OK, I've tested it, and so far it isn't working for me.  Here are my tests:

1) Attempt to configure, on an HP UX 11.0 system, to use SSL with a
cryptographic accelerator card:

Set up Apache 1.3.23, on this same system, and confirmed that it ran and
successfully accessed the CryptoSwift card.

configure --enable-ssl --with-ssl=/home/lgazis/openssl-engine-0.9.6c
--prefix=/home/lgazis/apache2 --enable-rule=SSL_EXPERIMENTAL

Had to create lib directory under openssl-engine-0.9.6c and copy libraries
there, since they seemed to be expected there rather than at the top level.

First problem: http://httpd.apache.org/docs-2.0/install.html makes no
mention of actually installing a certificate, and "make certificate" appears
to no longer be the correct thing to do.

Worked around this by copying conf/ssl.crt and conf/ssl.key from Apache
1.3.23 installation to Apache 2.0.35 installation.

Edited httpd.conf, set ServerName to pamela, User to www, Group to nobody,
Listen to my IP address and port.  Edited ssl.conf and set Listen to my IP
address and port, and added "SSLCryptoDevice cswift".

Attempted a "bin/apachectl startssl", and got the error: "Invalid command
'SSLCryptoDevice'...".  Evidently something has changed, since Apache 1.3,
about how to make the cryptographic accelerators in the OpenSSL engine code
work.

2) Test, on HP UX 11.0 system, attempting to use SSL and no cryptographic
accelerator.

Got rid of the SSLCryptoDevice line, and tested to see whether I could make
Apache 2.0 work with SSL with no accelerator.  This also failed; the server
started, but when I generated traffic, none of my handshakes succeeded, and
my error log showed lots of "[error] [client 10.10.37.185] Invalid method in
request k".

Tried a test with OpenSSL's s_client, instead of my own test program,
generating the traffic.  Ran s_client with the -connect option, and no
others.  Got the error:

warning, not much extra random data, consider using the -rand option
CONNECTED(00000003)
905:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460

Attempts to specify with ssl3 or tls1 also failed to connect, though with a
different error.

3) Attempted to build Apache 2.0 on Solaris 7:

Configured with same options as on the HP system, but my make failed with an
undefined symbol sk_new_null.

Either this isn't working properly, or I am missing some key information
about how I am supposed to be setting this up.  I've been building and
running various versions of Apache 1.3 on these same systems with no
difficulty.

Lynn Gazis

-----Original Message-----
From: Cliff Woolley [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 8:03 AM
To: [EMAIL PROTECTED]
Subject: Re: Apache 2.0.* and SSL


On Tue, 9 Apr 2002, Mads Toftum wrote:

> I too could add a whole lot of reasons to not migrate if you're doing SSL.
> Up to about a week before Apache went GA, there were substantial commits to
> SSL code which to me makes it an essentially untested module.

While I can't wholly disagree with you, I will point out that the only way
we can ever really consider SSL "tried and true" is if the people
_from_this_group_ test it extensively and help us find the problems with
it.  Your participation is vital... really!

Thanks all,
Cliff

--------------------------------------------------------------
   Cliff Woolley
   [EMAIL PROTECTED]
   Apache HTTP Server Project


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
______________________________________________________________________