Error 500 proxying to SSL-secured site

On 2004-06-28 03:04:46 -0400, Davide Bianchi
<davideyeahsure.DeleteThis@onlyforfun.net> said:

 > Scott Lowe <me.DeleteThis@privacy.net> wrote:
  >> however, I get an 500 error from Apache.
 >
 > Error 500 is a catch all, when something bad happens Apache send
 > an error 500. What's in the error_log?
 >
 > Davide

The only applicable error I can find relates to SSLProxyEngine. Is
this something that needs to be turned on?

--
Scott Lowe<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Error 500 proxying to SSL-secured site 

On 2004-06-28 11:16:21 -0400, Scott Lowe <me.RemoveThis@privacy.net> said:

 > On 2004-06-28 03:04:46 -0400, Davide Bianchi
 > <davideyeahsure.RemoveThis@onlyforfun.net> said:
 >
  >> Scott Lowe <me.RemoveThis@privacy.net> wrote:
   >>> however, I get an 500 error from Apache.
  >>
  >> Error 500 is a catch all, when something bad happens Apache send
  >> an error 500. What's in the error_log?
  >>
  >> Davide
 >
 > The only applicable error I can find relates to SSLProxyEngine. Is
 > this something that needs to be turned on?

I've answered my own question. I added "SSLProxyEngine On" to the
appropriate virtual host configuration, and now it works (so far).

Only one error remains, and I am not 100% certain that it is
server-based. When I attach to the SSL-secured reverse proxy, I
receive an error along the lines of "site identity cannot be verified."
I take this to mean that the server is presenting an SSL certificate
that a) doesn't match the URL I'm using to access the site, or b)
doesn't have an appropriate trusted CA certificate.

I'm reasonably certain that it's not a client-side issue (I use Camino
0.8 on Mac OS X 10.3) since I can attach to other SSL-secured sites
that have certificates from the same internal CA and don't receive the
same error. This leads me to believe that I have incorrectly
configured the root CA-related directives on Apache. I've converted
the root CA certificate into PEM format and specified it in the
configuration file using the SSLCertificateChainFile <filename>
directive. Is this the correct approach?

Thanks in advance for everyone's help.

--
Scott Lowe<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Error 500 proxying to SSL-secured site 

Scott Lowe <me.TakeThisOut@privacy.net> wrote:
 > The only applicable error I can find relates to SSLProxyEngine. Is
 > this something that needs to be turned on?

No, I've never used such thing, and this is exactly how I did the
Exchange proxy business without any SSLProxy. The only appreciable
differences is that I used Apache 1.3.x instead of 2 (it was already
installed and working).

If not that your proxy doesn't accept the certificate of the
final server?

Davide

--
| The C Programming Language -- A language which combines the
| flexibility and power of assembly language with the readability of
| assembly language.
|<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Error 500 proxying to SSL-secured site 

On 2004-06-28 11:54:33 -0400, Davide Bianchi
<davideyeahsure.RemoveThis@onlyforfun.net> said:

 > Scott Lowe <me.RemoveThis@privacy.net> wrote:
  >> The only applicable error I can find relates to SSLProxyEngine. Is
  >> this something that needs to be turned on?
 >
 > No, I've never used such thing, and this is exactly how I did the
 > Exchange proxy business without any SSLProxy. The only appreciable
 > differences is that I used Apache 1.3.x instead of 2 (it was already
 > installed and working).
 >
 > If not that your proxy doesn't accept the certificate of the
 > final server?
 >
 > Davide

Davide, see my parallel post--we must have been typing at the same
time! SSLProxyEngine fixed the problem.

Thanks.

--
Scott Lowe<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Error 500 proxying to SSL-secured site 

Scott Lowe <me.TakeThisOut@privacy.net> wrote:
 > receive an error along the lines of "site identity cannot be verified."
 > I take this to mean that the server is presenting an SSL certificate
 > that a) doesn't match the URL I'm using to access the site

I think this the one.
Davide

--
| An alcoholic is a person who drinks more than his own physician.
|
|
|<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Error 500 proxying to SSL-secured site 

On 2004-06-28 12:29:51 -0400, Davide Bianchi
<davideyeahsure DeleteThis @onlyforfun.net> said:

 > Scott Lowe <me DeleteThis @privacy.net> wrote:
  >> receive an error along the lines of "site identity cannot be verified."
  >> I take this to mean that the server is presenting an SSL certificate
  >> that a) doesn't match the URL I'm using to access the site
 >
 > I think this the one.
 > Davide

Using "openssl x590 -in <cert-file-name> -noout -text" or "openssl x509
-in <cert-file-name> -noout -subject" verifies that the CN field of the
subject of the certificate matches the FQDN that I am requesting from
the server. Correct me if I am wrong, but if the certificate's subject
is:

/C=US/ST=State/L=Locality/O=Organization Name/OU=Department
Name/CN=extranet.domain.com

and I am requesting "https://extranet.domain.com", then everything
should be fine, yes? (The CN field of the subject matches the FQDN
being requested.)

Or am I missing something?

--
Scott Lowe<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Error 500 proxying to SSL-secured site