I'm trying to learn how to get SSL up and running on an Apache 2.4 webserver (Windows Server 2012). I had the web server and PHP up and running perfectly fine without SSL.

  • I generated my cert and key and placed them in C:\Apache24\conf
  • I modified httpd.conf in the following way:

LoadModule ssl_module modules/mod_ssl.so
Include C:/Apache24/conf/openssl.cnf

  • I modified c:/Apache24/conf/extra/httpd-ssl.conf in the following way:

SSLCertificateFile "c:/Apache24/conf/server.crt"
SSLCertificateKeyFile "c:/Apache24/conf/server.key"
DocumentRoot "c:/Apache24/htdocs"

  • I added the following System Environment Variable:

Variable Name: OPENSSL_CONF
Variable Value: C:\Apache24\conf\openssl.cnf

I've hit a point where Apache will not start due to the following error.

Running httpd -t in PowerShell gives the result:

: Syntax error on line 8 of C:/Apache24/conf/openssl.cnf:
Invalid command 'HOME', perhaps misspelled or defined by a module not included in the server configuration

The following are lines 6 through 9 of openssl.cnf (I have not modified this file.)

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

Any help is appreciated. Thanks!

Daedalus7
  • 3
  • 2
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Web Applications Stack Exchange](http://webapps.stackexchange.com/), [Webmaster Stack Exchange](http://webmasters.stackexchange.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Dec 05 '17 at 20:49

1 Answer

0

You are basically trying to include a third party config file inside httpd configuration, which will never yield a good result because Apache httpd will never recognize what's in there. Remove that include.

If you want to add system variables you can use the PassEnv directive from the mod_env module.

To get SSL up and running all you need is an SSL VirtualHost like this:

In your server config something like:

LoadModule ssl_module modules/mod_ssl.so
<IfModule mod_ssl.c>
        Listen 443
        LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
        SSLProtocol all -SSLv3
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        SSLHonorCipherOrder     on
        SSLCompression          off
        SSLSessionTickets       off
        # file:/dev/urandom does not exist on Windows; use "builtin" there
        # (httpd does not allow a comment on the same line as a directive)
        SSLRandomSeed startup file:/dev/urandom 2048
        SSLRandomSeed connect file:/dev/urandom 2048
        SSLSessionCache shmcb:/path/to/logs/ssl_gcache_data(512000)
</IfModule>

And the Virtualhost:

<VirtualHost *:443>
ServerName myssllvh.example.com
DocumentRoot /filesystem/path/to/docroot
CustomLog /path/to/logs/mysslvh.log combined
ErrorLog /path/to/logs/mysslvh-error.log

SSLEngine on
SSLCertificateFile /path/to/certs/mysslvh.crt
SSLCertificateKeyFile /path/to/certs/mysslvh.key

# Other stuff here
</VirtualHost>
Daniel Ferradal
  • 2,727
  • 1
  • 13
  • 19
  • Thanks! The Apache server will start now. I changed the /dev/urandom path to C:/Temp/rand.... However, when I try to visit the site in Firefox I get "SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG" – Daedalus7 Dec 05 '17 at 23:19
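The answer above makes two points: httpd must not Include openssl.cnf (it is an OpenSSL config, so httpd chokes on its first key/value line), and TLS needs its own *:443 VirtualHost with SSLEngine on. The follow-up comment's SSL_ERROR_RX_RECORD_TOO_LONG is the classic symptom of the second point going wrong: the client reaches port 443, gets plain HTTP back, and reads "HTTP/1.1 ..." as a TLS record header whose length field is far above the record limit. As an added example (my code, not the answerer's and not Apache's), the Python script below lints a config snippet for exactly the mistakes in this thread, shows the record-header arithmetic behind the browser error, and ends with a live probe you can point at your own server. The config snippets and byte strings are constructed samples, and the probe's host and port are whatever you pass in.

```python
import re
import socket
import ssl
import struct

TLS_MAX_RECORD = 16384 + 2048  # 2^14 bytes of plaintext plus the expansion RFC 5246 permits
_VHOST_443_OPEN = re.compile(r"^<VirtualHost\s+[^>]*:443\s*>", re.I)
_VHOST_CLOSE = re.compile(r"^</VirtualHost\s*>", re.I)


def audit_httpd_config(text, windows=True):
    """Lint an httpd config snippet for the mistakes seen in this thread and
    return the findings as strings (an empty list means nothing was found)."""
    findings = []
    in_443 = ssl_engine_on = listens_443 = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "#" in re.sub(r'"[^"]*"', "", line):  # httpd only allows whole-line comments
            findings.append(f"line {n}: comment after a directive; httpd rejects inline comments")
        if re.match(r"^Include\s+.*openssl\.cnf", line, re.I):
            findings.append(f"line {n}: Include of openssl.cnf; httpd cannot parse OpenSSL config ('HOME = .' is no directive)")
        if re.match(r"^Listen\s+(\S+:)?443\b", line, re.I):
            listens_443 = True
        if windows and re.match(r"^SSLRandomSeed\s+\S+\s+file:/dev/urandom", line, re.I):
            findings.append(f"line {n}: file:/dev/urandom does not exist on Windows; use 'builtin'")
        if _VHOST_443_OPEN.match(line):
            in_443, ssl_engine_on = True, False
        elif in_443 and re.match(r"^SSLEngine\s+on$", line, re.I):
            ssl_engine_on = True
        elif in_443 and _VHOST_CLOSE.match(line):
            if not ssl_engine_on:
                findings.append(f"line {n}: *:443 VirtualHost without 'SSLEngine on'; it serves plain HTTP on 443")
            in_443 = False
    if not listens_443:
        findings.append("no 'Listen 443' directive; httpd will not accept TLS connections")
    return findings


def parse_record_header(data):
    """Read the five-byte TLS record header: content type, version, length."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"content_type": ctype, "version": (major, minor), "length": length}


def classify_reply(data):
    """Classify the first bytes a client receives from a :443 socket.
    'HTTP/1.1 ...' read as a TLS header gives type 0x48, version (0x54, 0x54)
    and length 0x502F = 20527, above the record limit: that is what Firefox
    reports as SSL_ERROR_RX_RECORD_TOO_LONG."""
    if len(data) < 5:
        return "unknown"
    if data.startswith(b"HTTP/"):
        return "plain-http"
    hdr = parse_record_header(data)
    if hdr["content_type"] in (21, 22) and hdr["version"][0] == 3 and hdr["length"] <= TLS_MAX_RECORD:
        return "tls"  # alert (21) or handshake (22) record from a real TLS listener
    return "unknown"


def probe_tls_port(host, port=443, timeout=5.0):
    """Live check (needs network; not exercised by the tests): try a TLS
    handshake and, if it fails, look at the raw bytes the port sends back to a
    plain HTTP request. Verification is off because this diagnoses the
    transport, not the certificate's trust."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"tls ok: {tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError:
        pass  # fall through and inspect the raw reply
    with socket.create_connection((host, port), timeout) as raw:
        raw.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        return "handshake failed; port speaks " + classify_reply(raw.recv(64))


# Constructed samples: the questioner's setup as described, then a corrected one.
BROKEN_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
Include C:/Apache24/conf/openssl.cnf
SSLRandomSeed startup file:/dev/urandom 2048 # adapt for windows
<VirtualHost *:443>
DocumentRoot "c:/Apache24/htdocs"
SSLCertificateFile "c:/Apache24/conf/server.crt"
SSLCertificateKeyFile "c:/Apache24/conf/server.key"
</VirtualHost>
"""
FIXED_CONF = (BROKEN_CONF
    .replace("Include C:/Apache24/conf/openssl.cnf", "Listen 443")
    .replace("file:/dev/urandom 2048 # adapt for windows", "builtin")
    .replace("<VirtualHost *:443>", "<VirtualHost *:443>\nSSLEngine on"))

if __name__ == "__main__":
    for f in audit_httpd_config(BROKEN_CONF):
        print("BROKEN:", f)
    print("FIXED:", audit_httpd_config(FIXED_CONF) or "no findings")
    print(classify_reply(b"HTTP/1.1 200 OK\r\n"), parse_record_header(b"HTTP/1.1 200 OK"))
```

Run the file as-is to see the five findings against the broken snippet and none against the corrected one; then call probe_tls_port("your.host") from a REPL to learn whether your :443 listener actually speaks TLS or is still answering plain HTTP, which is the distinction behind the "record too long" message.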