Apache, Lighttpd, nginx, Cherokee
TecServer
Provider
Posts: 84 Joined: 2006-04-08 21:41
Post
by TecServer » 2007-09-23 18:57
Hello everyone,
I bought a real Thawte certificate, installed it, and it worked flawlessly for a good 6 months. Now, after the upgrade to Apache 2.2, HTTPS no longer works, and when the site is requested the following errors show up in the error_log:
Code: Select all
[Sun Sep 23 18:21:47 2007] [info] [client 85.127.60.61] Connection to child 0 established (server www.domain.com:443)
[Sun Sep 23 18:21:47 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 18:21:47 2007] [info] Client requested a 'session-resume' but we have no such session.
[Sun Sep 23 18:21:47 2007] [info] Initial (No.1) HTTPS request received for child 0 (server www.domain.com:443)
[Sun Sep 23 18:21:47 2007] [error] [client 85.127.60.61] client denied by server configuration: /var/www/domain/favicon.ico
[Sun Sep 23 18:21:49 2007] [info] Subsequent (No.2) HTTPS request received for child 0 (server www.domain.com:443)
[Sun Sep 23 18:21:49 2007] [error] [client 85.127.60.61] client denied by server configuration: /var/www/domain/
[Sun Sep 23 18:21:49 2007] [info] Subsequent (No.3) HTTPS request received for child 0 (server www.domain.com:443)
[Sun Sep 23 18:21:49 2007] [error] [client 85.127.60.61] client denied by server configuration: /var/www/domain/favicon.ico
[Sun Sep 23 18:21:49 2007] [info] [client 85.127.60.61] Connection to child 1 established (server www.domain.com:443)
[Sun Sep 23 18:21:49 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 18:21:49 2007] [info] [client 85.127.60.61] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Sun Sep 23 18:21:49 2007] [info] [client 85.127.60.61] Connection closed to child 1 with abortive shutdown (server www.domain.com:443)
[Sun Sep 23 18:21:49 2007] [info] [client 85.127.60.61] Connection to child 2 established (server www.domain.com:443)
[Sun Sep 23 18:21:49 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 18:21:49 2007] [info] Initial (No.1) HTTPS request received for child 2 (server www.domain.com:443)
[Sun Sep 23 18:21:49 2007] [error] [client 85.127.60.61] client denied by server configuration: /var/www/domain/favicon.ico
[Sun Sep 23 18:22:04 2007] [info] [client 85.127.60.61] (70007)The timeout specified has expired: SSL input filter read failed.
[Sun Sep 23 18:22:04 2007] [info] [client 85.127.60.61] Connection closed to child 0 with standard shutdown (server www.domain.com:443)
[Sun Sep 23 18:22:04 2007] [info] [client 85.127.60.61] (70007)The timeout specified has expired: SSL input filter read failed.
[Sun Sep 23 18:22:04 2007] [info] [client 85.127.60.61] Connection closed to child 2 with standard shutdown (server www.domain.com:443)
On restart, the following output appears:
Code: Select all
[Sun Sep 23 18:19:39 2007] [notice] caught SIGTERM, shutting down
[Sun Sep 23 18:19:40 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 23 18:19:40 2007] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 18:19:40 2007] [info] Loading certificate & private key of SSL-aware server
[Sun Sep 23 18:19:40 2007] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun Sep 23 18:19:40 2007] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun Sep 23 18:19:40 2007] [info] Init: Initializing (virtual) servers for SSL
[Sun Sep 23 18:19:40 2007] [info] Configuring server for SSL protocol
[Sun Sep 23 18:19:40 2007] [info] mod_ssl/2.2.6 compiled against Server: Apache/2.2.6, Library: OpenSSL/0.9.8e
[Sun Sep 23 18:19:40 2007] [notice] Digest: generating secret for digest authentication ...
[Sun Sep 23 18:21:32 2007] [notice] Digest: done
[Sun Sep 23 18:21:32 2007] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 18:21:32 2007] [info] Loading certificate & private key of SSL-aware server
[Sun Sep 23 18:21:32 2007] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sun Sep 23 18:21:32 2007] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sun Sep 23 18:21:32 2007] [info] Shared memory session cache initialised
[Sun Sep 23 18:21:32 2007] [info] Init: Initializing (virtual) servers for SSL
[Sun Sep 23 18:21:32 2007] [info] Configuring server for SSL protocol
[Sun Sep 23 18:21:32 2007] [info] mod_ssl/2.2.6 compiled against Server: Apache/2.2.6, Library: OpenSSL/0.9.8e
[Sun Sep 23 18:21:32 2007] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8e PHP/5.2.4-pl2-gentoo configured -- resuming normal operations
[Sun Sep 23 18:21:32 2007] [info] Server built: Sep 18 2007 10:32:12
According to server-info, mod_ssl is loaded correctly.
Does any of you have advice? I'm a bit confused that this no longer works, and the log information is rather sparse.
Joe User
Project Manager
Posts: 11182 Joined: 2003-02-27 01:00
Location: Hamburg
Post
by Joe User » 2007-09-23 19:34
Please post your complete mod_ssl configuration and the SSL vhost.
TecServer
Provider
Posts: 84 Joined: 2006-04-08 21:41
Post
by TecServer » 2007-09-23 19:43
mod_ssl.conf
Code: Select all
<IfDefine SSL>
<IfModule !mod_ssl.c>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
</IfDefine>
<IfModule mod_ssl.c>
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
# Note: This must come before the <IfDefine SSL> container to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
<IfModule mod_mime.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfModule>
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shmht:logs/ssl_scache(512000)
#SSLSessionCache shmcb:logs/ssl_scache(512000)
#SSLSessionCache dbm:/var/cache/apache2/ssl_scache
SSLSessionCache shm:/var/cache/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/cache/apache2/ssl_mutex
</IfModule>
ssl vhost:
Code: Select all
<VirtualHost *:443>
ServerName www.domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/domain
ScriptAlias /cgi-bin/ /var/www/domain/cgi-bin/
suPHP_ConfigPath /data/php/domain
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateKeyFile /home/user/ssl/www_domain_com.key
SSLCertificateFile /home/user/ssl/www_domain_com.cert
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/domain/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</IfModule>
suPHP_UserGroup domain domain
</VirtualHost>
Joe User
Project Manager
Posts: 11182 Joined: 2003-02-27 01:00
Location: Hamburg
Post
by Joe User » 2007-09-23 20:28
Please set domain and the certificate paths to suit your own setup:
Code: Select all
<IfModule ssl_module>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
<VirtualHost _default_:443>
ServerName domain:443
ServerAdmin webmaster@domain
DocumentRoot "/var/www/domain"
<Directory "/var/www/domain">
Options -All +FollowSymLinks
AllowOverride Options FileInfo AuthConfig Limit
Order allow,deny
Allow from all
</Directory>
ErrorLog "/var/log/apache2/ssl_error_log"
TransferLog "/var/log/apache2/ssl_access_log"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/etc/apache2/ssl/apache.crt"
SSLCertificateKeyFile "/etc/apache2/ssl/apache.key"
<FilesMatch "\.(cgi|shtml|pl|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/domain/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog "/var/log/apache2/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
suPHP_ConfigPath /data/php/domain
suPHP_UserGroup domain domain
</VirtualHost>
</IfModule>
TecServer
Provider
Posts: 84 Joined: 2006-04-08 21:41
Post
by TecServer » 2007-09-23 20:40
That didn't help.
Now the following appears in the log on an SSL request:
Code: Select all
[Sun Sep 23 20:32:58 2007] [info] Loading certificate & private key of SSL-aware server
[Sun Sep 23 20:32:58 2007] [info] Configuring server for SSL protocol
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] Connection to child 0 established (server www.domain.com:443)
[Sun Sep 23 20:32:58 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Sun Sep 23 20:32:58 2007] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] Connection to child 0 established (server www.domain.com:443)
[Sun Sep 23 20:32:58 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Sun Sep 23 20:32:58 2007] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] Connection to child 0 established (server www.domain.com:443)
[Sun Sep 23 20:32:58 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Sun Sep 23 20:32:58 2007] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] Connection to child 0 established (server www.domain.com:443)
[Sun Sep 23 20:32:58 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Sun Sep 23 20:32:58 2007] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] Connection to child 0 established (server www.domain.com:443)
[Sun Sep 23 20:32:58 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:32:58 2007] [info] [client 127.0.0.1] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Sun Sep 23 20:32:58 2007] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
[Sun Sep 23 20:33:01 2007] [info] Loading certificate & private key of SSL-aware server
[Sun Sep 23 20:33:01 2007] [info] Configuring server for SSL protocol
[Sun Sep 23 20:33:32 2007] [info] Loading certificate & private key of SSL-aware server
[Sun Sep 23 20:33:32 2007] [info] Configuring server for SSL protocol
[Sun Sep 23 20:35:28 2007] [info] [client 85.127.60.61] Connection to child 1 established (server www.domain.com:443)
[Sun Sep 23 20:35:28 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:35:28 2007] [info] Initial (No.1) HTTPS request received for child 1 (server www.domain.com:443)
[Sun Sep 23 20:35:28 2007] [error] [client 85.127.60.61] client denied by server configuration: /var/www/domain/
[Sun Sep 23 20:35:29 2007] [info] Subsequent (No.2) HTTPS request received for child 1 (server www.domain.com:443)
[Sun Sep 23 20:35:29 2007] [error] [client 85.127.60.61] client denied by server configuration: /var/www/domain/favicon.ico
[Sun Sep 23 20:35:29 2007] [info] [client 85.127.60.61] Connection to child 2 established (server www.domain.com:443)
[Sun Sep 23 20:35:29 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:35:29 2007] [info] [client 85.127.60.61] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Sun Sep 23 20:35:29 2007] [info] [client 85.127.60.61] Connection closed to child 2 with abortive shutdown (server www.domain.com:443)
[Sun Sep 23 20:35:29 2007] [info] [client 85.127.60.61] Connection to child 3 established (server www.domain.com:443)
[Sun Sep 23 20:35:29 2007] [info] Seeding PRNG with 136 bytes of entropy
[Sun Sep 23 20:35:29 2007] [info] Subsequent (No.3) HTTPS request received for child 1 (server www.domain.com:443)
[Sun Sep 23 20:35:29 2007] [error] [client 85.127.60.61] client denied by server configuration: /var/www/domain/favicon.ico
[Sun Sep 23 20:35:29 2007] [info] Initial (No.1) HTTPS request received for child 3 (server www.domain.com:443)
[Sun Sep 23 20:35:29 2007] [error] [client 85.127.60.61] client denied by server configuration: /var/www/domain/favicon.ico
[Sun Sep 23 20:35:44 2007] [info] [client 85.127.60.61] (70007)The timeout specified has expired: SSL input filter read failed.
[Sun Sep 23 20:35:44 2007] [info] [client 85.127.60.61] Connection closed to child 1 with standard shutdown (server www.domain.com:443)
[Sun Sep 23 20:35:44 2007] [info] [client 85.127.60.61] (70007)The timeout specified has expired: SSL input filter read failed.
[Sun Sep 23 20:35:44 2007] [info] [client 85.127.60.61] Connection closed to child 3 with standard shutdown (server www.domain.com:443)
Joe User
Project Manager
Posts: 11182 Joined: 2003-02-27 01:00
Location: Hamburg
Post
by Joe User » 2007-09-23 20:59
Code: Select all
emerge --info
emerge -pv apache openssl
rc-update show
TecServer
Provider
Posts: 84 Joined: 2006-04-08 21:41
Post
by TecServer » 2007-09-23 21:04
emerge --info:
Code: Select all
emerge --info
Portage 2.1.3.9 (default-linux/x86/2006.1, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 i686)
=================================================================
System uname: 2.6.22-gentoo-r2 i686 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Timestamp of tree: Mon, 17 Sep 2007 16:20:01 +0000
app-shells/bash: 3.2_p17
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.21
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -pipe -mmmx -msse"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=pentium4 -O2 -pipe -mmmx -msse"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://gentoo.inode.at/source/ http://gentoo.intergenia.de http://gd.tuwien.ac.at/opsys/linux/gentoo/ http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="apache2 bcmath berkdb big-tables bitmap-fonts bzip2 bzlib calendar cgi checkpath cjk clamav clamd cli cracklib crypt ctype curl curlwrappers dbx dri exif extraengine force-cgi-redirect fortran ftp gd gdbm gpm graphicsmagick hash iconv imagemagick imap innodb ipv6 isdnlog jpeg k latin1 ldap libwww maildir mhash midi mime mudflap mysql ncurses nls nptl nptlonly openmp pam pam-mysql pcre pdf pdo perl perll php png ppds pppd python readline reflection sasl session sharedmem simplexml soap sockets spamd spl sse2 ssl subject-rewrite symlink tcpd truetype-fonts type1-fonts unicode vroot x86 xml xmlreader xmlrpc xmlwriter xorg xsl zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
emerge -pv apache openssl:
Code: Select all
[ebuild R ] www-servers/apache-2.2.6 USE="ldap ssl -debug -doc -mpm-event -mpm-itk -mpm-peruser -mpm-prefork -mpm-worker -no-suexec (-selinux) -static-modules -threads" 0 kB
[ebuild R ] dev-libs/openssl-0.9.8e-r2 USE="sse2 zlib -bindist -emacs -test" 0 kB
I don't know what you want to do with rc-update show - it can't have anything to do with this :-/
Apache is on default in any case ;)
Joe User
Project Manager
Posts: 11182 Joined: 2003-02-27 01:00
Location: Hamburg
Post
by Joe User » 2007-09-23 21:29
What are you actually running there, a desktop or a server?
http://www.rootforum.org/wiki/howto/gentoo
`rc-update show` would have shown whether `rc-update add urandom boot` would have solved your problem. However, since you are missing USE flags that are essential for server operation and are instead using countless USE flags for desktop use, that is moot anyway. By the way, your main problem, especially with OpenSSL, lies in your C(XX)FLAGS...
TecServer
Provider
Posts: 84 Joined: 2006-04-08 21:41
Post
by TecServer » 2007-09-23 21:32
urandom is already set to boot. It is a server that is being run - which USE flags would you set for it?
Where do you see the problem with the C flags?
Joe User
Project Manager
Posts: 11182 Joined: 2003-02-27 01:00
Location: Hamburg
Post
by Joe User » 2007-09-23 21:40
Just read my HowTo for Gentoo Hardened on root servers in the wiki; I already posted the link. Your C(XX)FLAGS contain "-mmmx -msse", which is deadly not only for OpenSSL...
TecServer
Provider
Posts: 84 Joined: 2006-04-08 21:41
Post
by TecServer » 2007-09-23 21:41
I'm already reading through the tutorial.
The question I have, though: why did SSL work with Apache 2.0 then, and why does it also work on the other server I own? -mmmx -msse is set there as well.
TecServer
Provider
Posts: 84 Joined: 2006-04-08 21:41
Post
by TecServer » 2007-09-27 10:20
Hello Joe,
I redid a few things on my server and adapted them to the instructions in your tutorial, but unfortunately there is still no improvement in sight :(
Do you perhaps have any other advice? Could it be that the SSL module took a hit from the switch from Apache 2.0 to 2.2? Apache fundamentally changed its API, which is why I also had to recompile suPHP - maybe mod_ssl isn't available for 2.2 yet?
Joe User
Project Manager
Posts: 11182 Joined: 2003-02-27 01:00
Location: Hamburg
Post
by Joe User » 2007-09-27 10:48
mod_ssl has been one of the standard modules since Apache 2.0 and is therefore always compatible with the respective Apache version.
Unfortunately I cannot reproduce your error on my system:
Code: Select all
gentoo ~ # emerge -pv apache openssl
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] www-servers/apache-2.2.6-r1 USE="mpm-worker ssl threads -debug -doc -ldap -mpm-event -mpm-itk -mpm-peruser -mpm-prefork -no-suexec (-selinux) -static-modules" 0 kB
[ebuild R ] dev-libs/openssl-0.9.8e-r2 USE="sse2 zlib -bindist -emacs -test" 0 kB
Total: 2 packages (2 reinstalls), Size of downloads: 0 kB
gentoo ~ #
For the configuration, see the wiki.
TecServer
Provider
Posts: 84 Joined: 2006-04-08 21:41
Post
by TecServer » 2007-10-01 02:38
The problem has been found and eliminated. As it looks, it is not enough for the new mod_ssl if only the DocRoot is specified; a Directory directive must also be present in the SSL vhost, otherwise the system acts up with the SSL error messages above.
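The fix described in the last post, as an added example that is not part of the thread: a Python check that reports virtual hosts whose DocumentRoot is not covered by any `<Directory>` block granting access, the condition that produces `client denied by server configuration` when the server-wide config denies `/` by default. `VHOST_BEFORE` is constructed from the vhost posted above; the function names and the `SERVER_DEFAULT` deny block are assumptions.

```python
import re

# Constructed sample: the SSL vhost posted in the thread, reduced to the
# lines that matter for access control.
VHOST_BEFORE = """\
<VirtualHost *:443>
ServerName www.domain.com
DocumentRoot /var/www/domain
SSLEngine on
<Directory "/var/www/domain/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
"""

# Same vhost with an explicit grant for the DocumentRoot (Apache 2.2 syntax).
VHOST_AFTER = VHOST_BEFORE.replace(
    "SSLEngine on\n",
    'SSLEngine on\n<Directory "/var/www/domain">\n'
    "Order allow,deny\nAllow from all\n</Directory>\n",
)

# Assumed server-wide default: deny everything unless a narrower block allows it.
SERVER_DEFAULT = "<Directory />\nOrder deny,allow\nDeny from all\n</Directory>\n"

OPEN = re.compile(r"<(VirtualHost|Directory)\s+([^>]+)>", re.I)
DOCROOT = re.compile(r"DocumentRoot\s+(.+)", re.I)
GRANT = re.compile(r"(Allow\s+from\s+all|Require\s+all\s+granted)\b", re.I)


def norm(path):
    """Strip quotes and a trailing slash so paths compare cleanly."""
    return path.strip().strip("\"'").rstrip("/") or "/"


def covers(directory, docroot):
    """True if the <Directory> path is the docroot or one of its parents."""
    return directory == "/" or docroot == directory or docroot.startswith(directory + "/")


def ungranted_docroots(conf):
    """Return (vhost, docroot) pairs with no <Directory> grant covering the docroot."""
    # Heuristic: looks for an explicit allow only, not Apache's full merge rules.
    server_grants, vhosts = set(), []
    vhost = cur_dir = None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened, docroot = OPEN.match(line), DOCROOT.match(line)
        if opened and opened.group(1).lower() == "virtualhost":
            vhost = {"name": opened.group(2).strip(), "docroot": None, "grants": set()}
            vhosts.append(vhost)
        elif opened:
            cur_dir = norm(opened.group(2))
        elif line.lower() == "</directory>":
            cur_dir = None
        elif line.lower() == "</virtualhost>":
            vhost = None
        elif vhost and docroot:
            vhost["docroot"] = norm(docroot.group(1))
        elif cur_dir and GRANT.match(line):
            # Grants outside any vhost apply server-wide.
            (vhost["grants"] if vhost else server_grants).add(cur_dir)
    return [(v["name"], v["docroot"]) for v in vhosts if v["docroot"]
            and not any(covers(d, v["docroot"]) for d in v["grants"] | server_grants)]


if __name__ == "__main__":
    for label, vhost_conf in (("before", VHOST_BEFORE), ("after", VHOST_AFTER)):
        print(label, ungranted_docroots(SERVER_DEFAULT + vhost_conf))
```

The `cgi-bin` block in the original vhost does not count, because it is a child of the DocumentRoot and only sets `SSLOptions`.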