On Wed, Sep 26, 2001 at 12:12:08AM +0800, Eric Boo wrote:
> Hi all,
>
> I'm using SID. I installed apache-ssl and even though it loaded
> without any error messages, I realized that netstat -an|grep 443 gives
> nothing. ps aux shows that gcache is running.
>
> So I purged it and installed apache + mod-ssl. Port 80 works but netstat
> -an|grep 443 still gives nothing. No error messages.
>
> In both cases, https://127.0.0.1 gives "Connection refused".
>
> Any idea what's wrong?
>

Wild guess (never done this myself):

There are probably some configuration tasks to perform to tell apache to
actually listen for ssl connections.

Also, any https server needs to have a certificate issued by someone the
user's browser is configured to trust for signing certificates for
servers by that name.

The (generic) procedure goes like this:

1. Server operator chooses a DNS name which will be embedded in the
   certificate. Browsers will show nasty security alarms if the user
   types https://secure.funny.yy and the server replies with a
   certificate issued to https://www.funny.yy because the browser thinks
   someone may be redirecting traffic or stealing identities.

2. Server operator runs some command (openssl?) to generate a random
   private key (which will be sent NOWHERE) and a matching public key
   (which will be sent everywhere) plus a request for it to be certified
   for use with the name chosen in 1.

3. Server operator contacts Verisign or a Verisign competitor, pays them
   $$ and goes through several days of identity checks. You can use
   openssl to run your own Verisign-competing operation for test
   purposes and you can TRY to convince people to tell their browsers to
   trust you as being as trustworthy as Verisign.

4. Verisign sends server operator (and anyone else asking) a certificate
   where they state for the record that the public key from step 2 does
   truly identify the rightful operator of the DNS name certified.

5. On every https connection apache sends the certificate to the browser
   BEFORE seeing the URL (that is why you can't have two https server
   names on the same IP address).

6. The browser checks that the certificate was signed by Verisign,
   matches the public key from step 2 and the DNS name in the URL.

I guess apache is waiting for you to complete step 2 or 4.

Hope this helps

--
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.
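
Steps 1 to 6 above, run end to end with a throwaway test CA, as an added example that is not part of the original message. It assumes the `openssl` command line tool (1.1.1 or later); the helper names `make_test_chain` and `check_cert` are hypothetical, and the two host names are the ones used in the message.

```shell
#!/bin/sh
# Added example. make_test_chain and check_cert are hypothetical helper names.

# make_test_chain DIR NAME: steps 1-4 with a throwaway CA in place of Verisign.
make_test_chain() {
    dir=$1; name=$2
    # Step 3 (test variant): a self-signed CA that only this test trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Step 2: private key (never leaves the server) and a request for NAME.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # Step 4: the CA signs the request, binding the public key to NAME.
    printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/server.csr" -days 1 -extfile "$dir/ext.cnf" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# check_cert DIR NAME: the step 6 checks, as an operator can run them locally.
# Prints ok, untrusted, key-mismatch or name-mismatch.
check_cert() {
    dir=$1; name=$2
    # Was the certificate signed by a CA we trust?
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo untrusted; return 0; }
    # Does its public key belong to the key pair from step 2? (A browser
    # learns this from the handshake; the operator can compare directly.)
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo key-mismatch; return 0; }
    # Was it issued for the name in the URL?
    if openssl x509 -in "$dir/server.crt" -noout -checkhost "$name" \
        | grep -q 'does match'; then echo ok; else echo name-mismatch; fi
}

# Demo with the two names from the message.
demo_dir=$(mktemp -d)
make_test_chain "$demo_dir" secure.funny.yy
check_cert "$demo_dir" secure.funny.yy
check_cert "$demo_dir" www.funny.yy
```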