Re: Mod_proxy and client certificate auth
On Wed, 7 Jun 2006, BJ Swope wrote:

> From everything I've heard and read, mod-proxy will not proxy HTTPS on the back like what you are asking. You can have HTTPS on the front end but not on the back. It will have to be HTTP to the back.
>
> If you get this working I would LOVE to hear how you got it done

I'm getting end-to-end SSL, just the undesired (this time) effect of having the client cert passed all the way through the chain, which I'd expect folks to want as normal behavior.

Paul
Paul D. Robertson [EMAIL PROTECTED]
My statements in this message are personal opinions which may have no basis whatsoever in fact.
http://fora.compuwar.net Infosec discussion boards
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
Mod_proxy and client certificate auth
Hi,

I'm trying to get mod_proxy to work as an SSL proxy using a client certificate on the proxy to connect to a backend IIS server that's set up to use any client certificate signed by my OpenSSL-based CA.

If I use a browser with the same certificate bundled up as a PKCS12 bundle, through the proxy, it all works, but what I really need is for Apache/mod_ssl to use a locally stored version of the cert/key to connect, then let the IIS server do its normal basic auth. That's one single client cert/key for all externally connecting users (yes, I understand the ramification - it's not for user authentication), not a per-user proxy cert.

Here's what I have in my Apache ssl.conf file:

    RequestHeader set Front-End-Https On
    CacheDisable *
    SSLProxyEngine On
    ProxyPass /app https://iisserver/app
    ProxyPassReverse /app https://iisserver/app
    SSLProxyMachineCertificatePath conf/cert
    SSLEngine on

conf/cert contains user.pem, a .pem cert file with an RSA private key catenated to it. I also have a hash link to the user.pem cert file.

Just in case, I've also added export OPENSSL_ALLOW_PROXY_CERTS=1 to bin/envvars.

Can anyone tell me what I'm doing wrong?

Thanks,

Paul
Paul D. Robertson [EMAIL PROTECTED]
My statements in this message are personal opinions which may have no basis whatsoever in fact.
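One way to sanity-check the kind of bundle described in the message above (a PEM certificate with an RSA private key concatenated to it) before pointing SSLProxyMachineCertificatePath at it. This is an added example, not part of the original post or of mod_ssl; it assumes the mod_ssl documentation's restriction that proxy machine certificates cannot use encrypted private keys, and the function names and sample PEM text are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)
KEY_LABELS = {
    "RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}


def parse_pem_blocks(text):
    """Split PEM text into blocks with label, headers and decoded DER."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        headers, b64_lines = {}, []
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            if ":" in line:  # header such as "Proc-Type: 4,ENCRYPTED"
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
            else:
                b64_lines.append(line)
        try:
            der = base64.b64decode("".join(b64_lines), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            der = None
        blocks.append({"label": label, "headers": headers, "der": der})
    return blocks


def is_encrypted(block):
    """True for PKCS#8 encrypted keys and for traditional encrypted keys."""
    return (block["label"] == "ENCRYPTED PRIVATE KEY"
            or "ENCRYPTED" in block["headers"].get("Proc-Type", ""))


def check_proxy_bundle(text):
    """Return a list of problems found in a certificate-plus-key bundle."""
    problems = []
    blocks = parse_pem_blocks(text)
    certs = [b for b in blocks if b["label"] == "CERTIFICATE"]
    keys = [b for b in blocks if b["label"] in KEY_LABELS]
    if not certs:
        problems.append("no CERTIFICATE block")
    if not keys:
        problems.append("no private key block")
    for block in certs + keys:
        if block["label"] in KEY_LABELS and is_encrypted(block):
            problems.append(f"{block['label']}: private key is encrypted")
        elif block["der"] is None:
            problems.append(f"{block['label']}: body is not valid base64")
        elif block["der"][:1] != b"\x30":  # certs and keys are ASN.1 SEQUENCEs
            problems.append(f"{block['label']}: body is not a DER SEQUENCE")
    return problems


def make_pem(label, der, headers=()):
    """Build PEM text for the constructed samples below."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [f"-----BEGIN {label}-----"]
    if headers:
        lines += list(headers) + [""]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


# Constructed placeholders: tiny DER SEQUENCEs, not real certificates or keys.
FAKE_DER = b"\x30\x03\x02\x01\x00"
GOOD_BUNDLE = (make_pem("CERTIFICATE", FAKE_DER)
               + make_pem("RSA PRIVATE KEY", FAKE_DER))
ENCRYPTED_BUNDLE = make_pem("CERTIFICATE", FAKE_DER) + make_pem(
    "RSA PRIVATE KEY", b"\x8f\x11\x22\x33\x44\x55\x66\x77",
    headers=("Proc-Type: 4,ENCRYPTED",
             "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF"),
)
CERT_ONLY = make_pem("CERTIFICATE", FAKE_DER)

if __name__ == "__main__":
    samples = [("good", GOOD_BUNDLE), ("encrypted", ENCRYPTED_BUNDLE),
               ("cert only", CERT_ONLY)]
    for name, bundle in samples:
        print(name, check_proxy_bundle(bundle) or "ok")
```

The check only looks at PEM structure; whether the key actually belongs to the certificate still has to be confirmed with the openssl command-line tool.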
Re: SSLVerifyClient fails
Sven Löschner wrote:

>> Try using openssl s_client to connect(? arg for options). It'll give a lot of debug info.
>
> Okay, I tried
>
> openssl s_client -connect www.test.de:443 -CAfile /etc/ssl/UserCA/UserCAchaincert.pem -verify 3 -cert /etc/ssl/UserCA/svencert.pem -key /etc/ssl/UserCA/svenkey.pem -reconnect -showcerts -state -bugs
>
> The output is the following:
>
> CONNECTED(0003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=0 /C=DE/ST=NRW/L=Hattingen/O=MX/OU=Demo Server/CN=www.test.de/[EMAIL PROTECTED]
> verify error:num=20:unable to get local issuer certificate

Seems you don't have the required Root-CA-Certificates installed on your webserver. (you need the root-certificate of your client-certificates)

anyone correct me if I'm wrong.

Paul
--
Linux-User #271918 with the Linux Counter, http://counter.li.org/
Re: SSLCACertificatePath
[EMAIL PROTECTED] wrote:

> User authentication works when I specify SSLCACertificateFile
> However, it does not work when I use SSLCACertificatePath
>
> I use the Makefile.crt renamed Makefile in the same directory pointed to by SSLCACertificatePath
> The hash symlinks are created.
>
> The log shows that Apache loads those certificates in, but when I try to authenticate, it can't find them.

Yes, there are some problems with SSLCACertificatePath. I used SSLCACertificateFile and have put all certificate-entries in one file. This worked for me.

Paul
--
Linux-User #271918 with the Linux Counter, http://counter.li.org/
Re: SSLVerifyClient
[EMAIL PROTECTED] wrote:

> Indeed, the trouble was with Safari and Keychain. Apparently, having more than one certificate confuses Safari. I am not sure what to do now, except get a different browser. Any advice would be appreciated.
>
> On Jun 28, 2005, at 11:01 AM, [EMAIL PROTECTED] wrote:
>
>> This can't be the problem, as I specify the CA using SSLCACertificatePath using the proper HASH names. I've also tried SSLCACertificateFile. Using s_client with SSLVerifyClient optional, it shows that the server is correctly identifying which CAs are allowed. I think the problem is with Safari and Keychain. I shall look further into the matter.

Please answer BELOW THE QUOTE! Thank you.

Perhaps you could file a bug against Safari (or have a look in their bug-database (if existent)).

Paul
--
Linux-User #271918 with the Linux Counter, http://counter.li.org/
Invalid command SSLEngine
Newbie to list, please tell me if I've got the wrong one! :)

SuSE 9, Apache 1.3.28 with curl 7.10.5 and openSSL 0.9.7b -- was working with SSL

Updated with rpms to curl 7.11.2 and openSSL 0.9.7d -- Apache won't restart with SSL.

    Syntax error on line 1419 of /etc/httpd/httpd.conf:
    Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module not included in the server configuration
    /usr/sbin/apachectl startssl: httpd could not be started

    <IfDefine DUMMYSSL>
    LoadModule ssl_module /usr/lib/apache/libssl.so
    </IfDefine>

Also tried with no success:

    LoadModule ssl_module /usr/lib/apache/libssl.so.0
    LoadModule ssl_module /usr/lib/apache/libssl.so.0.9.7

Last clue I found on the internet suggested that mod_ssl was not loading. Is that my problem or have I missed something?

thanks,
Paul
Re: mod_ssl and mod_jk (Win32)
Answering my own question in case anyone else ever encounters this:

Modify Tomcat's server.xml specifying scheme=https (rather than scheme=http) for the Connector used to wire Apache and Tomcat.

Paul Christmann wrote:

> Environment: Running Apache 2.0.43/OpenSSL 9.6.g as downloaded from hunter.campbus.com and mod_jk 1.2.1 for build 2.0.43 from jakarta.
>
> Problem: When I access the URL https://localhost/app, I *hope* to get the contents of index.html (i.e., https://localhost/app/index.html). Instead, my browser (Mozilla 1.0) reports a Bad Request error, indicating that there was a protocol error in accessing the URL http://localhost:443/app/index.html. Of course there will be a protocol error -- using http to talk to the https port!
>
> Any ideas where that error might come from? I assume it's something happening with a redirect in Tomcat.
>
> FWIW: Each of the following URLs work fine (right now, I have Apache configured to take all connections either from http or https and forward to Tomcat):
>
> + http://localhost/app
> + http://localhost/app/index.html
> + https://localhost/app/index.html
>
> It's only the https://localhost/app URL that's failing.
>
> Thanks for any assistance,
>
> Paul Christmann
How to read the html content
Hi all,

I am a newbie to this list. I need to know how mod_ssl gets the content (I mean the HTML message body) which the apache sends to the client. If it is difficult to explain, at least please tell in which part of code it is described.

Thanking in advance,
regards
Blesson Paul
Win32 Binary Builds
I'm just installing my first Apache server on a W2K box, and I'd like to include SSL support. From browsing this newsgroup and reading the apache docs, it appears that the following statements are true (please correct me if I'm wrong):

1. mod_ssl source is now bundled in Apache 2.X
2. No binary version of Apache 2.X is available with mod_ssl support.
3. Compiling Apache source requires MSVC 5

I've found several links (thanks primarily to hunter for links and instructions) to downloading SSL executables built for Windows, and am starting to play with them. But I am left with two questions:

1. Why isn't there an Apache 2.X binary distribution with SSL? As best I can tell, there is an issue with export laws. But why doesn't that same issue apply to non-windows builds?
2. I don't have (nor do I want to purchase) a MS license. Without that, is there any way I can compile Apache 2.X? (I have and use cygwin's gcc and make if that matters)

Thanks,
Paul Christmann
Re: Securing directories
Rob,

You might want to use a restricted realm setup and use the authnname and set up a number of users to control the access.

Part I: Restricting access.
Using an authorization file on the folder in question is also possible, but if your users create subfolders, then they will be prompted to reauthenticate as they traverse the subfolders. Using the Authusername might be easier.

Part II: Secure vs. unsecure connections:
If you have both 80 and 443 bound to each of these virtual websites, then users will be able to connect on each port. Inserting the access controls mentioned at the top will work across both. If you want to ensure that users are not able to open this connection via 80, then do not include this port in your listen statements in http.conf.

There are many different ways to deal with this. See the following for more details.

Binding ports and the listen option: http://httpd.apache.org/docs-2.0/bind.html
Authentication overview: http://httpd.apache.org/docs-2.0/howto/auth.html
Users via a password file: http://httpd.apache.org/docs-2.0/howto/auth.html#gettingitworking
Users via a groups file: http://httpd.apache.org/docs-2.0/howto/auth.html#lettingmorethanonepersonin

On Fri, 8 Nov 2002, Robert Lagana wrote:

> Hello,
>
> I'm using mod_ssl .. on Apache .. I would like to secure two directories..
>
> https://www.domain.com/homedir
> https://www.domain.com/homedir2
>
> Now if users go to http://www.domain.com will users get a pop up saying that SSL is required? Is this just a matter of having Port 80 and Port 443 enabled? Do I set these directories up as virtual hosts? Is there a link someone can provide that explains this?
>
> Thanks,
> Rob
RE: Securing directories
Anytime. That's what this group is all about. Let us know once you get things rolling.

Regards,
Paul

On Fri, 8 Nov 2002, Robert Lagana wrote:

> Thank you very much Paul.
>
> Regards,
> Robert
>
> -----Original Message-----
> From: Paul Bleimeyer [mailto:paulb;mayo.edu]
> Sent: Friday, November 08, 2002 2:45 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: Securing directories
>
> Rob,
>
> You might want to use a restricted realm setup and use the authnname and set up a number of users to control the access.
>
> Part I: Restricting access.
> Using an authorization file on the folder in question is also possible, but if your users create subfolders, then they will be prompted to reauthenticate as they traverse the subfolders. Using the Authusername might be easier.
>
> Part II: Secure vs. unsecure connections:
> If you have both 80 and 443 bound to each of these virtual websites, then users will be able to connect on each port. Inserting the access controls mentioned at the top will work across both. If you want to ensure that users are not able to open this connection via 80, then do not include this port in your listen statements in http.conf.
>
> There are many different ways to deal with this. See the following for more details.
>
> Binding ports and the listen option: http://httpd.apache.org/docs-2.0/bind.html
> Authentication overview: http://httpd.apache.org/docs-2.0/howto/auth.html
> Users via a password file: http://httpd.apache.org/docs-2.0/howto/auth.html#gettingitworking
> Users via a groups file: http://httpd.apache.org/docs-2.0/howto/auth.html#lettingmorethanonepersonin
>
> On Fri, 8 Nov 2002, Robert Lagana wrote:
>
>> Hello,
>>
>> I'm using mod_ssl .. on Apache .. I would like to secure two directories..
>>
>> https://www.domain.com/homedir
>> https://www.domain.com/homedir2
>>
>> Now if users go to http://www.domain.com will users get a pop up saying that SSL is required? Is this just a matter of having Port 80 and Port 443 enabled? Do I set these directories up as virtual hosts? Is there a link someone can provide that explains this?
>>
>> Thanks,
>> Rob
RE: Mod_SSL_2.8.10 and OpenSSL_0.9.6g
Geoff,

Are you running 1.x or 2.40 apache?

Regards,
Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Geoffrey Talvola
Sent: Thursday, September 19, 2002 1:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Mod_SSL_2.8.10 and OpenSSL_0.9.6g

I'm using the binaries from the OpenSA package and they are working fine for me, both on NT and on 2000. details at http://www.opensa.org/development/news/101.html

- Geoff

-----Original Message-----
From: David Diehl [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 19, 2002 2:15 PM
To: [EMAIL PROTECTED]
Subject: Mod_SSL_2.8.10 and OpenSSL_0.9.6g

Has anybody got this to function on a NT 4.0 server? I've downloaded and compiled apache 1.3.26 with modssl 2.8.10 and openssl 9.6g and can't seem to get it to work on a NT 4.0 server. It works fine on a windows 2000 server, but when I try and start it on a NT 4.0 server the second apache process never starts and there are no error indications in the log files. I've also downloaded 2 separate precompiled builds and neither of them came with the openssl dll files libeay32.dll and ssleay32.dll, which normally reside in the system32 directory. If I use the ones I compiled, the same symptoms occur. Of course, if I remove all SSL directives from the httpd.conf file, I don't need the dll's and it functions properly. It seems that any version prior to 9.6 i.e. 9.5a functions without any problems.

Any ideas or insight would be greatly appreciated.

Thanks
David
RE: Antw: RE: Apache 2.0.40 - Loaded mod_ssl successfully on w2k?
Andre,

I think I am hitting a wall somewhere. Somewhat the same errors running your code. Could it be my browser? Connections over 80 and 443 are fine, but when I invoke ssl via https://localhost or the server name I get the internal 501 error code.

I shut down my copy, renamed the folder to apache2.old, inserted yours, copied my ssl folder over with my key and cert in it and edited http.conf and ssl.conf to reflect my directory structure.

Any ideas here? I think I am tired, since I can't seem to figure out what's amiss here. Here are my http.conf and ssl.conf files for reference.

Access log still shows:

    127.0.0.1 - - [03/Sep/2002:13:00:37 -0500] L 501 288

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andre Schild
Sent: Tuesday, September 03, 2002 10:25 AM
To: [EMAIL PROTECTED]
Subject: Antw: RE: Apache 2.0.40 - Loaded mod_ssl successfully on w2k?

> Has anyone successfully implemented mod_ssl under 2.40 apache for w2k? I am getting a 501 1051 internal server error back. The ssl engine is loading but no response when I connect to the port.

2.0.40 works fine for me under W2K with OpenSSL 0.9.6e
Did compile it from the scratch...

Binaries are here: http://www.switzerland.net/Pneatec/

André

#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See URL:http://httpd.apache.org/docs-2.0/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
# 1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
# 2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
# 3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with / (or drive:/ for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with /, the value of ServerRoot is prepended -- so logs/foo.log
# with ServerRoot set to C:/Apache2 will be interpreted by the
# server as C:/Apache2/logs/foo.log.
#
# NOTE: Where filenames are specified, you must use forward slashes
# instead of backslashes (e.g., c:/apache instead of c:\apache).
# If a drive letter is omitted, the drive on which Apache.exe is located
# will be used by default. It is recommended that you always supply
# an explicit drive letter in absolute paths, however, to avoid
# confusion.
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at URL:http://httpd.apache.org/docs-2.0/mod/core.html#lockfile);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "C:/program files/Apache Group/Apache2"

#
# ScoreBoardFile: File used to store internal server process information.
# If unspecified (the default), the scoreboard will be stored in an
# anonymous shared memory segment, and will be unavailable to third-party
# applications.
# If specified, ensure that no two invocations of Apache share the same
# scoreboard file. The scoreboard file MUST BE STORED ON A LOCAL DISK.
#
#ScoreBoardFile logs/apache_runtime_status

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile logs/httpd.pid

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to Off to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a
RE: Apache 2.0.40 - Loaded mod_ssl successfully on w2k?
Has anyone successfully implemented mod_ssl under 2.40 apache for w2k? I am getting a 501 1051 internal server error back. The ssl engine is loading but no response when I connect to the port.

    [info] Init: Initializing OpenSSL library
    [Fri Aug 30 15:51:28 2002] [info] Init: Seeding PRNG with 0 bytes of entropy
    [Fri Aug 30 15:51:28 2002] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [Fri Aug 30 15:51:28 2002] [info] Init: Generating temporary DH parameters (512/1024 bits)
    [Fri Aug 30 15:51:28 2002] [info] Init: Initializing (virtual) servers for SSL
    [Fri Aug 30 15:51:28 2002] [info] Server: Apache/2.0.40, Interface: mod_ssl/2.0.40, Library: OpenSSL/0.9.6g
    [Fri Aug 30 15:51:29 2002] [notice] Parent: Created child process 3484
    [Fri Aug 30 15:51:29 2002] [debug] .\server\mpm\winnt\mpm_winnt.c(483): Parent: Sent the scoreboard to the child
    [Fri Aug 30 15:51:29 2002] [info] Init: Initializing OpenSSL library
    [Fri Aug 30 15:51:29 2002] [info] Init: Seeding PRNG with 0 bytes of entropy
    [Fri Aug 30 15:51:29 2002] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [Fri Aug 30 15:51:29 2002] [notice] Child 564: Released the start mutex
    [Fri Aug 30 15:51:29 2002] [info] Init: Generating temporary DH parameters (512/1024 bits)
    [Fri Aug 30 15:51:29 2002] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]

    192.168.1.2 - - [30/Aug/2002:12:30:48 -0500] ?L 501 1051
    192.168.1.2 - - [30/Aug/2002:13:23:04 -0500] ?L 501 1051
    192.168.1.2 - - [30/Aug/2002:14:35:42 -0500] ?L 501 1051
    192.168.1.2 - - [30/Aug/2002:14:35:45 -0500] ?L 501 1051
    192.168.1.2 - - [30/Aug/2002:14:35:53 -0500] ?L 501 1051
RE: Apache 2.0.35 - ssl fails silently?
> Have you tried looking in ssl_engine.log?

That one wasn't being generated.

Now I'm not sure what the problem was, but upgrading to 2.0.40 fixed it. Now that I've seen the build again, it is possible that mod_ssl failed to build, and I missed it as the messages scrolled past. I made sure that it did build for 2.0.40.

Thanks everyone,
Paul

> -----Original Message-----
> From: Paul English [mailto:[EMAIL PROTECTED]]
> Sent: 02 September 2002 22:55
> To: [EMAIL PROTECTED]
> Subject: Re: Apache 2.0.35 - ssl fails silently?
>
>> On Mon, 2 Sep 2002, Paul English wrote:
>>
>>> I'm working with a new setup of 2.0.35 under Linux, and having
>>
>> First of all, why 2.0.35 on a new setup? 2.0.36 was the first full release (back in April). 2.0.40 is the current release.
>
> Oops, I guess I should have said relatively new. It has been up and running without any SSL for a few months. I'm downloading 2.0.40 now, although I think the problem is most likely configuration somehow.
>
> Paul
RE: Antw: RE: Apache 2.0.40 - Loaded mod_ssl successfully on w2k?
Whose compiler did you use?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lakey, Jeremy # IHTUL
Sent: Tuesday, September 03, 2002 10:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Antw: RE: Apache 2.0.40 - Loaded mod_ssl successfully on w2k?

Ditto, compiled from scratch, apache 2.0.40, separately compiled mod_ssl.so and moved it into the apache2 installed directory, worked fine..

-----Original Message-----
From: Andre Schild [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 03, 2002 10:25 AM
To: [EMAIL PROTECTED]
Subject: Antw: RE: Apache 2.0.40 - Loaded mod_ssl successfully on w2k?

> Has anyone successfully implemented mod_ssl under 2.40 apache for w2k? I am getting a 501 1051 internal server error back. The ssl engine is loading but no response when I connect to the port.

2.0.40 works fine for me under W2K with OpenSSL 0.9.6e
Did compile it from the scratch...

Binaries are here: http://www.switzerland.net/Pneatec/

André
Apache 2.0.35 - ssl fails silently?
Hi,

I'm working with a new setup of 2.0.35 under Linux, and having some trouble. I'm not sure where to look as there are no errors in error_log, or /var/log/messages or on the console.

Reading the docs I eliminated:

- having Listen on port 443 and an appropriate virtual host context
- using apachectl startssl to pass -DSSL to the server
- tried using the stock httpd.conf and ssl.conf

None of the above seems to work.

Thrown into the mix I have several interfaces on the machine, and ipchains (for which I've enabled access from everywhere to port 443). I tested all the interfaces using nmap, which just says that port 443 is closed, and telnet.

I've attached my config files to see if anyone else can make sense of it.

Thanks,
Paul

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html
#
# For the moment, see URL:http://www.modssl.org/docs/ for this info.
# The documents are still being prepared from material donated by the
# modssl project.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
<IfDefine SSL>

# Until documentation is completed, please check http://www.modssl.org/
# for additional config examples and module documentation. Directives
# and features of mod_ssl are largely unchanged from the mod_ssl project
# for Apache 1.3.

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
Listen 206.253.195.210:443

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
#ErrorLog logs/dummy-host.example.com-error_log
#CustomLog logs/dummy-host.example.com-access_log common

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shmht:logs/ssl_scache(512000)
#SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:logs/ssl_mutex

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog logs/ssl_engine_log
SSLLogLevel info

##
## SSL Virtual Host Context
##

<VirtualHost 206.253.195.210:443>

# General setup for the virtual host
DocumentRoot /usr/local/htdocs/test
ServerName 3tiergroup.com:443
ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/error_log
TransferLog logs/access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite
Re: Apache 2.0.35 - ssl fails silently?
> On Mon, 2 Sep 2002, Paul English wrote:
>
>> I'm working with a new setup of 2.0.35 under Linux, and having
>
> First of all, why 2.0.35 on a new setup? 2.0.36 was the first full release (back in April). 2.0.40 is the current release.

Oops, I guess I should have said relatively new. It has been up and running without any SSL for a few months. I'm downloading 2.0.40 now, although I think the problem is most likely configuration somehow.

Paul
Changing dummy certificates?
Can anyone tell me how to change the dummy cert? I run gendummycerts again but the old cert is still kept for apache. Thanks!
http or https but not both?
I have a fresh linux installation with apache + mod_ssl. With the mod_ssl module and AddModule uncommented, I can access https://mysite. BUT NOT http://mysite. Any help appreciated!
Warning message when starting modssl
Hello mod ssl users,

I have compiled apache 1.3.26 with modssl. However, when I start apache it gives me a load of warning messages:

    [Fri Jul 19 13:40:36 2002] [warn] module mod_vhost_alias.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_env.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_log_config.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_mime_magic.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_mime.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_negotiation.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_status.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_info.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_include.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_autoindex.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_dir.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_cgi.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_asis.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_imap.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_actions.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_speling.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_userdir.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_alias.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_rewrite.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_access.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_auth.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_auth_anon.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_auth_dbm.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_digest.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_proxy.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_cern_meta.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_expires.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_headers.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_usertrack.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_unique_id.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_so.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_setenvif.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module auth_ldap.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_ssl.c is already added, skipping
    [Fri Jul 19 13:40:36 2002] [warn] module mod_dav.c is already added, skipping

but apache still starts but why is it giving me these warning messages?

thanks
paul
Performance issues - testing
Hello all, I am having worries about the performance of using mod_ssl. Can anyone suggest any good testing package that will give me hits per second when running on an https server and hits per second when running on a normal http server, so I can compare the performance? I am using apache 1.3.22 with mod ssl. Thanks for your time, Paul
Re: Problems with Apache 2.0.35 and SSL
1. I have managed to install Apache 2.0.35 with mod SSL but it only works when I specify the servername as being the server's IP address instead of the actual name - is this a bug or is this the way Apache intended?

Do you mean in the actual ServerName directive? No that's not intended, but I've also never seen this problem. Can you email me a configuration snippet that demonstrates the problem?

Yes, it's the ServerName directive. If I specify the host name e.g. wellington.location.com:8443 then my server starts up okay and will run on http okay, but when I try to go to port 8443 it says that connection is refused - I have tried also just putting wellington.location.com without the port number at the end but with the same effect. However, if I specify the actual IP address of the wellington then this works! - weird

Cannot load /opt/local/apache/apache_2.0.35/modules/mod_ssl.so into server: ld.so.1: /opt/local/apache/apache_2.0.35/bin/httpd: fatal: relocation error: file /opt/local/apache/apache_2.0.35/modules/mod_ssl.so: symbol X509_INFO_free: referenced symbol not found

Is this a common bug?

Yes, it's a fairly frequently asked question. The problem is that you've built a shared mod_ssl against a static OpenSSL (ie, libssl.a and libcrypto.a instead of .so). That won't work because the way the build system currently works, OpenSSL is linked into httpd, not mod_ssl. httpd doesn't need the symbols from the OpenSSL libraries, so the static linker throws them away, meaning they're no longer available when mod_ssl is dynamically linked at runtime. Solution: use a shared OpenSSL.

- this works now!! thanks for your help

--Cliff
mod_auth_ldap with Apache 2.0.35?
Hello, Does anyone know if mod_auth_ldap comes with apache 2.0.35 like mod_ssl and mod_dav etc.? The documentation seems to suggest so but I can't figure out a way to configure the makefile to install the module at compile time. Does anyone have any suggestions? Paul
Apache 2.0.35 with SSL - wont start
Hello all, I have downloaded and installed Apache 2.0.35 with SSL. I have configured the httpd.conf as they suggest in ssl.conf. However, when I try to start apachectl I get the following message:

(13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
./apachectl startssl: httpd could not be started

Has anyone any ideas what I'm doing wrong - I have successfully got ssl working with apache 1.3.22. Thanks for your time, Paul
Re: Apache 2.0.35 with SSL - wont start
I'm actually trying to run this server on port 8443 - the other httpd runs on port 443 but I have stopped this server running (as it's just another test server). I am starting the server as myself - not as root but the port is 1024 anyway. I have tried changing the port to other numbers as well but to no luck. Paul

From: R. DuFresne [EMAIL PROTECTED] To: paul priestman [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Subject: Re: Apache 2.0.35 with SSL - wont start Date: Mon, 15 Apr 2002 09:12:42 -0400 (EDT)

You're not trying to run two httpd's on the same set of ports are you, the old one running while trying to fire up the new? that's what the error suggests I think... thanks, Ron DuFresne

On Mon, 15 Apr 2002, paul priestman wrote: Hello all, I have downloaded and installed Apache 2.0.35 with SSL. I have configured the httpd.conf as they suggest in ssl.conf. However, when I try to start apachectl I get the following message:

(13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
./apachectl startssl: httpd could not be started

Has anyone any ideas what I'm doing wrong - I have successfully got ssl working with apache 1.3.22. Thanks for your time, Paul

-- ~~ admin senior security consultant: sysinfo.com http://sysinfo.com Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart testing, only testing, and damn good at it too!
Re: Apache 2.0.35 with SSL - wont start
So it's trying to bind to 443 - I have stated in my ssl.conf to listen on port 8443 and have set up a virtual host for port 8443 with ssl enabled - how come it tries to bind to port 443? I have therefore tried to start the server as root - it started okay but I cannot make a ssl connection - I go to https://servername.com:443 but get a server error telling me I could not connect to server - in the error logs I get:

mod_ssl: Unable to set session id context to 'servername.com:443' (OpenSSL library error follows)
OpenSSL: error:140DA111::lib(20) :func(218) :reason(273)

(13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
./apachectl startssl: httpd could not be started

It's *not* trying to start on 8443 though... thanks, Ron DuFresne

On Mon, 15 Apr 2002, paul priestman wrote: I'm actually trying to run this server on port 8443 - the other httpd runs on port 443 but I have stopped this server running (as it's just another test server). I am starting the server as myself - not as root but the port is 1024 anyway. I have tried changing the port to other numbers as well but to no luck. Paul

From: R. DuFresne [EMAIL PROTECTED] To: paul priestman [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Subject: Re: Apache 2.0.35 with SSL - wont start Date: Mon, 15 Apr 2002 09:12:42 -0400 (EDT)

You're not trying to run two httpd's on the same set of ports are you, the old one running while trying to fire up the new? that's what the error suggests I think... thanks, Ron DuFresne

On Mon, 15 Apr 2002, paul priestman wrote: Hello all, I have downloaded and installed Apache 2.0.35 with SSL. I have configured the httpd.conf as they suggest in ssl.conf. However, when I try to start apachectl I get the following message:

(13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
./apachectl startssl: httpd could not be started

Has anyone any ideas what I'm doing wrong - I have successfully got ssl working with apache 1.3.22. Thanks for your time, Paul

-- ~~ admin senior security consultant: sysinfo.com http://sysinfo.com Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart testing, only testing, and damn good at it too!
Apache 2.0.35 and SSL
Hello all, I am trying to compile apache 2.0.35 with ssl but it is not working. My config is as follows:

./configure --prefix=/path/whereiwant/apache \
  --enable-ssl \
  --with-ssl=/path/to/openssl

However, on make I get the following error:

flex -Pssl_expr_yy -s -B /home/user/jwoodman/apache/httpd-2.0.35/modules/ssl/ssl_expr_scan.l
sh: flex: not found
*** Error code 1
make: Fatal error: Command failed for target `ssl_expr_scan.c'
Current working directory /home/user/jwoodman/apache/httpd-2.0.35/modules/ssl
*** Error code 1
make: Fatal error: Command failed for target `all-recursive'
Current working directory /home/user/jwoodman/apache/httpd-2.0.35/modules/ssl
*** Error code 1
make: Fatal error: Command failed for target `all-recursive'
Current working directory /home/user/jwoodman/apache/httpd-2.0.35/modules
*** Error code 1
make: Fatal error: Command failed for target `all-recursive'

I have managed to get apache 1.3.22 working with modssl and apache 2.0.35 working without ssl. Thanks for your help. Regards
RE: Job openings
-Original Message- From: Mark J. Matheson [mailto:[EMAIL PROTECTED]] Sent: Thursday, March 07, 2002 9:40 PM To: [EMAIL PROTECTED] Subject: Re: Job openings

avijeet banerjee wrote: We have a requirement for a developer (senior) in a large software development organization. The person should have expertise in C, apache mods, Oracle Pl/sql, and java/jsp experience would be an added advantage. Please send resumes ASAP. thanks Avijeet Avijeet Banerjee

From: "Patrick Willart"<[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] To: "cesar"<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]> Subject: Re: mod_ssl Date: Thu, 7 Mar 2002 13:34:41 -0800

Hi Cesar, Mod_ssl isn't the problem. It works fine. But when you also add JSP functionality (tomcat / WARP), the server becomes instable. It appears to be crashing when multiple requests for one or more JSPs are sent to the server at the same time. Apache+mod_ssl works ok, Apache+tomcat works ok, but Apache+mod_ssl+tomcat works but is very instable. I actually changed to iPlanet ($ 1500) because of this. Apache 2.0 will have SSL integrated. Maybe the problem will be solved then... Personally I have good feelings about this because the way threading is handled is completely revised. Are you only getting an error message in the log and does everything work? Or doesn't it... Patrick

- Original Message - From: "cesar"<[EMAIL PROTECTED]> To:<[EMAIL PROTECTED]> Sent: Thursday, March 07, 2002 12:39 PM Subject: mod_ssl

Hello Patrick, I have a problem with apache+mod_ssl, when I execute any pages .jsp in my web server (windows 2000) I receive this error log: You are using mod_ssl under Win32. This combination is *NOT* officially supported. Use it at your own risk! What is this?? Is there a version stable of the apache+ssl for windows? Tks. Cesar

contact me directly at [EMAIL PROTECTED] I might be able to help Mark

Thank you for sharing that with the group. -P
RE: Job openings
OK, well that's what I call putting your foot in your mouth! Apologies to all. -P

-Original Message- From: Paul G. Weiss Sent: Thursday, March 07, 2002 9:43 PM To: '[EMAIL PROTECTED]' Subject: RE: Job openings

Thank you for sharing that with the group. -P
Hanging Processes
( My apologies if this is posted twice. ) I have processes that appear to hang for a considerable period of time while waiting for a read to complete. I would have thought that there would be a timeout but apparently not. My server is: Apache/1.3.19 (Unix) mod_perl/1.25_01-dev mod_ssl/2.8.1 OpenSSL/0.9.6 Running on Solaris 2.7. There are actually two flavors of hanging processes. Here is how they look with pstack:

First flavor:

26058:
- lwp# 1 / thread# 1
ff216f88 read (3, 14cef58, b)
fe39a7cc read (0, 14cef58, b, fee79f00, fef03c64, 1) + 30
fee77ed0 BIO_read (12c7138, 14cef58, b, 1070, 1000, 0) + d0
fee506b0 ssl23_read_bytes (12ac0d0, b, 5455b8, 116c, 1000, f0) + 30
fee4f0f4 ssl23_get_client_hello (12ac0d0, ffbef640, 0, 0, ffbef640, 725560) + 54
fee4eff4 ssl23_accept (2210, 6000, 4000, 2003, 2211, 6f757400) + 194
fee54224 SSL_accept (12ac0d0, 12c, 0, 7efefeff, 81010100, ff) + 24
fee3d07c ssl_hook_NewConnection (7214a0, 7234d0, 1e2c, ff310154, 4, 1) + 378
00025cb0 new_connection (45415049, 5df00, 6e89f8, ffbef8a8, ffbef8b8, c) + f4
00026ad0 child_main (59400, 59000, 59c00, 59400, 59438, 59c00) + 5a0
00026d80 make_child (5df00, c, 3b963c46, 59000, ff2369f4, 4) + 114
000270ac perform_idle_server_maintenance (17, 0, 0, 5df00, 40f58, 3bb38) + 250
00027598 standalone_main (3fc00, 59400, 55000, 44, ff236508, ff236844) + 324
00027b54 main (7, ffbefbbc, ffbefbdc, 59b28, 0, 0) + 328
00018e58 _start (0, 0, 0, 0, 0, 0) + 5c
- lwp# 2 / thread# 2
ff2174bc signotifywait ()
fe38f590 _dynamiclwps (fe3ac524, fe3ade3c, 2, 0, ff233968, ff233968) + 1c
ff212830 thr_errnop (0, 0, 0, 0, 0, 0) + 24
- lwp# 5 / thread# 3
ff217aec lwp_sema_wait (fdf0de78)
fe38b044 _park(fdf0ddc8, fdf0de78, 0, 1, fe3ad298, 0) + 10c
fe38ad38 _swtch (5, fe3ac524, fdf0de58, fdf0de54, fdf0de50, fdf0de4c) + 350
fe38e64c _reap_wait (fe3ae070, fe3b0fa0, 0, 0, 0, 0) + 34
fe38e3d0 _reaper (fe3ac524, fe3ae070, fe3ad308, 455f34, 1, fe401000) + 34
fe39b824 _thread_start (0, 0, 0, 0, 0, 0) + 40

Second flavor:

21644: /
- lwp# 1 / thread# 1
ff216f88 read (3, 174c798, 5)
fe39a7cc read (0, 174c798, 5, fee79f00, fef03c64, 1) + 30
fee77ed0 BIO_read (14a96c0, 174c798, 5, 174c798, 97538, 97538) + d0
fee668a0 ssl3_read_n (0, 5, 5, 0, ff233968, fee79eb8) + 160
fee6697c ssl3_get_record (132ab70, 97538, 97628, 0, fee7a000, 1) + 5c
fee671b4 ssl3_read_bytes (132ab70, 16, 15e0868, 4, 0, 0) + 1b4
fee681f4 ssl3_get_message (132ab70, 2180, 2181, , 4000, ffbef4ec) + b4
fee61720 ssl3_check_client_hello (132ab70, 21c0, 21c1, 0, 2, ffbef408) + 20
fee5f59c ssl3_accept (, 2100, 3, 2180, 21d0, 21c0) + 6fc
fee54224 SSL_accept (132ab70, 1, 97538, 1, 4c, 800) + 24
fee4f818 ssl23_get_client_hello (8, ffbef658, 4f, 2, ffbef658, 722680) + 778
fee4eff4 ssl23_accept (2210, 6000, 4000, 2003, 2211, 6f757400) + 194
fee54224 SSL_accept (132ab70, 12c, 0, 7efefeff, 81010100, ff) + 24
fee3d07c ssl_hook_NewConnection (71e5c0, 7205f0, 1e2c, ff310154, 4, 1) + 378
00025cb0 new_connection (45415049, 5df00, 13e458, ffbef8c0, ffbef8d0, a) + f4
00026ad0 child_main (59400, 59000, 59c00, 59400, 59438, 59c00) + 5a0
00026d80 make_child (5df00, a, 3b9638d8, 59000, ff2369f4, 1) + 114
000270ac perform_idle_server_maintenance (24, 0, 0, 5df00, 40f58, 3bb38) + 250
00027598 standalone_main (3fc00, 59400, 55000, 44, ff236508, ff236844) + 324
00027b54 main (7, ffbefbd4, ffbefbf4, 59b28, 0, 0) + 328
00018e58 _start (0, 0, 0, 0, 0, 0) + 5c
- lwp# 2 / thread# 2
ff2174bc signotifywait ()
fe38f590 _dynamiclwps (fe3ac524, fe3ade3c, 2, 0, ff233968, ff233968) + 1c
ff212830 thr_errnop (0, 0, 0, 0, 0, 0) + 24
- lwp# 4 / thread# 3
ff217aec lwp_sema_wait (fdf0de78)
fe38b044 _park(fdf0ddc8, fdf0de78, 0, 1, fe3ad298, 0) + 10c
fe38ad38 _swtch (5, fe3ac524, fdf0de58, fdf0de54, fdf0de50, fdf0de4c) + 350
fe38e64c _reap_wait (fe3ae070, fe3b0fa0, 0, 0, 0, 0) + 34
fe38e3d0 _reaper (fe3ac524, fe3ae070, fe3ad308, 455f34, 1, fe401000) + 34

Look familiar to anyone?
-Paul Weiss
RE: Solaris8(x86) install problem
Hi Breughel, Sorry but I'm still new to Solaris. Where can I get that C compiler? Sorry for being such a dummy. http://www.sunfreeware.com/ should provide you with all the goodies you need. Their FAQ is useful too, as it gives solutions to a lot of common problems you can run into when compiling things yourself on Solaris. Paul
Re: http and https, same instance
If you have mod_perl, check out an article I wrote for take23 a while back at http://take23.org/articles/2001/03/12/redirect.xml?style=printable If you don't, maybe mod_rewrite would help? Then again, maybe I'm misreading what you need?

--- Christopher Piggott HOME [EMAIL PROTECTED] wrote: Is it reasonable to expect to run some http and some https traffic on the same instance of apache 1.3 ? I have named virtual hosts, and I understand they don't work with mod_ssl, but what if I want something like this:

NameVirtualHost 192.168.0.101

### Definition for some http (non SSL) virtual hosts
<VirtualHost 192.168.0.101:80>
ServerName host1.blah.blah.blah.com
# definition for this virtual host
</VirtualHost>

<VirtualHost 192.168.0.101:80>
ServerName host2.blah.blah.blah.com
# definition for this virtual host
</VirtualHost>

### Definition for SSL - ALL port 443!
<VirtualHost _default_:443>
<Location />
SSLRequireSSL
</Location>
</VirtualHost>

In other words, I don't care if the virtual named hosts work properly for SSL, I just want it to work - and it's ok if HTTPS exists outside of any virtual host. I have thought of adding a second instance of the server, with its own config file (or switches in httpd.conf using IfDefine SSL) ... but I don't really want to lose the usefulness of apachectl. I don't know of a convenient way to do this other than brute force. Thanks, --Chris
Seriously frustrating problem...
Sorry about the long mail message, but I wanted to supply as much information as possible.

Software Versions:
OS HP-UX 11
Apache 1.3.12
mod_ssl 2.6.6-1.3.12
OpenSSL 0.9.6a
Flex 2.5.4a
Compiler cc NOT gcc

Flex
Builds no problem. All OK

Apache
Builds no problem. All OK

OpenSSL
Changed CC=gcc to CC=cc in config file
Ran ./config no-idea
Ran make
Ran make test - Great
All fine

modSSL
Run:

./configure \
--with-apache=/vg_U2YDEV_HOME/u2ydev/users/phooper/UMS_WEB/build/apache_1.3.12 \
--with-ssl=/vg_U2YDEV_HOME/u2ydev/users/ums_web/openssl-0.9.6a \
--prefix=/vg_U2YDEV_HOME/u2ydev/users/phooper/UMS_WEB/install/apache_1.3.12 \
--enable-shared=ssl

Output =

Configuring mod_ssl/2.6.6 for Apache/1.3.12
+ Apache location: /vg_U2YDEV_HOME/u2ydev/users/phooper/UMS_WEB/build/apache_1.3.12 (Version 1.3.12)
+ Auxiliary patch tool: ./etc/patch/patch (local)
./configure:Error: Building of 'patch' tool failed:
-
x patch/rename.c, 1323 bytes, 3 tape blocks
x patch/util.c, 9365 bytes, 19 tape blocks
x patch/util.h, 2325 bytes, 5 tape blocks
x patch/version.c, 280 bytes, 1 tape blocks
x patch/version.h, 25 bytes, 1 tape blocks
loading cache ./config.cache
checking for gcc... gcc
checking whether the C compiler (gcc ) works... no
configure: error: installation or configuration problem: C compiler cannot create executables.
Make: No arguments or description file. Stop.
-
Hint: Either try to build 'patch' under etc/patch/
Hint: manually and re-run this 'configure' script
Hint: or provide us the path to your vendor 'patch'
Hint: program via the --with-patch=FILE option (but
Hint: expect perhaps failures when applying patches!)

The compiler line says

checking for gcc... gcc
checking whether the C compiler (gcc ) works... no

but I can't work out where this is being read from. Can somebody please explain what is happening. I have been mulling this over for a good few days now, but really need some expert advice.
Thanks Paul I did not have sexual relations with Miss Lewinski
RE: Newbie to mod_ssl
I've downloaded apache_1.3.20.tar.gz and mod_ssl-2.8.4-1.3.20.tar.gz. Is there a step-by-step guide to install Apache with mod_ssl ?

Such instructions are hidden away in a file named, somewhat cryptically, Install in the mod_ssl tar.gz.

-- Paul McGarry mailto:[EMAIL PROTECTED] Systems Integrator http://www.opentec.com.au Opentec Pty Ltd http://www.iebusiness.com.au 6 Lyon Park Road Phone: (02) 9870 4718 North Ryde NSW 2113 Fax: (02) 9878 1755
Multiple Server Certificates
I have an Apache server running multiple Name Based Virtual Hosts, all running SSL with both server and client authentication. I have not been able to set up different server certificates for individual virtual hosts, and I have been told that this is not possible. Is this really the case and, if so, can anyone recommend a solution to meet this requirement. Thanks for any help you can offer. Paul
RE: Multiple Server Certificates
Owen, Thank you very much. I hadn't dared hope for such a clear and succinct answer. Much appreciated. Paul

-Original Message- From: Owen Boyle [mailto:[EMAIL PROTECTED]] Sent: 11 June 2001 10:34 To: [EMAIL PROTECTED] Subject: Re: Multiple Server Certificates

Hooper, Paul, (FNMF) wrote: I have an Apache server running multiple Name Based Virtual Hosts, all running SSL with both server and client authentication. I have not been able to set up different server certificates for individual virtual hosts, and I have been told that this is not possible. Is this really the case and, if so, can anyone recommend a solution to meet this requirement.

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

Q: Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?

A: Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server. It comes as rather a shock to learn that it is impossible. The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the problem is that the SSL session is a separate transaction that takes place before the HTTP session even starts. Therefore all the server receives is an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds that matches the port and IP address. You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then you can have no more than 1 SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

NameVirtualHost 192.168.1.1:80

Other workaround solutions are:
Use separate IP addresses for different SSL hosts.
Use different port numbers for different SSL hosts.

Rgds, Owen Boyle.
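The arrangement the quoted FAQ describes, written out as an added configuration sketch (not from the thread or from the mod_ssl documentation): name-based virtual hosts are confined to port 80, and each SSL host gets its own IP address or its own port so the server can choose a certificate before any Host: header exists. All addresses, hostnames and file paths below are constructed placeholders.

```apache
# Constructed example: addresses, hostnames and paths are placeholders.

Listen 192.168.1.1:80
Listen 192.168.1.1:443
Listen 192.168.1.2:443
Listen 192.168.1.1:8443

# Name-based selection applies to plain HTTP only; the explicit :80 keeps
# it from also claiming the SSL ports on the same address.
NameVirtualHost 192.168.1.1:80

<VirtualHost 192.168.1.1:80>
    ServerName   www.site-a.example
    DocumentRoot /var/www/site-a
</VirtualHost>

<VirtualHost 192.168.1.1:80>
    ServerName   www.site-b.example
    DocumentRoot /var/www/site-b
</VirtualHost>

# Workaround 1: one IP address per SSL host. The certificate is selected
# by the address the client connected to, not by a Host: header.
<VirtualHost 192.168.1.1:443>
    ServerName            www.site-a.example
    DocumentRoot          /var/www/site-a
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/site-a.crt
    SSLCertificateKeyFile conf/ssl.key/site-a.key
    # Client authentication, as in the original question
    SSLVerifyClient       require
    SSLCACertificateFile  conf/ssl.crt/client-ca.crt
</VirtualHost>

<VirtualHost 192.168.1.2:443>
    ServerName            www.site-b.example
    DocumentRoot          /var/www/site-b
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/site-b.crt
    SSLCertificateKeyFile conf/ssl.key/site-b.key
    SSLVerifyClient       require
    SSLCACertificateFile  conf/ssl.crt/client-ca.crt
</VirtualHost>

# Workaround 2: same IP address, different port. Clients must use
# https://www.site-c.example:8443/ explicitly.
<VirtualHost 192.168.1.1:8443>
    ServerName            www.site-c.example
    DocumentRoot          /var/www/site-c
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/site-c.crt
    SSLCertificateKeyFile conf/ssl.key/site-c.key
</VirtualHost>
```

Running `apachectl configtest` after a change like this catches a mismatch between the Listen lines and the VirtualHost addresses before the server is restarted.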
Re: R: Cert signed by own CA and IE
Hi Arcady! Have you solved your problem? I was able to install your Certificate, after I installed your self-signed CA certificate. Is it possible this is the missing step in your testing? The CA cert has to be added to your root auth., then you'll be able to install the actual server certificate. Hope this helps, Paul PS: I am using IE 5.0

On Wed, 16 May 2001, Arcady Genkin wrote: Andrea Cerrito [EMAIL PROTECTED] writes: Connecting to a secure site with a certificate signed by own CA, IE seems to provide no obvious way of permanently adding the cert to the browser's configuration. As a result, a warning that The security certificate is issued by a company you have not chosen to trust... is displayed every time I'm trying to establish a connection. Is there a fool-proof way to permanently add a certificate or tell IE that the CA is to be trusted? Show Certificate / Install Certificate. I tried that, and it didn't work. It told me that the certificate was installed successfully, but once I quit IE, restart it, and load the page again, it displays the same warning again. The minimal html page I'm experimenting with is at https://www.thpoon.com If anyone would try to install the certificate from it in IE: maybe I did something wrong with configuration? I wasn't able to install it. Can u print your conf? You mean from httpd.conf? Since it's huge, I've posted it at http://www.thpoon.com/tmp/httpd.conf rather than sending to the list. The SSL-related stuff is at the bottom of it. Thanks! p.s. This is a repost, since I have replied from a different email address than the one I've subscribed from and I'm afraid that it didn't come through. Sorry if this is a dupe. -- Arcady Genkin

-- Bills travel through the mail at twice the speed of checks
Re: Urgent: remove password from server cert?
Forsake rebooting, use Unix! (-:

LOL!! I'm with you, bud. But it *is* UNIX, just 10.2 (only recently upgraded to that!) on an old T-500 machine. We just try to keep it clean. =o)
Urgent: remove password from server cert?
In a sudden (and late) moment of epiphany, I just realized (while writing a note to our CSA to please put the new server's startup in the machine's boot cycle) that when we reboot (*every* Monday morning in the wee hours) it's not terribly likely that anyone's going to be around to feed the password to the startup query. This really needs to be automated.

Help? =o)

Paul

Friends are those who, when you must inconvenience them, are less bothered by it than you. ;o]
hang time, segfaults
This is way too generic, and I apologize, but maybe someone will have had a similar problem and be able to clue me into what I should be looking at.

The server's running on the testbed (Apache/1.3.12 (Unix) mod_perl/1.23 mod_ssl/2.6.4 OpenSSL/0.9.5a, with an automatic redirect from 8080 to 8443), but not quite perfectly. :o/ It hangs a lot, especially on page reloads. Sometimes it delivers pages perfectly, other times it takes half a minute. The other day the error log piled up with several dozen segfault child expirations while checking it from a coworker's desk, which probably explains the empty document pages he kept getting. I have no real clue why.

The one thing amiss I can find is probably just ignorance on my part. When I telnet to the server, its return output includes numbers that I am not seeing in my web pages, which are no logical part of the output that I understand, and aren't there from the normal server. Specifically (as an example), I'm getting 15a as the first line of actual text after the blank line that ends headers, and a 0 two lines after the </BODY></HTML> line that ends the page the server sends at the end of the 302 message from the page I requested (which 302 is correct server behavior, btw).

Here's the Telnet transcript, with my parenthetical comments (note it's an intranet site, not accessible from outside the company):

==========
$ telnet buda.bst.bls.com 8080
Trying...
Connected to buda.bst.bls.com.
Escape character is '^]'.
GET / HTTP/1.1          (** I send request headers **)
Host: buda.bst.bls.com

HTTP/1.1 302 Found      (** It responds correctly **)
Date: Tue, 30 May 2000 14:39:03 GMT
Server: Apache/1.3.12 (Unix) mod_perl/1.23 mod_ssl/2.6.4 OpenSSL/0.9.5a
Location: https://buda.bst.bls.com:8443/
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

15a                     (** but what is this? **)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="https://buda.bst.bls.com:8443/">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.12 Server at <A HREF="mailto:[EMAIL PROTECTED]">mbos04111.al.bst.bls.com</A> Port 8080</ADDRESS>
</BODY></HTML>

0                       (** and this? **)
Connection closed by foreign host.
==========

Help? :o/

Paul

We are symbols, and inhabit symbols. -- Emerson
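The `15a` and `0` lines in the transcript above are HTTP/1.1 chunked-transfer framing: the response carries `Transfer-Encoding: chunked`, so each chunk of the body is preceded by its length in hexadecimal and the body ends with a zero-length chunk, which a browser strips before display. The Python decoder below is an added example, not part of the original post; the function names are hypothetical and the sample response is constructed (it uses www.example.com, not the poster's host).

```python
"""Strict decoder for an HTTP/1.1 chunked message body (added example)."""

CRLF = b"\r\n"
HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkedError(ValueError):
    """Raised when the body does not follow chunked framing."""


def parse_size_line(line: bytes) -> int:
    """Return the chunk length encoded on a chunk-size line such as b"15a"."""
    # Anything after ';' is a chunk extension; some servers also pad the
    # size with trailing blanks, so those are tolerated here.
    field = line.split(b";", 1)[0].rstrip(b" \t")
    if not field or any(byte not in HEX_DIGITS for byte in field):
        raise ChunkedError(f"bad chunk-size line: {line!r}")
    return int(field.decode("ascii"), 16)


def decode_chunked(raw: bytes):
    """Return (body, sizes, trailers) for a chunked body.

    sizes lists every chunk length in order, ending with the terminating 0.
    """
    body, sizes, pos = bytearray(), [], 0
    while True:
        eol = raw.find(CRLF, pos)
        if eol < 0:
            raise ChunkedError("chunk-size line is not terminated by CRLF")
        size = parse_size_line(raw[pos:eol])
        sizes.append(size)
        pos = eol + len(CRLF)
        if size == 0:
            break  # last chunk: only trailers and a blank line may follow
        end = pos + size
        if end + len(CRLF) > len(raw):
            raise ChunkedError("body ends inside a chunk")
        if raw[end:end + len(CRLF)] != CRLF:
            raise ChunkedError("chunk data is not followed by CRLF")
        body += raw[pos:end]
        pos = end + len(CRLF)
    trailers = []
    while True:
        eol = raw.find(CRLF, pos)
        if eol < 0:
            raise ChunkedError("missing blank line after the last chunk")
        if eol == pos:
            break  # empty line closes the message
        trailers.append(raw[pos:eol].decode("latin-1"))
        pos = eol + len(CRLF)
    return bytes(body), sizes, trailers


def decode_response(raw: bytes):
    """Split a raw response into (status_line, headers, body, chunk_sizes)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ChunkedError("no blank line after the headers")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body, sizes, _ = decode_chunked(rest)
    else:
        body, sizes = rest, []
    return status_line, headers, body, sizes


# Constructed sample modelled on the transcript: a 302 with a chunked body.
SAMPLE_HTML = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    b"<HTML><HEAD>\n<TITLE>302 Found</TITLE>\n</HEAD><BODY>\n"
    b"<H1>Found</H1>\nThe document has moved "
    b'<A HREF="https://www.example.com:8443/">here</A>.<P>\n'
    b"</BODY></HTML>\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://www.example.com:8443/\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    + format(len(SAMPLE_HTML), "x").encode("ascii") + CRLF
    + SAMPLE_HTML + CRLF
    + b"0" + CRLF + CRLF
)

if __name__ == "__main__":
    status, headers, body, sizes = decode_response(SAMPLE_RESPONSE)
    print(status)
    print("chunk sizes:", [f"{n:x} hex = {n} bytes" for n in sizes])
    print(body.decode("latin-1"), end="")
    print("15a hex =", parse_size_line(b"15a"), "bytes")
```

The decoder rejects non-hex sizes and chunks that are not followed by CRLF instead of guessing, since two parsers that disagree about where a chunk ends will disagree about where the next message begins.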
Re: Invalid method in request
--- Pavel_Hloušek [EMAIL PROTECTED] wrote:

What's wrong? When I connect to apache via https, Netscape says Connection refused and there is invalid method in request written in apache's error_log. I'm using Apache 1.3.19 + mod_ssl-2.8.1-1.3.19 + openssl-0.9.6.

Did you use GET? or maybe a form, with POST? or even HEAD? Some servers restrict certain methods, for example PUT is pretty commonly a no-no.
negative LocationMatch syntax?
Hi all. I need to leave a few areas of our site freely accessible, but most of the site is restricted, and I'd like the default behavior to be restrictive. I don't want to have to remember to change the config if I add new directories, as in adding

<Location>
SSLVerifyClient require
</Location>

Is there a way I could use LocationMatch to specify a not condition? as in

<LocationMatch !~ "/(thisfile|thatDir|whatever).*">
SSLVerifyClient require
</LocationMatch>

That would let me list the exceptions, and everything else would be restricted by default.. ???
Re:[OT] explusion?
Thanks, Ralf. Now I don't feel so stupid, lol

--- "Ralf S. Engelschall" [EMAIL PROTECTED] wrote:

On Thu, Apr 05, 2001, Paul wrote:

I have been looking at this for a while, and must be looking in the wrong places. From httpd.conf:

# Semaphore:
# Configure the path to the mutual explusion semaphore the
# SSL engine uses internally for inter-process synchronization.

"mutual eplusion semaphore"? OK, expulsion I would understand. Exclusion I would understand even better. Explusion? Is it just a typo? Or if not, what the hell is "explusion", and where can I find docs on it? =o)

Sure, it's a typo. "exclusion" is the word. Now fixed for 2.8.3

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
explusion?
I have been looking at this for a while, and must be looking in the wrong places. From httpd.conf:

# Semaphore:
# Configure the path to the mutual explusion semaphore the
# SSL engine uses internally for inter-process synchronization.

"mutual eplusion semaphore"? OK, expulsion I would understand. Exclusion I would understand even better. Explusion? Is it just a typo? Or if not, what the hell is "explusion", and where can I find docs on it? =o)

(FYI, a web search turned up lots of typos; requiring SSL in addition to "explusion" gave me a bunch of quotes from httpd.conf! lol! ;o)
Re: SSL validation
--- Manne Anliot [EMAIL PROTECTED] wrote:

Hi all, New to mod_ssl I've stumbled upon a very disturbing problem: I'm coding an Apache module that needs to know whether we have a secure (SSL) connection or not in the URI Translation phase. We've solved this problem on for example MS IIS by checking SSI/CGI environments with the standard SSL information (HTTPS=on). A quick look in the mod_ssl source reveals that this variable isn't set before the pre-run fixup phase (just before the response handlers), so this solution seems inadequate. So in short: How can a module check if the current request is a secure one? (without workarounds à la specifying secure ports in configuration files etc)

I'm not sure off the top of my head exactly what you mean here. Maybe I'm just being dense. Sorry. I do know that on our server we're using the standard port 80 for http, and 443 for https, so I check for secure connections in my PostReadRequestHandler with

return OK if 443 == $r->get_server_port;

I don't know if that's the sort of workaround you meant -- in our case, we know what ports are what, and this works before the system has to bother with access/authen/authorization handlers, path translation, or most anything else.

A mod_ssl solution or even better a generic SSL solution would be soo much appreciated. (Apache/1.3.14, mod_ssl/2.7.2, OpenSSL/0.9.6)

Regards, Manne Anliot Sweden. mailto:[EMAIL PROTECTED]
Re: can anyone help me....
--- Rene Labiran [EMAIL PROTECTED] wrote:

i been having this error: "invalid command loadmodule perhaps mispelled or defined by a module not included in the server configuration sshd."

It would help to see the command in context. Is it in your config file? In a script? Are you using DSO? and if so, I honestly don't remember (sheepish grin)... is httpd.conf case sensitive? If so, the DSO LoadModule command has caps in two places.

can anyone help me

rene
Re: Enabling a single directory as SSL enabled
--- Alex Moon [EMAIL PROTECTED] wrote:

Set the server up as secure - allowing insecure or secure connection to the server but denying access to the directory you want as secure except through the secure server port 443

You know, that makes remarkably good sense. Does it work? I've seen this question a dozen times here, and nobody ever said anything so simple. Can it be that easy?

On 16 Mar 01, at 21:14, Scott Brown wrote:

I'm probably looking for an answer to a FAQ tell me where it's listed, and I'll take it from there.

I'm from a MS-IIS background - and when I want to make a directory secure, it's easy to tell the system via the MMC that /secure/ is to have a secure connection requirement. Is there any way to set Apache up such that it recognizes that a specific directory is supposed to be secure?

I've tried a

<virtualhost www.mytestdomain.com>
...non-ssl directives
<Directory /secure/>
SSLEngine on
SSLRequireSSL
etc..etc.. (including cert/key definitions)
</Directory>
</virtualhost>

but it's not behaving as I would expect (at very least I would be expecting it to complain that my site cert's name doesn't match my testdomain's name - but it doesn't)... IE5.01 doesn't display the locked symbol - BUT it is saying that it has a cert (and no, I've not installed the cert...)

Is it not possible to have a subdirectory of a domain declared and processed as SSL enabled under Apache/modssl/openssl??

-- Alex Moon email:[EMAIL PROTECTED] Tel:020 8411 5092 Middlesex University Business School, The Burroughs Hendon London NW4 4BT
Re: Enabling a single directory as SSL enabled
--- Scott Brown [EMAIL PROTECTED] wrote:

I'm probably looking for an answer to a FAQ tell me where it's listed, and I'll take it from there.

lol -- on these lists, a lot of the time. Read back through the archives.

I'm from a MS-IIS background - and when I want to make a directory secure, it's easy to tell the system via the MMC that /secure/ is to have a secure connection requirement.

But not via webserver..

Is there any way to set Apache up such that it recognizes that a specific directory is supposed to be secure?

There are definitely ways, but they require a bit of a hack. I recently wrote an article for how to do this with mod_perl at http://take23.org/articles/2001/03/12/redirect.xml?style=printable but if you don't have mod_perl installed you could do basically the same thing with mod_rewrite, I'm pretty sure. (mod_rewrite docs are at http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html )

It boils down to this: before the web server looks to see which directory you want, it has already either established a secure protocol or a nonsecure one. If you have nonsecure accesses redirected externally to the secure port, you tell the browser to ask using the right "language" (say please, basically). Hope that helps.

I've tried a

<virtualhost www.mytestdomain.com>
...non-ssl directives
<Directory /secure/>
SSLEngine on
SSLRequireSSL
etc..etc.. (including cert/key definitions)
</Directory>
</virtualhost>

but it's not behaving as I would expect (at very least I would be expecting it to complain that my site cert's name doesn't match my testdomain's name - but it doesn't)... IE5.01 doesn't display the locked symbol - BUT it is saying that it has a cert (and no, I've not installed the cert...)

Is it not possible to have a subdirectory of a domain declared and processed as SSL enabled under Apache/modssl/openssl??

no and sort of. See above. ;o)
RE: FYI - Equifax reselling Verisign Global SGC certs at cost!
Given my experiences of Verisign's customer service, I often wonder what exactly they do for me.

Well, they gave me something to laugh about this morning. http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax: (02) 9878 1755
RE: SSLSession and an HTTP session
Thanks Mads, that has saved me some time.

I'm considering mapping SSL_SESSION_IDs to sessions on my webserver. Are there any obvious gotchas that I should be aware of before I start going down this route?

Don't use SSL_SESSION_ID - most MSIE browser versions will expire the session after 1 or 2 minutes.

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax: (02) 9878 1755
SSLSession and an HTTP session
Howdy All,

I'm considering mapping SSL_SESSION_IDs to sessions on my webserver. Are there any obvious gotchas that I should be aware of before I start going down this route?

Thanks.

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax: (02) 9878 1755
Very[OT]:Technical query re: scratchpad lookups for my() vars
Anybody know offhand *why* my() lexicals are supposedly faster?

If they're stored on a scratchpad for the scope, which is an array, (technically a stack of them to accommodate recursion,) then exactly how does Perl go about finding which data location you mean when you say $x for a lexical?

$::x has to go through the package lookup, which (if I recall correctly) is technically a hash element of a hash element at least.. but if the scratchpad has a lot of scope-specific lexicals, how does it find which one is x?

my $brain = 'tapioca'; #=o)
Re: Very[OT]:Technical query re: scratchpad lookups for my() vars
--- Brian Ingerson [EMAIL PROTECTED] wrote:

Garrett Goebel wrote:

From: Paul [mailto:[EMAIL PROTECTED]]

Anybody know offhand *why* my() lexicals are supposedly faster?

Yes this is OT, but I'll contribute to the problem as well... My coworker Gisle Aas (maybe you've heard of him ;) says that globals and lexicals have identical speed because Perl optimizes out the symbol-table lookup. Trust Gisle.

lol -- now *there's* an answer. So for my details I should go to the parse tree docs, and the code, I'm thinking.

BTW -- with many thanks to everyone -- my question was "why are they faster", but the reason was never the speed -- it was to understand the way Perl stores and *accesses* lexicals. Any input? =o)
RE: ANNOUNCE: mod_ssl 2.8.1 for Apache 1.3.19
That's interesting if the dbm cache is causing those problems. Unfortunately I'm not able to use the shm cache in my installation. I might try replacing dbm with Berkeley DB (www.sleepycat.com) which is an upward-compatible dbm replacement with much better concurrency support. It might be worth incorporating that as an option in the modssl distribution.

-Original Message-
From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 03, 2001 3:13 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: ANNOUNCE: mod_ssl 2.8.1 for Apache 1.3.19

Sorry for the short delay, but here it finally is: mod_ssl 2.8.1 for Apache 1.3.19. The corresponding CHANGES entries are appended below. Grab it from:

http://www.modssl.org/source/
ftp://ftp.modssl.org/source/

Yours, Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com

Changes with mod_ssl 2.8.1 (30-Jan-2001 to 03-Mar-2001)

*) Conditionally adjusted source to build quietly also under latest OpenSSL 0.9.7-dev versions.
*) Added a bunch of (untested!) adjustments and fixes for the Win32 platform as posted to modssl-users some time ago by various people.
*) Fixed SSLCipherSuite example in httpd.conf-dist: The string EXP56 is actually EXPORT56, although OpenSSL internally the variable is named SSL_TXT_EXP56.
*) Upgraded to Apache 1.3.19 as base version.
*) Extended FAQ entry for MSIE problems.
*) Added FAQ entry for questions "Why do I get lots of random SSL errors under heavy load?"
Re: it runs but that's about it
--- Justin Naik [EMAIL PROTECTED] wrote:

. . . The apache server starts up ok in normal form and even starts up with -startssl parameter. But I go to https://myaddress.com and I get a doesn't exist error HELP! - where do I start to look for errors - I have no idea!

What sort of "doesn't exist error"? Like a *that page* doesn't exist error, as reported by *that server*, or like a *that server* doesn't exist error, as reported by your browser after not finding it?

If it's a *that page* error, then your server's working fine, and you're in fact already talking to it with SSL, because you're using https://. The problem may be in the configuration of your default index page; look for a DirectoryIndex directive in your httpd.conf (or its equivalent), and make sure it has whatever you're using as your index.htm or home.shtml or whatever.

If it's a *that server* doesn't exist, maybe you should check to make certain your SSL server is running on a valid virtual server name? I dunno, that could be so many things. and I'm no expert. But good luck!

Paul
port correction consequences....
Hi all. I have an intranet site with a core area that is public access, but the rest of the site is SSL secured. I have a PostReadRequest handler checking the port, and if it's 443 returning OK, but if not it checks to see if the requested page is in the list of nonsecure areas and exceptions. Anything not clearly specified as unsecured is sent an external redirect to the same page on the secure socket.

This works great for most things, but there are a few consequences that I just can't think around. Specifically, other intranet sites link directly to relevant data locations on our server. This is fine under normal circumstances, but today I got a nastygram from a user for "changing" my access. Her certificate had expired (along with several others in her office who had all installed on the same day), and suddenly it was effectively a dead link. Even once they had installed new certs, several of them were still getting "certificate expired" because they had told their browsers to use the old one by default.

I have pages on the site to explain all this and provide solutions, but these aren't exactly sophisticated users; someone helps them get it all installed and then they remember the certificate password, and go from there. When it expires, it never occurs to them to see if the server root is still accessible, or if it does, to take the "s" out of the protocol, which would let them get to the site (on virtually every page of which we have a header link to "Digital Certificate Info").

The best suggestion I could come up with was to ask the linking site to add a link to a nonsecure page, like our comment form. Anyone have anything better?
Re: ssl connection for a particular directory
[EMAIL PROTECTED] wrote:

Is there anybody to tell me : How can i force in the apache configuration file the use of a ssl connection for a particular directory without using virtual hosts ?

You'll probably have to run a whole separate server if you aren't using vhosts. The choice of protocol is done before the connection is established; path translation is way later.

What you *could* do, however, is to have the index page in that directory check the port number or something. mod_perl makes that pretty easy; Apache::Request probably does, too. I'm not sure off the top of my head how you'd do it without perl. If it's not secure, redirect to the secure server.

You could kind of do it anyway, just as a matter of course. Have the index page (I'd recommend a CGI) do an external redirect to the secure socket. Obviously, you have to have an SSL server running somewhere, either as another server or as a vhost or *something*, but then the default page in that directory will redirect to the https:// other-page.

But you can't have just one directory be SSL on one server, because the SSL protocol has to be established *WAY* before the server knows what directory the user wants.
Re: mod_ssl: Init: Failed to generate temporary 512 bit RSA private key
--- Ges Seger [EMAIL PROTECTED] wrote:

Paul wrote:

Hi, all. I've been trying to add a couple of modules to my Apache, and just can't seem to get it to do its thing. Forgive me if I tell you too much, but I'm just trying to be thorough.

STEP 1:

perl Makefile.PL USE_APACI=1 USE_DSO=0 EVERYTHING=1 \
  DO_HTTPD=1 SSL_BASE=/usr/local/ssl \
  APACHE_SRC=../apache_1.3.12/src \
  APACI_ARGS=--enable-module=ssl,--enable-module=auth_dbm,--enable-module=info,--enable-module=rewrite,--enable-module=usertrack

This runs smoothly.

STEP 2:

make

This, too, runs smoothly.

STEP 3:

make test

Here's the problem. It runs fine till t/TEST tries to spawn a server and hit it. The server fails at init because it can't generate a temporary 512 bit RSA private key. I've moved to the apache directory and run "make certificate" before the "make test", but it doesn't help. If I'm not mistaken, I had this problem when I was first installing the server, and ended up skipping the test. It installed and has been working fine. I'd just rather have a clean test before I try installing and using the new binary now that it's in production. Anybody got a suggestion?

Recent versions of mod_ssl compiled for HPUX require an equivalent to Linux's /dev/random. You can get this by downloading and installing an Entropy Gathering Daemon (egd), which can be found at: http://www.lothar.com/tech/crypto/

I ran into the same problem last month upgrading my team's website, until trawling through various mailing list archives pointed me to egd. If 10.20 is anything like 11.x, this should get you through "make test" with flying colors. Apologies for being sort of off-topic here...

Ges
Senior Perl Hacker
Ingenium Corporation

EGD is great -- thanks for the suggestion -- but the "make test" is still no go. The OpenSSL manpage for RAND_egd (to which egd.pl docs pointed me) says if the socket is /dev/egd-pool it'll use it automatically, but it's a no-go so far. I'm at wit's end.

Could it be something in the test httpd.conf? As a test I backed up the old httpd and replaced it with the new one, and it seems to be working fine. All that took less than a minute, and we're a small enough server that it was a tolerable interruption even if it hadn't worked, but I'd still like to do the install, just to update everything. Is that safe? What else does it change?
[OT] make test fail [WAS mod_ssl: Init: Failed to generate temporary 512 bit RSA private key]
--- Lutz Jaenicke [EMAIL PROTECTED] wrote:

On Fri, Feb 09, 2001 at 01:04:51PM -0800, Paul wrote:

EGD is great -- thanks for the suggestion -- but the "make test" is still no go. The OpenSSL manpage for RAND_egd (to which egd.pl docs pointed me) says if the socket is /dev/egd-pool it'll use it automatically, but it's a no-go so far.

The automatic usage is brand new and only included in the version to become 0.9.7 one fine day. If you have <=0.9.6 you have to explicitly specify the place in httpd.conf

SSLRandomSeed startup egd:/var/run/egd-pool

First, that was exactly the problem. May you and all who contributed to its resolution receive skillfully rendered the prurient favors you prefer most from the individual(s) of your choosing.

Now, I have a slightly different point of confusion. The "make test" still fails, but leaves the spawned httpd running on the test port. The error log says:

[notice] Destruction->DESTROY called for $global_object
[Fri Feb 9 16:29:43 2001] [warn] [notice] child_init for process 23323, report any problems to [no address given]

But if I hit the port with a browser I can pull the test.shtml page with all the SSI mod_perl calls working fine. I feel a lot better about doing the install now, but I still want to know what the problem is here.

FYI, there was an suexec problem before, but I think that's just because this box doesn't have a user "nobody". I edited the test httpd.conf to run as our actual server id and it was happy, at least for that. It's just that I keep coming back to various suexec problems. But since the current server runs and suexec's as it should, I'm not too worried about that. I just hate leaving *any* loose ends.

On a separate note, the main reason I was doing the recompile was to add in mod_auth_dbm. I finally got a test directory to do a simple request for authentication by ID/password, but now I can't get it to accept my password.

I built the file with Apache's dbmmanage, importing a list of id/passwords from a script which used a perl crypt() to encrypt the passwords as it fed them to dbmmanage via pipe in the specified "id:encpwd" format. Everything seems to have gone smoothly enough, but it won't accept the password. What now? :o/

The .htaccess file is:

AuthDBMUserFile /dart10/web/docs/public/test/test
AuthType Basic
AuthName "password test site"
Require valid-user

The DBM is in the directory I'm accessing, just as a test. *sigh*
mod_ssl: Init: Failed to generate temporary 512 bit RSA private key
Hi, all. I've been trying to add a couple of modules to my Apache, and just can't seem to get it to do its thing. Forgive me if I tell you too much, but I'm just trying to be thorough.

STEP 1:

perl Makefile.PL USE_APACI=1 USE_DSO=0 EVERYTHING=1 \
  DO_HTTPD=1 SSL_BASE=/usr/local/ssl \
  APACHE_SRC=../apache_1.3.12/src \
  APACI_ARGS=--enable-module=ssl,--enable-module=auth_dbm,--enable-module=info,--enable-module=rewrite,--enable-module=usertrack

This runs smoothly.

STEP 2:

make

This, too, runs smoothly.

STEP 3:

make test

Here's the problem. It runs fine till t/TEST tries to spawn a server and hit it. The server fails at init because it can't generate a temporary 512 bit RSA private key. I've moved to the apache directory and run "make certificate" before the "make test", but it doesn't help. If I'm not mistaken, I had this problem when I was first installing the server, and ended up skipping the test. It installed and has been working fine. I'd just rather have a clean test before I try installing and using the new binary now that it's in production. Anybody got a suggestion?

[ROOT] /dart26/mod_perl-1.23: uname -a
HP-UX uap5 B.10.20 C 9000/891 373319211 32-user license

[ROOT] /dart26/mod_perl-1.23: ../apache_1.3.12/src/httpd -V
Server version: Apache/1.3.12 (Unix)
Server built: Feb 8 2001 16:04:39
Server's Module Magic Number: 19990320:7
Server compiled with
 -D EAPI
 -D HAVE_SHMGET
 -D USE_SHMGET_SCOREBOARD
 -D USE_FCNTL_SERIALIZED_ACCEPT
 -D HTTPD_ROOT="/usr/local/apache"
 -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="logs/httpd.lock"
 -D DEFAULT_XFERLOG="logs/access_log"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
 -D ACCESS_CONFIG_FILE="conf/access.conf"
 -D RESOURCE_CONFIG_FILE="conf/srm.conf"

[ROOT] /dart26/mod_perl-1.23: ../apache_1.3.12/src/httpd -l
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_info.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_auth_dbm.c
  mod_usertrack.c
  mod_setenvif.c
  mod_ssl.c
  mod_perl.c
suexec: disabled; invalid wrapper /usr/local/apache/bin/suexec

(Also, anybody got an idea why this suexec message? is it something to worry about?)
RE: Certs: where to get them?
> You can obtain a 'test id' from Verisign for free...good for 14 days.
> The only difference between one that's free and one you pay for?
> * No 'verification process'
> * Only valid for 14 days as opposed to 365 days (one year)

And:
* The root certificate for the test ids doesn't come with your average browser and therefore needs to be installed 'manually' by visitors to your site to prevent the warning messages from occurring.

May as well use your own CA.

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755
RE: Certs: where to get them?
> And you wouldn't have to do that if you issued your own?

Yes, you would. That's why I said you 'may as well use your own'. The advantage there being that you don't have to fiddle around with your server setup every 14 days to install a new cert (actually this was primarily an issue for me when developing on NES, as that completely refused to start when it had a cert that was out of date IIRC. I started using my own CA for testing and non-general-public uses before I started using apache mod_ssl so I don't know how it behaves).

> Actually, if you think about it, whether you use your own self signed CA or a test ID from Verisign, and don't install the 'test' root CA, the end user still gets the same error message, something about the issuer not being trusted...

There's nothing inherently wrong with using Verisign test certs. I've just found the time limit annoying. For non-general-public uses (ie where you do have real users) I think the "Do Not Trust" nature of the Verisign test root cert may raise a few eyebrows, where a CA created by your own company may not (as you are already likely to have an existing business relationship with such users). For general-public uses you more or less need a commercial cert if you don't want to scare people off.

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755
Re: Opinion on SSL/Virtual Hosting problem
Hi Owen

Thanks for the reply

Owen Boyle wrote:
> Jason Paul McCartan wrote:
>> Recently though the server was used to add other name-based virtual domains. Now the SSL through HTTPS is totally unavailable, and when we tried to view anything over HTTPS we get a blank "Page Not Found" page. We have no problem on port 80 for any of the sites. Initially we could hit the same site on HTTP and HTTPS and the SSL would activate. Now on HTTP it works fine, but we get that "Page Not Found" error on HTTPS.
>
> One big trap that a lot of people fall into is that you *cannot* have SSL name-based virtual hosts. This is basically because SSL negotiation has to be complete before any HTTP traffic can be received - to negotiate SSL you need the certificate, which is defined in the VH, which is selected using the ServerName, which can only be found from HTTP, which can't take place until SSL is established... see the problem?

Yup. That's what I was afraid would be the case.

> That aside, you don't actually say you are trying to run SSL VHs so you may have a simpler solution - define the port numbers explicitly in the NameVirtualHost and VirtualHost directives to avoid ambiguities, e.g:
>
>     NameVirtualHost 192.168.1.1:80
>
>     # HTTP host1
>     <VirtualHost 192.168.1.1:80>
>     Servername www.site1.com
>     </VirtualHost>
>
>     # HTTP host2
>     <VirtualHost 192.168.1.1:80>
>     Servername www.site2.com
>     </VirtualHost>
>
>     # SSL host
>     <VirtualHost 192.168.1.1:443>
>     Servername ssl.site1.com
>     </VirtualHost>

We had this working before about 4 months ago before we added a different domain through the virtual servers. Until then all the virtual servers belonged to the same name, and we had several on port 80 and only one on port 443 - pretty much as you defined above. We're not using SSL based virtual hosts. We only require one SSL enabled site - https://secure.mydomain.com for example. All the other virtual servers run on port 80.

> Did you get a warning message when starting the server? Check in the common_error_log...

No errors at all. The SSL is up and running as far as we can see. There are no error messages when we telnet into it as well - it closes the connection which is what we're aware of what it's supposed to do. We initially got a "cannot mix * ports and non-* ports" error message when we changed some of the settings, but we nominated all the ports on the virtual servers to be port 80 or 443.

At this point I'm thinking that it's best for us to use another IP address, and move the SSL service onto that, and leave all the name based virtual hosting on the other IP address. Will this do the trick?

I appreciate the helpfulness of your response.

--
Jason Paul McCartan - [EMAIL PROTECTED]
CEO/President
MindShift Design LLC
http://www.mindshiftdesign.com
Opinion on SSL/Virtual Hosting problem
I'd like to get an opinion from the experts on a problem we've run into.

We use Redhat 6.1 at the moment and Apache/1.3.9 (Unix) Red-Hat-Secure/3.1 mod_ssl/2.4.10 OpenSSL/0.9.4 as installed by our hosting company on our dedicated machine.

When we first kicked the server into life we were using only one domain name, and it pointed to that machine from our own DNS and from our hosting company's DNS. We had our SSL up and running with only a few hitches, but were able to work on both port 80 and 443 without any problem. As we launched the site, we had no problems with our SSL working properly - we were taking orders via e-commerce as the site should have.

Recently though the server was used to add other name-based virtual domains. Now the SSL through HTTPS is totally unavailable, and when we tried to view anything over HTTPS we get a blank "Page Not Found" page. We have no problem on port 80 for any of the sites. Initially we could hit the same site on HTTP and HTTPS and the SSL would activate. Now on HTTP it works fine, but we get that "Page Not Found" error on HTTPS.

I'd just like to confirm that this is a problem because we're not using IP-based virtual machines, but name-based virtual machines so that we can get the SSL up and running again ASAP. I've checked the HOW-TOs and FAQs, and I know that it mentions that SSL won't work with MOD_SSL, but it doesn't tell me what I should or shouldn't see through hitting a HTTPS web page <g>.

Any help or comments are appreciated.

--
Jason Paul McCartan - [EMAIL PROTECTED]
CEO/President
MindShift Design LLC
http://www.mindshiftdesign.com
Re: forcing http to https with a twist
--- Haroon Rafique [EMAIL PROTECTED] wrote:
> Thanks for responding, Paul, Carlos and Michael.

You're welcome. =o)

> Unfortunately, my situation is a catch 22. I will give you more background to help understand my position.

Good idea, lol

> Here's the current situation:
> - homepage is http which leads to an https form-based login page.
>
> Here's what we want to achieve:
> - Make the https form-based login page be the actual homepage to eliminate an extra click-thru with a way to silently redirect to http page in the case of non-SSL capable browser.

Ah! That's a little simpler than I was thinking, actually. I think ~lol~

> How do other people deal with this scenario? Is there always an http page which leads to the https page to cover the possibility that the user is coming in with non-SSL lynx and at least you could warn them about that on the http page. Any other way out?

Ok. Try this (and I'm hoping more knowledgeable folk will poke holes in this where applicable, since they'll probably have better ideas.)

I run my SSL server as a VirtualHost on the same box, but with practically the same setup (docroot, etc.), but I think you should be able to set up the SSL document root in one location (the https form-based login page you mentioned) and the http on port 80 (or whatever you're using) document root on the nonsecure info page. If someone hits the nonsecure server, it'll give them its page, which isn't the same as the SSL login (though it can be named the same, just in another directory). If they use https they'll hit the secure port, and get the secure docroot's login page.

Holes, anyone? I'm not testing this or rummaging through the documentation as I blather, so please don't let me lead anyone astray...

Paul

> Thanks,
> --
> Haroon Rafique [EMAIL PROTECTED]
Re: forcing http to https with a twist
--- Haroon Rafique [EMAIL PROTECTED] wrote:
> I have been reading the archives for a while now and didn't see any solution to my problem. So here goes... Thanks in advance for any solutions
>
> To force people to use https instead of http, I could use the mod_rewrite as follows (all is theoretical, I don't have access to apache or apache with mod_ssl right now, so please bear with me):
>
>     RewriteEngine On
>     # use log level 9 for most verbose 0 for least
>     RewriteLogLevel 9
>     RewriteLog "/etc/httpd/logs/rewrite.log"
>     RewriteCond %{HTTPS} !=on
>     RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
>
> It is absolutely essential to give the user the ability to see the homepage as regular http (and a few tech support pages) in case they have SSL turned off, or are using lynx without SSL support. Otherwise, if I blindly forward all http requests to https how would they know they're supposed to use SSL when they're using a non-SSL browser.
>
> Is it possible to not have a RewriteCond which prevents the RewriteRule to execute to take care of the above situation? Am I missing something obvious?
>
> Thanks,
> --
> Haroon Rafique [EMAIL PROTECTED]

As a quick-and-dirty response, here's a modperl handler we set up:

    #~~
    # module for Apache/mod_perl PerlPostReadRequestHandler to redirect
    # users on the nonsecure port over to SSL (hopefully saving bookmarks)
    #__
    package Apache::PortCorrect;
    use strict;
    use Apache::Constants qw( :response :methods );

    sub handler {
        my($r,$s,$url,$args,$uri,$subr);
        $r = shift;    # the request object
        # already on the secure port: nothing to do
        return OK if 443 == $r->get_server_port;
        # second field of the request line is the requested URL
        (undef,$url,undef) = split(/\s+/o, $r->the_request);
        # pages and images that are allowed over plain http
        return OK if $url =~ m{ ^(?:/
                                  |.*[.](?:gif|jpg)
                                  |/(?: public
                                      | teampages
                                      | pics
                                      | avgrates
                                      | regulatory
                                    )(?:/.*)?
                                  |/(?:home|cook)[.]shtml
                                )$
                              }ixo;
        # everything else is redirected to the secure server
        $uri = "https://buda.bst.bls.com" . $url;
        $uri .= "?$args" if $args = $r->args;
        $r->custom_response(MOVED,$uri);
        return MOVED;
    }

    1; # guarantee return code for load

It allows http on the listed subsites, but redirects to the secure port for everything else. If you don't have mod_perl, you might manage a similar effect with some hacking. There are better ways, but my ride's waiting. =o)

Good luck.
Re: Some question about modssl
James Treworgy wrote:
>> I would absolutely *not* do this, [mix SSL and non-SSL content] unless you want your web site users to see a message from the web browser saying "this page has both secure and insecure information. Do you want to proceed?" every time they use your site. This does not instill confidence.

--- Owen Boyle [EMAIL PROTECTED] wrote:
> Good point Jamie. However, for some users this may be necessary, there is nothing in the protocol against doing this, the browser warnings are browser-dependent (Netscape doesn't give a peep)

Which NetScape? I could swear I got this message from my Navigator a few times when I was first setting up our site, and hadn't cleared up the messes.

Our intranet site uses a modperl PerlPostReadRequest handler to reroute requests that *should* have been on the secure protocol, but doesn't bother with .jpg's or .gif's or certain directories or pages that are generally OK. That regularly means pages with mixed content, but the user never gets those messages.

On the other hand, we're a small enough site (an intranet) that we can afford the extra performance hit of all the 302's for correcting the protocol on restricted pages. On any high volume site, you'd want to handle it differently, but I think I've seen some posts where someone suggested mod_rewrite as an option.

Paul
[repost]garbled redirects
; -D ACCESS_CONFIG_FILE="conf/access.conf" -D RESOURCE_CONFIG_FILE="conf/srm.conf"

    Summary of my perl5 (revision 5.0 version 6 subversion 0) configuration:
      Platform:
        osname=hpux, osvers=10.20, archname=PA-RISC1.1-multi
        uname='hp-ux uap5 b.10.20 c 9000891 373319211 32-user license '
        config_args=''
        hint=recommended, useposix=true, d_sigaction=define
        usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=define
        useperlio=undef d_sfio=undef uselargefiles=define
        use64bitint=undef use64bitall=undef uselongdouble=undef usesocks=undef
      Compiler:
        cc='cc', optimize='-O', gccversion=
        cppflags='-D_HPUX_SOURCE -Aa -DDEBUGGING'
        ccflags =' -D_HPUX_SOURCE -DDEBUGGING -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Ae'
        stdchar='unsigned char', d_stdstdio=define, usevfork=false
        intsize=4, longsize=4, ptrsize=4, doublesize=8
        d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
        ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
        alignbytes=8, usemymalloc=y, prototype=define
      Linker and Libraries:
        ld='ld', ldflags =' -L/usr/local/lib'
        libpth=/usr/local/lib /lib /usr/lib /usr/ccs/lib
        libs=-lnsl_s -lndbm -ldld -lm -lc -lndir -lcrypt -lsec
        libc=/lib/libc.sl, so=sl, useshrplib=false, libperl=libperl.a
      Dynamic Linking:
        dlsrc=dl_hpux.xs, dlext=sl, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-B,deferred '
        cccdlflags='+z', lddlflags='-b +vnocompatwarnings -L/usr/local/lib'

    Characteristics of this binary (from libperl):
      Compile-time options: DEBUGGING MULTIPLICITY USE_LARGE_FILES PERL_IMPLICIT_CONTEXT
      Built under hpux
      Compiled at May 5 2000 15:36:16
      @INC:
        /usr/local/lib/perl5/5.6.0/PA-RISC1.1-multi
        /usr/local/lib/perl5/5.6.0
        /dart10/perl5/lib/site_perl/PA-RISC1.1-multi
        /dart10/perl5/lib/site_perl
        /dart10/perl5/lib/site_perl
        .

(Sorry, I don't have utilities for a decent stacktrace)

As always, thanks much in advance for any suggestions.

Paul
Re: How do browsers cache ssl pages?
"Wohlgemuth, Michael J." wrote:
> Now, on to my new question, and I hope I can explain it without thoroughly confusing everyone: We have modssl configured with an SSLSessionCacheTimeout of 300 seconds. One of the web applications running on the server uses frames, with one frameset containing an HTTP form, and the other frameset having navigation buttons, including the submit button. The design and implementation of these pages is out of my control. When the user hits the submit button, the page runs some JavaScript that performs an HTTP post on the frameset with the form. This works fine as long as the user doesn't take longer than 300 seconds to fill out the form and hit submit. If modssl expires the session cache, the browser clears all the entries in the HTML form. This leads me to believe that the browser is somehow limiting access from one frameset to the other based on the session id, and since the session ids don't match, it is clearing the form data. We see this behavior in both IE and Netscape.

As I understand it the SSLSessions are completely unrelated to any http-level sessions you may be using on the site. An SSLsession timing out should be completely transparent to the client at the http level, a new SSLsession should simply be created at the SSL level.

For what it's worth, I am using a frame based application over SSL with an SSLSessionCacheTimeout of 300, using http sessions (which last until the browser is shutdown) to track users and I am not experiencing any such problems. I'm not doing any javascript posts to another frame, but I do use javascript to trigger gets in other frames.

Can you run your app in straight http mode to check that SSL is really involved in causing the problem?

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755
Re: unsecure objects with IE5.5
[EMAIL PROTECTED] wrote:
> Now Microsoft has released the SP1 for IE5.5 which fixes the bug with unsecure objects.

Thanks for the update Andreas, I've been polling Windows Update daily but it doesn't seem to rate a mention there.

Now let's cross our fingers and hope a fix for the similar bug in Mozilla will get in prior to Netscape 6 (though I think it's unlikely).

Actually, if anyone has a publicly accessible real world example then perhaps they could attach it to:

http://bugzilla.mozilla.org/show_bug.cgi?id=58180

then perhaps the Mozilla folks may up the priority a bit. My testcase may seem a bit academic compared to the real world implications of the bug (making a secure site that uses javascript urls unusable unless the user turns off their security features).

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755
Re: Ready for Prime Time ?
Keith Parkansky wrote:
> If there are any commercial support operations available, where can I find contact information for them ?

Redhat will probably happily take your money from you.. I'm sure Linuxcare will too...

In fact, with many of the largish Open Source companies basing much of their business model on support revenue I wouldn't think it would be all that difficult to find someone willing to give you support if you actually go and look.

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755
Re: Ready for Prime Time ?
Keith Parkansky wrote:
>> In fact, with many of the largish Open Source companies basing much of their business model on support revenue I wouldn't think it would be all that difficult to find someone willing to give you support if you actually go and look.
>
> For issues related to the OS this is true, but for issues related to the applications they bundle, such as Apache, they will not provide "in depth" technical support.

http://www.redhat.com/products/support/ecommerce/

I haven't talked to them or anything, but their web-page suggests they'll help you with 'your toughest technical problems'.

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755
Re: unsecure objects with IE5.5
David Rees wrote:
>> We've got no problems with NS or other IE versions. Maybe a reason: We use extensively javascript within the pages.
>
> This is a known bug in IE 5.5. I don't know of any work arounds.

Does anyone know where (if) this bug is documented? I couldn't find anything on MS's site (I'd just like something to point to when people ask what the error means).

In further bad news, a similar bug exists in Mozilla:

http://bugzilla.mozilla.org/show_bug.cgi?id=58180

This is all somewhat annoying, having the most recent versions of the two leading browsers screw up an application I spent some time crafting out of entirely standards based technology (HTML4, CSS, ecmascript and DOM).

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755
Re: should you start ssl as a root???
Susmitha Vuyyuru wrote:
> I have apache+jserv+modssl running on red hat. I start it as a root. But, I have a question about the usual convention... Is the usual convention to start webserver as a root or as a general user??

Yes, it is normal to start Apache as root (in fact you have to if you want it to bind to the standard port numbers for http and https).

However your webserver should be changing to another user/group once it has started. Search for "User" in your httpd.conf file.

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755
multiple secure name-based virtual hosts and mod_ssl
Hello,

I am trying to use multiple name-based virtual hosts with mod_ssl. The system is running Mandrake 7.1 with mod_ssl-2.6.4. The virtual hosts definition work fine with one gotcha, the first certificate/private key pair is being used for both virtual hosts. The configuration file looks like this:

    NameVirtualHost IPAddr1:443
    <VirtualHost IPAddr1:443>
    DocumentRoot /home/httpd/site1/html
    ServerName site1.domain
    ErrorLog logs/ssl-error_log
    TransferLog logs/ssl-access_log
    SSLEngine on
    SSLCertificateFile conf/ssl/site1.domain.crt
    SSLCertificateKeyFile conf/ssl/site1.domain.key
    ...Location/directory specific directives
    </VirtualHost>

    NameVirtualHost IPAddr1:443
    <VirtualHost IPAddr1:443>
    DocumentRoot /home/httpd/site2/html
    ServerName site2.domain
    ErrorLog logs/ssl-error_log
    TransferLog logs/ssl-access_log
    SSLEngine on
    SSLCertificateFile conf/ssl/site2.domain.crt
    SSLCertificateKeyFile conf/ssl/site2.domain.key
    ...Location/directory specific directives
    </VirtualHost>

If I try to establish a secure connection to either site1 or site2, then I get the appropriate pages and access for that site based on the document root and the location/directory specific directives. However when I connect to site2, I get a browser error stemming from a name mismatch between the site name and the site certificate. When I check the detailed information for the server certificate, it's showing me the information for the certificate of site1, even though I retrieve the pages for site 2.

Can't mod_ssl handle separate certificates for each vhost? If not, then why are the SSLCertificate(Key)File directives used in VirtualHost instead of being global?

Thank you,

Paul-Andre Panon
Re: multiple secure name-based virtual hosts and mod_ssl
>> Can't mod_ssl handle separate certificates for each vhost?
>
> Not for name based hosts. See the FAQ!
>
>> If not, then why are the SSLCertificate(Key)File directives used in VirtualHost instead of being global?
>
> Because VirtualHosts can also be IP or port based.

Could mod_ssl be changed to refuse to start up if name based virtual secure hosts are set up, with an appropriate message ("READ THE FAQ!") output to the Apache log files?

You'd probably want another configuration directive too,

    SSLYesIHaveReadTheFAQ on

to override this new behavior for situations where someone doesn't care about the browser errors (eg in a dev environment).

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755
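The start-up check asked for above, and the certificate mismatch reported in the original question, can be reproduced offline. This is an added example, not mod_ssl code and not code from the thread: the sample configuration, the 192.0.2.x addresses and every function name are constructed, and certificate selection is modelled on what the posters report (the first SSL vhost on an address supplies the certificate). Wildcard addresses such as * or _default_ are compared literally.

```python
"""Lint an Apache config for name-based SSL virtual hosts (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the configuration quoted in the thread;
# 192.0.2.x are documentation addresses standing in for "IPAddr1".
SAMPLE_CONF = """\
NameVirtualHost 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName site1.domain
    SSLEngine on
    SSLCertificateFile conf/ssl/site1.domain.crt
    SSLCertificateKeyFile conf/ssl/site1.domain.key
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName site2.domain
    SSLEngine on
    SSLCertificateFile conf/ssl/site2.domain.crt
    SSLCertificateKeyFile conf/ssl/site2.domain.key
</VirtualHost>
# A second IP address gives this host its own certificate.
<VirtualHost 192.0.2.11:443>
    ServerName secure.domain
    SSLEngine on
    SSLCertificateFile conf/ssl/secure.domain.crt
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName www.site1.domain
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)


def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> block, in file order."""
    vhosts, current = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"addrs": opened.group(1).split(), "line": lineno,
                       "servername": None, "ssl": False, "cert": None}
        elif VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            name = parts[0].lower()
            value = parts[1].strip().strip('"') if len(parts) > 1 else ""
            if name == "servername":
                current["servername"] = value
            elif name == "sslengine":
                current["ssl"] = value.lower() == "on"
            elif name == "sslcertificatefile":
                current["cert"] = value
    return vhosts


def certificate_presented(vhosts, addr, host_header):
    """Model of the reported behaviour: the certificate is fixed by addr
    alone (the handshake finishes before any Host header is read), while
    the content comes from the vhost whose ServerName matches the header."""
    candidates = [v for v in vhosts if v["ssl"] and addr in v["addrs"]]
    if not candidates:
        return None
    cert_vhost = candidates[0]
    wanted = host_header.lower()
    content_vhost = next(
        (v for v in candidates if (v["servername"] or "").lower() == wanted),
        cert_vhost)
    return cert_vhost["cert"], content_vhost["servername"]


def find_shadowed_certs(vhosts):
    """List SSL vhosts whose own certificate can never be served because an
    earlier SSL vhost on the same address:port supplies a different one."""
    by_addr = defaultdict(list)
    for v in vhosts:
        if v["ssl"]:
            for addr in v["addrs"]:
                by_addr[addr].append(v)
    findings = []
    for addr, group in by_addr.items():
        first = group[0]
        for later in group[1:]:
            if later["cert"] != first["cert"]:
                findings.append({"addr": addr, "line": later["line"],
                                 "servername": later["servername"],
                                 "cert": later["cert"],
                                 "shadowed_by": first["servername"],
                                 "served_cert": first["cert"]})
    return findings


if __name__ == "__main__":
    for f in find_shadowed_certs(parse_vhosts(SAMPLE_CONF)):
        print("line %(line)d: %(servername)s on %(addr)s will be served "
              "%(served_cert)s (from %(shadowed_by)s), not %(cert)s" % f)
```

Run against a real httpd.conf, a non-empty result from find_shadowed_certs is the condition the proposed start-up refusal would trigger on.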
Re: THE CLUELESS MORON
Harald Langaker wrote:
> The above person (Harald Langaker ([EMAIL PROTECTED])) has been sending obscene and insulting mail to me. Please request that he cease this activity and that he withdraw his postings from any online archives. He is a member of a group of people who illegally posted advertising on my Web site. Complaints are being made to the appropriate law-enforcement authorities.

I wonder what the legality is of him stating that you (and members of the modssl group for that matter) are involved in illegal behaviour.

Perhaps someone should drop a line to somewhere appropriate ([EMAIL PROTECTED]) in the computing services department there and get them to have a quiet word.

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755
Re: why 8443?
--- [EMAIL PROTECTED] wrote:
> Can someone explain the differences and why 8443 is the default?

Anything below 1024 requires root privilege. Sometimes the web admin isn't root, so this is a "standard" accommodation.
./configure --with-apxs=/usr/sbin/apxs
When running the configure with apxs command on mandrake 7.1 helium with apache 1.3.12 already installed from rpm I received the following message.

    Configuring mod_ssl/2.6.6 for Apache/1.3.12
    ./configure:Error: The mod_ssl/2.6.6 can be used for Apache/1.3.12 only.
    ./configure:Error: Your Apache source tree under /usr is version Server.
    ./configure:Hint: Please use an extracted apache_1.3.12.tar.gz tarball
    ./configure:Hint: with the --with-apache option, only.

I dug through the configure script and fell on line 289. After breaking it up I found that the mandrake version is a bit fouled up. This is the first line of output from httpd -v:

    Server version: Apache-AdvancedExtranetServer/1.3.12 (NetRevolution/Linux-Mandrake)

I retouched line 289 to read

    APV=`/usr/sbin/httpd -v | grep "Server version:" | awk {print'$3'} | sed -e 's/.*\///' -e 's/ .*//'`

and all was well. I'm posting this so maybe it can be fixed and so people can find it in the mail archives. I know that was one of the first places I looked.

--
http://edispatch.timespace.org -- mailto:[EMAIL PROTECTED]
ssl_scache
I have my session caching set to about 5 minutes, and now it's working *but* -- I've had some trouble getting the system to *keep* the ssl_scache file.

At this point I have a nightly process doing a "ssl_scache.pag" and "ssl_scache.dir" and "chmod 777 ssl_scache.???", but that certainly doesn't seem to be the optimal solution. Never mind the security problem with the 777 mode, why should I have to keep manually creating the file every night? How was it getting deleted, or the permissions changed?

Has anybody else seen anything like this, or is it just another ridiculous quirk of this old system on which I work?
Re: Frames Javascript - insecure?
--- Lee Feigenbaum [EMAIL PROTECTED] wrote:
> the page gives the warning "this page contains both secure and insecure elements"

This will happen if ANYTHING is accessed by a nonsecure protocol, even so much as a single banner from another site. You did say all links were relative, though.

Anything offsite being accessed through that JS? Or maybe are you loading images for flyover changes? That *might* count as nonsecure, though I don't know the internal implementation.
Re: What's this error?
--- Mads Toftum [EMAIL PROTECTED] wrote:
> On Wed, Jul 19, 2000 at 08:22:57AM -0700, Paul wrote:
>> Somebody suggest a debugger? I'm feeling pretty ignorant, here, and unfortunately won't have any time to RTFM for a few weeks yet. (~mumblegrumble~)
>
> http://www.modssl.org/docs/2.6/ssl_faq.html#report-backtrace
>
> You may also have a tool like strace (Linux) or truss (Solaris), which can be very helpful too.

Thanks much. Maybe that's why I haven't been getting core files.. Will look into it.
Re: What's this error?
> I have also noted a fair amount of
> [Wed Jul 19 16:01:58 2000] [notice] child pid 24703 exit signal Segmentation Fault (11)

> I get this, too, a *LOT*.

> Err... I'm convinced that our current mod_ssl 2.6.5 is 100% stable and does not produce any segfaults. If you really get segfaults, some other component causes it. Let me guess: You're running PHP or mod_ssl+OpenSSL as a DSO under Solaris, right?

Forgive the "me, too"-ism, here, but this problem just won't seem to go away. I'm running on HP-UX B.10.20 (best the company will spring for) on a PARISC1.1 9000/891. I probably did build DSO, though, and I really don't need it. Hmm think the same prob might apply here?

> If no, then I've no clue and you have to attach a debugger to find out where it segfaults.

Somebody suggest a debugger? I'm feeling pretty ignorant, here, and unfortunately won't have any time to RTFM for a few weeks yet. (~mumblegrumble~)

Paul
Re: error_log message
--- Penny Rand [EMAIL PROTECTED] wrote:
> [Fri Jul 14 09:26:50 2000] [crit] (48)Address already in use: make_sock: could not bind to port 80

Something's already using port 80, the default web port. Check memory -- try

    ps -ef|grep -i httpd

If there's *any* webserver active, shut it down, then try again (if that's an option).

Paul
Re: Multiple secure domains against one server.
David Leeson wrote:
> If it's an RTFM, mads, please tell me gently ;-)

It is, and TFM will tell you that you can't do it. It'll also tell you why.

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755
Re: How to ...?
--- "Amr A. Aysha" [EMAIL PROTECTED] wrote:
> Hi All,

Hi, Amr.

> Now, after one of my Netscape clients gets its certificates, I would like to sign any HTML form for non repudiation. How can I do that ?

If I understand your questions correctly, you only have to make certain that the page is accessed via HTTPS. The server will sign the page as part of the protocol.

> Second question, if I want to cross-sign two Certificate Authority between them. How to proceed an hierarchical certificate structure?

For this either I am ignorant, or I do not understand the question.

Good luck.

Paul
Re: HTTPS
- Original Message -
From: Alexandre Dias
To: [EMAIL PROTECTED]
Sent: Tuesday, July 11, 2000 4:45 PM
Subject: HTTPS

> I would like to use HTTPS on another port than 443... How can I do it?

*sigh* RTFM is good advice, but I know that sometimes one wonders where in the manual to look.

The standard configuration looks something like this:

    <IfDefine SSL>
    Listen 80
    Listen 443
    </IfDefine>

This assumes that 80 (the HTTP default) is your standard port, and 443 (the HTTPS default) is your standard SSL port. If, however, you don't have root permissions (as an example), you can do this:

    <IfDefine SSL>
    Listen 8080
    Listen 8443
    </IfDefine>

This is a common practice, and will work fine (as long as you keep everything lined up -- make sure your Port and Listen commands for the standard http access are in fact watching 8080, and that any virtual host you want on the secure port knows it should be watching 8443 -- cross-port the commands, and I kinda doubt it will work. =o)

*Read The Manual*, but for a quick reference check the http.conf file.

Paul
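A small lint for the "keep everything lined up" advice above, added here as an example and not part of the original thread: it checks that every port-bound virtual host has a matching Listen and that no SSL host sits on the main server's Port. The function names and both sample configurations are constructed for illustration; `Port`, `Listen`, `<VirtualHost _default_:port>` and `SSLEngine` are the standard Apache 1.3/mod_ssl directives.

```python
import re

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)

def port_of(address):
    """Port of 'host:port', '_default_:8443' or a bare '8080'; None if there is none."""
    tail = address.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def check_ports(conf_text):
    """Return a list of port mismatches found in an Apache 1.3-style config."""
    listen, vhosts, main_port, current = set(), [], None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"name": opened.group(1).strip(), "ssl": False}
            current["ports"] = {port_of(a) for a in current["name"].split()} - {None}
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        else:
            words = line.split()
            key, arg = words[0].lower(), (words[1] if len(words) > 1 else "")
            if current is None and key == "listen":
                listen.add(port_of(arg))
            elif current is None and key == "port":
                main_port = port_of(arg)
            elif current is not None and key == "sslengine":
                current["ssl"] = arg.lower() == "on"
    # Without any Listen directive, Apache 1.3 listens on Port only.
    listen = (listen - {None}) or {main_port}

    problems = []
    for v in vhosts:
        for port in sorted(v["ports"]):
            if port not in listen:
                problems.append(f"{v['name']}: no Listen directive for port {port}")
            if v["ssl"] and port == main_port:
                problems.append(f"{v['name']}: SSL host sits on the plain-HTTP Port {port}")
    return problems

# Constructed sample: the unprivileged 8080/8443 layout from the message, lined up.
GOOD_CONF = """
Port 8080
<IfDefine SSL>
Listen 8080
Listen 8443
</IfDefine>
<VirtualHost _default_:8443>
SSLEngine on
</VirtualHost>
"""

# Constructed sample: one SSL host cross-ported onto 8080, one left on 443.
CROSSED_CONF = """
Port 8080
Listen 8080
Listen 8443
<VirtualHost _default_:8080>
SSLEngine on
</VirtualHost>
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for problem in check_ports(CROSSED_CONF):
        print(problem)
```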
Re: which port ? 80 or 443
--- Danilo Nascimento [EMAIL PROTECTED] wrote:
> > From: "Yu, Leo" [EMAIL PROTECTED]
> > Reply-To: [EMAIL PROTECTED]
> > To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
> > CC: "Yu, Leo" [EMAIL PROTECTED]
> > Subject: which port ? 80 or 443
> > Date: Mon, 10 Jul 2000 12:30:40 -0700
> >
> > Hi,
> >
> > I configure a Linux system to run Apache and Jserv and SSL. The server is listening to both port 80 and port 443 (for SSL). I have a servlet running on the system to print out which port the request is coming from. The problem is no matter what port ( 80 or 443 ) the URL request is coming in. The servlet always prints out port 80. I use the getServerPort() function of the request object to retrieve the port number. Any idea why ? Does Apache need to have port 80 open always ?
> >
> > Thanks!
> > Leo
>
> Hi Leo,
>
> but what's your Test URL? This question can sound strange, but I have seen many users testing SSL connections using a HTTP URL!
>
> Bye,
> Danilo.

A little added clarification -- HTTP always comes through port 80 by default; httpS comes through port 443.

Paul
Re: Help : Annoying information windows in Internet Explorer ?
Sounds vaguely familiar (though our intranet uses mostly NetScape). It's a browser-end problem, if I understand you correctly, and I don't think you can change it from the server-end, though I've been wrong about such things before. =o)

I posted instructions for how the user can tell the browser not to bother him/her anymore. Some reconfigure, some just suffer through.

Paul

--- Gianluca Morello [EMAIL PROTECTED] wrote:
> I configured a good working configuration of Apache-SSL, I created my own CA. All is up and working: I have a web based certificate request, an automatic signing process of the client certificates and automatic downloading of certificates. All works well.
>
> Only one thing: When (MS Internet Explorer) clients connect to my secure web server, they can choose their client certificate. OK. The authentication of certificates is OK. The problem is that when a client makes a page request (through links or forms) in their browser a window appears saying that they are exchanging data with the server signing these data with their private key, so in their navigation, for each page they view they have to close this information window with a nervous effect.
>
> So the question: is there a way to avoid these annoying popup windows appearing?
>
> Note : I create the certificate request using the Enroll.CreatePKCS10 method of Enroll object of MS Internet Explorer, and the download of the signed client certificate is made with the IControl.AcceptPKCS7 method. I used php , vba and a short shell script to do all the stuff.
>
> Thanks.
Re: Apache/mod_perl
Stronghold would give you professional tech support, but if all you want is SSL, check out Ralf Engelschall's mod_ssl (www.modssl.org) based on the OpenSSL protocol (www.openssl.org). It works well with vanilla Apache, and it's *free* -- thanks again, Ralf. =o)

--- Pramod Sokke [EMAIL PROTECTED] wrote:
> Has anybody used stronghold? I'm considering using stronghold for SSL support since ours is a commercial application. Would mod_perl and all related modules work as fine with Stronghold as with plain Apache?
>
> Thanks,
> Pramod
>
> At 10:24 AM 7/7/00 -0400, Vivek Khera wrote:
> > "PS" == Pramod Sokke [EMAIL PROTECTED] writes:
> >
> > PS> We are running Netscape Enterprise server with cgis written in perl and C.
> > PS> I'm looking at moving over to Apache and start using mod_perl. How
> > [ .. ]
> > PS> over to Apache/mod_perl going to be a simple plug-in or would it involve
> > PS> re-writing lots of stuff?
> >
> > The C stuff will probably not be worth rewriting, but that depends on what it does. The perl stuff will need to be "cleaned" if it is sloppy code. That is, if it is clean running in Perl under "-w" and "use strict" you're most likely going to have little difficulty with them.
> >
> > But what you should do is use the two-server performance enhancement (using mod_proxy and mod_rewrite) and have your legacy apps run on the front-end server, and then migrate your perl to the mod_perl backend one at a time.
> >
> > --
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > Vivek Khera, Ph.D.                Khera Communications, Inc.
> > Internet: [EMAIL PROTECTED]       Rockville, MD       +1-301-545-6996
> > GPG MIME spoken here              http://www.khera.org/~vivek/

=
"Seize the wildness of the moment,
 Feel the movement of the moon --
 Swans fly with wings wide open to the sky." -- B-52's
-
Real friends are those whom, when you inconvenience them, it bothers you more than them. -- me. =o)
-
"There are trivial truths and there are great Truths. The opposite of a trivial truth is obviously false. The opposite of a great Truth is also true." -- Niels Bohr
-
TEMPVS PECVDEM COLLARE EST - It's time to thin the herd.
-
[http://www.catfishforbreakfast.com/letgod.html]
-
Re:[OT] Welcome to the world, Noah!
*MANY* congrats, and welcome to the gene pool.
God bless each of you.

Paul

--- "Ralf S. Engelschall" [EMAIL PROTECTED] wrote:
> Welcome to the world, Noah!
>
> Three hours ago (at June 23th, 2000 - 4:08pm CET) our first kid was born: Noah Sebastian Engelschall, weight: 3690g, length: 52cm.
>
> Mother Daniela (27 years) and Noah (3 hours ;) are feeling very well! Father Ralf also still feels well... and now really understands why we men are considered snivelling and what OTOH our womans really accomplish in their life. I'm very proud.
>
> In case you're interested: we've chosen the first name Noah for him, because this name stands for "the bringer of ease and comfort" (according to the text books of names). And Daniela and I found it not unreasonable if at least one of our family members _at least by definition_ is more of a calming type ;)
>
> Yours,
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com
Re: garbled redirections
--- "Jason P. Winters" [EMAIL PROTECTED] wrote:
> > First, the problem:
> >
> > [Tue Jun 20 09:06:55 2000] [error] [client 90.17.209.65] Invalid error redirection directive: üØ@
> >
> > üØ@? Let me assure you, "üØ@" isn't in my code anywhere. =o) Am I confusing or crosswiring Apache by doing a cross-port custom response here? It seems to work Or is it something entirely different?
>
> This looks more like a system that is sending you 16bit encoded text, instead of straight 8bit ASCII... (and yes, my system converted the text to something it can read. ;} ) You may not be seeing all of the data because it is 16bit and the 8bit processor chops it off...

But it's not consistent. Here's another:

[Tue Jun 20 08:53:03 2000] [error] [client 96.90.8.163] Invalid error redirection directive: @^_íØs://buda.bst.bls.com/dres/dres.cgi

"buda.bst.bls.com" is our intranet server. "@^_íØ" is *VERY* confusing. I'm assigning the $uri for the custom_response with a literal string:

    $uri = "https://buda.bst.bls.com" . $url;

How is that coming through as "@^_íØs://buda.bst.bls.com"? If I spoof the same uri with a telnet, I get this:

    HTTP/1.1 302 Found
    Date: Tue, 20 Jun 2000 16:29:29 GMT
    Server: Apache/1.3.12 (Unix) mod_perl/1.23 mod_ssl/2.6.4 OpenSSL/0.9.5a
    Location: https://buda.bst.bls.com/dres/dres.cgi
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1

It's internal to the server, and not consistent. :o(

Thanks for the suggestion, tho. Every idea is worth checking!
Re: Compiling a module during the build of apache
"Michael J. McGillick" wrote:
> I've just downloaded the php-4.0.0 tarball, and would like to have it get built and recognized in the http.conf file when I make apache. Is there a document that shows how to do this?

Just compile Apache (and mod_ssl) as you normally would with mod_so enabled and install it. Once you've done that then install PHP as explained in the INSTALL file in the section "QUICK INSTALL (DSO)".

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755
RE: Auto HTTPS
I wrote a handler to do it. (BTW, I hope this helps, but PLEASE feel free to give criticisms and suggestions. I'm new to Apache/modperl/etc. =o)

    #~~
    # module for Apache/mod_perl PerlPostReadRequestHandler to redirect
    # users on the nonsecure port over to SSL (hopefully saving bookmarks)
    #__
    package Apache::PortCorrect;

    use strict;
    use Apache::Constants qw( :response :methods );
    use Carp ();
    $SIG{__WARN__} = \&Carp::cluck;

    sub handler {
        my($r,$s,$url,$args,$uri);
        $r = shift;
        # requests that already arrived on the SSL port pass through
        return OK if 443 == $r->get_server_port;
        # path only: the_request would also carry the query string,
        # which is appended from $r->args below
        $url = $r->uri;
        # allow HTTP:// access to some core pages and to graphics
        return OK if $url =~ m{ ^(?:/
                                  | /(public|teampages|pics|avgrates)/.*
                                  | /(home|cook)[.]shtml
                                  | .*[.](gif|jpg)
                                )$
                              }ixo;
        # else redirect to the secure server
        $uri = "https://$our_server.com" . $url;   # edited :o)
        $args = $r->args;
        $uri .= "?$args" if $args;
        $r->custom_response(MOVED,$uri);
        return MOVED;
    }

    1; # guarantee return code for load

In the config file, I just said (with minimal edit):

    PerlModule Apache::PortCorrect
    PerlPostReadRequestHandler Apache::PortCorrect

Hope that helps.

Paul

--- "Airey, John" [EMAIL PROTECTED] wrote:
> A user redirect in the head of a web page at http://www/mydomain.com/michel such as
>
>     <META HTTP-EQUIV="refresh" CONTENT="1; URL=https://www/mydomain.com/michel">
>
> Would achieve this (redirecting after 1 second). However, the secure document root would have to be different!
>
> I don't think (AFAIK) there's a way for a web server to do this.
>
> -
> John Airey
> Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
>
> -Original Message-
> From: michel [mailto:[EMAIL PROTECTED]]
> Sent: 14 June 2000 16:46
> To: [EMAIL PROTECTED]
> Subject: Auto HTTPS
>
> Hi, I have a site with SSL. I want that if a user came in http://www/mydomain.com/michel via automatic the user is redirected to https://www/mydomain.com/michel
>
> I have seen the manual, but I'm a newbie in regular expressions.
>
> In httpd.conf I have:
>
>     <Directory /usr/local/apache-1.3.12/htdocs/michel>
>     Order allow,deny
>     Allow from all
>     RewriteEngine on
>     RewriteCond %{HTTPS} !=on
>     RewriteRule (.*) https://%{SERVER_NAME}/ [R,L]
>     #RewriteRule * https://%{SERVER_NAME}/$1
>     </Directory>
>
> out of every IfModule
>
> Tnx in advance
>
> both them (Windows and M. Lewinski) suck a lot and both them are giving Bill some trouble.
> --
> Michel ZioBudda Morelli [EMAIL PROTECTED]
> ICQ UIN: 58351764
> PR of PhpItalia.com
> http://www.ziobudda.net http://faq.ziobudda.net
Re: How can I create certificates and keys using *.bat files? Please help.
--- Derek DeMoro [EMAIL PROTECTED] wrote:
> I need to be able to create keys and certificates using *.bat files? How can I do that?

Are you using OpenSSL? It has a command-line interface that can be executed from a *.bat; check out http://www.openssl.org/docs/apps/genrsa.html

Paul
Re: Urgent: remove password from server cert?
> Forsake rebooting, use Unix! (-:

LOL!! I'm with you, bud. But it *is* UNIX, just 10.2 (only recently upgraded to that!) on an old T-500 machine. We just try to keep it clean. =o)
Re: Urgent: remove password from server cert?
--- Victor STANESCU [EMAIL PROTECTED] wrote:
> First question: Is there any logical reason to reboot every week? If you are speaking of a real, production-environment server, it is stupid to do such a thing. It should have months or years of uptime..
>
> The only excuse for a reboot can be:
> - hardware upgrade / failure
> - operating system upgrade / patching (depending on what you are using)
> - the use of windows where it does not belong (on a real-world server)
>
> Which is your case?

LOL!! Case #4: IT says so.

In response to your question,

> Is there any logical reason to reboot every week?

the answer is that I can't think of one, unless it's because we're running an *old* midrange box with an old OS (10.2 UNIX) and are asking it to do too much -- they're chain-branching disk arrays because we've run out of card slots.

Still, the IT dept. is horribly underbudgeted, and mostly farmed out to contractors who are obeying the legacy guidelines as laid down by people they (nor I) never met. So I'm stuck with Monday morning reboots until we can get a new box, and manage it ourselves.

In the meantime, however, the password problem has been satisfactorily solved (security caveats noted), and thank you all. =o)

Paul

=
...Look upon my works, ye Mighty, and despair!...
"Ozymandias" -- Percy Bysshe Shelley
Re: Insecure information
Are the links written img src=http://.? That makes the server access the *insecure* server for them. Try making them relative URL's?

--- Mark Lo [EMAIL PROTECTED] wrote:
> Hi,
>
> I have installed my secure web server and got the test certificate from verisign. I was trying some of my web pages using https://mydomain/test.html. Then, a window pops up and indicates that some of the information is not secured, so it will not be shown on the web page. All of the insecure information is pictures in jpeg or gif format. I wonder what is wrong with those pictures. And how to overcome this problem.
>
> Thanks
> Mark
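The check suggested in the reply above (look for images referenced with an absolute http:// URL on a page that is itself served over HTTPS), written out as an added example that is not part of the original thread. The function and class names and the sample HTML are constructed for illustration; the page URL is the one from the question.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser fetch a subresource for the page.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "link": "href", "object": "data", "body": "background",
}

class MixedContentFinder(HTMLParser):
    """Collect subresources that an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.insecure = []          # (tag, resolved URL) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how every later relative URL resolves.
            self.base = urljoin(self.base, attrs["href"])
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return                  # e.g. rel="canonical" is not fetched as content
        attr = SUBRESOURCE_ATTRS.get(tag)
        value = attrs.get(attr) if attr else None
        if not value:
            return
        resolved = urljoin(self.base, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.insecure.append((tag, resolved))

def find_mixed_content(page_url, html):
    """Return the (tag, URL) pairs a browser would flag on this page."""
    if urlsplit(page_url).scheme != "https":
        return []                   # nothing is "mixed" on a plain-HTTP page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

# Constructed sample page: one absolute http:// image and stylesheet, plus
# relative and scheme-relative references that inherit https from the page.
SAMPLE = """
<html><head>
<link rel="stylesheet" href="http://mydomain/site.css">
</head><body>
<img src="http://mydomain/pics/logo.gif">
<img src="/pics/banner.jpg">
<IMG SRC="pics/photo.jpg">
<img src="//mydomain/pics/scheme-relative.gif">
<a href="http://mydomain/index.html">plain link, not a subresource</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://mydomain/test.html", SAMPLE):
        print(f"insecure <{tag}>: {url}")
```

Only the two absolute http:// references are reported; the relative and scheme-relative images resolve to https:// because the page does.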
Urgent: remove password from server cert?
In a sudden (and late) moment of epiphany, I just realized (while writing a note to our CSA to please put the new server's startup in the machine's boot cycle) that when we reboot (*every* Monday morning in the wee hours) it's not terribly likely that anyone's going to be around to feed the password to the startup query.

This really needs to be automated. Help? =o)

Paul

=
Friends are those who, when you must inconvenience them, are less bothered by it than you. ;o]