Notes |
(0011053)
dragongeek (reporter)
2015-09-17 23:31
|
Forgot to mention, this is on the x86 architecture. We will, however, also want to install the latest versions of Apache and SSL on SPARC, after we complete all testing and security configuration documentation. |
|
(0011054)
dam (administrator)
2015-09-22 10:21
|
Essentially this should work; please verify that you actually loaded the ssl module and see if there is anything suspicious in the logs at load time. |
|
(0011055)
cgrzemba (developer)
2015-09-22 16:54
|
For SSL to work you have to change the CSW config:
--- httpd.conf.CSW Thu Jul 16 16:48:54 2015
+++ httpd.conf Tue Sep 22 16:10:56 2015
@@ -407,7 +407,7 @@
</IfModule>
# Secure (SSL/TLS) connections
-#Include /etc/opt/csw/apache2/extra/httpd-ssl.conf
+Include /etc/opt/csw/apache2/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
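Review bot: The uncommented 'Include /etc/opt/csw/apache2/extra/httpd-ssl.conf' is unconditional, so every directive in that file is parsed at startup whether or not mod_ssl has been loaded. This hunk only works together with the modules.load change; apply both in one step and run a configuration test before restarting the service, otherwise the first SSL directive is rejected as an invalid command and the start method exits non-zero.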
and
--- modules.load.CSW Tue Sep 22 16:48:03 2015
+++ modules.load Tue Sep 22 16:53:45 2015
@@ -23,7 +23,7 @@
#LoadModule cache_module lib/apache2/modules/mod_cache.so
#LoadModule cache_disk_module lib/apache2/modules/mod_cache_disk.so
#LoadModule cache_socache_module lib/apache2/modules/mod_cache_socache.so
-#LoadModule socache_shmcb_module lib/apache2/modules/mod_socache_shmcb.so
+LoadModule socache_shmcb_module lib/apache2/modules/mod_socache_shmcb.so
#LoadModule socache_dbm_module lib/apache2/modules/mod_socache_dbm.so
#LoadModule socache_memcache_module lib/apache2/modules/mod_socache_memcache.so
#LoadModule watchdog_module lib/apache2/modules/mod_watchdog.so
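Review bot: Nothing at the 'LoadModule socache_shmcb_module' line says why a cache module is switched on as part of an SSL change. If it is there for the SSL session cache configured in httpd-ssl.conf, add a one-line comment saying so, so that nobody re-comments it later as unrelated to SSL.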
@@ -77,7 +77,7 @@
#LoadModule session_dbd_module lib/apache2/modules/mod_session_dbd.so
#LoadModule slotmem_shm_module lib/apache2/modules/mod_slotmem_shm.so
#LoadModule slotmem_plain_module lib/apache2/modules/mod_slotmem_plain.so
-#LoadModule ssl_module lib/apache2/modules/mod_ssl.so
+LoadModule ssl_module lib/apache2/modules/mod_ssl.so
#LoadModule dialup_module lib/apache2/modules/mod_dialup.so
#LoadModule lbmethod_byrequests_module lib/apache2/modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module lib/apache2/modules/mod_lbmethod_bytraffic.so |
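Review bot: The 'LoadModule ssl_module' change is made to a single modules.load, and the diff header gives no directory for it. Where more than one modules.load exists on the system (a later note in this thread points at /etc/opt/csw/64/apache2/extra/modules.load for 64-bit instances), the same two lines need enabling in the file the running instance actually reads; name the full path in the patch description.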
|
(0011056)
dragongeek (reporter)
2015-09-22 18:06
|
I did uncomment the httpd-ssl.conf. There is no 'modules.load.CSW' in my httpd.conf file, just the modules.load in an IFDefine block.
The LoadModule socache_shmcb_module does not appear in either the httpd.conf, or the httpd-ssl.conf, and neither is the ssl_module entry, so I added both to the httpd-ssl.conf, yet it still goes into maintenance mode upon restart.
root@oralin# svcadm enable svc:/network/cswapache24:default
root@oralin# svcs \*apache\*
STATE STIME FMRI
disabled Sep_16 svc:/network/http:apache22
disabled Sep_17 svc:/network/cswapache2:default
maintenance 9:03:12 svc:/network/cswapache24:default
root@oralin# svcs -l svc:/network/cswapache24:default
fmri svc:/network/cswapache24:default
enabled true
state maintenance
next_state none
state_time September 22, 2015 09:03:12 AM PDT
logfile /var/svc/log/network-cswapache24:default.log
restarter svc:/system/svc/restarter:default
contract_id
manifest /var/opt/csw/svc/manifest/network/cswapache24.xml
dependency require_all/none svc:/system/filesystem/local (online)
dependency require_all/none svc:/network/loopback (online)
root@oralin# tail -8 /var/svc/log/network-cswapache24:default.log
AH00526: Syntax error on line 73 of /etc/opt/csw/apache2/extra/httpd-ssl.conf:
Invalid command 'SSLCipherSuite', perhaps misspelled or defined by a module not included in the server configuration
[ Sep 17 10:44:45 Method "start" exited with status 1. ]
[ Sep 17 16:41:04 Leaving maintenance because disable requested. ]
[ Sep 17 16:41:04 Disabled. ]
[ Sep 22 09:03:11 Enabled. ]
[ Sep 22 09:03:11 Executing start method ("/var/opt/csw/svc/method/svc-cswapache24 start"). ]
[ Sep 22 09:03:12 Method "start" exited with status 1. ]
root@oralin# |
|
(0011059)
cgrzemba (developer)
2015-10-07 13:09
edited on: 2015-10-07 13:26
|
Apache should load the following modules:
/opt/csw/sbin/apachectl -M
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
authn_file_module (shared)
authn_core_module (shared)
authz_host_module (shared)
authz_groupfile_module (shared)
authz_user_module (shared)
authz_core_module (shared)
access_compat_module (shared)
auth_basic_module (shared)
socache_shmcb_module (shared)
reqtimeout_module (shared)
filter_module (shared)
mime_module (shared)
log_config_module (shared)
env_module (shared)
headers_module (shared)
setenvif_module (shared)
version_module (shared)
ssl_module (shared)
mpm_event_module (shared)
unixd_module (shared)
status_module (shared)
autoindex_module (shared)
dir_module (shared)
alias_module (shared)
Do you see the ssl_module and socache_shmcb_module here?
Then you should take a look in the Apache error log.
|
|
(0011060)
cgrzemba (developer)
2015-10-07 13:28
|
Try to upgrade to 2.4.16; 'SSLProxyCipherSuite' is contained there |
|
(0011061)
dragongeek (reporter)
2015-10-07 16:46
|
(FYI - I've answered, below, but I'm going to disable this package and build/install from source code. Seems the most expedient at this point.)
I upgraded to 2.4.16 and checked the packages. It shows socache_shmcb_module and ssl_module loaded.
root@oralin# pkgutil -u apache24
Solving needed dependencies ...
Solving dependency order ...
22 CURRENT packages:
CSWapache24-2.4.16,REV=2015.07.17
CSWcas-initsmf-1.50,REV=2015.01.17
CSWcas-preserveconf-1.50,REV=2015.01.17
CSWcas-sslcert-1.50,REV=2015.01.17
CSWcommon-1.5,REV=2010.12.11
CSWisaexec-0.2,REV=2009.03.26
CSWlibapr1-0-1.5.1,REV=2014.12.24
CSWlibaprutil1-0-1.5.4,REV=2015.08.26
CSWlibexpat1-2.1.0,REV=2013.01.01
CSWlibgcc-s1-4.9.2,REV=2014.11.07
CSWlibiconv2-1.14,REV=2011.08.07
CSWliblber2-4-2-2.4.40,REV=2015.06.23
CSWlibldap2-4-2-2.4.40,REV=2015.06.23
CSWliblua5-2-5.2.2,REV=2013.10.08
CSWliblzma5-5.0.5,REV=2013.07.05
CSWlibpcre1-8.37,REV=2015.04.30
CSWlibsasl2-2-2.1.25,REV=2012.05.06
CSWlibssl1-0-0-1.0.1p,REV=2015.07.09
CSWlibuuid1-1.0.2,REV=2014.08.12
CSWlibxml2-2-2.9.1,REV=2013.08.16
CSWlibz1-1.2.8,REV=2013.09.23
CSWopenssl-utils-1.0.1p,REV=2015.07.09
Nothing to do.
root@oralin# svcs \*apache\*
STATE STIME FMRI
disabled 15:20:11 svc:/network/http:apache22
disabled 15:20:11 svc:/network/cswapache2:default
maintenance 15:20:31 svc:/network/cswapache24:default
root@oralin# svcadm clear svc:/network/cswapache24:default
root@oralin# svcs \*apache\*
STATE STIME FMRI
disabled 15:20:11 svc:/network/http:apache22
disabled 15:20:11 svc:/network/cswapache2:default
maintenance 7:41:45 svc:/network/cswapache24:default
root@oralin# tail /var/svc/log/network-cswapache24:default.log
[ Oct 6 15:20:27 Executing start method ("/var/opt/csw/svc/method/svc-cswapache24 start"). ]
[ Oct 6 15:20:31 Method "start" exited with status 1. ]
[ Oct 6 15:20:31 Executing start method ("/var/opt/csw/svc/method/svc-cswapache24 start"). ]
[ Oct 6 15:20:31 Method "start" exited with status 1. ]
[ Oct 6 15:20:31 Executing start method ("/var/opt/csw/svc/method/svc-cswapache24 start"). ]
[ Oct 6 15:20:31 Method "start" exited with status 1. ]
[ Oct 7 07:41:45 Leaving maintenance because clear requested. ]
[ Oct 7 07:41:45 Enabled. ]
[ Oct 7 07:41:45 Executing start method ("/var/opt/csw/svc/method/svc-cswapache24 start"). ]
[ Oct 7 07:41:45 Method "start" exited with status 1. ]
root@oralin# /opt/csw/sbin/apachectl -M
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
authn_file_module (shared)
authn_core_module (shared)
authz_host_module (shared)
authz_groupfile_module (shared)
authz_user_module (shared)
authz_core_module (shared)
access_compat_module (shared)
auth_basic_module (shared)
reqtimeout_module (shared)
filter_module (shared)
mime_module (shared)
log_config_module (shared)
env_module (shared)
headers_module (shared)
setenvif_module (shared)
version_module (shared)
mpm_event_module (shared)
unixd_module (shared)
status_module (shared)
autoindex_module (shared)
dir_module (shared)
alias_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
root@oralin# |
|
(0011174)
cgrzemba (developer)
2016-08-04 17:00
|
This occurs if 64bit is enabled.
# /usr/bin/svcprop -p general/enable_64bit cswapache24
true
# so /opt/csw/sbin/64/apachectl -M
also has to be run as a test. This starts httpd with the option '-D 64bit', which in turn loads modules from /etc/opt/csw/64/apache2/extra/modules.load
The modules have to be enabled there as well |
|
(0011175)
cgrzemba (developer)
2016-08-04 17:02
|
solution:
check if 64bit is used and
modules enabled in /etc/opt/csw/64/apache2/extra/modules.load |
|
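The check described in the last two notes, as an added example that is not part of the original thread or OpenCSW's own tooling: a POSIX shell script that reads general/enable_64bit and reports which of ssl_module and socache_shmcb_module have no active LoadModule line in the modules.load file that instance reads. The function names and the 32-bit path /etc/opt/csw/apache2/extra/modules.load are assumptions; the 64-bit path and the svcprop call are taken from the thread.

```shell
#!/bin/sh
# Added example, not OpenCSW code. Reports modules that httpd-ssl.conf needs
# but that have no active (uncommented) LoadModule line in a modules.load file.

REQUIRED_MODULES="ssl_module socache_shmcb_module"

# modules_load_path ENABLE_64BIT -> file read by that instance.
# The 64-bit path is from the thread; the 32-bit path is an assumption.
modules_load_path() {
    if [ "$1" = "true" ]; then
        echo /etc/opt/csw/64/apache2/extra/modules.load
    else
        echo /etc/opt/csw/apache2/extra/modules.load
    fi
}

# missing_modules FILE -> prints the missing module names, returns
# 0 if none are missing, 1 if some are, 2 if FILE cannot be read.
missing_modules() {
    file=$1
    out=""
    [ -r "$file" ] || return 2
    for mod in $REQUIRED_MODULES; do
        found=0
        # read splits on whitespace, so "#LoadModule" and "# LoadModule"
        # never yield the exact word "LoadModule" in the first field.
        while read -r directive name _rest || [ -n "$directive" ]; do
            if [ "$directive" = "LoadModule" ] && [ "$name" = "$mod" ]; then
                found=1
            fi
        done < "$file"
        [ "$found" -eq 1 ] || out="${out:+$out }$mod"
    done
    if [ -n "$out" ]; then
        echo "$out"
        return 1
    fi
    return 0
}

# Run against the live instance only where SMF's svcprop exists.
if command -v svcprop >/dev/null 2>&1; then
    enabled=$(svcprop -p general/enable_64bit cswapache24 2>/dev/null)
    conf=$(modules_load_path "$enabled")
    missing=$(missing_modules "$conf") || echo "$conf: not enabled: ${missing:-unreadable}"
fi
```

A non-empty report for the 64-bit file while the 32-bit apachectl -M lists both modules matches the situation in this thread: the SMF start method fails on the first SSL directive even though the 32-bit check looks healthy.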