RE: trouble getting set up
On Sat, 13 Jul 2002, Jan Škola wrote:

> Yes, the problem is that you need the Win32 utilities ,awk' and ,bison'...
> Download them, put them in a directory in PATH and try to compile
> again...

Right. See also http://apr.apache.org/compiling_win32.html .

--Cliff

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                  [EMAIL PROTECTED]
Re: apache 2.0.39 + mod_ssl.so
On Thu, 11 Jul 2002, Sauer, Adrian wrote:

> ...this error occurs during start with "-DSSL":
> Cannot load /opt/apache_2.0.39/modules/mod_ssl.so into server:
> /opt/apache_2.0.39/modules/mod_ssl.so: undefined symbol: X509_free

This is a frequently asked question. Please see (among other places):
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8034

--Cliff
SSLLog's demise (was Re: freebsd SSLCryptoDevice)
On Wed, 10 Jul 2002, Mads Toftum wrote:

> Which is a really bad move IMHO - debugging with mod_ssl
> was very good, and easy to use, but now with 2.0 it has been hacked into
> something much less usable. Making the loglevel tie in with the general
> loglevel, you get debugging info from two places at once, that it _very_
> rarely makes sense to debug together.

FWIW, I was in the camp that totally agrees with this sentiment. The
decision to get rid of it was by no means unanimous. Feel free to start a
grassroots petition to get it added back in again. :) If the users want it
back, the users want it back...

--Cliff
Re: freebsd SSLCryptoDevice
On Tue, 9 Jul 2002, Geoff Thorpe wrote:

> Can you ensure you've got a decent debugging level set (eg. perhaps
> "SSLLogLevel info") and post the last few lines of the error log when

Note that there's no such thing as a separate SSLLog/SSLLogLevel in Apache
2.0 anymore -- it's all lumped in with the regular error_log.

--Cliff
Re: Quickie on Certificate Requests (combined with virtual hosts)...
On 1 Jul 2002, Sean M Alderman wrote:

> Cool, thanks!... So I've done that, I needed to use the make certificate
> instead of the openssh commands because of the lack of a /dev/random on
> Solaris 8 (I don't know why make is able to make it happen when I
> can't). Anyway, each time I run it it generates a new server.key file,
> I need to keep each of these right?...perhaps name them based on the
> virtual host each are for?

Yes, exactly right. Dunno why the make certificate thing works when the
openssl commands directly don't -- probably just some configuration
issues.

--Cliff
Re: Quickie on Certificate Requests (combined with virtual hosts)...
On 1 Jul 2002, Sean M Alderman wrote:

> I'm hoping someone on the list might have some experience with
> multiple IP based virtual hosts and generating CSRs for ssl certs for
> each host. Something has me thinking that if I run the commands from the
> mod_ssl faq, I'll get several CSRs for the same host (either local or
> the main hostname). That shouldn't be, certs are hostname specific
> right? Anyway, if anyone would be so kind as to pass me a clue.

The commands in the FAQ should be okay. When you run openssl and ask it
to generate a CSR, it will prompt you for various things, one of which is
"Common Name (CN)" -- enter the hostname with which the certificate
should be associated there, and that's all you should have to do.

--Cliff
Re: SSLCryptoDevice: works as a static, not as a DSO...?
On Fri, 28 Jun 2002, R. DuFresne wrote:

> I was thinking, and perhaps wrongly for versions prior to apache 2, that
> modules required openssl be shared, but, earlier mod-ssl based versions I
> do not think were so limited, being how they were built with ssl support.

Right. That's not a restriction in 1.3 as far as I know. Just 2.0 (due
to libtool). For 2.0, if you want a shared mod_ssl, use a shared OpenSSL,
and if you want a static mod_ssl, use a static OpenSSL. 1.3 should be a
bit more flexible there. We'll get around to fixing that in 2.0 one of
these days. :-/

--Cliff
Re: SSLCryptoDevice: works as a static, not as a DSO...? (fwd)
[[ None of my emails from this evening seem to have actually gone out
(misconfig on my end, I think), so here's this again. Sorry if it's a
dupe. ]]

-- Forwarded message --
Date: Fri, 28 Jun 2002 02:24:29 -0400 (EDT)
From: Cliff Woolley <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: SSLCryptoDevice: works as a static, not as a DSO...?

On Fri, 28 Jun 2002, Cliff Woolley wrote:

> To ask a silly question, you are *loading* the DSO, right? And you have
> SSL_EXPERIMENTAL_ENGINE defined in both cases?

I guess I didn't read your first email carefully enough; I see you
already mentioned that you do have the appropriate AddModule and
LoadModule lines in the DSO case. Double-check that, though, as that and
the SSL_EXPERIMENTAL_ENGINE things are the only possible reasons you'd get
that message.

--Cliff
Re: compiling apache2039
On Tue, 25 Jun 2002, Jeff Landers wrote:

> Even with just a ./configure I have many parse and symbol errors in the
> config.log when I configure apache2039 although it exits with a zero. Is
> that OK or do I need to work with someone to resolve these errors.

That's totally normal. These "errors" are how autoconf determines which
features your compiler, linker, and system headers/libraries support. If
it compiles and links, that's a "yes, the feature is available." If it
fails to compile and link, that's just a "no, the feature is not
available." But a particular feature not being available is not usually
fatal. The messages configure prints on stdout would tell you if it was
a fatal condition.

In other words: ignore config.log unless you encounter a fatal condition
and need to find out exactly what happened.

--Cliff
Re: Upgrade ?
On Mon, 24 Jun 2002, Thomas Binder wrote:

> > Then when you run 'make install' from the Apache 1.3.26 source
> > directory, it will overwrite your 1.3.23 installation.
>
> Just in case anyone wonders: it will NOT overwrite the config
> files of the 1.3.23 installation.

Oh right... meant to point that out. Thanks. :)

--Cliff
Re: Upgrade ?
On Mon, 24 Jun 2002, RON MCKEEVER wrote:

> I'm a little confused on how to upgrade my current mod_ssl-2.8.7-1.3.23, to
> mod_ssl-2.8.10-1.3.26.
> When I untar the new apache1.3.26 it is in its own dir.. So how do I upgrade
> 1.3.23? When I run the configure statement in the mod_ssl-2.8.10 dir I can't
> state --with-apache="1.3.23", I need to state the new apache dir, right??

Right... you give mod_ssl-2.8.10 the Apache 1.3.26 *source* directory for
its --with-apache= argument. Then when you configure apache, tell it to
*install* to the same location that 1.3.23 is currently installed using
--prefix= (eg /usr/local/apache) and use the same directory structure
(using --with-layout= ) that you used before, if any. Then when you run
'make install' from the Apache 1.3.26 source directory, it will overwrite
your 1.3.23 installation. That should be it.

--Cliff
Re: hanging apache processes (1.3.29 + mod_ssl 2.8.9)
On Sun, 23 Jun 2002, Alex Kotov wrote:

> After a while the server processes become stuck while waiting for
> the data from a socket.
> Running strace on a hung process produces
> read(5,
> for a long time, eventually followed by
> read(5, 0x959d2d8, 11) = -1 ETIMEDOUT (Connection timed out)

Are you sure that file descriptor 5 is the connection to the client?
What SSLRandomSeed are you using? This sounds like one of those
/dev/random not-enough-entropy problems to me.

--Cliff
Re: Apache 1.3.26/mod_ssl-2.8.9-1.3.26 segfault
On Thu, 20 Jun 2002 [EMAIL PROTECTED] wrote:

> Per the recently announced vulnerability in versions of apache < 1.3.26,
> I decided to be a happy little prole and update all of my webservices.
>
> Unpacking clean source for apache, mod_ssl and mod_perl-1.26, I upgraded
> the packages like I always do:
>
> write(15, "[20/Jun/2002 16:50:05 04493] [in"..., 95) = 95
> brk(0x8109000) = 0x8109000
> open("./php.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
> open("/usr/lib/php.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
> brk(0x810a000) = 0x810a000
> brk(0x810b000) = 0x810b000
> brk(0x810c000) = 0x810c000
> brk(0x810d000) = 0x810d000
...
> brk(0x8123000) = 0x8123000
> brk(0x8125000) = 0x8125000
> brk(0x8126000) = 0x8126000
> --- SIGSEGV (Segmentation fault) ---
> +++ killed by SIGSEGV +++

Sounds like PHP is borked. Try building a new copy.

--Cliff
Re: Upgrade Question
On Thu, 20 Jun 2002, RON MCKEEVER wrote:

> I currently have mod_ssl-2.8.7-1.3.23(apache) deal. I have seen the
> security issue and the suggestions to upgrade to 2.0 or 1.3.26.
>
> Couple of questions, Please.
>
> 1. Can I just install the new apache version over my old install? And
> will it still use my ssl info?

If by "info" you mean configuration, the answer is yes. If by "info" you
mean mod_ssl itself, the answer is no.

> 2. Or do I need to wait for a "mod_ssl-2.x.x-1.3.26" release??

There has already been one. mod_ssl 2.8.9 is out. So just grab 1.3.26
and 2.8.9, compile them with the same options you did on 1.3.23/2.8.7,
and when you install it it will overwrite the old binaries but keep your
old config files. (remember to back up the old install directory just in
case ;)

--Cliff
Re: Apache 1.3.26 and mod_ssl
On Wed, 19 Jun 2002 [EMAIL PROTECTED] wrote:

> I've patched the Apache 1.3.26 sources with mod_ssl 2.8.8 and --force
> Option and it "works". I've applied the patch for 1.3.26

Forget it. Start over with a clean 1.3.26 and mod_ssl 2.8.9 which was
released quite a while ago now.

--Cliff
Re: mod_ssl maintainership
On Wed, 19 Jun 2002, Tim Tassonis wrote:

> It seems like due to his various other commitments, RSE is not really
> active on mod_ssl anymore. Is there a plan to transfer maintainership of
> mod_ssl to somebody else?

For 2.0, it's already been transferred to the ASF. 1.3 is maintenance
mode only, and RSE still handles the releases for that. It only takes a
day or two. This time we're all just kind of in a hurry. :)

--Cliff
Re: Apache 1.3.26 and mod_ssl
On Wed, 19 Jun 2002, James Bromberger wrote: > Seems that the current 2.8.8 has some problems patching into some of > the mod_proxy code: > > ./ap/Makefile.tmpl.rej > ./modules/proxy/mod_proxy.c.rej > ./modules/proxy/proxy_http.c.rej h... wonder why I didn't notice those before? Sigh. Anyway, attached is a patch (totally untested!) which *should* replace the missing part of the mod_ssl patch. So after you've run ./configure --force, apply this patch by going to the apache_1.3.26/ directory and running "patch -p0 < modssl-2.8.8-1.3.26-fixup.patch". Let me know if it works or breaks. ;) --Cliff --- ./src/ap/Makefile.tmpl-1.3.26 Tue Jun 18 20:32:48 2002 +++ ./src/ap/Makefile.tmpl Tue Jun 18 20:33:18 2002 @@ -7,7 +7,7 @@ OBJS=ap_cpystrn.o ap_execve.o ap_fnmatch.o ap_getpass.o ap_md5c.o ap_signal.o \ ap_slack.o ap_snprintf.o ap_sha1.o ap_checkpass.o ap_base64.o ap_ebcdic.o \ - ap_strtol.o + ap_strtol.o ap_hook.o ap_ctx.o ap_mm.o .c.o: $(CC) -c $(INCLUDES) $(CFLAGS) $< --- ./src/modules/proxy/mod_proxy.c-1.3.26 Tue Jun 18 20:34:15 2002 +++ ./src/modules/proxy/mod_proxy.c Tue Jun 18 20:36:36 2002 @@ -454,6 +454,14 @@ */ /* handle the scheme */ +#ifdef EAPI +if (ap_hook_use("ap::mod_proxy::handler", +AP_HOOK_SIG7(int,ptr,ptr,ptr,ptr,int,ptr), +AP_HOOK_DECLINE(DECLINED), +&rc, r, cr, url, +NULL, 0, scheme) && rc != DECLINED) +return rc; +#endif /* EAPI */ if (r->method_number == M_CONNECT) { return ap_proxy_connect_handler(r, cr, url, NULL, 0); } @@ -1051,4 +1059,10 @@ NULL, /* child_init */ NULL, /* child_exit */ proxy_detect/* post read-request */ +#ifdef EAPI + ,proxy_addmod, /* EAPI: add_module */ +proxy_remmod, /* EAPI: remove_module */ +NULL, /* EAPI: rewrite_command */ +NULL /* EAPI: new_connection */ +#endif }; --- ./src/modules/proxy/proxy_http.c-1.3.26 Tue Jun 18 20:37:07 2002 +++ ./src/modules/proxy/proxy_http.cTue Jun 18 20:40:36 2002 
@@ -170,6 +170,9 @@ const char *datestr, *urlstr; int result, major, minor; const char *content_length; +#ifdef EAPI +char *peer; +#endif void *sconf = r->server->module_config; proxy_server_conf *conf = @@ -320,14 +323,43 @@ f = ap_bcreate(p, B_RDWR | B_SOCKET); ap_bpushfd(f, sock, sock); +#ifdef EAPI +{ +char *errmsg = NULL; +ap_hook_use("ap::mod_proxy::http::handler::new_connection", +AP_HOOK_SIG4(ptr,ptr,ptr,ptr), +AP_HOOK_DECLINE(NULL), +&errmsg, r, f, peer); +if (errmsg != NULL) +return ap_proxyerror(r, HTTP_BAD_GATEWAY, errmsg); +} +#endif /* EAPI */ + ap_hard_timeout("proxy send", r); ap_bvputs(f, r->method, " ", proxyhost ? url : urlptr, " HTTP/1.1" CRLF, NULL); + +#ifdef EAPI +{ +int rc = DECLINED; +ap_hook_use("ap::mod_proxy::http::handler::write_host_header", +AP_HOOK_SIG6(int,ptr,ptr,ptr,int,ptr), +AP_HOOK_DECLINE(DECLINED), +&rc, r, f, desthost, destport, destportstr); +if (rc == DECLINED) { +if (destportstr != NULL && destport != DEFAULT_HTTP_PORT) +ap_bvputs(f, "Host: ", desthost, ":", destportstr, CRLF, NULL); +else + ap_bvputs(f, "Host: ", desthost, CRLF, NULL); +} +} +#else /* EAPI */ /* Send Host: now, adding it to req_hdrs wouldn't be much better */ if (destportstr != NULL && destport != DEFAULT_HTTP_PORT) ap_bvputs(f, "Host: ", desthost, ":", destportstr, CRLF, NULL); else ap_bvputs(f, "Host: ", desthost, CRLF, NULL); +#endif if (conf->viaopt == via_block) { /* Block all outgoing Via: headers */
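Review bot: the src/ap/Makefile.tmpl hunk adds ap_hook.o, ap_ctx.o and ap_mm.o to OBJS unconditionally, whereas every C change in this patch is fenced by #ifdef EAPI, so the fixup only builds if src/ap/ap_hook.c, ap_ctx.c and ap_mm.c already arrived through the part of the mod_ssl patch that applied cleanly (only the three listed .rej files failed). That precondition is worth stating in the mail, so a reader who applies this fixup on its own understands why make stops in src/ap.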
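Review bot: in the mod_proxy.c hunk at @@ -454, the added ap_hook_use() writes through &rc and the code then tests rc != DECLINED, but no declaration of rc appears in the hunk, unlike the proxy_http.c hunk at @@ -320 which opens its own block with `int rc = DECLINED;`. If proxy_handler() does not already declare an int rc, an EAPI build fails to compile here; suggest either confirming the declaration in the surrounding function or wrapping the call in its own block the same way the write_host_header hook does.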
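Review bot: the module-table hunk at @@ -1051 references proxy_addmod and proxy_remmod, but no hunk in this fixup defines them, and the fixup by design only covers the hunks that were rejected. If mod_proxy.c.rej also held the hunk that adds those two functions, the EAPI build ends in undefined references; suggest checking the .rej for hunks beyond the two supplied here before relying on this. Minor: the added entries use a different indent from the surrounding `NULL, /* child_init */` lines.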
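Review bot: the `char *peer;` added at @@ -170 is later passed as the last argument of the new_connection hook (`&errmsg, r, f, peer`), yet no visible hunk assigns it. If the assignment lived in a rejected hunk this fixup does not carry, the hook receives an indeterminate pointer; suggest `char *peer = NULL;` so a missing assignment at least shows up as a NULL, plus a note in the mail on where peer is meant to be set.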
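Review bot: in the @@ -320 hunk, the new_connection hook path returns ap_proxyerror(r, HTTP_BAD_GATEWAY, errmsg) immediately after `f = ap_bcreate(p, B_RDWR | B_SOCKET); ap_bpushfd(f, sock, sock);`; unless sock is registered for pool cleanup elsewhere (not visible here), that early return leaks the open socket. Separately, the Host: header is now emitted by three copies of the same two ap_bvputs lines (the rc == DECLINED branch and the #else branch are identical); letting the non-EAPI case fall into the same DECLINED path, or moving the two lines into a small static helper, keeps the EAPI and non-EAPI builds from drifting apart.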
Re: Apache 1.3.26 and mod_ssl
On Tue, 18 Jun 2002, Matthew Ruzicka wrote:

> Pardon my possible ignorance here, but has anyone come up with any good
> work arounds for getting mod_ssl to work with the (patched) Apache 1.3.26
> since 2.8.8-1.3.24 only wants to work with 1.3.24?
>
> I assume a new version of mod_ssl will be on its way shortly, but was
> looking for something in the meantime to close up any possible problems.

Using mod_ssl's ./configure --force option on 2.8.8 should work. I just
tried it against 1.3.26 and it patched successfully. You'll see lots of
messages like this:

Error: Application of patch failed:
-
|| extra --activate-module=ssl is required.
|+---
|Index: src/Configuration.tmpl
|--- src/Configuration.tmpl 28 Jan 2002 19:21:21 - 1.1.1.7
|+++ src/Configuration.tmpl 28 Jan 2002 19:40:56 - 1.23
--
Patching file src/Configuration.tmpl using Plan A...
Hunk #1 succeeded at 26.
Hunk #2 succeeded at 528 (offset 18 lines).
done
-

But as long as they all say "succeeded", you should be okay. I would
normally tell people to wait for mod_ssl 2.8.9 to be released, but this
is kind of a special circumstance. :-)

--Cliff
Re: Apache 1.3.26 and mod_ssl
On Tue, 18 Jun 2002, Matthew Ruzicka wrote:

> Pardon my possible ignorance here, but has anyone come up with any good
> work arounds for getting mod_ssl to work with the (patched) Apache 1.3.26
> since 2.8.8-1.3.24 only wants to work with 1.3.24?

I'm looking into it.
Re: compiling openssl for modssl - help!
On Tue, 18 Jun 2002, Shon Stephens wrote:

> I am trying to compile modssl. Before I can do so, I need to get openssl
> compiled and working. I did not want to use openssl's internal prng. So I
> patched my solaris 8 system to provide a /dev/random & /dev/urandom. I
> thought that these would be detected by the configure script. However, it
> appears to me that the openssl is still using its internal prng, not the
> system devices. Can anyone help me with this?

What version numbers are we talking about here? Apache, mod_ssl, OpenSSL,
etc.

--Cliff
Re: undefined symbol: X509_free
On Sat, 15 Jun 2002, Zac Hillier wrote:

> Just recently, eventually got apache 2.0.36 installed with mod_ssl.
> Now when I try to start apache with:
> httpd -D SSL
> I get an error:
>
> Cannot load modules/mod_ssl.so into server : modules/mod_ssl.so: undefined
> symbol : X509_free

That's a still-outstanding bug in the Apache build process (a linking
problem, specifically). It's triggered when you build a shared mod_ssl
against a static OpenSSL. The workaround is to make them match -- I
recommend installing the shared version of OpenSSL (eg, /usr/lib/libssl.so
and /usr/lib/libcrypto.so instead of /usr/lib/libssl.a and
/usr/lib/libcrypto.a... see the mod_ssl install docs for how to accomplish
this), and then recompile mod_ssl.

What's happened in your case right now is that for some reason we're
linking OpenSSL into the httpd binary rather than into the mod_ssl DSO,
and the static linker is therefore throwing away all the symbols we need
because httpd itself doesn't use them. When we go to dynamically link in
mod_ssl later, OpenSSL's symbols aren't there for us.

--Cliff
Re: installing with apache 2 and mod_ssl
On Sat, 15 Jun 2002, Zac Hillier wrote:

> The configure line reads:
>
> ./configure --with-ssl=/home/wserve/_s-store/openssl-0.9.6c --enable-ssl
> --enable-mods-all=shared --prefix=/usr/local/apache2

Is that the path to the source code distribution directory or the install
directory? It should be the install directory prefix. For example, my
OpenSSL is installed under /usr/lib with its include files in
/usr/include, so my configure argument is --with-ssl=/usr .

And I think you mean --enable-mods-shared=all rather than
--enable-mods-all=shared. But that's a different issue.

--Cliff
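A check of what a --with-ssl= prefix actually contains, as an added example written for this thread (it is not Apache's configure or mod_ssl code). It covers the two points made in this reply and in the "undefined symbol: X509_free" reply above: the argument should be the OpenSSL install prefix (headers under include/openssl, libraries under lib) rather than an unpacked source tree, and a shared mod_ssl.so needs shared libssl/libcrypto to resolve against. The directory-layout heuristics, the finding messages and the fixture builder are the author's own assumptions; the sample prefixes are constructed in a temp directory.

```python
"""Look at what a --with-ssl=<prefix> argument for Apache 2.0's configure
points at.  Added example written for this thread; the layout checks,
messages and fixture builder are the author's own, not Apache's configure."""

import os
import tempfile

# Library basenames as installed by OpenSSL 0.9.x (shared names carry a version suffix).
SHARED_PREFIXES = ("libssl.so", "libcrypto.so", "libssl.dylib", "libcrypto.dylib")
STATIC_NAMES = ("libssl.a", "libcrypto.a")


def inspect_ssl_prefix(prefix, shared_mod_ssl=True):
    """Return a list of findings; an empty list means the prefix looks usable.

    shared_mod_ssl=True models --enable-mods-shared=all / --enable-ssl=shared:
    mod_ssl.so will be a DSO that has to resolve libssl/libcrypto symbols
    (X509_free among them) when httpd loads it.
    """
    findings = []
    header = os.path.join(prefix, "include", "openssl", "ssl.h")
    libdir = os.path.join(prefix, "lib")
    libs = os.listdir(libdir) if os.path.isdir(libdir) else []
    shared = sorted(n for n in libs if n.startswith(SHARED_PREFIXES))
    static = sorted(n for n in libs if n in STATIC_NAMES)

    # An unpacked OpenSSL source tree has Configure and crypto/ at the top
    # but no include/openssl/ssl.h: the mistake the reply suspects.
    looks_like_source = (os.path.exists(os.path.join(prefix, "Configure"))
                         and os.path.isdir(os.path.join(prefix, "crypto")))
    if looks_like_source and not os.path.exists(header):
        findings.append("prefix looks like an OpenSSL source tree; pass the "
                        "install prefix (the one that holds include/ and lib/)")
        return findings
    if not os.path.exists(header):
        findings.append("no include/openssl/ssl.h under prefix")
    if not shared and not static:
        findings.append("no libssl/libcrypto under prefix/lib")
    elif shared_mod_ssl and not shared:
        findings.append("only static %s found; a shared mod_ssl.so linked "
                        "against them fails at LoadModule with 'undefined "
                        "symbol: X509_free', so install shared OpenSSL or "
                        "build mod_ssl static" % ", ".join(static))
    return findings


def _touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()


def build_fixture(kind):
    """Create a constructed prefix of the given kind under a temp dir (not a real install)."""
    root = tempfile.mkdtemp(prefix="sslprefix-")
    if kind == "source-tree":
        _touch(os.path.join(root, "Configure"))
        os.makedirs(os.path.join(root, "crypto"))
    else:
        _touch(os.path.join(root, "include", "openssl", "ssl.h"))
        names = STATIC_NAMES if kind == "static-install" else ("libssl.so.0.9.6", "libcrypto.so.0.9.6")
        for name in names:
            _touch(os.path.join(root, "lib", name))
    return root


def run_demo():
    """Inspect one fixture of each kind; returns {kind: findings}."""
    return {kind: inspect_ssl_prefix(build_fixture(kind))
            for kind in ("source-tree", "static-install", "shared-install")}


if __name__ == "__main__":
    for kind, findings in run_demo().items():
        print("%-15s %s" % (kind, "; ".join(findings) or "ok"))
```

Run it on a real prefix with `inspect_ssl_prefix("/usr")`; pass `shared_mod_ssl=False` when mod_ssl is being built statically into httpd, in which case static libraries are acceptable and no finding is raised for them.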
Re: installing with apache 2 and mod_ssl
On Fri, 14 Jun 2002, Zac Hillier wrote:

> Can you help? I'm trying to install apache 2.0.36 with mod_ssl and having
> real trouble. I have re-installed a couple of times now, once specifically
> with --enable-ssl=shared and once with --enable-shared=all; each time the
> mod_ssl does not appear to compile into the modules dir and is not present
> in any of the conf files?

What does the configure output say around the spot where it says
"checking whether to enable mod_ssl"? Chances are, it's not finding your
OpenSSL installation (which is a dependency for mod_ssl), and it's
therefore skipping mod_ssl. (Hint: use --with-ssl= to tell it where to
look.) Now, it's strange that it would do that with --enable-shared=all
(=all is supposed to mean "fail if you can't find some module's
dependencies"), but it's my best guess at the moment.

My ./configure script says this there:

checking whether to enable mod_ssl... checking dependencies
checking for SSL/TLS toolkit base... /usr
checking for SSL/TLS toolkit version...
checking for SSL/TLS toolkit includes... /usr/include
checking for SSL/TLS toolkit libraries... /usr/lib
adding "-I/usr/include/openssl" to INCLUDES
adding "-lssl" to LIBS
adding "-lcrypto" to LIBS
checking for SSL_set_state... no
checking for SSL_set_cert_store... no
checking whether to enable mod_ssl... yes (default)

Hope this helps,
--Cliff
Re: SSLRequireSSL Circumvention
On Tue, 4 Jun 2002, Cliff Woolley wrote:

> > BTW- I originally put in the 'deny from all' and 'satisfy any' lines
> > because I had another line 'allow from .my-domain.com' in between them
> > at one point. Which makes me wonder, what would I do if I wanted to
> > put it back in?
>
> Ah, forgot to respond to this part. If you want that, then you would
> obviously have to use 'satisfy any'. And in that case, you can't use
> SSLRequireSSL. You can use a RewriteRule to get the same effect.

I just discovered a config option of which I was previously unaware that
would help here. From the SSLOptions directive:

#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.

So add:

SSLOptions +StrictRequire

and then your scenario will work. Sorry for misleading you earlier!

--Cliff
Re: Apache2 with SSL doesn't start
On Wed, 12 Jun 2002, Andre Steffens wrote:

> I've installed Apache 2.0.36 with mod_ssl on Win2k. After I create a
> certificate I now have the files test.cert and test.key.
> But the Apache doesn't start! Someone who knows what I have to do?

What does the error log say?

--Cliff
Re: Apache2 with ssl
On Wed, 12 Jun 2002, Jeff Landers wrote:

> What is the recommended way of getting the ssl module for Apache2? Using
> the built in Apache2 SSL or using mod_ssl? I don't see a mod_ssl for
> Apache2 on the mod_ssl site. Does anyone have experience with Apache2
> and ssl?

There's no mod_ssl on www.modssl.org for Apache 2.0 because the builtin
SSL with Apache2 *IS* mod_ssl. Ralf donated it to the Apache Software
Foundation, and it ships with the main Apache distribution now. The only
catch is that there are no binaries of mod_ssl with the official Apache2
binary distributions distributed from apache.org, so if you want it,
you'll probably have to compile it yourself.

--Cliff
Re: apache2 won't start
On Tue, 11 Jun 2002, Jeff Landers wrote:

> Thank you for the info. I will work on debugging but here is another
> question. Why, when ssl and apache are under /usr/local, is vhosts.c
> still under the source code directory? This seems more like a
> compilation problem although I have compiled it a couple of times.

Um, because vhosts.c is one of the source files? I guess I don't
understand the question. It's not a compilation problem -- it compiles
just fine. It's a runtime problem. It just so happens that the runtime
error occurred in code that was compiled from vhosts.c, and the debugger
is telling you which source file to look in for the line that faulted.

--Cliff
Re: apache2 won't start
On Mon, 10 Jun 2002, Jeff Landers wrote:

> ./bin/apachectl startssl
> [Mon Jun 10 10:19:51 2002] [crit] [Mon Jun 10 10:19:51 2002] file vhost.c,
> line 232, assertion "rv == APR_SUCCESS" failed
> Abort - core dumped
> ./bin/apachectl startssl: httpd could not be started

That means the call to apr_sockaddr_info_get() on the address
"255.255.255.255" failed (the call is made because you're using
"_default_" in one of your vhosts). So then the question is: why did it
fail? Well, to know that, I need to know (a) what the actual return code
was, (b) what OS you're running, and it would be helpful to also have (c)
a backtrace. See http://httpd.apache.org/dev/debugging.html for help on
fetching b and c. :)

Thanks,
Cliff
Re: 2.0.36 + mod-ssl + Win2k = Easy Money
On Mon, 10 Jun 2002, John wrote:

> Well, we got one response from Victor, but he seems to be unable to
> follow through (we don't get any response from his private e-mail) so we
> still have $500 for anyone who can give us working binaries of apache
> 2.0.36 with mod-ssl...
> Anyone? Is this actually possible? Has anyone ever got this right?

Of course it's possible. I'd do it for you but I'm not convinced that I
as a US citizen am allowed to export strong-encryption binaries from the
US. Which is, of course, the entire reason that the official
distributions don't come with mod_ssl binaries.

--Cliff

PS: If you can wait a few days, 2.0.37 will hopefully be out and it has
some important bugs fixed. Just so you know.

-----------
Cliff Woolley
[EMAIL PROTECTED]
Apache HTTP Server Project
Re: Installing ModSSL Question
On Thu, 6 Jun 2002, Don wrote:

> ./configure \
>     --with-apxs[=/path/to/apache/bin/apxs] \
>     --with-ssl=/path/to/openssl
>
> Is the first option the path to the httpd binary (httpd) or the config
> file (httpd.conf)?

Neither. It's the path to apxs. :) apxs is a script that usually sits
in the same directory as the httpd binary, but it's not the same thing.

--Cliff
Re: SSLRequireSSL Circumvention
On Tue, 4 Jun 2002 [EMAIL PROTECTED] wrote:

> BTW- I originally put in the 'deny from all' and 'satisfy any' lines
> because I had another line 'allow from .my-domain.com' in between them
> at one point. Which makes me wonder, what would I do if I wanted to
> put it back in?

Ah, forgot to respond to this part. If you want that, then you would
obviously have to use 'satisfy any'. And in that case, you can't use
SSLRequireSSL. You can use a RewriteRule to get the same effect.

It probably wouldn't hurt to have this mentioned in the docs, I agree.

--Cliff
Re: SSLRequireSSL Circumvention
On Tue, 4 Jun 2002 [EMAIL PROTECTED] wrote:

> SSLRequireSSL
> DirectoryIndex index.wp2
> AddHandler cgi-script .cgi
> Options +ExecCGI
> deny from all
> AuthType Basic
> AuthUserFile /yadda/yadda/path/to/site/root/admin/.htpasswd
> AuthName "Administrative Pages"
> require valid-user
> satisfy any
>
> BUT, I still get the page in the browser! Weird. I can reload it,
> punch in the URL for a new page (which isn't cached), etc. I tried
> this on a couple different client computers to be sure.
> Now, I can get the expected result if I comment out the 'deny from
> all' and 'satisfy any' lines. So, I'm OK now. Logs look right, and
> the browser is refused on port 80 for the admin area, as expected.

That's not a bug, it's a feature. mod_ssl acts as an access checker for
SSLRequireSSL just like both mod_access and mod_auth. "satisfy any"
means that if any of the access checkers is satisfied, then access is
allowed. Presumably your browser either has the password for mod_auth
cached or you've typed it in again. In that case, mod_auth's "require
valid-user" condition is satisfied, so access is granted. If mod_auth's
requirement failed, access would still be granted as long as the
connection was SSL. The "deny from all" is useless here since it can
never be satisfied.

Bottom line: I don't think you should be using "satisfy any" given the
configuration above.

--Cliff
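How the posted .htaccess lets a plaintext request with a valid password through, and what the SSLOptions +StrictRequire fix from the follow-up reply above changes, as a small Python model added here; it is not Apache or mod_ssl code. The control flow is the author's reading of Apache 1.3 request processing and should be treated as an assumption: mod_access and SSLRequireSSL are evaluated in the access phase, "require valid-user" in the authentication phase; "Satisfy all" needs both phases to pass, "Satisfy any" accepts a passing access phase and otherwise falls back to authentication; +StrictRequire makes an SSLRequireSSL denial survive that fallback. The configurations, the client addresses (documentation ranges) and the request scenarios are constructed.

```python
"""Model of Apache 1.3 access control under Satisfy all/any with
SSLRequireSSL.  Constructed illustration, not Apache/mod_ssl code; the
phase ordering is the author's reading of Apache 1.3 request processing."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Config:
    satisfy: str = "all"              # Satisfy all | any
    require_ssl: bool = False         # SSLRequireSSL
    strict_require: bool = False      # SSLOptions +StrictRequire
    deny_from_all: bool = False       # deny from all (mod_access)
    allow_from: tuple = ()            # allow from <ip prefix> (mod_access), modelled as IP prefixes
    require_valid_user: bool = False  # require valid-user (mod_auth)


@dataclass(frozen=True)
class Request:
    is_ssl: bool
    client_ip: str
    valid_credentials: bool


def mod_access_check(cfg, req):
    """Host-based access phase: an explicit allow match wins, otherwise
    'deny from all' rejects."""
    if any(req.client_ip.startswith(p) for p in cfg.allow_from):
        return True
    return not cfg.deny_from_all


def mod_ssl_check(cfg, req):
    """mod_ssl's access-phase check: SSLRequireSSL fails on plaintext."""
    return req.is_ssl or not cfg.require_ssl


def access_allowed(cfg, req):
    """Combine the phases the way Satisfy all / Satisfy any do (modelled)."""
    access_phase_ok = mod_access_check(cfg, req) and mod_ssl_check(cfg, req)
    # None means no authentication is configured for this location.
    auth_ok = req.valid_credentials if cfg.require_valid_user else None

    if cfg.satisfy == "all":
        return access_phase_ok and auth_ok is not False
    # Satisfy any: a clean access phase is enough on its own ...
    if access_phase_ok:
        return True
    # ... otherwise authentication can still grant access, which is how a
    # plaintext request with a valid password gets past SSLRequireSSL.
    if auth_ok is None:
        return False
    if cfg.strict_require and not mod_ssl_check(cfg, req):
        return False  # +StrictRequire: the SSL denial cannot be overridden
    return auth_ok


# The .htaccess from the post: SSLRequireSSL + deny from all + require valid-user + satisfy any
POSTED = Config(satisfy="any", require_ssl=True, deny_from_all=True, require_valid_user=True)
# Same, plus SSLOptions +StrictRequire
STRICT = Config(satisfy="any", require_ssl=True, strict_require=True,
                deny_from_all=True, require_valid_user=True)
# The poster's working variant: no 'deny from all' and no 'satisfy any'
SATISFY_ALL = Config(satisfy="all", require_ssl=True, require_valid_user=True)
# The 'allow from .my-domain.com' wish, with StrictRequire (domain modelled as an IP prefix)
ALLOW_STRICT = Config(satisfy="any", require_ssl=True, strict_require=True,
                      deny_from_all=True, allow_from=("198.51.100.",), require_valid_user=True)

# Constructed requests; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SCENARIOS = {
    "plain_http_with_creds": Request(False, "203.0.113.5", True),
    "plain_http_no_creds": Request(False, "203.0.113.5", False),
    "https_with_creds": Request(True, "203.0.113.5", True),
    "https_no_creds": Request(True, "203.0.113.5", False),
    "plain_http_from_allowed_net": Request(False, "198.51.100.7", False),
    "https_from_allowed_net": Request(True, "198.51.100.7", False),
}


def evaluate(cfg):
    """Decision for every scenario under one configuration."""
    return {name: access_allowed(cfg, req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for label, cfg in (("POSTED", POSTED), ("STRICT", STRICT),
                       ("SATISFY_ALL", SATISFY_ALL), ("ALLOW_STRICT", ALLOW_STRICT)):
        print(label, evaluate(cfg))
```

Under POSTED the plain-HTTP request with a valid password is allowed, which is what the poster saw; STRICT denies it while still admitting the HTTPS request with credentials, and ALLOW_STRICT shows the allow-from network getting in over HTTPS without a password but not over plaintext.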
Re: mod_ssl-2.8.8-1.3.24
On Mon, 3 Jun 2002, Geoff Thorpe wrote:

> Ummm ... I had generally been using 0.9.7-dev CVS with mod_ssl without any
> great grief for some time.

Hm. Okay, well, you're luckier than the httpd committer who tried it. :)
At least with Apache 2.0, many things have been rumored to break under the
stock mod_ssl with OpenSSL 0.9.7-dev. YMMV. Of course my recommendation
to stick with 0.9.6 for now stands. :)

--Cliff
Re: mod_ssl-2.8.8-1.3.24
On Mon, 3 Jun 2002, Ekkehard Ellmann LRT1 wrote:

> Running make in apache 1.3.24 gave a compile-error in
> apache_1.3.24/src/modules/ssl/ssl_engine_vars.c
> The compiler pointed at the line:
> { "UID", NID_uniqueIdentifier },
>
> (linux-2.2.17, apache-1.3.24, mod_ssl-2.8.8-1.3.24,
> openssl-0.9.7-beta1)

Many changes have occurred between OpenSSL 0.9.6 and 0.9.7. mod_ssl is
unlikely to work with 0.9.7 at the moment, even if this were fixed.
Stick with 0.9.6 for now.

--Cliff
Re: Performance Tuning on Apache 1.3.24 with mod_ssl 2.8.8
On Fri, 31 May 2002, Geoff Thorpe wrote:

> oh yeah, there's also that security problem with modssl that I mentioned
> ages ago - AFAIK this still hasn't been changed in modssl and *may* not
> yet have changed in apache 2.0 either. Ralf or David, please correct me
> if I'm wrong;
> http://marc.theaimsgroup.com/?l=apache-modssl&m=99717585106420&w=2

This was fixed in 2.0 as of 2.0.25 but is not yet fixed in 1.3's modssl.

--Cliff
Re: Performance Tuning on Apache 1.3.24 with mod_ssl 2.8.8
On Thu, 30 May 2002, Patrick Dionisio wrote:

> Currently, I have a client script that generates n
> number of requests to the apache server. The page it
> requests is a static page. With SSL turned on, I'm
> only able to get at most 7 to 8 requests per second.
> With SSL turned off, I am able to get 50+ requests per
> second.

Wow, that's still incredibly slow. What kind of CPU and how much RAM are
we talking about here? With SSL turned off you should be able to pump
out way more RPS than that on a static page. I suggest you tune that
first (you should be looking for a number in the hundreds of RPS at
least), and *then* focus on SSL. See:

http://httpd.apache.org/docs/misc/perf-tuning.html

Upgrading to Apache 2.0.x might help, too. :)

> I've tried setting SSLMutex to use sem and
> SSLSessionCache to
> shm:/usr/local/apache/logs/ssl_gcache_data(512000),

shmcb can perform better than shmht under stress (shm == shmht in 1.3,
shm == shmcb in 2.0, though you can explicitly specify either choice in
both versions)... that's probably worth looking into. See the thread
http://marc.theaimsgroup.com/?l=apache-modssl&m=98529562629436&w=2 for an
explanation of the differences (though some of the information there is
out of date by now, eg shmcb is no longer experimental).

> but those changes didn't improve the results.

It should actually be a rather drastic improvement over other session
cache methods. I definitely think you need to concentrate on the rest of
Apache first and then come back to looking at SSL tuning.

--Cliff
RE: PassPhraseDialog BuiltIn not supported...
On Thu, 30 May 2002, Chris Hsiang wrote:
> what exec I can use on win32 to submit the passphrase and also
You'd have to write your own script to do it. But keep in mind that protecting the _script_ with the passphrase hardcoded into it is hard, and even if you manage to do that, there are still problems protecting the key since the web server has the decrypted private key in-memory after you've submitted the passphrase. Whether passphrases are any good or not is a bit of an ongoing heated debate on this mailing list (AND NO, GUYS, LET'S NOT GO THROUGH THAT AGAIN PLEASE :-)... just suffice it to say that you should be aware of the security implications of either choice when deciding how best to protect your private key.
> how do I get rid of the passphrase from my private key now?
See http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31 . It's in unix-speak, but it shouldn't be hard to see what to do. It's the openssl command that is the important one... and of course be sure to set the permissions correctly on the key.
--Cliff
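Setting the permissions correctly on the key, the last point in that reply, as an added example (not mod_ssl's code and not from the FAQ page it links to): key_file_problems reports a key file that is reached through a symlink, is not a regular file, is not owned by the calling user, or is readable or writable by group/other, and harden_key_file restricts it to mode 0600. The placeholder key file and the helper names are constructed for this example, and it assumes a POSIX filesystem.

```python
"""Audit the on-disk protection of a passphrase-less private key.

Added example, not mod_ssl code. A key without a passphrase is protected only
by the filesystem, so the file must be a regular file (not a symlink), owned by
the user the server runs as, with no group/other permission bits.
"""
import os
import stat
import tempfile


def key_file_problems(path):
    """Return a list of readable problems; an empty list means the file is acceptably protected."""
    problems = []
    try:
        st = os.lstat(path)  # lstat so a symlink is reported as a symlink, not followed
    except FileNotFoundError:
        return ["file does not exist"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink; the real file may live elsewhere with other permissions")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("is not a regular file")
    if st.st_uid != os.geteuid():
        problems.append("not owned by the user running this check (the server user)")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permission bits set (mode %o); use 0600"
                        % stat.S_IMODE(st.st_mode))
    return problems


def harden_key_file(path):
    """Restrict the key to owner read/write only, then return any remaining problems."""
    os.chmod(path, 0o600)
    return key_file_problems(path)


def make_sample_key_file(mode=0o644):
    """Constructed sample: a placeholder key file with the given mode (contents are not a key)."""
    fd, path = tempfile.mkstemp(suffix=".key")
    with os.fdopen(fd, "w") as f:
        f.write("-----BEGIN PLACEHOLDER KEY-----\nnot a real key\n-----END PLACEHOLDER KEY-----\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample = make_sample_key_file()          # world-readable, as a careless copy might leave it
    print("before:", key_file_problems(sample))
    print("after: ", harden_key_file(sample))
```

The check deliberately uses lstat: a symlink named secure.key with mode 0600 says nothing about the target it points at.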
Re: PassPhraseDialog BuiltIn not supported...
On Thu, 30 May 2002, Chris Hsiang wrote:
> [30/May/2002 17:31:17 05760] [error] Init: PassPhraseDialog BuiltIn not
> supported in server private key from file
> F:/Apache/Apache2/conf/ssl/secure.key (OpenSSL library error follows)
It means you can't use SSLPassPhraseDialog BuiltIn on Win32. Either use the SSLPassPhraseDialog exec:/path/to/program method or just get rid of the passphrase. (I recommend the latter.) Granted, it's a rather obtuse error message. I just changed it for 2.0.37. Hope this helps,
--Cliff
RE: make fails - no flex
On Mon, 20 May 2002, Petryczka, George wrote:
> Actually i just tried touching the three files and i still get that same
> error. I'll try downloading a flex if i can find it. Would lex work
> though?
>> touch ssl_expr_parse.c
>> touch ssl_expr_parse.h
>> touch ssl_expr_scan.h
Crap, my fault... that last one should have been
touch ssl_expr_scan.c
There is no ssl_expr_scan.h.
--Cliff
(To answer your question, flex is found at http://www.gnu.org/software/flex/flex.html , though like I said you shouldn't need it. And no, regular lex probably won't work, as flex has some GNU extensions over regular lex, and ssl_expr_scan.l *might* actually use them.)
------ Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
RE: make fails - no flex
On Mon, 20 May 2002, Petryczka, George wrote:
> Won't touching those files cause some component not to be built?
> And thanks.
Nope. They're generated files distributed along with mod_ssl. If somehow their timestamps get to be older than the .y and .l files they came from, the Makefile will want to regenerate them using flex and yacc. But you shouldn't need to regenerate them. Touching them to update their timestamps will harm nothing; the next time you run make, it will see that the .c and .h files are up to date, but it will recognize that the corresponding .o files are out of date and just compile the two files. Done.
--Cliff
Re: make fails - no flex
On Mon, 20 May 2002, Petryczka, George wrote:
> My apache make fails with:
> Error: Cannot load flex.
>
> I never heard of flex. Is this just a fancy lex? Can i substitute lex for
> flex in the makefile? I'm on HPUX11.0.
> Else can i download flex from somewhere?
fast lex. It's GNU's lex. But you shouldn't need it. In the mod_ssl build directory, do the following:
touch ssl_expr_parse.c
touch ssl_expr_parse.h
touch ssl_expr_scan.h
And then it shouldn't try to use flex anymore. What version of mod_ssl and Apache is this, by the way?
--Cliff
Re: ssl proxy
On Fri, 17 May 2002, Petryczka, George wrote:
> Can a httpd be set up as a "secure proxy"? Ie.: forward requests from a
> client (a client that doesn't get involved with any ssl stuff itself) on
> to an HTTPS site?
Yes. With Apache 1.3 / mod_ssl 2.8.x, you _might_ have to enable SSL_EXPERIMENTAL or something like that, I'm not sure. But it can be done.
--Cliff
Re: certificate in Apache2.0.36!
On Thu, 16 May 2002, Nay Mooly wrote:
> I want to use ssl with mod_ssl in Apache2.0.36.
> # make certificate TYPE=custom
> Then I get this message
> make*** no rule to make target 'certificate' discontinuation
Please see my message from earlier today on this subject, subject "Re: make certificate TYPE=custom?"
--Cliff
---------- Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
Re: make certificate TYPE=custom?
On Thu, 16 May 2002, Peter Viertel wrote:
> make certificate does not work in apache 2 yet.
IIRC, the official consensus on the httpd dev list was that we will NOT support make certificate in Apache 2.x at all, with the reasoning that test certificates just tend to confuse people who don't know what they're doing. Granted, there is a documentation bug which still indicates that make certificate is available. There's a bug report about that and our doc people will hopefully get around to fixing that soon. I'm not saying I personally agree with the dropping of make certificate, but it was the group's decision, not mine. And I suppose I see the reasoning. All you need is a few commands from openssl to do the same thing, and those are well-documented. Just so you know.
--Cliff
Re: SSLSessionCache: shared memory cache not useable on this platform
On Wed, 15 May 2002, Ted Bannon wrote:
> I've been trying to make use of the SSLSessionCache shared memory option in
> my Apache config:
>
> #SSLSessionCacheshmht:/data/home/apache/1.3.24/logs/ssl_scache(512000)
> #SSLSessionCacheshmcb:/data/home/apache/1.3.24/logs/ssl_scache(512000)
> SSLSessionCache dbm:/data/home/apache/1.3.24/logs/ssl_scache
> #SSLSessionCache
> shm:/data/home/apache/1.3.24/logs/ssl_gcache_data(512000)
Note that shm: is equivalent to shmht: ... there are really only two types of shm session caches.
> SSLSessionCache: shared memory cache not useable on this platform
You need to define EAPI_MM when building Apache. See the INSTALL file for mod_ssl, somewhere around line 281.
--Cliff
Re: OT: Getting ssl information in another module
On 12 May 2002, Erik Axel Nielsen wrote:
> I have been looking all over (apache search, google, and in the source)
> for a description for the ap_ctx_get
> function and haven't found anything.
ap_ctx_* were part of Ralf's EAPI extensions to Apache, which were a set of patches that had to be applied to Apache in order for mod_ssl to work. EAPI for 1.3.x was distributed with mod_ssl. It no longer applies.
> I wondered if you could give me a hint on where I could get the
> information to:
> 1. check if mod_ssl is used (a https:// request)
> 2. Get the cipher,key and maxkey.
You might want to ask these on [EMAIL PROTECTED] I'd answer them myself but I don't know the answers. The optional function ssl_lookup_var() would probably help out though.
--Cliff
------ Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
Re: prng seeding in mod_ssl 2.8.6
On Fri, 10 May 2002, Joe Orton wrote:
> On Fri, May 10, 2002 at 05:51:04PM +0100, Noel O'Kelly wrote: > > We have a report of a problem from 2.8.6 onwards due to a change in the > > seeding of the PRNG which halves the > > performance of SSL requests. Any update on this ??? > > Hi, here's the fix we're using... > > Submitted by: Nalin Dahyabhai <[EMAIL PROTECTED]> > > --- mod_ssl/pkg.sslmod/ssl_engine_rand.c > +++ mod_ssl/pkg.sslmod/ssl_engine_rand.c > @@ -156,6 +156,9 @@ > */ > if (ap_scoreboard_image != NULL && SCOREBOARD_SIZE > 16) { > m = ((SCOREBOARD_SIZE / 2) - 1); > +if (m > 1024) { > +m = 1024; > +} > n = ssl_rand_choosenum(0, m); > RAND_seed(((unsigned char *)ap_scoreboard_image)+n, m); > nDone += m;
FYI, this problem does not affect Apache 2.0+mod_ssl. It _would_ have, because I forward-ported this change to Apache 2.0 between 2.0.32 and 2.0.33. http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_rand.c.diff?r1=1.11&r2=1.12 But the group consensus was that we should *not* be using the scoreboard as a source of entropy at all because it's too easy for the client to manipulate. And then there's this problem. At any rate, the patch was reverted out of Apache 2.0 prior to 2.0.33. http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_rand.c.diff?r1=1.12&r2=1.13 I'd suggest the same change in 2.8.9-dev: just get rid of the scoreboard as a source of entropy altogether.
--Cliff
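Review bot: capping m at 1024 in the hunk removes the per-request cost of reading SCOREBOARD_SIZE/2 bytes, but RAND_seed() is still fed from ap_scoreboard_image, and the reply in this message says the group's view was that the scoreboard is too easy for a client to manipulate to be used as entropy at all; the change to propose for 2.8.9-dev is therefore to drop this RAND_seed() call together with the matching nDone += m, as the reply says was done in Apache 2.0 before 2.0.33, rather than to bound it. If the cap is kept, give 1024 a name and a comment stating that it is a byte count read from the scoreboard, and note that because n = ssl_rand_choosenum(0, m) is computed after the cap, the sampled window moves to the first few KB of the scoreboard as well as shrinking.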
Re: Apache 2.0.36, load balancer and SSLMutex
On Fri, 10 May 2002, Guan Yang wrote:
> When I try to run SSLMutex sem on each server, it is able to respond to 3
> or 4 requests, but then stops working. There is no response. and log
> messages like these appear:
>
> ssl_engine_log:[10/May/2002 15:33:11 29273] [warn] Failed to acquire
> global mutex lock
This is a known bug that should be fixed in a few days. Please see http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8124
--Cliff
------ Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
Re: (OpenSSL library error follows) - in Apache 2.0.35 with mod_ssl
On Mon, 6 May 2002, MegaZone wrote:
> (Wisdom I relearned today - use explicit paths. You never know when
> someone else has left an old install laying around earlier in your
> build path. Like, say, a non-shared openssl which makes a shared
> apache+mod_ssl sad... Not that I wasted a lot of time on that...)
Bummer, yeah, that's a kind of nasty one. We're trying to figure out a clean way to get around that problem, but haven't gotten anything in yet. Glad you got it.
--Cliff
---------- Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
Re: (OpenSSL library error follows) - in Apache 2.0.35 with mod_ssl
On Mon, 6 May 2002, MegaZone wrote:
> [06/May/2002 21:07:05 21504] [error] Unable to set session id context to
> `[server]:443' (OpenSSL library error follows)
> [06/May/2002 21:07:05 21504] [error] OpenSSL:
> error:140DA111:lib(20):func(218):reason(273)
Let me guess, SHMCB, right? Download 2.0.36 (released today) and use that. SHMCB is now fixed.
--Cliff
------ Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
Re: virtual hosting and ssl
On Mon, 6 May 2002, Andrew Lietzow wrote:
> > ServerAdmin [EMAIL PROTECTED]
> ...
> > ServerAdmin [EMAIL PROTECTED]
Change those to 192.168.1.1:80, and you're fine. Of course you realize that that means your second ssl vhost will have to be accessed as https://secure.anotherdomain.com:745/ , right?
--Cliff
---------- Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
Re: Whats this when running httpd -l?
On Thu, 2 May 2002 [EMAIL PROTECTED] wrote:
> suexec: disabled; invalid wrapper /opt/apache/bin/suexec
No, it just means you probably left out the --enable-suexec or one of the --with-suexec-foo arguments to ./configure.
--Cliff
-- Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
Re: Apache 2.0.36 with mod_ssl and working SSL-ProxyPass for Windows(NT or 2000) ???
On Thu, 2 May 2002, Dwayne Miller wrote:
> First I've seen of the SSL issues still remaining. I thought 2.0 WOULD
> have SSL because the SSL restrictions went away. Can you point me to a
> location where I can catch up on the ongoing discussions/questions?
> Not that I have a problem compiling it... just curious.
I honestly haven't followed it that closely. It's something along the lines of it's clear that we can distribute _source_ for strong encryption software from within the US, but it's not clear that we can distribute _binaries_ of strong encryption software. I personally think that's ridiculous, but some of the developers involved with creating the binary distributions just felt that this was the safer path until the government makes it clearer to us what's allowed and what's not. Search the archives for [EMAIL PROTECTED], it's in there somewhere.
--Cliff
------ Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
Re: Apache 2.0.36 with mod_ssl and working SSL-ProxyPass for Windows(NT or 2000) ???
On Thu, 2 May 2002, Johannes Artur Bertscheit wrote:
> Is it planned to test the next release 2.0.36 on windows / support it
> for windows including SSL-ProxyPass?
Current release schedule has 2.0.36 coming out on Monday. Win32 binaries will be provided and are well-supported. BUT: official binaries from apache.org don't include mod_ssl due to ongoing questions of export restrictions. You can compile it yourself with VC6. ProxyPass https->http has been fixed.
--Cliff
Re: More Apache 2.0.35 testing
On Wed, 1 May 2002, Mads Toftum wrote:
> Yes, that is the one -
> http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_scache_shmcb.c
> The next version of apache2 should be tagged in the tree - a new release
> is probably not too far away.
Yep. SHMCB was totally messed up in 2.0.35. (SHMHT worked I think.) Aaron Bannert and I spent some long hours a few evenings ago getting it to work right. :) Anyway, as you say, the change is in for 2.0.36, which is in final testing and should be released in the next few days.
--Cliff
Re: win2000 compile
On Tue, 30 Apr 2002, Dwayne Miller wrote:
> Try extracting the zip again (or get ssl_expr_parse.x from CVS). Your
> attempt to build probably resulted in empty files for
> ssl_expr_parse.c/.h. Then edit (or touch) the .c/.h version to make
> them modified after ssl_expr_parse.y. They do not need to be rebuilt,
> but since their timestamps are wrong, make believes they are out of date.
Right. The timestamps were bad in the tarball. This is fixed in 2.0.36, which will be released soon. For now, the files you need to touch are:
ssl_expr_parse.c
ssl_expr_parse.h
ssl_expr_scan.c
--Cliff
------ Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
Re: Performance issues - testing
On Mon, 29 Apr 2002, paul priestman wrote:
> I am having worries about the performance of using mod_ssl. Can anyone
> suggest any good testing package that will give me hits per second when
> running on a https server and hits per second when running on a normal http
> server so i can compare the performance. I am using apache 1.3.22 with mod
> ssl.
ApacheBench (ab), which comes with Apache, supports SSL. Or at least the one that comes with Apache 2.0 does... I don't know about the 1.3 version.
--Cliff
---------- Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
Re: Problem loading mod_ssl.so in Apache 1.3.24
On Tue, 23 Apr 2002, Aryeh Katz wrote:
> poster specified a win32 environment, ssleay32.dll is one of the two
> openssl libs on win32.
Ah missed that. Sorry. :)
Re: Problem loading mod_ssl.so in Apache 1.3.24
On Tue, 23 Apr 2002, Aryeh Katz wrote:
> make sure that ssleay and libeay are both in the path.
Um, or libssl and libcrypto from openssl (in the library path, that is). ssleay's getting to be pretty old these days. :)
Re: http and https
On Thu, 18 Apr 2002, R. DuFresne wrote:
> Would this not still leave port 80 open and bound?
It would, yes.
> Is not just removing the port declarations for 80 and only having 443
> set better and perhaps more secure?
That's a case-by-case decision. In some cases, it would be insufficiently secure to leave open port 80 (as when the initial request contains privileged information). In other cases, it's only the response or subsequent requests that are privileged, so it's okay to let the initial request come in on port 80 as long as you immediately bounce them over to https. In that situation, leaving port 80 open is just a convenience for your users (in case they type http: by mistake), if you deem it safe to provide that convenience.
--Cliff
Re: http and https
On Thu, 18 Apr 2002 [EMAIL PROTECTED] wrote:
> Now if I enter this
> http://server/www/index.php
> I get to the same location and it is not SSL secured
> So my question is can you turn off access to http?
See the SSLRequireSSL directive. Or you might want to set up a Redirect so that the client is automatically sent over to the https side.
--Cliff
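The two options just named, SSLRequireSSL and a Redirect to the https: side, together with the port-80 caveat in the previous reply, modelled as an added example that is not Apache code: handle() refuses plain-http requests under a prefix that stands for a Location carrying SSLRequireSSL (403, the status mod_ssl uses for that directive), redirects other safe GET/HEAD requests to the same URL on https, and refuses rather than redirects anything that already carried a body in the clear. The request dict layout, the REQUIRE_SSL_PREFIXES list and that last rule are constructed assumptions for the illustration.

```python
"""Model of the two ways the thread gives to keep a resource off plain http.

Added example, not Apache code. A request is a dict with scheme, host, path,
method and optionally query and body; the policy below stands in for an
SSLRequireSSL <Location> plus a site-wide Redirect to https.
"""
from urllib.parse import urlunsplit

# Locations that must never be served (or even redirected) over plain http,
# the equivalent of SSLRequireSSL inside their <Location>/<Directory>.
REQUIRE_SSL_PREFIXES = ("/www/",)


def https_url(req):
    """The same host, path and query, but with the https scheme."""
    return urlunsplit(("https", req["host"], req["path"], req.get("query", ""), ""))


def handle(req):
    """Return (status, location) for one request; location is set only for a redirect."""
    if req["scheme"] == "https":
        return 200, None                       # already on the SSL vhost
    if req["path"].startswith(REQUIRE_SSL_PREFIXES):
        return 403, None                       # SSLRequireSSL: refuse, never redirect
    if req["method"] in ("GET", "HEAD") and not req.get("body"):
        return 301, https_url(req)             # Redirect: bounce the client to https
    # A body (form data, upload) has already crossed the wire in the clear; a
    # redirect would only invite the client to resend it, so refuse instead.
    return 403, None


if __name__ == "__main__":
    # Constructed requests: the thread's own http://server/www/index.php and a few more.
    for r in (
        {"scheme": "http", "host": "server", "path": "/www/index.php", "method": "GET"},
        {"scheme": "http", "host": "server", "path": "/index.html", "method": "GET"},
        {"scheme": "http", "host": "server", "path": "/login", "method": "POST", "body": b"pw=x"},
        {"scheme": "https", "host": "server", "path": "/www/index.php", "method": "GET"},
    ):
        print(r["scheme"], r["method"], r["path"], "->", handle(r))
```

Which of the two branches a given path belongs in is exactly the case-by-case judgement the earlier reply describes: a redirect is fine when only the response is sensitive, refusal is right when the request itself is.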
Re: searching for Windows NT binary of Apache 2.0.35 with mod_ssl
On Thu, 18 Apr 2002, Johannes Artur Bertscheit wrote:
> and I tried to compile the sources with Visual C++ 6.0 without success
> (strange compilation errors occurred).
Which errors? You do realize that you need sed installed to compile it, right? See http://apr.apache.org/compiling_win32.html for tips.
--Cliff
Re: Apache 2.xxxx and mod-ssl ???
On Thu, 18 Apr 2002, Alban Médici wrote:
> Is there anybody known if mod ssl announce a version working with Apache
> 2.0.35 or later than 1.3.24 ?? Should I wait for a new version of modssl
> for apache 2 or use apache 1.3.24 ??
Apache 2.0 comes bundled with mod_ssl. I suppose www.modssl.org should be updated to reflect that...
--Cliff
Re: Problems with Apache 2.0.35 and SSL
On Wed, 17 Apr 2002, paul priestman wrote:
> 1. I have managed to install Apache 2.0.35 with mod SSL but it only works
> when i specify the servername as being the server's IP address instead of the
> actual name - is this a bug or is this the way Apache intended?
Do you mean in the actual ServerName directive? No that's not intended, but I've also never seen this problem. Can you email me a configuration snippet that demonstrates the problem?
> Cannot load /opt/local/apache/apache_2.0.35/modules/mod_ssl.so into server:
> ld.so.1: /opt/local/apache/apache_2.0.35/bin/httpd: fatal: relocation error:
> file /opt/local/apache/apache_2.0.35/modules/mod_ssl.so: symbol
> X509_INFO_free: referenced symbol not found
>
> Is this a common bug?
Yes, it's a fairly frequently asked question. The problem is that you've built a shared mod_ssl against a static OpenSSL (ie, libssl.a and libcrypto.a instead of .so). That won't work because the way the build system currently works, OpenSSL is linked into httpd, not mod_ssl. httpd doesn't need the symbols from the OpenSSL libraries, so the static linker throws them away, meaning they're no longer available when mod_ssl is dynamically linked at runtime. Solution: use a shared OpenSSL.
--Cliff
------ Cliff Woolley [EMAIL PROTECTED] Apache HTTP Server Project
Re: Reinstalling a Thawte CRT - Feasible?
On Sun, 14 Apr 2002, Andrew Lietzow wrote:
> Now I have installed SuSE 7.3 on this new server and I need to reinstall my
> CERT. I have the securedomainname.crt file in my possession on a diskette
> but I do not have the original securedomainname.key file, or the
> securedomainname.csr file (because I trust servers to never crash?). The
> files are gone now as I have completely reformatted that system during the
> new install.
Sorry to be the one to have to tell you this, but you can't mix-and-match like that. The certificate is absolutely tied to the private key, because the certificate contains the public key. So you can't use the certificate/public key unless you have the private key that goes with it. I don't know if Thawte has a "replacement" program... I think some of the CA's do. So maybe you can get a reissued certificate to go with your new private key for less than the full price. Good luck,
Cliff
---------- Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
RE: modssl for Apache 2.0
On Thu, 11 Apr 2002, R. DuFresne wrote:
> I've found this, do I point at the openssl dir I have all the sub dirs
> and bins installed in, or to the source tree they were compiled from?
The install dir's prefix. So, for example, if your OpenSSL is in /usr/lib and /usr/include/openssl, then you'd use --with-ssl=/usr
PS: warning, danger Will Robinson: I heard a rumor that if you link to a static OpenSSL (ie, libssl.a and libcrypto.a) instead of a shared one (libssl.so and libcrypto.so) and you use mod_ssl as a DSO, then it breaks. If you get errors along the lines of unresolved symbols such as X509_INFO_free, this is probably what's going on. Watch out for that!
--Cliff
Re: lex and yacc was Re: Apache 2.0.35 and SSL
On Thu, 11 Apr 2002, Mads Toftum wrote:
> Given that this is probably the same problem as we have seen with the
> "old" mod_ssl - my guess is more like a broken tar that resets timestamps.
That could explain some of it. But I feel like there might be something else going on too, because...
> But I haven't verified the problem because it never failed for me :)
It gets rebuilt on me from time to time, and I only ever use CVS (which maintains timestamps), not tarballs (unless I'm testing a pre-release). Of course, I have lex and yacc, so it builds fine, but it's still annoying because it causes a difference in my otherwise pristine tree which it then wants me to commit. :)
--Cliff
RE: modssl for Apache 2.0
On Thu, 11 Apr 2002, R. DuFresne wrote:
> Lookin at it now. So, are compile directives pretty much the same, as for
> pointing at the ssl source and mm source trees? The docs are not as clear
> on this as Ralf has them in the mod-ssl structures.
Look at ./configure --help for starters. Hint: --with-ssl=DIR is probably what you're looking for. Oh, and Apache 2.0's mod_ssl doesn't use mm anymore... it uses the shared memory support that's built in to APR.
--Cliff
Re: lex and yacc was Re: Apache 2.0.35 and SSL
On Thu, 11 Apr 2002, paul priestman wrote:
> flex -Pssl_expr_yy -s -B
> /home/user/jwoodman/apache/httpd-2.0.35/modules/ssl/ssl_expr_scan.l
> sh: flex: not found
> *** Error code 1
I *wish* I could figure out why it is that mod_ssl feels the need to regenerate the scanner and parser sometimes. It happens to me every now and then but I haven't pinned down the cause. Best guess is that you did a copy of the files without preserving the timestamps? Anyway, we distribute the generated files... you already have them, you just need to update the timestamps on them so that you can convince make they're not out-of-date. Do this:
cd httpd-2.0/modules/ssl
touch ssl_expr_scan.c
touch ssl_expr_parse.c
touch ssl_expr_parse.h
Then it should work fine.
--Cliff
------ Cliff Woolley [EMAIL PROTECTED] Apache HTTP Server Project
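The timestamp repair given in this message and in the earlier "make fails - no flex" and "win2000 compile" replies, as an added example that is not httpd's or mod_ssl's code: it applies make's own rule (a target whose prerequisite has a newer mtime gets rebuilt) to the three generated files, reports which of them make would hand to yacc or flex, and touches only those. The file names are the ones the thread lists; the temporary tree it builds, with deliberately stale timestamps, is constructed for the demonstration.

```python
"""Detect and repair stale timestamps on mod_ssl's generated scanner/parser files.

Added example, not httpd/mod_ssl code. make regenerates a target whenever one
of its prerequisites has a newer mtime; the generated .c/.h files are shipped,
so touching them is enough and no flex or yacc is needed.
"""
import os
import tempfile
import time

# Generated file -> the source it was produced from (names as in modules/ssl).
GENERATED = {
    "ssl_expr_parse.c": "ssl_expr_parse.y",
    "ssl_expr_parse.h": "ssl_expr_parse.y",
    "ssl_expr_scan.c": "ssl_expr_scan.l",
}


def stale_targets(directory):
    """Return the generated files make would try to regenerate with yacc/flex."""
    stale = []
    for gen, src in GENERATED.items():
        gen_path = os.path.join(directory, gen)
        src_path = os.path.join(directory, src)
        if not os.path.exists(gen_path):
            stale.append(gen)                   # missing: make has to build it
            continue
        if os.path.exists(src_path) and \
                os.stat(src_path).st_mtime > os.stat(gen_path).st_mtime:
            stale.append(gen)                   # older than its source: make rebuilds it
    return stale


def refresh_timestamps(directory):
    """touch(1) the stale generated files that exist; return the names touched."""
    touched = []
    for gen in stale_targets(directory):
        path = os.path.join(directory, gen)
        if os.path.exists(path):
            os.utime(path, None)                # atime/mtime := now, exactly what touch does
            touched.append(gen)
    return touched


def make_broken_tree():
    """Constructed sample: a tarball-style tree where the sources are newer than the outputs."""
    d = tempfile.mkdtemp()
    an_hour_ago = time.time() - 3600
    for name in GENERATED:
        p = os.path.join(d, name)
        open(p, "w").close()
        os.utime(p, (an_hour_ago, an_hour_ago))
    for name in set(GENERATED.values()):
        open(os.path.join(d, name), "w").close()   # mtime is now
    return d


if __name__ == "__main__":
    tree = make_broken_tree()
    print("stale before:", stale_targets(tree))
    print("touched:     ", refresh_timestamps(tree))
    print("stale after: ", stale_targets(tree))
```

Because only the generated files are touched, nothing else in the tree changes and make will still recompile the corresponding .o files, which is the outcome the reply above describes.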
Re: apache 1.3.12 with newer mod_ssl
On Wed, 10 Apr 2002 [EMAIL PROTECTED] wrote:
> What are the issues with using a newer mod_ssl with an older apache?
First of all, it would be difficult to get the patches to apply without heavy manual assistance.
> I need to use Apache 1.3.12 for a project and am wondering if I can use
> the newer mod_ssl releases? Are there bugs or vulnerabilities with the
> mod_ssl for Apache 1.3.12 or is it safe to use the older mod_ssl?
Secondly, there are both bugs and (relatively minor) vulnerabilities in older versions of both mod_ssl and Apache.
--Cliff
RE: modssl for Apache 2.0
On Thu, 11 Apr 2002, R. DuFresne wrote:
> When is apache 2.0 coming out of beta and into primetime?
How did you manage to miss the party? :) It went GA last week with the release of 2.0.35.
--Cliff
RE: modssl for Apache 2.0
On Thu, 11 Apr 2002, George Walsh wrote:
> As for windows, that is NOT my cup of tea. We are a Micro-soft Free zone
> here, so I cannot comment on the peculiarities you might experience in
> your environment. I really do not know why you would want to run a secure
> server on top of a windows box, but then I admit to a happy ignorance
> about it, at least :-)
FWIW, in 2.0, the Win32 port of Apache is just as solid and performant as the Unix port. (Of course, it is intended for WinNT, 2k, and XP, not the consumer-level ones (95, 98, and ME)...)
--Cliff
------ Cliff Woolley [EMAIL PROTECTED] Apache HTTP Server Project
Re: modssl for Apache 2.0
On Wed, 10 Apr 2002, Chuck Goehring wrote:
> I see all the activity on the list about Apache 2.0 and modssl. Where
> can I get the necessary "stuff" for Apache 2.0. I don't see it on the
> modssl, openssl or Apache web sites. I need to get ssl up on Apache on
> Windows 2000.
mod_ssl now comes bundled with Apache 2.0. Just download the .zip or the .msi from http://www.apache.org/dist/httpd/ and openssl from http://www.openssl.org/ if you don't already have it and that's all you need.
--Cliff
------ Cliff Woolley [EMAIL PROTECTED] Apache HTTP Server Project
Re: Apache 2.0 and SSL
On Tue, 9 Apr 2002, George Walsh wrote:
> I, for one, would be more than happy to use Apache 2.0. BUT, I need
> mod_ssl to function and as I understand it, mod_ssl applications cannot
> cope with cgi, so I really have no place to start.
Just to clarify for those who might be listening and didn't follow George's earlier posts, Apache 2.0 handles https: requests to CGI's perfectly fine. EXCEPT when you try to configure it to renegotiate on a POST request (which could happen if, say, your cgi-bin directory had per-directory SSL parameters set (eg SSLProtocol or requiring a client certificate)). [As a bit of historical reference, those of you who've been around for a while will recall that mod_ssl for Apache 1.3 had the same problem (worse, actually... it just gave an I/O error) until version 2.3.10, when the method not allowed response and an experimental workaround were put in. It remained available only with --enable-rule=SSL_EXPERIMENTAL up until version 2.5.0.]
--Cliff
---------- Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
Re: Apache 2.0.* and SSL
On Tue, 9 Apr 2002, Eli Marmor wrote:
> This, exactly, was one of my intentions when I opened this thread.
Glad to hear it. :)
> BTW: Great article about 2.0, Cliff! (IIRC, it was Linux Magazine).
Thanks! It's good to know that people got something out of it. PS: for anyone else who's interested but missed it, it just recently became available online at linux-mag.com.
--Cliff
------ Cliff Woolley [EMAIL PROTECTED] Apache HTTP Server Project
Re: Apache 2.0.* and SSL
On Tue, 9 Apr 2002, Mads Toftum wrote:
> I too could add a whole lot of reasons to not migrate if you're doing SSL.
> Up to about a week before Apache went GA, there were substantial commits to
> SSL code which to me makes it an essentially untested module.
While I can't wholly disagree with you, I will point out that the only way we can ever really consider SSL "tried and true" is if the people _from_this_group_ test it extensively and help us find the problems with it. Your participation is vital... really! Thanks all,
Cliff
------ Cliff Woolley [EMAIL PROTECTED] Apache HTTP Server Project
Re: [BugDB] SSL problem question (PR#692)
On Mon, 8 Apr 2002 [EMAIL PROTECTED] wrote:
> Hi my name is Jaymes Redus and I work with Affiliated Computer Systems
> here in Tallahassee, I just wanted to ask a question concerning a SSL
> issue that we are having. We are having a problem with our Upload
> functionality on our Web Application. It seems that if a customer tries
> to upload a file or text file(encrypted) that's under 57 MB it works
> fine but if the file is 58 MB(encrypted) or higher the upload fails.
Several Win32 system calls have (ridiculous) hidden limits right around the 56-57MB limit. Among the ones I've seen that fail when passed more data than that in a single call:
WriteFile()
TransmitFile()
I'm willing to bet you're using WriteFile(). If so, make sure you check its return code for errors. You'll get back something like ERROR_INSUFFICIENT_RESOURCES (or something like that, I don't remember exactly what it is off the top of my head). You'd have to loop on the WriteFile() call and pass it bite-sized chunks to get it to work. But in general, do you really want a web application buffering that much in memory? Surely not.
--Cliff
---------- Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
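The loop-in-chunks advice above, as an added example that is not code from the thread or from the poster's application: LimitedSink is a constructed stand-in for a write call that fails outright when handed more than a hidden per-call limit and may also accept fewer bytes than offered, write_one_shot shows the pattern that breaks, and write_chunked streams from a file object in bounded pieces while checking every return value, so nothing near the whole upload is held in memory at once. The limit is tiny here so the example runs instantly; every name in it is hypothetical.

```python
"""Write a large payload through a call with a hidden per-call size limit.

Added example, not from the thread. LimitedSink stands in for a call like
WriteFile() that fails when given too much in one go; write_chunked is one way
to loop over such a call with bounded pieces and a check on every return.
"""
import io


class LimitedSink:
    """Constructed stand-in for a size-limited write call that may also write short."""

    def __init__(self, max_per_call, accept_per_call=None):
        self.max_per_call = max_per_call                        # bigger calls fail outright
        self.accept_per_call = accept_per_call or max_per_call  # bytes actually taken per call
        self.received = bytearray()
        self.calls = 0

    def write(self, buf):
        """Return bytes accepted, or -1 on failure (the error the caller must check for)."""
        self.calls += 1
        if len(buf) > self.max_per_call:
            return -1
        taken = min(len(buf), self.accept_per_call)
        self.received += buf[:taken]
        return taken


def write_one_shot(sink, data):
    """The pattern that breaks: hand over the whole buffer and assume it worked."""
    return sink.write(data) == len(data)


def write_chunked(sink, src, chunk_size):
    """Stream src (a binary file object) to sink in pieces of at most chunk_size bytes.

    Returns the total number of bytes written; raises OSError on a failed write.
    Only one chunk is in memory at a time, so the upload size does not matter."""
    total = 0
    while True:
        piece = src.read(chunk_size)
        if not piece:
            return total
        view = memoryview(piece)
        while len(view):
            n = sink.write(view)
            if n <= 0:                      # error, or no progress: do not spin forever
                raise OSError("write failed after %d bytes" % total)
            total += n
            view = view[n:]                 # short write: resend only the remainder


def demo(limit=1000, chunk_size=1000, accept_per_call=None):
    """Run both approaches on a constructed 5120-byte payload and summarise the outcome."""
    data = bytes(range(256)) * 20
    naive_ok = write_one_shot(LimitedSink(limit), data)
    sink = LimitedSink(limit, accept_per_call)
    total = write_chunked(sink, io.BytesIO(data), chunk_size)
    return {"naive_ok": naive_ok, "total": total, "calls": sink.calls,
            "intact": bytes(sink.received) == data}


if __name__ == "__main__":
    print(demo())                       # one-shot fails, chunked succeeds in 6 calls
    print(demo(accept_per_call=700))    # with short writes it takes 11 calls, data still intact
```

The inner loop is the part that matters: a single write that returns fewer bytes than offered is not an error, so the remainder is resent, while a negative (or zero) return is treated as the failure the reply says to check for.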
RE: Apache 2.0.* and SSL
On Mon, 8 Apr 2002, Steve Gonzales wrote:

> One list is enough for me. SSL theory doesn't change from 1.3.xx to
> 2.0.xx; only the configuration and installation changes.

And even that is mostly the same. :)

------
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
Re: Apache 2.0.* and SSL
On Mon, 8 Apr 2002, Eli Marmor wrote:

> I think that we should open a special mailing list for mod_ssl of
> Apache2.

My personal opinion would be that most modssl users' questions will be of
the same nature regardless of version. The kinds of questions we get here:

  (1) why can't I use NBVH+SSL?
  (2) how do I get my certificate created and/or to work
  (3) I'm having problems getting IE to connect, what do I do?
  (4) ...

The answers to these questions are all the same regardless of whether
you're talking about 1.3 or 2.0, and there will always be those of us on
the httpd development team that listen in on modssl-users for potential
bugs, so in my mind it makes sense to keep the user group as one.

But that's just me... if you guys disagree, then go right ahead and create
a new list.

--Cliff

----------
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
Re: POST / SSL / Client Certificates Problem
On Sun, 7 Apr 2002 [EMAIL PROTECTED] wrote:

> I'm using Apache 2 beta, mod_ssl (obviously), and a few self-signed
> client certificates. My problem is that when I try to POST to a .cgi
> file, I get the following error: "Method not allowed! The POST method is
> not allowed for the requested URL."

This is a known issue with mod_ssl for Apache 2.0... it's on the
modules/ssl/TODO list.

Thanks,
Cliff

----------
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
Re: ca cert questions (was Re: Dumb SSL question)
On 2 Apr 2002, jon schatz wrote:

> we had not chosen to trust). geotrust had me install a CA cert on the
> server and use 'SSLCACertificateFile' to point to it. magically, ie then
> trusted the certificate. so why does this work? i mean, why can't i
> start forging ssl certificates that are trusted by my own ca files that
> i host locally? do browsers do any verification of ca files served up by
> remote machines? feel free to point me to documentation on this one...

The difference is that the CA certificate they would have had you install
(a) is signed by a CA that the browser *does* trust and (b) contains a
flag saying "this certificate may be used to sign other certificates."

SSLCertificateChainFile (and SSLCACertificateFile in this case) is all
about establishing a chain of trust back to some entity (a root CA) that
the browser does trust. Take a look at the CA certificate they gave you...
it will have been signed by some root CA (is Thawte the only one that
actually provides this service? Maybe Verisign does, I don't know.), and
you'll see the special capabilities flags in there as well.

--Cliff

------
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
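An added example, not code from the list or from mod_ssl, that shows the two properties Cliff describes using the openssl command line. It builds a throwaway root, an intermediate carrying the basicConstraints CA:TRUE flag and a server certificate, then tries the "forgery" from the question: a plain server certificate (CA:FALSE) signing another certificate. `openssl verify` plays the browser here; SSLCACertificateFile and SSLCertificateChainFile only hand certificates to the client, and the client decides whether they chain to a root it already trusts. It assumes the openssl binary is on PATH; every name below (demo-root, www.demo.test, the file names) is invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the mailing list, mod_ssl or Apache.
# Builds a throwaway root -> intermediate -> server chain with the openssl
# CLI, shows how to spot the CA:TRUE flag, and shows that a certificate
# without that flag cannot act as a CA no matter how the server serves it.
# Assumptions: openssl is on PATH; all names are invented for this demo.

set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue NAME ISSUER KIND: make $WORK/NAME.key and $WORK/NAME.crt.
# ISSUER is "self" for a self-signed root, otherwise the NAME of the signer.
# KIND is "ca" (basicConstraints CA:TRUE) or "leaf" (CA:FALSE).
# Note that "openssl x509 -req" signs with whatever -CA it is given; it is
# the verifier, not the signer, that enforces the CA flag.
issue() {
    name=$1 issuer=$2 kind=$3
    if [ "$kind" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/$name.ext"
    else
        printf 'basicConstraints=CA:FALSE\n' > "$WORK/$name.ext"
    fi
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1 || return 1
    if [ "$issuer" = self ]; then
        openssl x509 -req -days 1 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
    else
        openssl x509 -req -days 1 -in "$WORK/$name.csr" \
            -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
    fi
}

# has_ca_flag CERT: succeeds when CERT carries basicConstraints CA:TRUE,
# the "may sign other certificates" flag Cliff refers to. Run this against
# the intermediate a CA gives you to see the flag for yourself.
has_ca_flag() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# chain_verifies ROOT UNTRUSTED LEAF: succeeds when LEAF chains to ROOT via
# the certificates in UNTRUSTED. ROOT is what the browser already trusts;
# UNTRUSTED is what the server sends (SSLCertificateChainFile and friends).
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# The honest chain: root signs an intermediate (CA:TRUE), which signs the
# server certificate.
issue demo-root self ca
issue demo-intermediate demo-root ca
issue www.demo.test demo-intermediate leaf

# The forgery attempt: an ordinary server certificate (CA:FALSE) issued by
# the same intermediate is used to sign a second certificate.
issue rogue.demo.test demo-intermediate leaf
issue forged.demo.test rogue.demo.test leaf

# Everything the server would hand out as its "CA certificate file".
cat "$WORK/demo-intermediate.crt" "$WORK/rogue.demo.test.crt" > "$WORK/handed-out.pem"

honest_chain_ok() {
    chain_verifies "$WORK/demo-root.crt" "$WORK/handed-out.pem" "$WORK/www.demo.test.crt"
}
forged_chain_ok() {
    chain_verifies "$WORK/demo-root.crt" "$WORK/handed-out.pem" "$WORK/forged.demo.test.crt"
}

if honest_chain_ok; then echo "www.demo.test: chain verifies"; fi
if forged_chain_ok; then
    echo "forged.demo.test: chain verifies"
else
    echo "forged.demo.test: rejected (its signer lacks CA:TRUE)"
fi
```

Run it as a script. Both certificates are served through the same file, so the difference is not where the CA certificate is hosted; it is that the verifier walks the chain to a root it trusts and checks the CA flag on every signer along the way.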
Re: Performance Issue
On Mon, 1 Apr 2002, Alex wrote:

> I am experiencing exactly the same issue after upgrade of couple of
> servers in our web-farm from Sol.2.6 to Solaris 8 (running on Sun Enterprise).
> We are using Apache 1.3.9 on Solaris 2.6, Apache 1.3.23/mod_ssl 2.8.7 on
> Solaris 8.
>
> Please, let me know if you find something that explains such a high load
> and a way to eliminate it.

As I mentioned the last time (and never got a response):

To help track this down, can you do a before-and-after run of the
following:

  truss -c
  lockstat -CP sleep 5

and email the outputs of both from the old version and the new version to
me?

Thanks,
Cliff

------
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
Re: Performance Issue
On Thu, 2002-03-28 at 13:05, Denis A.V.Jr. wrote:

> I have a few webservers using apache+mod_ssl in our site.
> I have noticed, with the installation of 1.3.2[34] and mod_ssl2.8.[78],
> a significant performance situation. Now I have a very high load
> average, which I never had before with older versions of the software
> (ex: apache1.3.22+mod_ssl 2.8.6).
> The hardware used are all Sun Enterprise with Solaris 2.7.

To help track this down, can you do a before-and-after run of the
following:

  truss -c
  lockstat -CP sleep 5

and email the outputs of both from the old version and the new version to
me?

Thanks,
Cliff

------
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
Re: No solution for bug with IE on Mac?
On Wed, 27 Mar 2002, John Siracusa wrote:

> BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
> BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown
>
> SSLCipherSuite
> !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:
> +LOW:+SSLv2:+EXP:+eNULL

That !EXP56 should be !EXPORT56.

And by the way, the mod_ssl FAQ recommends this:

  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

which is pretty similar to what you have but slightly less restrictive.

--Cliff

------
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
Re: mod_ssl for apache 1.3.24?
On Mon, 25 Mar 2002, Cliff Woolley wrote:

> But if you're in a huge hurry and absolutely can't wait, you can use the
> --force parameter to mod_ssl's configure script.

Just to be clear: this method is NOT recommended. If you can wait for the
next version, I strongly urge you to do so. [In other words, --force at
your own risk. :]

--Cliff

------
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
Re: mod_ssl for apache 1.3.24?
On Mon, 25 Mar 2002, Jimmy Lantz wrote:

> Just wanted to know if there's a mod_ssl version for apache 1.3.24?
> Since the current version will not compile with apache 1.3.24.

I'm sure it's on the way soon. But if you're in a huge hurry and
absolutely can't wait, you can use the --force parameter to mod_ssl's
configure script. 2.8.7 *will* apply to 1.3.24 with no patching failures
(some warnings, but no errors)... I know because I tried it. ;) Granted,
that's the exception rather than the rule... but it does happen to work
for this particular version.

--Cliff

------
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
Re: SSL Session cache and IDs
On Mon, 25 Mar 2002, Mads Toftum wrote:

> The defaults are nokeepalive IIRC - if that affects the session, then
> shouldn't it cut the session short even after the initial request?

nokeepalive doesn't really imply no session caching at all... that's not
exactly what I meant to say. What I was trying to say was that IE doesn't
deal well with sessions in general, which is why kept-alive sessions cause
even more headaches -- IE just does bad things with them. I can't be much
more specific than that because I haven't studied it in depth... but I
just feel like things that would make IE behave better with sessions in
general might make it do the right thing when the server asks for a
renegotiation in this case.

> Setting SSLLogLevel to something like debug and looking for cache
> hits/misses would probably be a good place to start.

This and testing with/without load balancing both sound like a good
plan...

--Cliff

------
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
Re: SSL Session cache and IDs
> On Mon, Mar 25, 2002 at 05:47:04PM -, Bray, Mike wrote:
> > Can anyone help by explaining how the session cache works? We have a web
> > site supported by two servers using a content switch to load balance.
>
> and you're absolutely sure that it is not the client that has requested
> a new session? MSIE usually cuts sessions after a couple of minutes
> (the length varies with the browser and ssl version)

When load balancing, if the back-end servers do not share a session cache,
a client that initiates a session with one server and then gets handed off
to another server will lose the session, because the client will not know
it got handed off. It will present a session to the new back-end server
that the new server knows nothing about, and the server will force a
renegotiation.

> > Does the time out last from the start of the session to the end or
> > does it last from request to request?
>
> It should last from the start of the session until the timeout, but the
> client can cut it short.

The server can also cut it short. This can happen in the above situation
or when the session cache fills up under heavy load (for certain kinds of
session caches).

> > I have seen discussion about nokeepalive with MSIE. Would this affect
> > it?
>
> I don't think so.

I tend to think the two most likely are related. There's less you can do
about it in this case, but the same general techniques might help. What
BrowserMatch settings are you currently using? How is your SessionCache
set up?

--Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
Re: Page size not available
On Fri, 8 Mar 2002, Mark Barton wrote:

> My problem - no, not problem, or even concern... minor bug is that on the
> new installation using 1.3.23 is that the page sizes are no longer
> available (the Page Size property of the served page is listed as 'Not
> Available') on Internet Explorer. I have not changed my httpd.conf file
> between the two installs. This is really no big deal, I was just wondering
> if someone knows why.

FWIW, I did a diff between 1.3.19 and 1.3.23 from the CVS repository and
didn't find anything right off in Apache itself that would have caused
Content-Length to be unset when it didn't used to be, though of course
something could have changed in mod_ssl that would do this, I suppose.

Does this only happen under HTTPS or does it happen with regular HTTP as
well? Can you give me a URL to try out so I can see what the response
headers look like?

Thanks,
--Cliff

------
Cliff Woolley
Apache HTTP Server Project [EMAIL PROTECTED]
Re: I have know idea on this one
On Tue, 5 Mar 2002, Mark wrote:

> [Tue Mar 5 21:11:21 2002] [alert] (22)Invalid argument: setgid: unable
> to set group id to Group 4294967295
> [Tue Mar 5 21:11:21 2002] [notice] Apache/1.3.22 (Unix) mod_ssl/2.8.5

Your system does not support a GID of -1 (2^32-1 = 4294967295). Apache's
install scripts are supposed to test your system to see whether it
supports this GID or not and pick a different one if it doesn't, but due
to a bug in the install script in Apache 1.3.22, that feature was broken
in that release. So just go into your config file and pick a different
gid, and you'll be set (or upgrade to a newer Apache ;).

--Cliff

----------
Cliff Woolley
Apache HTTP Server Project [EMAIL PROTECTED]
Re: install questions
On Sun, 3 Mar 2002, Eric wrote:

> Has anyone done this lately? Do I need to rebuild SSL after building 5
> minutes ago? I'm using openssl 0.9.5a and apache_1.3.22+ssl_1.44.tar.gz.

Two things:

  (1) You're using old versions of everything and should upgrade.

  (2) You're working with Apache-SSL, which is different from mod_ssl,
      meaning that this is not the right forum to answer your question.
      You need to ask this question on the Apache-SSL support forum
      instead. See http://www.apache-ssl.org/ (or you could use mod_ssl
      instead, then we could help you. :-)

Hope this helps,
--Cliff Woolley
Apache HTTP Server Project
Re: Apache Access Violation
On Wed, 13 Feb 2002, c2z4s9 wrote:

> If you are interested I have the NT error info as well (very long and
> confusing to me).

Yes, that's important information. Please post it if it's not incredibly
long, or at least email it to me directly at [EMAIL PROTECTED]

Thanks,
--Cliff

------
Cliff Woolley
Charlottesville, VA
duplicate message delivery
I've been seeing duplicate deliveries of messages to the list from
mmx.engelschall.com for the last few days... Ralf, can you check on this
when you get a chance?

Thanks,
--Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
Re: How do I create a un-encrypted private key (without pass phrase)?
On Wed, 6 Feb 2002, Owen Boyle wrote:

> Having a password means that no-one can use your certificate - even if
> they obtain a copy of it. They can load the cert into their server but
> it won't let the server come up unless they know the password.
>
> The downside is that you have to type in the password personally to
> start apache. Tricks like putting the password in a program and so on
> just shift the risk - the hacker just needs to grab the program.
>
> My personal tuppence-worth is that if you have a machine where there is
> a risk that hackers can steal root-privileged files then you should not
> be running it as an SSL web-server (if they can steal a cert, they can
> steal your customer's private data - exposing you to a liability issue).
> So if you protect your server to the utmost, you have no need of a
> password protected certificate.

s/certificate/private key/g, and this matches my sentiments exactly.
Passphrases just give a false sense of security.

--Cliff

----------
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
Re: ??? 1.3.23
On Sun, 27 Jan 2002, Tom Oehser wrote:

> I found the documentation on how to upgrade *modssl* later, using apxs.
> But that method doesn't seem to apply to upgrading *apache*...

The short answer is that while it *can* be done, it's a very manual
process and it's highly prone to mistakes. If you insist on doing it by
hand, there's a flag you can give to mod_ssl's configure to force it to
try to apply itself to a version it wasn't designed to work with
(--force), but don't be surprised if you get patching errors and have to
manually tweak the Apache source afterward to get it to (a) compile and
(b) run correctly. The safest bet by far is to just wait on the new
version of mod_ssl to be released.

--Cliff

------
Cliff Woolley [EMAIL PROTECTED]
RE: apache + modssl + openssl + Windows Client.
On Fri, 4 Jan 2002, Yu, Ming wrote:

> I use dbm as session cache.

Try an shm session cache and see what happens.

--Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
Re: apache + modssl + openssl + Windows Client.
On Fri, 4 Jan 2002, Yu, Ming wrote:

> I have a box with Solaris 2.8, apache 1.3.20 mod_ssl/2.8.4 OpenSSL/0.9.6b.
> I found it is very slow for windows NT or 2000 client using either IE or
> Netscape. It has very nice speed if it is a Unix or Linux client. Does
> anyone know why?
>
> Thanks in advance for any answers.

What kind of session cache are you using?

--Cliff

------
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
Re: "make certificate" Doesn't Work, Apache 2.0.28, Unix, and mod_ssl
On Wed, 12 Dec 2001, Cliff Woolley wrote:

> On Tue, 11 Dec 2001, Kevin McQuiggin wrote:
>
> > I want to create a dummy self-signed certificate. Despite the Apache
> > documentation, "make certificate" in the top-level source directory doesn't
> > work. There's no "certificate:" target in the Makefile.
>
> This was not present in the 2.0.28 beta, but it or an equivalent should be
> present in 2.0 final when it is released (it might even be in the next
> beta, but it hasn't been checked into CVS yet).

Whoops, a little bad information there. My fault. I had forgotten that
`make certificate` was a thing to generate a _test_ certificate (Snake
Oil), not a real certificate. To generate a real CSR under Apache 2.0.28
is the same as in Apache 1.3, because you do it all with OpenSSL directly.
See http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real .

Thanks,
Cliff

PS: I checked with the group, and it looks like `make certificate` is
_unlikely_ to be in Apache 2.0 final because we're trying to get rid of
test pages (ie "It Worked!") and test certificates and the like because
they are very confusing to end users.
Re: "make certificate" Doesn't Work, Apache 2.0.28, Unix, and mod_ssl
On Tue, 11 Dec 2001, Kevin McQuiggin wrote:

> I want to create a dummy self-signed certificate. Despite the Apache
> documentation, "make certificate" in the top-level source directory doesn't
> work. There's no "certificate:" target in the Makefile.

This was not present in the 2.0.28 beta, but it or an equivalent should be
present in 2.0 final when it is released (it might even be in the next
beta, but it hasn't been checked into CVS yet).

In the meanwhile, you should be able to build a CSR with Apache 1.3+mod_ssl
(where make certificate _does_ work) and use the signed certificate you
get back from the CA with 2.0.28 with no trouble. You could also generate
the CSR using OpenSSL by hand, but it's probably easier to just temporarily
grab a copy of Apache 1.3 and generate your keys and CSR [make sure to
copy them somewhere before you delete your temporary copy of 1.3!].

Hope this helps,
-Cliff Woolley
Apache HTTPD Group
Re: Quick Q on Server Certificates
On Mon, 3 Dec 2001, Chris Allen wrote:

> I have to rebuild my entire setup for serving pages. Need to get all new
> source of php/apache/modssl etc...
> I just received my server certificate from Thawte, and I am wondering do I
> need to go thru this whole process of getting a new cert? Can I just simply
> copy over my server.key and server.crt to the appropriate place where the new
> apache can find them?
> Can I reuse my key and cert with new binaries? If so why, if not :(.

You shouldn't have any trouble at all using it with different binaries.

--Cliff

------
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
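An added example, not code from the list, mod_ssl or Apache, that covers three of the threads above with the openssl command line: turning a pass-phrase-protected key into one Apache can load unattended and protecting it by file mode instead (the point Owen and Cliff make, that the pass phrase was never the real protection), generating the CSR directly with openssl as the Apache 2.0 replies suggest, and the check Chris's question calls for before reusing server.key and server.crt with freshly built binaries: whether the key and the certificate still belong together. It assumes openssl is on PATH; the pass phrase, the host name www.demo.test and the file names are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the mailing list, mod_ssl or Apache.
# Pass-phrase stripping with a 0600 file mode, CSR generation straight
# from openssl, and a key/certificate match check before reusing a pair.
# Assumptions: openssl is on PATH; the pass phrase and names are invented.

set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_encrypted_key FILE PASS: a pass-phrase-protected RSA key, the kind
# that makes Apache prompt at every start.
make_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 >/dev/null 2>&1
}

# strip_passphrase IN PASS OUT: the same key with no pass phrase. The
# subshell umask makes OUT mode 0600 from the moment it exists; in
# production it should also be owned by root, so only root can read it,
# and anyone who already has root could read the pass phrase too.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -passin "pass:$2" -out "$3" >/dev/null 2>&1 )
}

# key_needs_passphrase FILE: succeeds when the PEM file is encrypted.
key_needs_passphrase() {
    grep -q 'ENCRYPTED' "$1"
}

# key_mode FILE: the permission string ls prints, e.g. -rw-------.
key_mode() {
    ls -l "$1" | cut -c1-10
}

# make_csr KEY CN OUT: the request you send to the CA, built with openssl
# directly rather than any "make certificate" target.
make_csr() {
    openssl req -new -key "$1" -subj "/CN=$2" -out "$3" >/dev/null 2>&1
}

# self_sign CSR KEY OUT: stands in for the certificate the CA sends back.
self_sign() {
    openssl x509 -req -days 1 -in "$1" -signkey "$2" -out "$3" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeeds when both carry the same RSA modulus,
# i.e. CERT was issued for KEY. Run it on server.key and server.crt after
# copying them to a rebuilt Apache and before starting it.
key_matches_cert() {
    kmod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

make_encrypted_key "$WORK/server.key.enc" 'demo pass phrase'
strip_passphrase "$WORK/server.key.enc" 'demo pass phrase' "$WORK/server.key"
make_csr "$WORK/server.key" www.demo.test "$WORK/server.csr"
self_sign "$WORK/server.csr" "$WORK/server.key" "$WORK/server.crt"

# A second key that was never used for this certificate.
openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1

echo "server.key mode: $(key_mode "$WORK/server.key")"
if key_matches_cert "$WORK/server.key" "$WORK/server.crt"; then
    echo "server.key matches server.crt: fine to reuse with new binaries"
fi
if ! key_matches_cert "$WORK/other.key" "$WORK/server.crt"; then
    echo "other.key does not match server.crt"
fi
```

The modulus comparison is the whole of the "can I reuse it" question: the certificate binds the public key, not the binary that loads it, so a matching key and certificate work with any Apache build that can read the PEM files.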