Probleme mit httpd und ssl


Well-Known Member
Hi Leute,
ich habe ein Problem mit apache24 und ssl. Das will einfach nicht funktionieren.
Der apache ist schon laenger im Betrieb und lief bis data nur unter port 80.

Was mache ich dann gemacht.

1. Zertifikate erstellt
der /usr/local/etc/apache24/httpd.conf
LoadModule ssl_module libexec/apache24/
rekommentiert (sonst standard config)

Datei /usr/local/etc/apache24/extra/httpd-ssl.conf gesichert
und neu ediert:
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see <URL:>
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
# Required modules: mod_log_config, mod_setenvif, mod_ssl,
#          socache_shmcb_module (for default value of SSLSessionCache)

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
Listen 443

##  SSL Global Context
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate,
#   and that httpd will negotiate as the client of a proxied server.
#   See the OpenSSL documentation for a complete list of ciphers, and
#   ensure these follow appropriate best practices for this deployment.
#   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
#   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

#  By the end of 2016, only TLSv1.2 ciphers should remain in use.
#  Older ciphers should be disallowed as soon as possible, while the
#  kRSA ciphers do not offer forward secrecy.  These changes inhibit
#  older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
#  non-browser tooling) from successfully connecting. 
#  To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
#  those protocols which do not support forward secrecy, replace
#  the SSLCipherSuite and SSLProxyCipherSuite directives above with
#  the following two directives, as soon as practical.
# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

#   User agents such as web browsers are not configured for the user's
#   own preference of either security or performance, therefore this
#   must be the prerogative of the web server administrator who manages
#   cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on

#   SSL Protocol support:
#   List the protocol versions which clients are allowed to connect with.
#   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
#   disabled as quickly as practical.  By the end of 2016, only the TLSv1.2
#   protocol or later should remain in use.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         "dbm:/var/run/ssl_scache"
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300

#   OCSP Stapling (requires OpenSSL 0.9.8h or later)
#   This feature is disabled by default and requires at least
#   the two directives SSLUseStapling and SSLStaplingCache.
#   Refer to the documentation on OCSP Stapling in the SSL/TLS
#   How-To for more information.
#   Enable stapling for all SSL-enabled servers:
#SSLUseStapling On

#   Define a relatively small cache for OCSP Stapling using
#   the same mechanism that is used for the SSL session cache
#   above.  If stapling is used with more than a few certificates,
#   the size may need to be increased.  (AH01929 will be logged.)
#SSLStaplingCache "shmcb:/var/run/ssl_stapling(32768)"

#   Seconds before valid OCSP responses are expired from the cache
#SSLStaplingStandardCacheTimeout 3600

#   Seconds before invalid OCSP responses are expired from the cache
#SSLStaplingErrorCacheTimeout 600

## SSL Virtual Host Context

<VirtualHost *:443>
    DocumentRoot "/usr/local/www/apache24/data"
    ServerName sauron:443
    ErrorLog "/var/log/httpd-error.log"
    TransferLog "/var/log/httpd-access.log"
    SSLEngine on
    SSLCertificateFile "/etc/ssl/certs/selfsigned.crt"
    SSLCertificateKeyFile "/etc/ssl/private/selfsigned.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    <Directory "/usr/local/www/apache24/cgi-bin">
            SSLOptions +StdEnvVars
    BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog "/var/log/httpd-ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

4. dann die synax gecheckt = ok
5. apache neustart

Aber nichts geht und der log vom httpd gibt mir immer aus:
[Wed Nov 20 20:13:25.978484 2019] [ssl:warn] [pid 2741] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Nov 20 20:13:26.132256 2019] [mpm_prefork:notice] [pid 2741] AH00163: Apache/2.4.41 (FreeBSD) OpenSSL/1.1.1a-freebsd PHP/7.2.24 configured -- resuming normal operations
[Wed Nov 20 20:13:26.132448 2019] [core:notice] [pid 2741] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
Keine Ahnung. Keine Loesung gefunden. Beende jetzt meine Arbeit und werde mir erst mal n paar Bierchen goennen :/

Mir fallen da zumindest drei Dinge auf:

ServerName sauron:443

Bei namensbasierten Vhosts soll / muss der ServerName der FQDN sein, unter dem der Vhost aufgerufen wird. Der Port hat da nichts zu suchen.

<FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    <Directory "/usr/local/www/apache24/cgi-bin">
            SSLOptions +StdEnvVars

Die StdEnvVars brauchst du wahrscheinlich nicht, aber sie sollten auch nicht schaden.

BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

Weg damit. Wer so steinalte Internet Explorer Versionen tatsächlich noch einsetzt, hat ganz andere Probleme und selbst schuld. Darauf sollte man keine Rücksicht mehr nehmen. :)