr 01 14:46:15 2009] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
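Two checks a practitioner can run against the files named by SSLCertificateKeyFile and SSLCertificateFile, and against the <IfDefine SSL> guard in ssl.conf, before restarting httpd. This is an added example, not code from the original post; it assumes the openssl CLI and a POSIX sh, and every key, certificate and config fragment it uses is constructed throwaway material.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is
# installed; every key, certificate and config file below is constructed
# throwaway test material.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

# key_status KEYFILE CERTFILE -> ok | encrypted | not-a-key | mismatch
# mod_ssl reads the key as PEM first and falls back to DER. A pass-phrase
# protected PEM key with no way to prompt (a SIGHUP restart has no terminal
# for SSLPassPhraseDialog builtin), or a file that is not a key at all, fails
# the PEM read; the DER fallback then logs the d2i_PrivateKey "bad tag" chain.
key_status() {
    key="$1"; cert="$2"
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null || { echo not-a-key; return; }
    grep -q ENCRYPTED "$key" && { echo encrypted; return; }
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || { echo not-a-key; return; }
    cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) || { echo mismatch; return; }
    [ "$kmod" = "$cmod" ] && echo ok || echo mismatch
}

# listen_guard CONF -> name of the <IfDefine> wrapping "Listen 443", or "none".
# Directives inside <IfDefine SSL> are skipped unless httpd is started with -DSSL.
listen_guard() {
    awk '/<IfDefine/ { sub(/.*<IfDefine[ \t]+/, ""); sub(/>.*/, ""); d = $0 }
         /<\/IfDefine>/ { d = "" }
         /^[ \t]*Listen[ \t]+443/ { print (d == "" ? "none" : d); exit }' "$1"
}

# Constructed material: a matching key/cert pair, a pass-phrase protected key,
# an unrelated key, and an ssl.conf fragment shaped like the one in the post.
openssl genrsa -out "$tmp/server.key" 2048 2>/dev/null
openssl req -new -x509 -key "$tmp/server.key" -days 1 \
    -subj "/CN=www.example.test" -out "$tmp/server.crt" 2>/dev/null
openssl genrsa -aes128 -passout pass:secret -out "$tmp/enc.key" 2048 2>/dev/null
openssl genrsa -out "$tmp/other.key" 2048 2>/dev/null
printf '<IfDefine SSL>\nListen 443\n</IfDefine>\n' > "$tmp/ssl.conf"

for k in server.key enc.key server.crt other.key; do
    echo "$k: $(key_status "$tmp/$k" "$tmp/server.crt")"
done
echo "Listen 443 guarded by: $(listen_guard "$tmp/ssl.conf")"
```

Run the same two functions against the real /usr/local/apache/conf paths from ssl.conf; a result other than "ok" for the key, or a guard name that httpd is not started with, explains the two symptoms separately.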